After migrating to the http-01 challenge, I could not renew my certificate.
I tried a lot of different tips and I disabled the https-redirect in my apache-config but nothing seems to help.
My domain is:
I ran this command:
sudo certbot run -a webroot -i apache -w /var/www -d d4x.de
I also tried
sudo certbot certonly --manual --preferred-challenges http
It produced this output:
Cleaning up challenges
Failed authorization procedure. d4x.de (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://d4x.de/.well-known/acme-challenge/ztgINcZpGm6PNhdey62CZ9uFnCO48LWg0ssPglcP9_c: Error getting validation data, www.d4x.de (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.d4x.de/.well-known/acme-challenge/3EXJx0dea0CHofPE5UBN3CxDADyNPdJ0wic-zZvL8xI: Error getting validation data
My web server is (include version):
Version : 2.4.6
Ausgabe : 88.el7.centos
The operating system my web server runs on is (include version):
CentOS Linux release 7.6.1810
My hosting provider, if applicable, is:
STRATO.
I can log in to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
I could access the files mentioned above via curl:
So I don’t understand why the Let’s Encrypt server could not reach the files.
Thanks in advance for any hints.
For me, attempts to connect to the site’s IPv6 and IPv4 addresses using HTTP both return ICMP destination unreachable - administratively prohibited errors.
I see, you have checked your domain via
You have ipv4 and ipv6 addresses:
But http / port 80 has a timeout - ipv4 and ipv6:
https works, you can use a redirect http -> https. But if you want to use http-01 validation, the first connection is via http.
Letsencrypt prefers ipv6, so that should work.
Thanks, Jürgen and [mnordhoff],
I read the information on your site but didn’t believe it. curl seems to switch to https without any further notice, so it was misleading me.
The problem was that I blocked port 80 in firewalld quite a while ago and didn’t remember that setting. This setting was never a problem for any browser, but certbot seems to be a little bit picky and does not try to reach 443.
sudo firewall-cmd --zone=public --add-service=http
sudo firewall-cmd --zone=public --add-service=http --permanent
and then certbot runs smoothly:
new certificate deployed with reload of apache server; fullchain is
Congratulations, all renewals succeeded. The following certs have been renewed:
Big thanks to you and the service you offer on your website! It’s really impressive how many people you’ve helped in this forum.
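A pre-flight check for the failure mode in this thread, added here as an example and not code from the thread or from Certbot: it resolves every A/AAAA record of the domain and tries a plain TCP connect to port 80 on each, the way the ACME validator does (no TLS, no redirect following), so a firewall that drops port 80 shows up as "timeout" before certbot is run. Hostname, port and timeout values are assumptions.

```python
import socket
import sys

def probe_tcp(addr, port=80, timeout=5.0):
    """Plain TCP connect to one address, as the http-01 validator would do.
    Returns 'open', 'refused' (port closed, nothing listening),
    'timeout' (typical of a firewall DROP rule) or
    'unreachable' (ICMP unreachable / administratively prohibited, a REJECT rule)."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((addr, port))
        return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"
    finally:
        sock.close()

def resolve_all(domain):
    """All IPv4 and IPv6 addresses published for the domain.
    The validator prefers IPv6, so AAAA records must pass too."""
    addrs = set()
    for _family, _type, _proto, _name, sockaddr in socket.getaddrinfo(
            domain, 80, proto=socket.IPPROTO_TCP):
        addrs.add(sockaddr[0])
    return sorted(addrs)

def preflight(domain, port=80):
    """Map each published address to its port-80 reachability verdict."""
    return {addr: probe_tcp(addr, port) for addr in resolve_all(domain)}

if __name__ == "__main__":
    # Usage: python preflight.py example.com   (domain is an assumption)
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    results = preflight(target)
    for addr, verdict in results.items():
        print(f"{addr:40} port 80: {verdict}")
    # Any verdict other than 'open' means http-01 validation will fail.
    sys.exit(0 if all(v == "open" for v in results.values()) else 1)
```

A browser or curl -L that lands on https will not reveal a blocked port 80; only the plain port-80 verdict above matches what the validator sees.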