I am having this issue as well, I also know that LE is hitting my server, however certbot is not responding to those requests (I have the same logs as the OP). Firewalld and iptables are both disabled
Hi @AddoSolutions and welcome to the LE community forum
I've moved your post to a separate topic in order to provide you with specific solutions to your problem.
That said, we really need more information before we can do that.
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
You must have a functional HTTP site before you can secure it (via HTTP authentication).
Note: LE validation servers are located throughout the Internet and their IPs can change at any moment.
Whyever would you be doing that? Just use the apache authenticator instead of the standalone authenticator. At the very least use the webroot authenticator.
Because I have a fairly complex set of servers, proxies, etc all running through that web server via containers. On this particular server, it's actually not too bad. Webroot would actually be wildly complex to include with all the different applications running on it
Makes sense. With the apache authenticator you would typically write an apache Location directive to specially handle the http-01 challenge files requested under /.well-known/acme-challenge/ such that those requests are not proxied. However, if the server running the ACME client (certbot) is not the one terminating SSL (serving the SSL certificate to the requester), this can pose challenges. I'm going to phone-a-friend here who is very experienced with complex setups to get his recommendations.
I know you are doing renew, this is just example. The --debug-challenge will pause the --standalone server while it waits for you to press enter. You can then "poke" it with something like:
curl -i (domain)
Might help identify what is blocking access to the --standalone server
Just to clarify, this worked when I use docker (which you can see now works when you hit the domain), it's NOT working with the yum installed package.
At this point, the cert is all renewed, all good, my point is that I think there may be an issue with the certbot/centos combo (as per the original thread that I posted this on, which never got resolved) when in standalone mode.
I am happy with my setup as is, it worked up until this last renewal, however I believe the yum package was updated. It's just odd that standalone isn't working
Certbot offers the flag --http-01-port, which will run the standalone webserver on a higher port you specify.
I suggest using that flag to run Certbot on a random high port, and then proxy all traffic from your apache server in /.well-known/acme-challenge/ onto that port.
Doing so will accomplish two things:
You won't have to disrupt services for future renewals
You can spin up a quick webserver to test the proxypass, ensuring it works
Since you're running Certbot, you have Python on your system. One quick commandline can run a python webserver on a high port, just to test the proxypass. See: Serving Files with Python's SimpleHTTPServer Module
Edit: Issues like this are common on complex setups involving containers and proxies. IMHO, it's easiest to set things up to use a proxy because that creates a public facing route you can test reliably from external networks.
