Unable to Renew Cert

My domain is: cra.nmgcb.org

I ran this command:
certbot renew
It produced this output:
http://cra.nmgcb.org/.well-known/acme-challenge/CgWT6U2f9_9aBRXtLcVhsyaH4l4_TYt27ELmRoDNHLQ:
Timeout during connect (likely firewall problem)

My web server is (include version):
Nginx 1.14.0 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 18.04.6

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
0.31.0

I ensured that 443 is open by using nmap:

root@DESKTOP-2A9G0QE:/home/jcloyd# nmap -sT cra.nmgcb.org
Starting Nmap 7.80 ( https://nmap.org ) at 2022-10-14 11:40 MDT
Nmap scan report for cra.nmgcb.org (164.64.172.202)
Host is up (0.060s latency).
Not shown: 998 filtered ports
PORT    STATE SERVICE
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 7.42 seconds

Not sure why it is not renewing.

Because port 80 is filtered, that's why. :smiley:

3 Likes

Hi @saltywaffles, and welcome to the LE community forum :slight_smile:

Port 443 isn't relevant when using HTTP-01 authentication.
Notice the failure is via HTTP:

I also can't connect to your system via HTTP [TCP port 80]:

curl -Ii cra.nmgcb.org
curl: (56) Recv failure: Connection reset by peer

Let's Debug shows a similar issue:
Let's Debug (letsdebug.net)

4 Likes

How would I allow port 80? In my Nginx config file it is set to port 80, and Certbot set SSL to 443:

server {
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    server_name cra.nmgcb.org;

    location / {
        proxy_pass http://localhost:8080/guacamole/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        access_log on;
    }

    #    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/cra.nmgcb.org/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/cra.nmgcb.org/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    add_header Strict-Transport-Security "max-age=31536000" always; # managed by Certbot
}

server {
    if ($host = cra.nmgcb.org) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80 default_server;
    #    listen [::]:3200 default_server;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    server_name cra.nmgcb.org;

    location / {
        proxy_pass http://localhost:8080/guacamole/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        access_log off;
    }
}

The blocked HTTP port is likely a firewall rule (or your ISP is blocking it for you).

4 Likes
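The two replies above make one point: HTTP-01 validation is a plain-HTTP GET on TCP port 80 for /.well-known/acme-challenge/<token>, so an nmap result of "filtered" on port 80 (a firewall or ISP dropping the SYN) shows up in Certbot as "Timeout during connect", and port 443 being open is irrelevant. The script below is an added example, not code from this thread, from Certbot or from Let's Encrypt: it performs that same GET and maps the outcome onto the symptoms discussed here (timeout = filtered, refused = closed, reset, 404, wrong body). The token and key-authorization values and the loopback test server are assumptions used for illustration; the domain is the one from the thread.

```python
"""HTTP-01 reachability probe (added example, not Certbot/Let's Encrypt code).

Does what the CA's validation server does for HTTP-01: a plain-HTTP GET on
TCP/80 for /.well-known/acme-challenge/<token>, then classifies the result.
Token / key-authorization values and the loopback test server are assumptions.
"""
import socket
import sys
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

ACME_PATH = "/.well-known/acme-challenge/"


def check_http01(host, token, key_authorization, port=80, timeout=5.0):
    """Probe one HTTP-01 challenge URL and return a verdict string.

    'ok'          200 and body == key_authorization (what the CA accepts)
    'wrong-body'  200 but a different body (stale token, wrong vhost answered)
    'http-<code>' any other status; the CA follows 301/302 redirects, so a
                  redirect is only fine if its target serves the token too
    'timeout'     TCP connect timed out: nmap 'filtered', firewall/ISP drop
    'refused'     RST on connect: nmap 'closed', nothing listening on the port
    'reset'       connection reset after connect (e.g. a middlebox)
    'dns'         the name did not resolve
    """
    conn = HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", ACME_PATH + token)
        resp = conn.getresponse()
        body = resp.read().decode("ascii", errors="replace").strip()
        if resp.status != 200:
            return f"http-{resp.status}"
        return "ok" if body == key_authorization else "wrong-body"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except ConnectionResetError:
        return "reset"
    except socket.gaierror:
        return "dns"
    finally:
        conn.close()


def serve_tokens(tokens, bind="127.0.0.1"):
    """Throwaway loopback HTTP server that answers the challenge path for the
    given {token: key_authorization} map and 404 for anything else.  It stands
    in for nginx so the probe can be exercised offline.  Returns (port, server);
    call server.shutdown() and server.server_close() when done."""

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            token = self.path[len(ACME_PATH):] if self.path.startswith(ACME_PATH) else None
            if token not in tokens:
                self.send_error(404)
                return
            body = tokens[token].encode("ascii")
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):
            pass  # keep probe output quiet

    server = ThreadingHTTPServer((bind, 0), Handler)  # port 0 = ephemeral
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address[1], server


if __name__ == "__main__":
    # Usage: python3 http01_probe.py cra.nmgcb.org <token> <key-authorization>
    # Run it from OUTSIDE the server's network: a probe from the host itself
    # never crosses the perimeter firewall that the CA's validator must cross.
    domain, token, key_auth = sys.argv[1:4]
    verdict = check_http01(domain, token, key_auth)
    print(f"{domain}: {verdict}")
    sys.exit(0 if verdict == "ok" else 1)
```

A "timeout" verdict from an outside vantage point, with the nginx port-80 server block present and `ss -ltn` showing a listener on :80, points at the firewall (host firewall such as ufw, a cloud security group, or the ISP), which is exactly what the thread concluded. A "refused" verdict instead means the packets arrive but nothing is bound to the port.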

Lol...well I do feel dumb. I checked my Firewall rules and it only allowed HTTPS for that webserver. I allowed HTTP connections and it worked; the cert has been renewed. Thanks for all the help!

4 Likes
