Unable to renew cert

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: kee8.ddns.net

I ran this command: certbot renew

It produced this output:
Processing /etc/letsencrypt/renewal/kee8.ddns.net.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for sprocket.ddns.net
http-01 challenge for kee8.ddns.net
Using default address 80 for authentication.
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (kee8.ddns.net) from /etc/letsencrypt/renewal/kee8.ddns.net.conf produced an unexpected error: Failed authorization procedur$
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/kee8.ddns.net/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/kee8.ddns.net/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

Ask for help or search for solutions at https://community.letsencrypt.org 1$

My web server is (include version):nginx version: nginx version: nginx/1.14$
The operating system my web server runs on is (include version):
Linux 5.10.103-v7+ #1529 SMP Tue Mar 8 12:21:37 GMT 2022 armv7l GNU/Linux
on Raspberry Pi 3B

My hosting provider, if applicable, is: self-host

I can login to a root shell on my machine (yes or no, or I don't know):yes

I'm using a control panel to manage my site (no, or provide the name and ve$

The version of my client is (e.g. output of certbot --version or certbot-au$

Additional info
site sprocket.ddns.net is no longer in use and ddns domain removed

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: self-host

I can login to a root shell on my machine (yes or no, or I don't know):yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):certbot 0.31.0
Additional info
site sprocket.ddns.net is no longer in use and ddns domain removed

Hi @teockm,

Try running something like

certbot --nginx --cert-name kee8.ddns.net -d kee8.ddns.net

If this works, it should replace your existing certificate with a newly obtained one that only includes the domain name that you are still using, and omits the old one.


Thanks for the quick response.
Tried your suggestion but got the following error message:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for kee8.ddns.net
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. kee8.ddns.net (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: 66.228.0.178: Fetching http://kee8.ddns.net/.well-known/acme-challenge/4Pm8R7y34ad93bELbhfpCxnIbc1Yogr9xMKxJRf2s3I: Timeout during connect (likely firewall problem)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: kee8.ddns.net
    Type: connection
    Detail: 66.228.0.178: Fetching
    http://kee8.ddns.net/.well-known/acme-challenge/4Pm8R7y34ad93bELbhfpCxnIbc1Yogr9xMKxJRf2s3I:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.


Port 80 needs to be open.


I checked my proxy server's firewall status and it showed both ports 80 and 443 allowed. My web server with a local 192.168.1.xx address has port 80 open as well.

Something is preventing the connection.

Does your ISP block port 80?


Supplemental information

$ nmap -Pn kee8.ddns.net
Starting Nmap 7.80 ( https://nmap.org ) at 2023-03-08 16:18 UTC
Nmap scan report for kee8.ddns.net (66.228.0.178)
Host is up (0.25s latency).
Not shown: 999 filtered ports
PORT    STATE SERVICE
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 22.83 seconds
$ nmap -Pn sprocket.ddns.net
Starting Nmap 7.80 ( https://nmap.org ) at 2023-03-08 16:19 UTC
Failed to resolve "sprocket.ddns.net".
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.12 seconds

Failed traceroute on Port 80 to domain name kee8.ddns.net

$ sudo traceroute -T -p 80 kee8.ddns.net
traceroute to kee8.ddns.net (66.228.0.178), 30 hops max, 60 byte packets
 1  EdgeRouter-4 (192.168.1.1)  0.181 ms  0.145 ms  0.129 ms
 2  96.120.60.137 (96.120.60.137)  8.722 ms  8.897 ms  8.883 ms
 3  162.151.125.157 (162.151.125.157)  14.986 ms  8.854 ms  14.959 ms
 4  68.85.243.154 (68.85.243.154)  8.827 ms  8.813 ms  16.627 ms
 5  96.216.60.245 (96.216.60.245)  8.597 ms  8.771 ms  14.555 ms
 6  24.124.129.61 (24.124.129.61)  14.861 ms  21.432 ms  21.415 ms
 7  ae-69-ar01.beaverton.or.bverton.comcast.net (96.216.60.157)  56.945 ms  22.955 ms  8.836 ms
 8  be-36211-cs01.portland.or.ibone.comcast.net (68.86.94.193)  9.675 ms be-36241-cs04.portland.or.ibone.comcast.net (68.86.94.205)  9.572 ms be-36221-cs02.portland.or.ibone.comcast.net (68.86.94.197)  16.569 ms
 9  be-1211-cr11.portland.or.ibone.comcast.net (96.110.46.226)  16.504 ms be-1311-cr11.portland.or.ibone.comcast.net (96.110.46.242)  15.823 ms be-1111-cr11.portland.or.ibone.comcast.net (96.110.46.210)  16.432 ms
10  be-303-cr13.sunnyvale.ca.ibone.comcast.net (96.110.39.41)  30.094 ms be-301-cr13.sunnyvale.ca.ibone.comcast.net (96.110.36.121)  30.065 ms  30.038 ms
11  be-1213-cs02.sunnyvale.ca.ibone.comcast.net (96.110.46.21)  30.006 ms be-1113-cs01.sunnyvale.ca.ibone.comcast.net (96.110.46.9)  29.977 ms be-1213-cs02.sunnyvale.ca.ibone.comcast.net (96.110.46.21)  29.948 ms
12  be-3202-pe02.529bryant.ca.ibone.comcast.net (96.110.41.214)  30.563 ms be-3102-pe02.529bryant.ca.ibone.comcast.net (96.110.41.210)  38.159 ms be-3402-pe02.529bryant.ca.ibone.comcast.net (96.110.41.222)  36.764 ms
13  75.149.231.242 (75.149.231.242)  37.952 ms  35.137 ms  34.029 ms
14  203.208.173.137 (203.208.173.137)  206.356 ms 203.208.172.233 (203.208.172.233)  22.580 ms  22.471 ms
15  203.208.158.190 (203.208.158.190)  209.847 ms 203.208.173.105 (203.208.173.105)  203.967 ms 203.208.158.190 (203.208.158.190)  192.816 ms
16  203.208.166.234 (203.208.166.234)  200.303 ms 203.208.182.250 (203.208.182.250)  205.111 ms 203.208.166.234 (203.208.166.234)  206.483 ms
17  203.208.182.249 (203.208.182.249)  197.210 ms 203.208.158.190 (203.208.158.190)  206.426 ms 203.208.182.249 (203.208.182.249)  197.955 ms
18  203.208.166.234 (203.208.166.234)  207.678 ms 203.208.177.218 (203.208.177.218)  203.569 ms 203.208.171.110 (203.208.171.110)  198.550 ms
19  203.208.177.218 (203.208.177.218)  198.518 ms 165.21.138.182 (165.21.138.182)  214.150 ms  202.292 ms
20  SN-SINTP1-BO118-ae4.singnet.com.sg (165.21.138.93)  204.971 ms  204.220 ms  206.876 ms
21  SN-SINTP1-BO118-ae4.singnet.com.sg (165.21.138.93)  196.516 ms * *
22  165.21.138.182 (165.21.138.182)  217.901 ms * 103.67.168.134 (103.67.168.134)  207.652 ms
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

Good traceroute on Port 443 to domain name kee8.ddns.net

$ sudo traceroute -T -p 443 kee8.ddns.net
traceroute to kee8.ddns.net (66.228.0.178), 30 hops max, 60 byte packets
 1  EdgeRouter-4 (192.168.1.1)  0.198 ms  0.148 ms  0.174 ms
 2  96.120.60.137 (96.120.60.137)  7.208 ms  7.194 ms  7.180 ms
 3  162.151.125.157 (162.151.125.157)  7.159 ms  10.734 ms  7.132 ms
 4  68.85.243.154 (68.85.243.154)  8.710 ms  8.595 ms  8.559 ms
 5  96.216.60.245 (96.216.60.245)  8.628 ms  8.509 ms  8.589 ms
 6  24.124.129.61 (24.124.129.61)  8.461 ms  11.744 ms  11.708 ms
 7  ae-69-ar01.beaverton.or.bverton.comcast.net (96.216.60.157)  19.972 ms  18.423 ms  18.358 ms
 8  be-36231-cs03.portland.or.ibone.comcast.net (68.86.94.201)  16.089 ms be-36211-cs01.portland.or.ibone.comcast.net (68.86.94.193)  16.075 ms be-36241-cs04.portland.or.ibone.comcast.net (68.86.94.205)  16.058 ms
 9  be-1211-cr11.portland.or.ibone.comcast.net (96.110.46.226)  10.367 ms be-1311-cr11.portland.or.ibone.comcast.net (96.110.46.242)  9.587 ms  9.548 ms
10  be-302-cr13.sunnyvale.ca.ibone.comcast.net (96.110.36.125)  23.839 ms be-301-cr13.sunnyvale.ca.ibone.comcast.net (96.110.36.121)  23.824 ms be-303-cr13.sunnyvale.ca.ibone.comcast.net (96.110.39.41)  28.500 ms
11  be-1113-cs01.sunnyvale.ca.ibone.comcast.net (96.110.46.9)  28.483 ms be-1313-cs03.sunnyvale.ca.ibone.comcast.net (96.110.46.33)  28.469 ms be-1413-cs04.sunnyvale.ca.ibone.comcast.net (96.110.46.45)  27.837 ms
12  be-3202-pe02.529bryant.ca.ibone.comcast.net (96.110.41.214)  29.284 ms  29.270 ms be-3402-pe02.529bryant.ca.ibone.comcast.net (96.110.41.222)  21.157 ms
13  75.149.231.242 (75.149.231.242)  20.143 ms  24.932 ms  24.904 ms
14  * * 203.208.172.233 (203.208.172.233)  24.902 ms
15  203.208.172.225 (203.208.172.225)  198.683 ms 203.208.182.85 (203.208.182.85)  202.456 ms 203.208.182.249 (203.208.182.249)  215.304 ms
16  203.208.182.250 (203.208.182.250)  208.729 ms  204.605 ms  200.584 ms
17  203.208.177.218 (203.208.177.218)  191.199 ms 203.208.153.186 (203.208.153.186)  205.089 ms 203.208.158.190 (203.208.158.190)  205.035 ms
18  203.208.171.110 (203.208.171.110)  205.957 ms 203.208.166.234 (203.208.166.234)  201.440 ms SN-SINTP1-BO118-ae4.singnet.com.sg (165.21.138.93)  209.183 ms
19  203.208.177.218 (203.208.177.218)  200.479 ms 203.208.166.234 (203.208.166.234)  195.678 ms SN-SINTP1-BO118-ae4.singnet.com.sg (165.21.138.93)  202.904 ms
20  SN-SINTP1-BO118-ae4.singnet.com.sg (165.21.138.93)  202.852 ms 103.67.168.134 (103.67.168.134)  212.056 ms  211.940 ms
21  165.21.138.182 (165.21.138.182)  230.818 ms  215.170 ms *
22  66.228.0.178 (66.228.0.178)  216.890 ms 103.67.168.134 (103.67.168.134)  208.436 ms  214.306 ms
23  66.228.0.178 (66.228.0.178)  272.631 ms  278.179 ms *

And for Port 80 the breakage seems to happen here:
22 165.21.138.182 (165.21.138.182) 217.901 ms * 103.67.168.134 (103.67.168.134) 207.652 ms
23 * * *

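The diagnosis above (TCP/443 answers, TCP/80 never does) can be scripted so it runs before `certbot renew` instead of after a failed validation. The following is an added example written for this thread; it is not Certbot's code and not something any poster ran. It parses the "Failed authorization procedure" line quoted earlier to pull out the validator's IP and the challenge URL, then TCP-probes ports 80 and 443 on the host the way the nmap scan did and states which layer is blocking. All function names are this example's own; `--offline` replays the thread's nmap result through a simulated network so the script also runs without internet access.

```python
"""Pre-flight check for Certbot HTTP-01 renewals.

Added example written for this thread; it is not Certbot's code and not
code any poster ran. It does two things the thread did by hand:
  1. parses the "Failed authorization procedure" line Certbot prints, to
     pull out the validation server's IP and the challenge URL it fetched;
  2. TCP-probes port 80 and 443 on the host (what the nmap scan showed)
     and states which layer is blocking. Names below are this example's own.
"""
import re
import socket
import sys
from typing import Callable, Dict, Optional, Set, Tuple

# Constructed sample: the error line quoted in the thread.
SAMPLE_ERROR = (
    "Failed authorization procedure. kee8.ddns.net (http-01): "
    "urn:ietf:params:acme:error:connection :: The server could not connect "
    "to the client to verify the domain :: 66.228.0.178: Fetching "
    "http://kee8.ddns.net/.well-known/acme-challenge/"
    "4Pm8R7y34ad93bELbhfpCxnIbc1Yogr9xMKxJRf2s3I: "
    "Timeout during connect (likely firewall problem)"
)

_FAIL_RE = re.compile(
    r"Failed authorization procedure\. (?P<domain>\S+) \((?P<challenge>[\w-]+)\): "
    r"(?P<error>urn:ietf:params:acme:error:\w+) :: .*?:: "
    r"(?P<ip>[0-9a-fA-F.:]+?): Fetching (?P<url>\S+?): (?P<detail>.*)$"
)


def parse_acme_failure(line: str) -> Optional[Dict[str, str]]:
    """Split Certbot's failure line into its parts (None if it is not one)."""
    m = _FAIL_RE.search(line.strip())
    if not m:
        return None
    parts = m.groupdict()
    parts["token"] = parts["url"].rsplit("/", 1)[-1]
    return parts


def probe_port(host: str, port: int, timeout: float = 5.0,
               connect: Callable = socket.create_connection) -> str:
    """Classify a TCP connect attempt the way nmap does: open / refused / filtered."""
    try:
        with connect((host, port), timeout=timeout):
            return "open"
    except socket.timeout:          # SYN silently dropped: firewall / missing port-forward
        return "filtered"
    except ConnectionRefusedError:  # host reachable, nothing listening
        return "refused"
    except OSError:                 # no route, DNS failure, etc.
        return "unreachable"


def diagnose(results: Dict[int, str]) -> str:
    """Turn the 80/443 probe results into the most likely cause."""
    p80, p443 = results.get(80), results.get(443)
    if p80 == "open":
        return ("port 80 is reachable; if HTTP-01 still fails, check that the web "
                "server answers /.well-known/acme-challenge/ for this name")
    if p80 == "filtered" and p443 == "open":
        return ("TCP/443 answers but TCP/80 is silently dropped: a firewall or "
                "NAT port-forward rule for port 80 is missing, so the CA's "
                "HTTP-01 request never reaches the host")
    if p80 == "refused":
        return "host is reachable but nothing listens on port 80"
    return "host is not reachable on 80 or 443: check the DNS A/AAAA record and that the address is public"


def preflight(host: str, connect: Callable = socket.create_connection) -> Tuple[Dict[int, str], str]:
    """Probe 80 and 443 and return (per-port state, verdict)."""
    results = {port: probe_port(host, port, connect=connect) for port in (80, 443)}
    return results, diagnose(results)


def simulated_network(open_ports: Set[int]) -> Callable:
    """A fake connect() for offline runs: listed ports are 'open', all others time out."""
    class _Sock:
        def __enter__(self):
            return self

        def __exit__(self, *exc):
            return False

    def connect(address, timeout=None):
        if address[1] in open_ports:
            return _Sock()
        raise socket.timeout("timed out")
    return connect


if __name__ == "__main__":
    offline = "--offline" in sys.argv
    args = [a for a in sys.argv[1:] if a != "--offline"]
    parsed = parse_acme_failure(args[0] if args else SAMPLE_ERROR)
    if parsed is None:
        sys.exit("not a Certbot 'Failed authorization procedure' line")
    print(f"{parsed['domain']}: validator {parsed['ip']} fetched token {parsed['token']}")
    print(f"  -> {parsed['error']}: {parsed['detail']}")
    # --offline replays the thread's nmap result (443 open, 80 filtered); otherwise probe for real.
    connect = simulated_network({443}) if offline else socket.create_connection
    results, verdict = preflight(parsed["domain"], connect=connect)
    print(f"  probes: {results}\n  verdict: {verdict}")
```

Run it as `python3 preflight.py --offline` to see the thread's situation reproduced, or pass the failure line from your own Certbot log as the first argument to probe the real host. The probe is deliberately a plain TCP connect from wherever you run it; it tells you whether port 80 is reachable from that vantage point, so run it from outside your LAN (or a VPS) to see what the CA sees, since a NAT hairpin from inside the network can succeed even when the port-forward is missing.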

Many thanks for the nmap results.
It triggered me to check my router settings. I had removed port 80 from my port forwarding long ago and forgotten all about it.
Renewed the cert with the command suggested by Mr Schoen.
Everything works! Thanks again to all who responded.

