Unable to renew certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: helpdesk.catanagroup.com

I ran this command: sudo certbot renew --dry-run -v

It produced this output:
"Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Simulating renewal of an existing certificate for helpdesk.catanagroup.com
Performing the following challenges:
http-01 challenge for helpdesk.catanagroup.com
Waiting for verification...
Challenge failed for domain helpdesk.catanagroup.com
http-01 challenge for helpdesk.catanagroup.com

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: helpdesk.catanagroup.com
Type: connection
Detail: 109.239.118.156: Fetching http://helpdesk.catanagroup.com/.well-known/acme-challenge/xC_LVXDzNPBhzVcY4zNL-qcX2kDESao4sJK22eXhPIk: Timeout after connect (your server may be slow or overloaded)

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet."

My web server is (include version): Apache 2.4.62

The operating system my web server runs on is (include version): Debian 12.8

My hosting provider, if applicable, is: self-hosted

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Certbot 3.2.0

You should also know that my ssl vhost is configured on port 65443 and even when i put it back on port 443, the renewal does not work

Thank you for your help

The --apache option uses an HTTP Challenge. This challenge has the Let's Encrypt server sending an HTTP request using port 80 to your domain. This request is timing out.

A helpful site to test new setups is this:

If for some reason you cannot use port 80, you may need to look at using a DNS Challenge instead.

3 Likes

First, thank you for this answer.

So that would mean that my port 80 is unavailable?

1 Like

Correct.

2 Likes

OK, so after checking my firewall, my port 80 is open and redirecting to the correct server.

However, when I am in my LAN, I can access my website via the FQDN of the VM on which the website is and not the servername I set in the vhost parameters.

So correct me if I am wrong, but could the problem come from here?

The HTTP Challenge requests from the Let's Encrypt server come from the public internet. Your server must be reachable and reply properly to such requests.

The exact error shown by Certbot is a little unusual which is why I suggested using Let's Debug to test connections.

You could also try using a mobile phone with wifi disabled. Then try connecting to: http://helpdesk.catanagroup.com
Most likely you will also fail to connect.

You say self-hosted so check your router config especially for any firewall and the NAT or port forwarding. If your ISP does not allow inbound requests on port 80 you will need to use a DNS Challenge. Or, with Apache you could use its mod_md feature instead of Certbot with TLS-ALPN Challenge.

But, yes, it all comes down to connections to your server from the public internet.

2 Likes
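The two replies above describe what the CA actually does during an http-01 challenge: it fetches http://<domain>/.well-known/acme-challenge/<token> over port 80 from the public internet and expects the key authorization back. The script below is an added example, not part of this thread or of Certbot, that reproduces that fetch and classifies the outcome, including the "Timeout after connect" case from the original error (TCP handshake completes, no HTTP reply, which is what a port forward to the wrong host looks like). The local fixtures (`serve_challenges`, `silent_listener`) and the token/key-authorization values are constructed for the example so it runs offline; against a real host, run `diagnose()` from outside your LAN, since the CA resolves the name itself and connects from the public internet, not from your local DNS.

```python
"""Reachability probe modelled on the ACME http-01 challenge (added example)."""
import http.server
import socket
import threading
import urllib.error
import urllib.request

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def challenge_url(domain, token, port=80):
    """URL the CA fetches for http-01 (RFC 8555 section 8.3). The CA always uses
    port 80; the port argument only exists so the probe can target local fixtures."""
    host = domain if port == 80 else f"{domain}:{port}"
    return f"http://{host}{CHALLENGE_PREFIX}{token}"


def probe(url, expected_body, timeout=5.0):
    """GET the URL like the CA would and classify the outcome as one of:
    ok / wrong-body / http-<code> / refused / timeout / error:<reason>."""
    req = urllib.request.Request(url, headers={"User-Agent": "acme-probe-example/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace").strip()
    except urllib.error.HTTPError as e:
        return f"http-{e.code}"            # something answered on port 80, but not our vhost
    except urllib.error.URLError as e:
        if isinstance(e.reason, (socket.timeout, TimeoutError)):
            return "timeout"               # connect timed out: packets dropped on the way
        if isinstance(e.reason, ConnectionRefusedError):
            return "refused"               # host reachable, nothing listening on that port
        return f"error:{e.reason}"
    except (socket.timeout, TimeoutError):
        return "timeout"                   # TCP connected, no HTTP reply: "Timeout after connect"
    return "ok" if body == expected_body else "wrong-body"


def explain(outcome):
    """Map a probe outcome to the causes discussed in the thread."""
    if outcome == "ok":
        return "port 80 reaches the right vhost; http-01 should pass"
    if outcome == "wrong-body" or outcome.startswith("http-"):
        return "a web server answered but did not serve the token: wrong server or wrong vhost"
    if outcome == "timeout":
        return "no HTTP reply: check the NAT/port-forward target and firewall on port 80"
    if outcome == "refused":
        return "host reachable but nothing listens on port 80"
    return "unexpected result: " + outcome


def diagnose(domain, token, key_auth, port=80, timeout=5.0):
    """Run the probe once and return (outcome, explanation)."""
    outcome = probe(challenge_url(domain, token, port), key_auth, timeout)
    return outcome, explain(outcome)


class _ChallengeHandler(http.server.BaseHTTPRequestHandler):
    tokens = {}                            # token -> key authorization, set per server

    def do_GET(self):
        if self.path.startswith(CHALLENGE_PREFIX):
            body = self.tokens.get(self.path[len(CHALLENGE_PREFIX):])
            if body is not None:
                data = body.encode()
                self.send_response(200)
                self.send_header("Content-Type", "text/plain")
                self.send_header("Content-Length", str(len(data)))
                self.end_headers()
                self.wfile.write(data)
                return
        self.send_error(404)

    def log_message(self, *args):          # keep the fixture quiet
        pass


def serve_challenges(tokens):
    """Constructed fixture: a throwaway HTTP server on 127.0.0.1 that answers http-01
    requests for the given tokens, standing in for the correct Apache vhost."""
    handler = type("Handler", (_ChallengeHandler,), {"tokens": dict(tokens)})
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def silent_listener():
    """Constructed fixture: a socket that completes the TCP handshake but never
    answers, reproducing the CA's 'Timeout after connect' symptom (a port forward
    landing on a host that accepts the connection but is not the web server)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    s.listen(5)
    return s, s.getsockname()[1]


if __name__ == "__main__":
    srv, port = serve_challenges({"tok": "tok.keyauth"})
    print(diagnose("127.0.0.1", "tok", "tok.keyauth", port, 2.0))
    srv.shutdown()
    sock, port = silent_listener()
    print(diagnose("127.0.0.1", "tok", "tok.keyauth", port, 0.5))
    sock.close()
```

The probe deliberately distinguishes "a server answered with the wrong content" from "nothing answered": the first means port 80 is forwarded to a machine that is not the one Certbot just configured, the second means the forward target drops or never answers. Both show up in Certbot as a failed http-01 challenge, but they point at different lines in the router's NAT table.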

Yes, but I should be able to access my website locally (in LAN) via http://helpdesk.catanagroup.com, but even locally I can't. I can only access it via http://helpdesk.catana.local. Do you have any idea why?

Maybe the IP address in the DNS is not correct?

Questions about general server and network config are best asked at a forum specializing in those topics.

2 Likes

OK, so I found the solution. My firewall was redirecting port 80 to the wrong server...

Thanks a lot for your help and your time !

2 Likes