Unable to renew certs after upgrade to snap

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
lifeinlocal.com
I ran this command:
sudo certbot renew --standalone --dry-run
It produced this output:
Certbot failed to authenticate some domains (authenticator: standalone)
...
Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started on port 80.
My web server is (include version):
n/a - using certbot's
The operating system my web server runs on is (include version):
Ubuntu 14.04
My hosting provider, if applicable, is:
n/a
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
1.31.0

NOTE: Renewals have been working for years until the past weekend when letsencrypt-auto renew stopped working and I had to update to snap. After the update, I have been unable to renew or get new certs.

Please provide the entire output instead of leaving out essential parts. Thank you.


Port 80 seems to be blocked for demo.lifeinlocal.com / 207.178.252.116. Please allow and/or NAT portmap port 80 too.

Also, is there a specific reason why you're using the --standalone plugin instead of the --apache or --webroot plugin? There seems to be an Apache running on that host.


Port 80 is not blocked and is mapped correctly. As I mentioned, everything was working perfectly fine before having to upgrade to snap.

I tried adding Apache as a workaround when it wasn't working. Apache is currently stopped. (The server currently runs Pound as a reverse proxy, which is stopped during the cert renewals.)

What do you see to draw that conclusion? Because a port map test from my test server shows these filtered (blocked):

nmap -p22,25,80,443 demo.lifeinlocal.com -Pn
rDNS record for 207.178.252.116: mail.lifeinlocal.com
PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp filtered https

The Let's Debug test site cannot see it either. (results here)


From around the world HTTP

And HTTPS


From around the world HTTP

And for HTTPS

I have no problem getting demo.lifeinlocal.com in a browser.

We have most server farms blocked at the firewall; most likely check-host.net is using IPs that are blocked. I turn the blocks off when renewing the certs, because letsencrypt was getting blocked as well. And yes, I re-confirmed the blocks were off when I tried the renewals this time.

Please check these out, as your server is using obsolete crypto suites.

and

Based on using

  1. GitHub - drwetter/testssl.sh: Testing TLS/SSL encryption anywhere on any port
  2. https://testssl.sh/

Hmm. Should it work right now? Because I tried my phone (w/wifi off) and still could not get through using HTTP. I can see it with HTTPS. Which is what you show on your latest post (note the padlock next to demo...)

In any event, with your standalone command you could try adding this as a test

sudo certbot certonly --standalone --dry-run -v --debug-challenges -d demo.lifeinlocal.com

It will pause showing you the challenge URL. You should try that from outside your local network. You must keep the certbot running while you make those tests. If you want, show that URL to us and we can try too.

My own certbot install is broken at the moment so I can't try it, but I am pretty sure that is the correct format. (I will pursue that promptly)

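The check described in the previous reply (leave certbot paused on --debug-challenges, then fetch the challenge URL from a vantage point outside the local network) written out as a small Python checker. This is an added example, not certbot's own code and not something posted in the thread. It uses only the standard library; the stand-in challenge server, the token and the thumbprint are constructed so the example runs offline on loopback. It tells apart the three outcomes the thread is arguing about: a TCP timeout (a firewall or missing NAT rule dropping port 80, which is what nmap reports as "filtered"), a refused connection (nothing listening, e.g. certbot not running), and an HTTP answer that is not the token (a proxy such as Pound still bound to port 80 instead of certbot's standalone server).

```python
import http.server
import socket
import socketserver
import threading
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Path prefix used by the ACME http-01 challenge (RFC 8555, section 8.3).
ACME_PATH = "/.well-known/acme-challenge/"


def classify_challenge_url(url, timeout=5.0):
    """Fetch an http-01 challenge URL roughly the way the CA does.

    Returns (verdict, detail). Verdicts: bad-url, filtered, closed, ok,
    redirect, http-<code>, error."""
    parsed = urlparse(url)
    if parsed.scheme != "http" or not parsed.path.startswith(ACME_PATH):
        return "bad-url", "http-01 validation starts over plain HTTP under " + ACME_PATH
    port = parsed.port or 80

    # Step 1: a raw TCP connect separates a firewall problem from a web-server problem.
    try:
        with socket.create_connection((parsed.hostname, port), timeout=timeout):
            pass
    except socket.timeout:
        return "filtered", "TCP connect timed out: a firewall or NAT rule is dropping port %d" % port
    except OSError as exc:
        return "closed", "TCP connect failed (%s): nothing is listening on port %d" % (exc, port)

    # Step 2: plain GET without following redirects, so an HTTPS redirect is reported as such.
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # makes urllib raise HTTPError for 3xx instead of following it

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return "ok", resp.read().decode("ascii", "replace").strip()
    except urllib.error.HTTPError as exc:
        if exc.code in (301, 302, 307, 308):
            return "redirect", "redirected to %s; that target must serve the token" % exc.headers.get("Location")
        return "http-%d" % exc.code, "a web server answered, but not with the token (a proxy in front of certbot would do this)"
    except urllib.error.URLError as exc:
        return "error", str(exc.reason)


class ChallengeHandler(http.server.BaseHTTPRequestHandler):
    """Minimal stand-in for certbot's temporary standalone server (constructed for this example)."""
    tokens = {}  # token -> key authorization, filled in by start_challenge_server

    def do_GET(self):
        token = self.path[len(ACME_PATH):] if self.path.startswith(ACME_PATH) else None
        body = self.tokens.get(token)
        if body is None:
            self.send_error(404)
            return
        data = body.encode("ascii")
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_challenge_server(tokens):
    """Start the stand-in server on a free loopback port; returns (server, port)."""
    ChallengeHandler.tokens = dict(tokens)
    server = socketserver.TCPServer(("127.0.0.1", 0), ChallengeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def run_demo():
    """Exercise the checker against the stand-in server, a wrong token and a closed port."""
    token = "constructed-token-123"  # constructed, not a real ACME token
    server, port = start_challenge_server({token: token + ".constructed-thumbprint"})
    try:
        good = classify_challenge_url("http://127.0.0.1:%d%s%s" % (port, ACME_PATH, token))
        wrong = classify_challenge_url("http://127.0.0.1:%d%sno-such-token" % (port, ACME_PATH))
    finally:
        server.shutdown()
        server.server_close()
    # The server is gone now, so the same URL should report a closed port, not a filtered one.
    closed = classify_challenge_url("http://127.0.0.1:%d%s%s" % (port, ACME_PATH, token), timeout=2)
    return {"good": good[0], "wrong": wrong[0], "closed": closed[0], "body": good[1]}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(name, "->", verdict)
```

Against a real host, call classify_challenge_url with the URL certbot prints while paused; a "filtered" verdict from an outside vantage point together with a working local fetch is the signature of the firewall/NAT problem discussed above, while "http-404" or "redirect" means something other than certbot's standalone server is answering on port 80.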
