Unable to renew time out

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: roe13.org

I ran this command: /certbot-auto renew --dry-run Renew also fails the same way as does manual.

It produced this output:
Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for roe13.org
http-01 challenge for www.roe13.org
Waiting for verification…
Challenge failed for domain roe13.org
Challenge failed for domain www.roe13.org
http-01 challenge for roe13.org
http-01 challenge for www.roe13.org
Cleaning up challenges
Attempting to renew cert (roe13.org) from /etc/letsencrypt/renewal/roe13.org.conf produced an unexpected error: Some challenges have failed… Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/roe13.org/fullchain.pem (failure)


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/roe13.org/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version): Server version: Apache/2.4.23 (Linux/SUSE)
Server built: 2019-02-26 15:44:01.000000000 +0000

The operating system my web server runs on is (include version):
NAME=“openSUSE Leap”
VERSION=“42.3”

My hosting provider, if applicable, is: self

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.15.0 (same issue with second identical server with newer version)

Logs show successful access to the validation files.

18.224.20.83 - - [18/Mar/2020:11:29:05 -0500] “GET /.well-known/acme-challenge/o4Tqu7_Cm2Bc5zg7pODX9orqgu7qq1sMZT7iNrkfHVU HTTP/1.1” 200 87 “-” “Mozilla/5.0 (compatible; Let’s Encrypt validation server; +https://www.letsencrypt.org)”
18.224.20.83 - - [18/Mar/2020:11:29:06 -0500] “GET /.well-known/acme-challenge/itYW0XRoH1y8HJOuh6GS4vrFqsS6AZfPv6vC25A-p5w HTTP/1.1” 200 87 “-” “Mozilla/5.0 (compatible; Let’s Encrypt validation server; +https://www.letsencrypt.org)”
66.133.109.36 - - [18/Mar/2020:11:29:06 -0500] “GET /.well-known/acme-challenge/itYW0XRoH1y8HJOuh6GS4vrFqsS6AZfPv6vC25A-p5w HTTP/1.1” 200 87 “-” “Mozilla/5.0 (compatible; Let’s Encrypt validation server; +https://www.letsencrypt.org)”
66.133.109.36 - - [18/Mar/2020:11:29:06 -0500] “GET /.well-known/acme-challenge/o4Tqu7_Cm2Bc5zg7pODX9orqgu7qq1sMZT7iNrkfHVU HTTP/1.1” 200 87 “-” “Mozilla/5.0 (compatible; Let’s Encrypt validation server; +https://www.letsencrypt.org)”

Same results with manual. Checks with whynopadlock, ssllabs and Let’s debug are good. check-your-website.server also gets the error: Fatal: Check of /.well-known/acme-challenge/random-filename has a timeout. Creating a Letsencrypt certificate via http-01 challenge can’t work. You need a running webserver (http) and an open port 80. If it’s a home server + ipv4, perhaps a correct port forwarding port 80 extern ⇒ working port intern is required. Port 80 / http can redirect to another domain port 80 or port 443, but not other ports. If it’s a home server, perhaps your ISP blocks port 80. Then you may use the dns-01 challenge. Trouble creating a certificate? Use https://community.letsencrypt.org/ to ask

I do block most out of the US addresss at a firewall but web logs show access. Updates were fine all last year and worked on 1/1/2020. No changes since then until I started trying to fix it.

1 Like

Hi @DON1

that’s wrong.

Please read

and open your firewall or switch to dns challenge.

Your error

says: The Letsencrypt data center can check your domain. The other network points can’t. You have to allow that.

1 Like

I have a never ending onslaught of hacking attempts if I don’t block. Same blocks were in place last year. Is there a range or ranges of addresses I can allow?

1 Like

That’s

wrong. These are script kiddies, completely unrelevant. Or has your server such great security holes?

If someone really want to hack your server, it’s easy to use an ip from your country you don’t block.

1 Like

I won’t debate the merits of blocking. My box, I’ll block the kiddies and the bots. DNS worked. Thanks!

1 Like

Eh, you’re blocking me as well. Consider using fail2ban instead.

1 Like