I have been using Let's Encrypt certificates for several years, but now the update, aka renewal, fails completely.
The system is based on Ubuntu 20.04 LTS and the Apache web server is version 2.4.41. However, for some weeks this update process has been failing continuously. It looks like the .well-known directory with the challenge isn't written by the certbot application. I make use of the snap version of certbot rather than the apt version, but both fail with the same error message: "Certbot failed to authenticate some domains (www.broesecke.eu). During secondary validation the challenge couldn't be read, a timeout occurred."
Even the originating IPs performing this renewal aren't blocked by my firewall, and this leads to the assumption that it is either a directive of my web server or that I do not fully understand the mechanism of Certbot.
I hope someone can support me in determining the issue.
Yep, I block a lot of connections. I had several attacks some months ago and decided to block them as soon as possible. However, port 80 is open but redirects to my https site, and both configs have the same web root.
You need to open your firewall to allow all port 80 connections. Does it have an API that you could open and close just during the renewal? Certbot has --pre-hook and --post-hook for that.
Can your firewall look at the URI and allow all acme-challenge requests?
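As an added illustration of the --pre-hook/--post-hook idea (example script, not something posted by anyone in this thread): a hook script that inserts an accept-all rule for port 80 right before validation and removes it right after. It assumes an iptables-based firewall with the block rules in the INPUT chain; the thread does not say which firewall is actually in use, so adapt the two commands to yours.

```shell
#!/bin/sh
# Added example: open port 80 to every source only while certbot renews,
# then close it again. Assumes an iptables firewall (an assumption; the
# thread does not name the firewall) whose network block rules live in
# the INPUT chain. Install e.g. as /usr/local/sbin/acme-fw.sh and run:
#   certbot renew --pre-hook "/usr/local/sbin/acme-fw.sh pre" \
#                 --post-hook "/usr/local/sbin/acme-fw.sh post"
# certbot runs --pre-hook before validation starts and --post-hook after
# it finishes (success or failure), so the window is only a few seconds.

IPTABLES="${IPTABLES:-iptables}"   # overridable for dry runs and tests
ACME_RULE="-p tcp --dport 80 -j ACCEPT"

# Insert the accept rule at position 1 of INPUT so it is evaluated before
# any DROP/REJECT rule for blocked networks. Let's Encrypt validates from
# several vantage points ("secondary validation"), so the rule must admit
# all sources rather than a fixed list of validator addresses.
open_port80() {
    # shellcheck disable=SC2086  # ACME_RULE is meant to be word-split
    "$IPTABLES" -I INPUT 1 $ACME_RULE
}

# Delete exactly the rule inserted above, restoring the block policy.
close_port80() {
    # shellcheck disable=SC2086
    "$IPTABLES" -D INPUT $ACME_RULE
}

case "${1:-}" in
    pre)  open_port80 ;;
    post) close_port80 ;;
    *)    echo "usage: $0 pre|post" >&2 ;;
esac
```

Because --post-hook also runs when validation fails, the block rules are restored even on a failed renewal; check with `iptables -S INPUT` afterwards that no stray accept rule remains.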
Hmm, port 80 isn't blocked in the firewall. Yes, I block certain networks from forwarding to my web server. If I use my mobile phone and open http://www.broesecke.eu, I get the certificate error and approve it; then I can see the content of my web server.
Can you please refer me to the documentation for the pre and post hooks?
P.S.: Once I removed the permanent redirect just for fun and opened the connection, I got the index.html created.