These sites stopped updating for some reason. The last successful access by letsencrypt is shown.
During the verification process letsencrypt makes no access to my web server (successful or error). Letsencrypt just says ‘timeout’. I have other sites, configured the same on the same server, which are still working.
The only thing I can think of that might affect this is that I changed the configuration from using DNS verification to http verification (because secondary DNS servers were too slow to update). But that was a few months before these failures started.
Note that I use getssl v2.10 (latest version) to manage my certs.
I ran this command:
getssl -w
It produced this output:
Registering account
Verify each domain
Verifying codehunter.ruaraidh.eu
copying challenge token to /etc/ssl/acme/.well-known/acme-challenge/YD-P3bZH2RA9_R61eywc6KxcL-GbEcld0wJXAq6Pr24
Pending
Pending
Pending
getssl: codehunter.ruaraidh.eu:Verify error: "Fetching http
My web server is (include version):
nginx nginx/1.6.2
The operating system my web server runs on is (include version):
Linux 4.9.0-1-amd64 #1 SMP Debian 4.9.6-3 (2017-01-28) x86_64 GNU/Linux
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no
I would appreciate some understanding of this problem and help to resolve.
Was the failure with the timeout message or something else?
I don’t think Let’s Encrypt validating IPs come from AWS, rather from Viawest (but even that is not dependable). You can’t reliably whitelist Let’s Encrypt IPs.
I (personally) can’t access 91.135.5.234 with a connection timeout, from some locations (none of which are China).
In my experience Spamhaus is worse than useless (harmful) and imo they should not advertise these lists.
Unfortunately neither getssl nor Certbot seems to support Let’s Encrypt’s flavor of account key roll-over, so you may need to find another client or write a script to change your account key, should you wish to do so.