
I am facing the following error when I try to renew my SSL certificate using

certbot renew

Challenge failed for domain ***********.com

Some challenges have failed.

The following errors were reported by the server:

Domain: arjunbroker.com Type: connection Detail: Fetching http://arjunbroker.com/.well-known/acme-challenge/F9nlyrRQBpJGOpPLHGPCj1vzdJOd_rBISU7q2aX7t_o: Timeout during connect (likely firewall problem)

I have checked UFW and firewalld. And both port 80 and 443 are open.

umunBeing

5 Answers


I fixed that in AWS EC2 by updating the Security Group like this: (screenshot not reproduced)

More about EC2 Security Groups: https://docs.aws.amazon.com/pt_br/AWSEC2/latest/UserGuide/ec2-security-groups.html

  • For me it was adding 0.0.0.0/0 to port 80, even though the other wildcard format for 80 was already set and had been working for years. – user1130176 Jul 24 '23 at 15:59

I finally realised that, prior to installing SSL on this server, I used to forward port 80 to port 8080 using:

 sudo /sbin/iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

So I simply forwarded port 80 back to port 80.

Lesson learnt: for Certbot to work, port 80 forwarding should be in place.

umunBeing
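The check behind this answer, written out as an added example (this is not code from the original post, and the function names and the sample rule set are mine): with a REDIRECT rule like the one above in place, a connection to port 80 is handed to whatever listens on 8080 before any web server or certbot standalone listener on port 80 sees it, so the validator's request for /.well-known/acme-challenge/... never reaches the process that serves the token. The script parses the text format of `iptables-save -t nat` (a constructed sample is embedded so it runs offline) and lists every PREROUTING rule that diverts TCP/80, together with the `iptables -D` command that removes it.

```shell
#!/bin/sh
# Added example, not from the original post: find NAT rules that divert
# inbound TCP/80 before it reaches the web server on port 80.

# Constructed sample of `iptables-save -t nat` output as it would look after
# the REDIRECT rule from the answer had been added (hypothetical host).
SAMPLE_NAT_RULES='# Generated by iptables-save
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.0.5:8443
COMMIT'

# Print every PREROUTING rule whose match is TCP destination port 80 and
# whose target is REDIRECT or DNAT. $1 is iptables-save text.
# "--dport 80( |$)" keeps "--dport 8080" from matching. Returns 1 (grep's
# no-match status) when port 80 is not diverted.
port80_diversions() {
    printf '%s\n' "$1" | grep -E -- '^-A PREROUTING .*--dport 80( |$).*-j (REDIRECT|DNAT)'
}

# Turn a saved "-A PREROUTING ..." rule into the command that deletes it:
# iptables -D takes exactly the match and target arguments that -A took.
delete_command_for() {
    printf 'iptables -t nat -D %s\n' "${1#-A }"
}

# Offline run on the constructed sample. On a real host use:
#   port80_diversions "$(iptables-save -t nat)"
if rules=$(port80_diversions "$SAMPLE_NAT_RULES"); then
    echo "Port 80 is diverted before it reaches the web server:"
    printf '%s\n' "$rules" | while IFS= read -r rule; do
        echo "  $rule"
        echo "  remove with: $(delete_command_for "$rule")"
    done
else
    echo "No NAT rule diverts port 80."
fi
```

Run the same check against `ip6tables-save -t nat` as well, since the IPv4 and IPv6 NAT tables are separate and the validator uses IPv6 when the domain has an AAAA record. Removing the rule is not the only fix: the redirect can stay if the service on 8080 serves the challenge directory itself (for example by pointing certbot's webroot at that service's document root).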

I finally realized that I ONLY had http/https open to my test client machines. I opened them wide for the certbot run then closed them again. I'll try to determine what IP needs to be open for letsencrypt probes so I can automate the certbot renewals.

brucer42
  • This does not really answer the question. If you have a different question, you can ask it by clicking [Ask Question](https://stackoverflow.com/questions/ask). To get notified when this question gets new answers, you can [follow this question](https://meta.stackexchange.com/q/345661). Once you have enough [reputation](https://stackoverflow.com/help/whats-reputation), you can also [add a bounty](https://stackoverflow.com/help/privileges/set-bounties) to draw more attention to this question. – rv.kvetch Sep 25 '21 at 04:44 (From Review)

For me the issue was that Let's Encrypt uses IPv6 if possible to do the http challenge and my site worked fine over IPv4 but not over IPv6 (as I had it setup wrong). You can use this site to test your IPv6 setup.

gene_wood

I solved this by disabling 'Permanent SEO-safe 301 redirect from HTTP to HTTPS' (in Hosting Settings for Plesk / CentOS Linux 7.9).

LetsEncrypt wouldn't assign or renew its SSL certificates otherwise. Spent a day re-configuring DNS, panel.ini, the firewall, etc., and eventually pinpointed this as the specific cause.

The issue surfaced about 10 months ago and we only realised what was happening recently.

Lynton Black
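The security-group, allow-listing, IPv6 and redirect answers above all come down to one question: can the Let's Encrypt validator fetch http://<domain>/.well-known/acme-challenge/<token> from the outside? Three facts decide that. Let's Encrypt does not publish the addresses its validators use and validates from several vantage points at once, so allow-listing probe IPs is not a workable approach; port 80 has to be open to 0.0.0.0/0 and, when the domain has an AAAA record, to ::/0. When an AAAA record exists the validator prefers IPv6, so a site that only works over IPv4 fails. And the HTTP-01 validator follows http:// and https:// redirects, so a 301 to HTTPS by itself is fine; it breaks validation only when the redirect target does not serve the same token path, and the usual fix is to exempt /.well-known/acme-challenge/ from the redirect rather than disable it. The script below, an added example that is not code from the page or from certbot (function names are mine), repeats the validator's fetch from a machine outside the server, once over IPv4 and once over IPv6, without following redirects, and turns the result into one of those diagnoses. The certbot error line it parses is a constructed sample with placeholder domain and token.

```shell
#!/bin/sh
# Added example, not from the original page: reproduce the validator's fetch
# of the HTTP-01 challenge URL over IPv4 and over IPv6 and name the failure.
# Run it from a host that is NOT the web server; the validator is outside too.
# Requires curl.

# Constructed sample of a certbot "Detail:" line (placeholder domain/token).
SAMPLE_ERROR='Domain: example.com Type: connection Detail: Fetching http://example.com/.well-known/acme-challenge/TOKEN_FROM_CERTBOT_OUTPUT: Timeout during connect (likely firewall problem)'

# Extract the challenge URL from such a line.
challenge_url() {
    printf '%s\n' "$1" | sed -n 's/.*Fetching \(http[^ ]*\): .*/\1/p'
}

# Map an HTTP status code ($1) and redirect target ($2, may be empty) to:
#   no-connection : nothing answered on port 80 (firewall, security group,
#                   NAT diversion, or DNS pointing at the wrong address)
#   ok            : port 80 answers and the path is served
#   redirect:URL  : the validator follows http/https redirects; this fails
#                   only if URL does not serve the same token path
#   bad-redirect  : a redirect scheme the validator will not follow
#   not-found     : a web server answers, but not the one certbot writes to
classify() {
    case "$1" in
        000) echo "no-connection" ;;
        200) echo "ok" ;;
        301|302|303|307|308)
            case "$2" in
                http://*|https://*) echo "redirect:$2" ;;
                *) echo "bad-redirect:$2" ;;
            esac ;;
        404) echo "not-found" ;;
        *)   echo "http-$1" ;;
    esac
}

# Fetch $1 over one address family ($2 is -4 or -6) without following
# redirects and print the verdict. curl exit 6 = the name has no address of
# this family (e.g. no AAAA record); 7/28 = connection refused/timed out.
probe() {
    out=$(curl "$2" -s -o /dev/null --connect-timeout 10 --max-time 20 \
              -w '%{http_code} %{redirect_url}' "$1" 2>/dev/null)
    rc=$?
    case "$rc" in
        6)    echo "dns-failure (no address of this family for the host)"; return ;;
        7|28) echo "no-connection"; return ;;
    esac
    code=${out%% *}
    loc=${out#* }
    [ "$loc" = "$out" ] && loc=""
    classify "$code" "$loc"
}

# Offline part: parse the constructed sample.
echo "challenge URL: $(challenge_url "$SAMPLE_ERROR")"

# Online part, only when a URL is passed on the command line:
#   sh acme_probe.sh http://example.com/.well-known/acme-challenge/TOKEN
if [ -n "${1:-}" ]; then
    echo "IPv4: $(probe "$1" -4)"
    echo "IPv6: $(probe "$1" -6)"
fi
```

Pass the exact URL from the certbot "Detail:" line while the renewal attempt is still running (or any URL under /.well-known/acme-challenge/, in which case "not-found" on both families still tells you port 80 is reachable). A "dns-failure" on the IPv6 probe with "ok" on IPv4 just means there is no AAAA record, which is harmless; "no-connection" on IPv6 with an AAAA record present is the situation gene_wood describes.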