[BlueOnyx:27261] Re: Letsencrypt update failure
Michael Stauber
mstauber at blueonyx.it
Wed Sep 25 17:51:44 -05 2024
Hi Neil,
> Yes I was running firewalld on the server.
>
> I've stopped it and tried again, and get exactly the same result.
>
> Could it be a timeout setting on the Let's Encrypt renewal that they've
> introduced whose default just doesn't work for me?
No, this looks like a general connectivity issue. Let's take a look at
the logfile you posted:
> [Wed 25 Sep 09:31:15 BST 2024] _ret='0'
> [Wed 25 Sep 09:31:15 BST 2024] code='400'
> [Wed 25 Sep 09:31:16 BST 2024]
> url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/408160023526/19mPsQ'
> [Wed 25 Sep 09:31:16 BST 2024] payload='{}'
> [Wed 25 Sep 09:31:16 BST 2024] POST
> [Wed 25 Sep 09:31:16 BST 2024]
> _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/408160023526/19mPsQ'
> [Wed 25 Sep 09:31:16 BST 2024] _CURL='curl --silent --dump-header
When you take a look at that URL in the browser ...
https://acme-v02.api.letsencrypt.org/acme/chall-v3/408160023526/19mPsQ
... you see that ACME tried to connect to this URL:
http://<domain>.co.uk/.well-known/acme-challenge/U5-4FE5ZbLFUVGwfNcB69VHn0aVwSUxABEmBAu3OqGQ
That's without the "www." in front and it also shows the IP and port
that it tried. And the connection timed out without a response. Hence
you got the "Timeout during connect (likely firewall problem)".
When I try to connect to that URL in my browser, the connection *also*
does not go through and simply times out.
I checked the DNS and it has DNS records and the IP starts with 90 and
ends with 200. I can't ping it. I can telnet to port 25 on that IP and
see that Postfix answers. But Apache? No dice on ports 80 or 443.
So you do have something in place that blocks access to Apache and
that's why the connection doesn't go through and validation fails.
If it's not Firewalld on the server itself, then it is perhaps something
in front of the server that blocks access.
--
With best regards
Michael Stauber
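
The diagnosis walked through in this message, as an added example that is not part of the original post: read the failed challenge object to see which URL, address and port the CA tried, then probe ports 25, 80 and 443 from a machine outside the server's network. The sample JSON, `example.co.uk`, `192.0.2.10` and all function names are constructed placeholders.

```python
import json
import socket

# Constructed sample of a failed http-01 challenge object (RFC 8555 fields plus
# the validationRecord that Let's Encrypt returns); every value is a placeholder.
SAMPLE = """{
  "type": "http-01", "status": "invalid",
  "error": {"type": "urn:ietf:params:acme:error:connection",
            "detail": "192.0.2.10: Fetching http://example.co.uk/.well-known/acme-challenge/TOKEN: Timeout during connect (likely firewall problem)"},
  "validationRecord": [{"url": "http://example.co.uk/.well-known/acme-challenge/TOKEN",
                        "hostname": "example.co.uk", "port": "80",
                        "addressUsed": "192.0.2.10"}]
}"""

def summarize_challenge(doc):
    """Return what the CA tried to fetch and why it reported failure."""
    chall = json.loads(doc)
    err = chall.get("error") or {}
    rec = (chall.get("validationRecord") or [{}])[0]
    return {"status": chall.get("status"), "url": rec.get("url"),
            "address": rec.get("addressUsed"), "port": rec.get("port"),
            "detail": err.get("detail")}

def probe(host, port, timeout=5.0):
    """Classify one TCP connect attempt as open, refused, timeout or unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"      # host answered with RST: nothing listening
    except (socket.timeout, TimeoutError):
        return "timeout"      # packets silently dropped: typical of a firewall
    except OSError:
        return "unreachable"  # DNS failure, no route, etc.

def verdict(results):
    """Interpret results as the post does: mail answers, web does not."""
    if results.get(80) == "open":
        return "port 80 reachable: HTTP-01 validation can connect"
    if "open" in results.values():
        return "host is up but port 80 is filtered or closed: check firewalls in front of the server"
    return "no probed port reachable from this vantage point"

def diagnose(host, ports=(25, 80, 443)):
    results = {p: probe(host, p) for p in ports}
    return results, verdict(results)

if __name__ == "__main__":
    print(summarize_challenge(SAMPLE))
    # From a machine outside the server's network: print(diagnose("example.co.uk"))
```

A `timeout` on port 80 alongside `open` on port 25 matches the situation described above: the host is reachable, but something between the validator and Apache drops the traffic.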