<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /></head><body style='font-size: 10pt; font-family: Verdana,Geneva,sans-serif'>
<p>Hi Michael,</p>
<p>Yes, I was running firewalld on the server.</p>
<p>I've stopped it and tried again, and get exactly the same result.</p>
<p>Could it be a timeout setting on the Let's Encrypt renewal that they've introduced whose default just doesn't work for me?</p>
<div id="signature"></div>
<p>I'm also surprised that it only seems to try 4 out of what is suggested to be 30 times to retrieve the verification file:</p>
<p style="padding-left: 40px;">[Wed 25 Sep 09:31:03 BST 2024] Pending, The CA is processing your order, please just wait. (1/30)<br />[Wed 25 Sep 09:31:03 BST 2024] sleep 2 secs to verify again<br />[Wed 25 Sep 09:31:05 BST 2024] checking<br />[Wed 25 Sep 09:31:05 BST 2024] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/408160023536/uPb9Rw'<br />[Wed 25 Sep 09:31:06 BST 2024] payload<br />[Wed 25 Sep 09:31:06 BST 2024] POST<br />[Wed 25 Sep 09:31:06 BST 2024] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/408160023536/uPb9Rw'<br />[Wed 25 Sep 09:31:06 BST 2024] _CURL='curl --silent --dump-header /usr/sausalito/acme/data/http.header -L -g '<br />[Wed 25 Sep 09:31:06 BST 2024] _ret='0'<br />[Wed 25 Sep 09:31:06 BST 2024] code='200'<br />[Wed 25 Sep 09:31:06 BST 2024] Pending, The CA is processing your order, please just wait. (2/30)<br />[Wed 25 Sep 09:31:06 BST 2024] sleep 2 secs to verify again<br />[Wed 25 Sep 09:31:08 BST 2024] checking<br />[Wed 25 Sep 09:31:08 BST 2024] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/408160023536/uPb9Rw'<br />[Wed 25 Sep 09:31:08 BST 2024] payload<br />[Wed 25 Sep 09:31:08 BST 2024] POST<br />[Wed 25 Sep 09:31:08 BST 2024] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/408160023536/uPb9Rw'<br />[Wed 25 Sep 09:31:08 BST 2024] _CURL='curl --silent --dump-header /usr/sausalito/acme/data/http.header -L -g '<br />[Wed 25 Sep 09:31:09 BST 2024] _ret='0'<br />[Wed 25 Sep 09:31:09 BST 2024] code='200'<br />[Wed 25 Sep 09:31:09 BST 2024] Pending, The CA is processing your order, please just wait. 
(3/30)<br />[Wed 25 Sep 09:31:09 BST 2024] sleep 2 secs to verify again<br />[Wed 25 Sep 09:31:11 BST 2024] checking<br />[Wed 25 Sep 09:31:11 BST 2024] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/408160023536/uPb9Rw'<br />[Wed 25 Sep 09:31:11 BST 2024] payload<br />[Wed 25 Sep 09:31:11 BST 2024] POST<br />[Wed 25 Sep 09:31:11 BST 2024] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/408160023536/uPb9Rw'<br />[Wed 25 Sep 09:31:11 BST 2024] _CURL='curl --silent --dump-header /usr/sausalito/acme/data/http.header -L -g '<br />[Wed 25 Sep 09:31:11 BST 2024] _ret='0'<br />[Wed 25 Sep 09:31:11 BST 2024] code='200'<br />[Wed 25 Sep 09:31:11 BST 2024] Pending, The CA is processing your order, please just wait. (4/30)<br />[Wed 25 Sep 09:31:11 BST 2024] sleep 2 secs to verify again<br />[Wed 25 Sep 09:31:13 BST 2024] checking<br />[Wed 25 Sep 09:31:13 BST 2024] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/408160023536/uPb9Rw'<br />[Wed 25 Sep 09:31:13 BST 2024] payload<br />[Wed 25 Sep 09:31:13 BST 2024] POST<br />[Wed 25 Sep 09:31:13 BST 2024] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/408160023536/uPb9Rw'<br />[Wed 25 Sep 09:31:13 BST 2024] _CURL='curl --silent --dump-header /usr/sausalito/acme/data/http.header -L -g '<br />[Wed 25 Sep 09:31:14 BST 2024] _ret='0'<br />[Wed 25 Sep 09:31:14 BST 2024] code='200'<br />[Wed 25 Sep 09:31:14 BST 2024] www.<MYSITE>/:Verify error:<MYIP>: Fetching http://www.<MYSITE>/.well-known/acme-challenge/D6rvIsFhUi-ic-rr7qKKRWLG9xC_Lz0gYVj8qO2fHlM: Timeout during connect (likely firewall problem)<br />[Wed 25 Sep 09:31:14 BST 2024] Debug: get token url.<br />[Wed 25 Sep 09:31:14 BST 2024] GET<br />[Wed 25 Sep 09:31:14 BST 2024] url='http://www.<MYSITE>//.well-known/acme-challenge/D6rvIsFhUi-ic-rr7qKKRWLG9xC_Lz0gYVj8qO2fHlM'<br />[Wed 25 Sep 09:31:14 BST 2024] timeout=1<br />[Wed 25 Sep 09:31:14 BST 2024] _CURL='curl --silent --dump-header /usr/sausalito/acme/data/http.header -L -g 
--connect-timeout 1'<br />[Wed 25 Sep 09:31:14 BST 2024] ret='0'</p>
<p style="padding-left: 40px;">[Wed 25 Sep 09:31:14 BST 2024] Skip for removelevel:<br />[Wed 25 Sep 09:31:14 BST 2024] pid<br />[Wed 25 Sep 09:31:14 BST 2024] Using config home:/usr/sausalito/acme/data<br />[Wed 25 Sep 09:31:14 BST 2024] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'<br />[Wed 25 Sep 09:31:14 BST 2024] httpdconfname='conf/httpd.conf'<br />[Wed 25 Sep 09:31:14 BST 2024] httpdroot='/etc/httpd'<br />[Wed 25 Sep 09:31:14 BST 2024] httpdconf='/etc/httpd/conf/httpd.conf'<br />[Wed 25 Sep 09:31:14 BST 2024] httpdconfname='httpd.conf'<br />[Wed 25 Sep 09:31:15 BST 2024] Restored: /etc/httpd/conf/httpd.conf.<br />[Wed 25 Sep 09:31:15 BST 2024] Restored successfully.<br />[Wed 25 Sep 09:31:15 BST 2024] No need to restore nginx, skip.<br />[Wed 25 Sep 09:31:15 BST 2024] _clearupdns<br />[Wed 25 Sep 09:31:15 BST 2024] dns_entries<br />[Wed 25 Sep 09:31:15 BST 2024] skip dns.<br />[Wed 25 Sep 09:31:15 BST 2024] _on_issue_err<br />[Wed 25 Sep 09:31:15 BST 2024] Please check log file for more details: /var/log/letsencrypt/letsencrypt.log<br />[Wed 25 Sep 09:31:15 BST 2024] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/408160023536/uPb9Rw'<br />[Wed 25 Sep 09:31:15 BST 2024] payload='{}'<br />[Wed 25 Sep 09:31:15 BST 2024] POST<br />[Wed 25 Sep 09:31:15 BST 2024] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/408160023536/uPb9Rw'<br />[Wed 25 Sep 09:31:15 BST 2024] _CURL='curl --silent --dump-header /usr/sausalito/acme/data/http.header -L -g '<br />[Wed 25 Sep 09:31:15 BST 2024] _ret='0'<br />[Wed 25 Sep 09:31:15 BST 2024] code='400'<br />[Wed 25 Sep 09:31:16 BST 2024] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/408160023526/19mPsQ'<br />[Wed 25 Sep 09:31:16 BST 2024] payload='{}'<br />[Wed 25 Sep 09:31:16 BST 2024] POST<br />[Wed 25 Sep 09:31:16 BST 2024] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/408160023526/19mPsQ'<br />[Wed 25 Sep 09:31:16 BST 2024] _CURL='curl --silent --dump-header 
/usr/sausalito/acme/data/http.header -L -g '<br />[Wed 25 Sep 09:31:16 BST 2024] _ret='0'<br />[Wed 25 Sep 09:31:16 BST 2024] code='200'<br />[Wed 25 Sep 09:31:16 BST 2024] Diagnosis versions:<br />openssl:openssl<br />OpenSSL 1.1.1k FIPS 25 Mar 2021<br />apache:<br />Server version: Apache/2.4.37 (AlmaLinux)<br />Server built: Aug 12 2024 02:30:19<br />Server's Module Magic Number: 20120211:83<br />Server loaded: APR 1.6.3, APR-UTIL 1.6.1<br />Compiled using: APR 1.6.3, APR-UTIL 1.6.1<br />Architecture: 64-bit<br />Server MPM: prefork<br /> threaded: no<br /> forked: yes (variable process count)</p>
<p style="padding-left: 40px;">.....</p>
<p>Any more suggestions / ideas to debug it further?</p>
<p>Kind regards</p>
<p>Neil.</p>
<p><br /></p>
<p><br /></p>
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0">
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"><br /><br />Hi Neil,<br /><br />
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0">According to my httpd/access_log entry:<br /><br />www.<mysite>.co.uk 192.168.2.41 - - [23/Sep/2024:16:54:50 +0100] "GET <br />/.well-known/acme-challenge/MZivJl3jVnXTJ3a3nWyH-MrAZnBeLFJombDo9Ganb8Q <br />HTTP/1.1" 301 307 "-" "BlueOnyx-ACME-Client"<br />www.<mysite>.co.uk 192.168.2.41 - - [23/Sep/2024:16:54:50 +0100] "GET <br />/.well-known/acme-challenge/MZivJl3jVnXTJ3a3nWyH-MrAZnBeLFJombDo9Ganb8Q <br />HTTP/1.1" 200 87 "-" "BlueOnyx-ACME-Client"<br /><br />the server DID serve up the "page" (or thought it did) - with the 200 status</blockquote>
<br />Yeah, from the looks of it the verification file was indeed fetched.<br /><br />However: The "likely firewall problem" is perhaps also true. I've seen <br />it in the past. If you have APF (or Firewalld) enabled, try to disable <br />them and then do another cert request.<br /><br />If that then goes through, then please weed out your APF blacklist and <br />remove old entries before you restart it.<br /><br />-- <br />With best regards<br /><br />Michael Stauber<br /><br /></div>
</blockquote>
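<p>An added example, not part of the original thread and not BlueOnyx or acme.sh code: it parses access-log and ACME client debug lines in the formats quoted above, to report how many polls ran before the CA returned a verify error and whether any challenge fetch came from a globally routable address rather than a private one such as 192.168.2.41. The sample lines are constructed; <code>www.example.test</code>, <code>TOKEN</code> and <code>203.0.113.10</code> are placeholders, and the function names are hypothetical.</p>

```python
import ipaddress
import re

# Constructed sample lines modelled on the log formats quoted in this thread;
# www.example.test, TOKEN and 203.0.113.10 are placeholders, not page values.
ACCESS_LOG = [
    'www.example.test 192.168.2.41 - - [23/Sep/2024:16:54:50 +0100] "GET /.well-known/acme-challenge/TOKEN HTTP/1.1" 301 307 "-" "BlueOnyx-ACME-Client"',
    'www.example.test 192.168.2.41 - - [23/Sep/2024:16:54:50 +0100] "GET /.well-known/acme-challenge/TOKEN HTTP/1.1" 200 87 "-" "BlueOnyx-ACME-Client"',
]
ACME_LOG = [
    "[Wed 25 Sep 09:31:11 BST 2024] Pending, The CA is processing your order, please just wait. (4/30)",
    "[Wed 25 Sep 09:31:14 BST 2024] www.example.test:Verify error:203.0.113.10: Fetching "
    "http://www.example.test/.well-known/acme-challenge/TOKEN: Timeout during connect (likely firewall problem)",
]

ACCESS_RE = re.compile(
    r'^\S+ (?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET /\.well-known/acme-challenge/\S+ [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)
POLL_RE = re.compile(r"Pending, .*\((\d+)/(\d+)\)\s*$")
ERROR_RE = re.compile(r"Verify error:(.*)$")

def challenge_fetchers(lines):
    """Return (ip, status, agent, is_public) for each challenge request logged."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:  # hostname logged instead of an address
            continue
        hits.append((str(ip), int(m["status"]), m["agent"], ip.is_global))
    return hits

def summarize_polls(lines):
    """Return (last_poll, max_polls, verify_error or None) from client debug output."""
    last, limit, error = 0, 0, None
    for line in lines:
        if m := POLL_RE.search(line):
            last, limit = int(m[1]), int(m[2])
        elif m := ERROR_RE.search(line):
            error = m[1].strip()
    return last, limit, error

def validator_reached_server(access_lines):
    """True only if some challenge fetch came from a globally routable address."""
    return any(hit[3] for hit in challenge_fetchers(access_lines))
```

<p>When <code>validator_reached_server</code> is false and the verify error reads "Timeout during connect", the 200 responses in the access log were served to private-address clients only, unless a proxy or NAT in front of the server rewrites source addresses.</p>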
</body></html>