Let's Encrypt unable to renew (SH v5.4.5)

Been having issues the last couple of weeks where the cert will not renew. The error is ‘…unable to renew…attempted to contact your server on port 80 but was unable to reach it.’

Port 80 is open. Works on any web browser from different networks to access. Disabled https to attempt. Also tried to manually re-create a new one via the ‘Set a SSL Certificate’ option in SH, but same error.

I am not in a position right now to upgrade SH - currently running 5.4.5 w/o maintenance to upgrade (Classic 20).

I have had to do it manually before. Only 443 is open to my SimpleHelp box so I used a DNS challenge.

certbot certonly --key-type rsa --manual --preferred-challenges=dns -d yoursite.com

Grab privkey1.pem, cert1.pem, and fullchain1.pem from /etc/letsencrypt/live/yoursite.com. Upload those manually with the SimpleHelpAdmin account.

Hope this helps :slight_smile:

Thanks. Still unable to get a certificate created though. The ‘Server Health’ scan shows everything as green and accessible.

I did go ahead and upgrade to version 5.5.5, but the auto-setup for certificate still fails. They do include a manual/DNS challenge now, and when I set that up and the text record it provides, still nothing. I am assuming the webroot folder is still the ‘html’ folder, from what I recall.

It’s by no means critical, but certainly a head-scratcher, as most of the machines are not connecting to the server now (well over 500), since the old certificate expired out. The machines that were still set up on http-only and not https are connecting fine, but there are only around 90 of those (some had both http and https configured - wish I had just left them all like that).

Been running SH since 2011-2012, with little to zero issues (and any had were super-minor), but this might change things going forward if this function continues to be broken, for my nothing-special configuration.

I had issues with GeoIP impacting the ability to perform the validation. I had to remove my restrictions on my firewall to allow traffic coming from the external validation site.

I’ll check on that to see where it thinks I am coming from, but I also completely disabled the firewall, for good measure, just in case; same errors.

Also have seen this… I usually geo limit my incoming connections, but in my firewall I have to remove those limitations to renew SSL. Let’s Encrypt will try to reach your system from multiple points around the world when it renews.

As a quick update to this (it was resolved about a month ago): it turns out that our CAA records were recently locked down to just a few specific providers - Let’s Encrypt was not one of them. Instead of whitelisting them, I did just go ahead and manually install a cert from our preferred cert manager, and everything worked out fine: all devices connected back up fine to the server, etc.

The only inconvenience (which is not much of one) will be instead of letting the server take care of the auto-renews with Let’s Encrypt, I’ll just have to obtain a new certificate every 1-2 years.

I’d like to also thank Chris Bonn from SH Support for assisting with this and pointing me in the right direction with a couple of ideas for resolving.
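The root cause in this thread was a CAA policy that did not list Let's Encrypt. The following is an added example, not code from the thread or from SimpleHelp, that evaluates RFC 8659 CAA "issue" semantics (climb the name hierarchy to the closest CAA RRset, then only the listed CAs may issue) against a constructed record set; the owner names and records are assumptions, and in practice the lookup callback would be backed by a real resolver.

```python
from typing import Callable, Dict, List, Optional, Tuple

CAARecord = Tuple[str, str]            # (tag, value)
Lookup = Callable[[str], List[CAARecord]]

# Constructed zone data standing in for DNS answers (names are assumptions).
# A missing key means "no CAA RRset at this owner name".
SAMPLE_CAA: Dict[str, List[CAARecord]] = {
    "example.com.": [("issue", "digicert.com"), ("issue", "sectigo.com"),
                     ("iodef", "mailto:security@example.com")],
    "example.net.": [("issue", "letsencrypt.org")],
    "example.org.": [("issue", ";")],   # ';' alone: no CA may issue
}

def sample_lookup(name: str) -> List[CAARecord]:
    return SAMPLE_CAA.get(name, [])

def relevant_caa_set(name: str, lookup: Lookup) -> Tuple[Optional[str], List[CAARecord]]:
    """Walk from the name up towards the root; the first owner with a CAA RRset decides."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        rrset = lookup(owner)
        if rrset:
            return owner, rrset
    return None, []

def ca_may_issue(name: str, ca_domain: str, lookup: Lookup = sample_lookup) -> bool:
    """RFC 8659 'issue' semantics for a non-wildcard name (issuewild is not modelled)."""
    _, rrset = relevant_caa_set(name, lookup)
    issue_values = [v for tag, v in rrset if tag.lower() == "issue"]
    if not issue_values:
        return True   # no CAA anywhere, or CAA without issue tags: unrestricted
    for value in issue_values:
        allowed = value.split(";", 1)[0].strip().lower()   # drop any parameters
        if allowed and allowed == ca_domain.lower():
            return True
    return False      # only the listed CAs may issue, or ';' alone forbids all

def explain(name: str, ca_domain: str, lookup: Lookup = sample_lookup) -> str:
    """Human-readable verdict, including which owner name's CAA set applied."""
    owner, rrset = relevant_caa_set(name, lookup)
    verdict = "may" if ca_may_issue(name, ca_domain, lookup) else "may NOT"
    where = f"CAA set at {owner}: {rrset}" if owner else "no CAA records found"
    return f"{ca_domain} {verdict} issue for {name} ({where})"

if __name__ == "__main__":
    for host in ("sh.example.com.", "remote.example.net.", "example.org.", "host.example.test."):
        print(explain(host, "letsencrypt.org"))
```

The first case mirrors the thread: the host itself has no CAA records, but the parent zone restricts issuance to other CAs, so HTTP-01 and DNS-01 challenges alike will be refused until letsencrypt.org is added or the certificate is obtained from a listed CA.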