I am facing the following error when I try to renew my SSL certificate using
certbot renew
Challenge failed for domain ***********.com
Some challenges have failed.
The following errors were reported by the server:
Domain: arjunbroker.com
Type: connection
Detail: Fetching
http://arjunbroker.com/.well-known/acme-challenge/F9nlyrRQBpJGOpPLHGPCj1vzdJOd_rBISU7q2aX7t_o:
Timeout during connect (likely firewall problem)
I have checked UFW and firewalld, and both ports 80 and 443 are open.
5 Answers
I finally realised that prior to installing SSL on this server, I used to forward port 80 to port 8080 using
So I simply forwarded port 80 back to port 80.
Lesson learnt: for Certbot to work, port 80 forwarding should be in place.
I finally realized that I ONLY had HTTP/HTTPS open to my test client machines. I opened them wide for the certbot run, then closed them again. I’ll try to determine what IP needs to be open for the Let’s Encrypt probes so I can automate the certbot renewals.
For me the issue was that Let’s Encrypt uses IPv6, if possible, to do the HTTP challenge, and my site worked fine over IPv4 but not over IPv6 (as I had it set up wrong). You can use this site to test your IPv6 setup.
I solved this by disabling ‘Permanent SEO-safe 301 redirect from HTTP to HTTPS’ (in Hosting Settings for Plesk / CentOS Linux 7.9).
Let’s Encrypt wouldn’t assign or renew its SSL certificates otherwise. I spent a day re-configuring DNS, panel.ini, the firewall, etc., and eventually pinpointed this as the specific cause.
The issue surfaced about 10 months ago and we only realised what was happening recently.
I fixed that in AWS EC2 by updating the Security Group like this:
More about EC2 Security Groups: https://docs.aws.amazon.com/pt_br/AWSEC2/latest/UserGuide/ec2-security-groups.html
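Added example (mine, not code from any of the answers above): a pre-flight probe that does what the validator does for the HTTP-01 challenge, a TCP connect to port 80 at each address the hostname resolves to, then a GET of the token path without following redirects, so a closed or forwarded port (answers 1, 2 and 5), an IPv6-only failure (answer 3) and a blanket 301 to HTTPS (answer 4) each show up in the result instead of in a failed renewal. The hostname, token and the local stand-in web server are constructed for the demo; against a real host, call probe(host, addr, token) for each addr in resolve_all(host).

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

def resolve_all(host):  # every A and AAAA address the validator could pick
    return sorted({sa[0] for *_, sa in socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)})

def probe(host, addr, token, port=80, timeout=5):
    """TCP-connect to one address and GET the token path, never following redirects."""
    result = {"addr": addr, "connected": False, "status": None, "location": None, "body_ok": False}
    try:
        with socket.create_connection((addr, port), timeout=timeout) as sock:
            result["connected"] = True
            sock.sendall(f"GET {CHALLENGE_PREFIX}{token} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            data = b"".join(iter(lambda: sock.recv(4096), b""))  # HTTP/1.0: server closes when done
    except OSError as exc:  # timeout or refused here == firewall, port-forward rule or no listener
        result["error"] = type(exc).__name__
        return result
    head, _, body = data.partition(b"\r\n\r\n")
    status_line, *headers = head.decode("latin-1").split("\r\n")
    result["status"] = int(status_line.split()[1]) if len(status_line.split()) > 1 else None
    for line in headers:
        if line.lower().startswith("location:"):  # a blanket HTTP->HTTPS 301 shows up here
            result["location"] = line.split(":", 1)[1].strip()
    result["body_ok"] = result["status"] == 200 and body.strip() == token.encode()
    return result

class DemoHandler(BaseHTTPRequestHandler):
    token = "constructed-token"  # constructed stand-in for the origin web server, not a real ACME flow
    redirect_all = False  # True models a 301-to-HTTPS rule that also catches the challenge path

    def do_GET(self):
        if self.path == CHALLENGE_PREFIX + self.token and not self.redirect_all:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(self.token.encode())
        else:
            self.send_response(301)
            self.send_header("Location", "https://" + self.headers["Host"] + self.path)
            self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo server quiet

def start_demo_server(redirect_all=False):  # random 127.0.0.1 port, daemon thread; returns the port
    handler = type("Handler", (DemoHandler,), {"redirect_all": redirect_all})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]
```

A probe from inside your own network can pass while an inbound firewall or security group still blocks the public Internet, so run it from a host outside the perimeter.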