When I click on the log icon next to the Docker container there are no errors that show up there. When I look at the log inside appdata/letsencrypt I can see where the issue happens. Letsencrypt can't connect to my server over HTTP for verification. I have verified the firewall/port forwarding settings on my router are correct. HTTPS works as expected, and when I go to the root URL over HTTP it gets redirected to HTTPS, so that's correct too. Trying to navigate to the full URL where the acme-challenge is in a browser, I get a "connection refused" response. Is something messed up in my NGINX config, I wonder?
I'm not sure where to look from here but I really appreciate the help.
Here's the log:
<------------------------------------------------->
cronjob running on Sun Dec 30 02:08:00 EST 2018
Running certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Non-interactive renewal: random delay of 442 seconds
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/sub2.duckdns.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Running pre-hook command: if ps aux | grep [n]ginx: > /dev/null; then s6-svc -d /var/run/s6/services/nginx; fi
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for sub2.duckdns.org
http-01 challenge for sub1.duckdns.org
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (sub2.duckdns.org) from /etc/letsencrypt/renewal/sub2.duckdns.org.conf produced an unexpected error: Failed authorization procedure. sub1.duckdns.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://sub1.duckdns.org/.well-known/acme-challenge/[HASH1]: Timeout during connect (likely firewall problem), sub2.duckdns.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://sub2.duckdns.org/.well-known/acme-challenge/[HASH2]: Timeout during connect (likely firewall problem). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/sub2.duckdns.org/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/sub2.duckdns.org/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Running post-hook command: if ps aux | grep 's6-supervise nginx' | grep -v grep > /dev/null; then s6-svc -u /var/run/s6/services/nginx; fi; cd /config/keys/letsencrypt && openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass: && sleep 1 && cat {privkey,fullchain}.pem > priv-fullchain-bundle.pem
Hook command "if ps aux | grep 's6-supervise nginx' | grep -v grep > /dev/null; then s6-svc -u /var/run/s6/services/nginx; fi; cd /config/keys/letsencrypt && openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass: && sleep 1 && cat {privkey,fullchain}.pem > priv-fullchain-bundle.pem" returned error code 1
Error output from if:
cat: {privkey,fullchain}.pem: No such file or directory
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: sub1.duckdns.org
Type: connection
Detail: Fetching
http://sub1.duckdns.org/.well-known/acme-challenge/[HASH1]:
Timeout during connect (likely firewall problem)
Domain: sub2.duckdns.org
Type: connection
Detail: Fetching
http://sub2.duckdns.org/.well-known/acme-challenge/[HASH2]:
Timeout during connect (likely firewall problem)
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
<------------------------------------------------->
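Two separate failures are visible in the log above: the http-01 authorizations for both names timed out (the CA never reached port 80), and the post-hook then exited 1 because the literal string `{privkey,fullchain}.pem` reached `cat` unexpanded, i.e. the shell that ran the hook does not do brace expansion. The following is an added example, not code from the original post nor from certbot or the linuxserver image: a small parser that turns `certbot renew` output into a structured report and derives hints from it, so a renewal cron job can alert on the real cause instead of a bare "1 renew failure(s)". The sample log is constructed from the lines quoted in the post, with the challenge hashes left as placeholders.

```python
"""Parse certbot 'renew' output and summarise why a renewal failed.

Added example (not the original poster's code, not certbot's). SAMPLE_LOG is
constructed from the log quoted above; [HASH1]/[HASH2] are placeholders.
"""
import re

SAMPLE_LOG = """\
Processing /etc/letsencrypt/renewal/sub2.duckdns.org.conf
Cert is due for renewal, auto-renewing...
http-01 challenge for sub2.duckdns.org
http-01 challenge for sub1.duckdns.org
Attempting to renew cert (sub2.duckdns.org) from /etc/letsencrypt/renewal/sub2.duckdns.org.conf produced an unexpected error: Failed authorization procedure. sub1.duckdns.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://sub1.duckdns.org/.well-known/acme-challenge/[HASH1]: Timeout during connect (likely firewall problem), sub2.duckdns.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://sub2.duckdns.org/.well-known/acme-challenge/[HASH2]: Timeout during connect (likely firewall problem). Skipping.
Hook command "if ps aux | grep 's6-supervise nginx' | grep -v grep > /dev/null; then s6-svc -u /var/run/s6/services/nginx; fi; cd /config/keys/letsencrypt && openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass: && sleep 1 && cat {privkey,fullchain}.pem > priv-fullchain-bundle.pem" returned error code 1
Error output from if:
cat: {privkey,fullchain}.pem: No such file or directory
1 renew failure(s), 0 parse failure(s)
"""

# One "Failed authorization procedure." line carries every failed name, comma
# separated, each as: <domain> (<challenge>): <acme error urn> :: <reason> :: <detail>
AUTH_FAIL = re.compile(r"Failed authorization procedure\. (?P<body>.+?)\. Skipping\.$")
ENTRY_SPLIT = re.compile(r", (?=[\w.-]+ \([\w-]+\): urn:ietf:params:acme:error:)")
ENTRY = re.compile(r"^(?P<domain>[\w.-]+) \((?P<challenge>[\w-]+)\): "
                   r"(?P<urn>urn:ietf:params:acme:error:[\w-]+) :: (?P<rest>.+)$")
HOOK_FAIL = re.compile(r'^Hook command "(?P<cmd>.+)" returned error code (?P<code>\d+)$')
# A brace pattern that survived to the command line means no shell expansion took place.
BRACE_ERR = re.compile(r"^\S+: (?P<arg>\{[^}]+\}\S*): No such file or directory$")
SUMMARY = re.compile(r"^(?P<renew>\d+) renew failure\(s\), (?P<parse>\d+) parse failure\(s\)$")


def parse_renewal_log(text):
    """Return a dict with per-domain authorization failures, hook failures and totals."""
    report = {"authorization_failures": [], "hook_failures": [],
              "renew_failures": 0, "parse_failures": 0}
    for line in text.splitlines():
        line = line.strip()
        m = AUTH_FAIL.search(line)
        if m:
            for entry in ENTRY_SPLIT.split(m.group("body")):
                e = ENTRY.match(entry)
                if not e:
                    continue
                parts = e.group("rest").split(" :: ")  # reason :: detail
                report["authorization_failures"].append({
                    "domain": e.group("domain"),
                    "challenge": e.group("challenge"),
                    "urn": e.group("urn"),
                    "reason": parts[0],
                    "detail": parts[-1],
                })
            continue
        m = HOOK_FAIL.match(line)
        if m:
            report["hook_failures"].append({"cmd": m.group("cmd"),
                                            "code": int(m.group("code")),
                                            "unexpanded_arg": None})
            continue
        m = BRACE_ERR.match(line)
        if m and report["hook_failures"]:
            # stderr of the hook follows the "Hook command ..." line; attach it there
            report["hook_failures"][-1]["unexpanded_arg"] = m.group("arg")
            continue
        m = SUMMARY.match(line)
        if m:
            report["renew_failures"] = int(m.group("renew"))
            report["parse_failures"] = int(m.group("parse"))
    return report


def hints(report):
    """Human-readable next steps derived from the parsed report."""
    out = []
    for f in report["authorization_failures"]:
        if f["urn"].endswith(":connection") and f["challenge"] == "http-01":
            out.append(f"{f['domain']}: the CA could not reach port 80 ({f['detail']}); "
                       "check that 80/tcp is forwarded to the host and mapped into the container")
    for h in report["hook_failures"]:
        if h["unexpanded_arg"]:
            out.append(f"hook exit {h['code']}: {h['unexpanded_arg']!r} reached the command "
                       "literally, so the hook shell did not brace-expand it; name the files explicitly")
    return out


if __name__ == "__main__":
    for hint in hints(parse_renewal_log(SAMPLE_LOG)):
        print(hint)
```

The hook hint follows from what the log shows rather than from any certbot documentation: brace expansion is a bash extension, not part of POSIX sh, so a hook that writes `cat {privkey,fullchain}.pem` only works if the shell running it happens to be bash; spelling out `cat privkey.pem fullchain.pem` works everywhere. The port-80 hint is the same conclusion certbot draws in its "likely firewall problem" note, surfaced per domain so a monitoring job can act on it.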