Hi, I've noticed that on one of my email servers the Letsencrypt certificate expired today, and when I tried to run it manually so I can see what was causing the problem I get:

Code:
root@email1:~# certbot -q renew
Attempting to renew cert (email1.mydomain.com.) from /etc/letsencrypt/renewal/email1.mydomain.com.conf produced an unexpected error: Failed authorization procedure. email1.mydomain.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://email1.mydomain.com/.well-known/acme-challenge/svlIcn_gu4qnYkof16_NshEGSj9wXaG4XyfLvKawlZ0: Timeout during connect (likely firewall problem). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/email1.mydomain.com/fullchain.pem (failure)

How can I pass to the renew script the option to not look for a domain in order to work, as the server has only email, not apache at all. Thanks
How did you create that LE cert? Renewal uses the same way that was used to originally create it. There are several ways that LE uses, e.g. an installed Apache or nginx server, or LE can start a standalone server if standalone mode has been used. In any case, you must allow port 80 access to the server to be able to renew the cert in the same way it was possible during LE cert creation.
I ran certbot -q renew --standalone and it worked, but I had to open port 443. This is why it was failing to renew. One question please. How can I check that the certificate is indeed renewed and is working? I tried:

echo | openssl s_client -connect myhostname:443 2>/dev/null | openssl x509 -noout -dates

but it returns:

Code:
unable to load certificate
139840759460992:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
I found an interesting site which shows if it works properly. It is: https://www.sslshopper.com/ssl-checker.html in case anyone needs it in the future.
You can check it with openssl as well, but your command connected to port 443, and you said this is a mail server, not a web server - you need to connect to 25, 465, 587, 110, 143, 993 and 995 (with appropriate -starttls options for 25, 587, 110 and 143).
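The openssl check described in the reply above, written out as an added example script (not posted by anyone in this thread): it picks the right -starttls protocol per mail port, builds the s_client command, and extracts notAfter from the x509 output. The host name is an assumption; set MAILHOST and RUN_CHECK=1 to run it against a real server.

```bash
#!/bin/sh
# Added example: verify the renewed certificate on each mail port.
# MAILHOST is a placeholder; override it with your own server name.
MAILHOST="${MAILHOST:-email1.mydomain.com}"

# Map a port to the -starttls protocol it needs; implicit-TLS ports get none.
starttls_proto() {
  case "$1" in
    25|587)      echo smtp ;;
    110)         echo pop3 ;;
    143)         echo imap ;;
    465|993|995) echo "" ;;
    *)           return 1 ;;
  esac
}

# Build the openssl s_client command line for a host/port pair.
# -servername sends SNI so a multi-domain server picks the right cert.
s_client_cmd() {
  host=$1; port=$2
  proto=$(starttls_proto "$port") || return 1
  cmd="openssl s_client -connect $host:$port -servername $host"
  [ -n "$proto" ] && cmd="$cmd -starttls $proto"
  echo "$cmd"
}

# Pull the notAfter value out of `openssl x509 -noout -dates` output.
not_after() {
  sed -n 's/^notAfter=//p'
}

# Connect to one port and print the served certificate's validity window.
# A port with no TLS listener yields the "no start line" error from the thread.
check_port() {
  cmd=$(s_client_cmd "$1" "$2") || { echo "unsupported port $2" >&2; return 1; }
  echo "== $1:$2 =="
  echo | $cmd 2>/dev/null | openssl x509 -noout -subject -dates
}

main() {
  for p in 25 465 587 110 143 993 995; do
    check_port "$MAILHOST" "$p"
  done
}

# Network access only when explicitly requested, so the script can be sourced.
if [ "${RUN_CHECK:-0}" = 1 ]; then main; fi
```

A port that is firewalled or has no daemon listening prints nothing but the header, which is the same symptom the 443 attempt in this thread produced.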