400 error when renewing certificate

My domain is: api.quickchat.ai

I ran this command: certbot renew

It produced this output: 400 The plain HTTP request was sent to HTTPS port

My web server is (include version): nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 20.04.1 LTS

I can login to a root shell on my machine (yes or no, or I don't know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.40.0

I am running HTTPS on port 80; in that case, how do I go about renewing the certificate? Thank you!


Hi @piotrgrudzien

that's a wrong configuration. Change that. Port 80 - http, nothing else.

You can't, if you want to use http validation.


Could you briefly explain how I should change the port setup in the Nginx config? Below is an excerpt from the Nginx conf:

http {

    upstream channels-backend {
        server localhost:443;
    }

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##

    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;
    ssl_certificate /etc/letsencrypt/live/api.quickchat.ai/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/api.quickchat.ai/privkey.pem;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    gzip on;

    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    # include /etc/nginx/sites-enabled/*;

    server {
        location / {
            try_files $uri @proxy_to_app;
        }
        location @proxy_to_app {
            proxy_pass https://channels-backend;

            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";

            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Host $server_name;

            proxy_ssl_certificate /etc/letsencrypt/live/api.quickchat.ai/fullchain.pem;
            proxy_ssl_certificate_key /etc/letsencrypt/live/api.quickchat.ai/privkey.pem;
        }
    }
}

Daphne is run using command:

command=daphne -u /run/daphne/daphne%(process_num)d.sock -e ssl:443:privateKey=/etc/letsencrypt/live/api.quickchat.ai/privkey.pem:certKey=/etc/letsencrypt/live/api.quickchat.ai/fullchain.pem --access-log - quickchat.asgi:application

You say:

But show:

So it seems to me that you are running HTTPS on port 443 and nothing on port 80.

If you want to use HTTP authentication, you will need to ensure that TCP port 80 (HTTP) is allowed through the firewalls and can reach your web server.
You don't have to make any changes to the web server.
You can simply just use certbot in standalone mode and it will serve the HTTP authentication content directly.


That's what you think. That's not what nginx uses.

Use

nginx -T

to see your real configuration.

And

  • there is no port 80 vHost, you have to create one
  • additionally, you may have a wrong port forwarding: port 80 extern -> port 443 intern. That's wrong; it must be

port 80 extern -> http port intern (normally 80)
port 443 extern -> https port intern (normally 443)

PS: Conclusion: You can have a correct nginx configuration with port 80 and port 443, but a wrong port forwarding port 80 extern -> https port intern blocks http -> you can't create a certificate via http validation.


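Pulling the thread's advice together into one concrete configuration. This is an added example, not the poster's file and not code from the Let's Encrypt, certbot or nginx projects. The "400 ... The plain HTTP request was sent to HTTPS port" text in the question is nginx's own error for a cleartext request arriving on a listener that has SSL enabled: with `ssl on;` in the `http {}` block and a `server {}` that has no `listen` directive at all, nginx's default listener on port 80 becomes a TLS listener, which is exactly "HTTPS on port 80", and certbot's http-01 request can never be answered there. The fix is to take the `ssl_*` and `upstream` lines out of `http {}` and split the vhost in two: a plain-HTTP server on 80 that serves only the ACME challenge path and redirects everything else, and a TLS server on 443 that proxies to Daphne. Assumed here and not in the original: certbot is run with `--webroot -w /var/www/letsencrypt`, the file lives at `/etc/nginx/conf.d/api.quickchat.ai.conf` (already picked up by the `include /etc/nginx/conf.d/*.conf;` line), and Daphne is reached over the Unix sockets its command already creates (`/run/daphne/daphne0.sock`, `daphne1.sock`, ...) with the `-e ssl:443:...` endpoint dropped from that command, so that nginx can own port 443.

```nginx
# /etc/nginx/conf.d/api.quickchat.ai.conf  (added example; assumed path)
# Requires removing "ssl on;", the ssl_* lines, the upstream {} and the
# server {} from the http {} block of nginx.conf, otherwise nginx will
# still bring up a TLS listener on port 80.

# Daphne workers over their Unix sockets (assumption: -e ssl:443 removed
# from the supervisor command so port 443 is free for nginx).
upstream channels-backend {
    server unix:/run/daphne/daphne0.sock;
    server unix:/run/daphne/daphne1.sock;
}

# Port 80: plain HTTP only. The only thing it serves directly is the
# http-01 challenge; everything else is sent to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name api.quickchat.ai;

    # certbot --webroot -w /var/www/letsencrypt writes the token under
    # /var/www/letsencrypt/.well-known/acme-challenge/<token> (assumed path).
    # ^~ makes this prefix win over the regex/redirect below.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type "text/plain";
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: TLS is terminated here, then the request is proxied to Daphne.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name api.quickchat.ai;

    ssl_certificate     /etc/letsencrypt/live/api.quickchat.ai/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/api.quickchat.ai/privkey.pem;
    # TLSv1 and TLSv1.1 from the original config are deprecated; nginx 1.18
    # on Ubuntu 20.04 (OpenSSL 1.1.1) supports TLSv1.3.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;

    location / {
        proxy_pass http://channels-backend;

        # WebSocket upgrade for Django Channels
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
        # Daphne now sees plain HTTP, so tell it the client used TLS
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

After `mkdir -p /var/www/letsencrypt`, `nginx -t` and `systemctl reload nginx`, check the listeners with `nginx -T | grep -n listen` (there must be a `listen 80` without `ssl`) and probe from outside the network with `curl -sI http://api.quickchat.ai/.well-known/acme-challenge/probe`: a `404` from nginx is the healthy answer, a `400` still means a TLS listener is on port 80 somewhere, and a timeout means the router or firewall is not forwarding external port 80 to internal port 80, which is the second point in the reply above. Then run `certbot certonly --webroot -w /var/www/letsencrypt -d api.quickchat.ai --dry-run` once so the renewal config records the webroot, after which plain `certbot renew` works. If you would rather keep Daphne's own TLS endpoint, bind it to a localhost port other than 443 and keep `proxy_pass https://...`; the port 80 vhost is what matters for the challenge.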