404 on certificate renewal

PS: Maybe you can't see that because you use your website from an internal IP address.

Chrome Version 44 - 2015-07-21
Firefox 51 was released on January 24, 2017
IE 8 - 19 March 2009

That's nothing to use.

2 Likes

@TheWojtek Does "SIGNUM Home Server" ring a bell? Could that also be the thing listening on port 80?

2 Likes

Now I see a redirect to the login and a new Letsencrypt certificate.

Looks like you have found that old blocking thing :+1:

2 Likes

@Osiris - you nailed it when you provided what you can actually see from the outside. While I take the blame for this (should have been checking from the outside world), it seems we have found a bug in Ubiquiti USG firmware.

Now for the explanation:

  1. I VPN to a customer location. The local DNS is set up to resolve hq.zajc.pl to 192.168.1.10, so from the inside of the customer network both 80 and 443 connections to this address go to the local ownCloud server.
  2. The port mappings in USG were set accordingly - from the outside world the ports 80 and 443 were mapped to 192.168.1.10 80 and 443 respectively.
  3. About a month ago I was asked to enable UPnP on the router (and this is my reason for blame, shouldn't have done that).
  4. Another server (a security camera viewer or is it a home automation device) hijacked the port 80 mapping using UPnP, which should not ever happen! This caused the challenges from Certbot to be directed to a completely different machine.
  5. The bug: the USG controller UI still shows all the static port mappings as if they were OK, with 192.168.1.10 as the target for ports 80 and 443, even if the mapping for port 80 was hijacked by the security camera viewer already.
  6. Solution: disabling UPnP on the USG, setting the port mapping again.

Result: Certbot challenge performed flawlessly.

PS: as I see in the --standalone logs, the logged inability to bind to port 80 on IPv4 is expected behavior.

1 Like
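The root cause above (inside the VPN the hostname resolves to the LAN address and reaches the right server, while the public port mapping had silently been taken over) is the kind of thing a small pre-flight check catches before Certbot runs. The script below is an added example, not code from this thread or from Certbot: it sends the same `/.well-known/acme-challenge/<token>` request to the LAN address and to the public address with the real `Host` header, and reports whether both reach the same HTTP backend. It also checks whether port 80 is free, which is what `--standalone` needs. The hostname `hq.example.com`, the token and the addresses are constructed placeholders; the comparison of status, `Server` header and body is a heuristic of my own.

```python
"""Pre-flight check for an HTTP-01 challenge path (added example).

Two checks a defender wants before running certbot:
  1. port_is_free(80): nothing else listens locally, so --standalone can bind.
  2. probe() the LAN address and the public address with the same request and
     compare the answers; a mismatch means the public port forward does not
     end up at the server you think it does (the UPnP hijack seen above).
"""
import http.client
import socket
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class ProbeResult:
    status: int
    server: str  # value of the Server response header, "" if absent
    body: str    # first 4 KiB of the body, enough to tell backends apart


def port_is_free(port: int, host: str = "0.0.0.0") -> bool:
    """True if nothing is bound to host:port (a plain bind succeeds).

    Binding a port below 1024 on Linux needs CAP_NET_BIND_SERVICE; a
    PermissionError is re-raised so it is not mistaken for 'port in use'.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
        except PermissionError:
            raise
        except OSError:
            return False
    return True


def probe(hostname: str, token: str, connect_to: str,
          timeout: float = 5.0) -> ProbeResult:
    """GET /.well-known/acme-challenge/<token> from connect_to with Host: hostname.

    Connecting to an explicit IP while sending the real Host header lets the
    identical request be aimed at the LAN address and at the public address,
    bypassing whatever the local (VPN) DNS would resolve the name to.
    """
    conn = http.client.HTTPConnection(connect_to, 80, timeout=timeout)
    try:
        conn.request("GET", f"/.well-known/acme-challenge/{token}",
                     headers={"Host": hostname, "Connection": "close"})
        resp = conn.getresponse()
        body = resp.read(4096).decode("utf-8", "replace")
        return ProbeResult(resp.status, resp.getheader("Server", "") or "", body)
    finally:
        conn.close()


def same_backend(inside: ProbeResult, outside: ProbeResult) -> bool:
    """Heuristic: both probes hit the same machine if status, Server header
    and body agree. The token need not exist; two 404s from the same server
    still look alike, while a 404 from a stray device looks different."""
    return (inside.status, inside.server, inside.body) == \
           (outside.status, outside.server, outside.body)


def diagnose(inside: ProbeResult, outside: ProbeResult) -> str:
    """Human-readable verdict used by the command-line entry point."""
    if same_backend(inside, outside):
        return "ok: LAN and public address reach the same HTTP backend"
    if outside.status == 404 and inside.status != 404:
        return ("mismatch: the public address serves a different backend "
                "(check the router's port forwarding and UPnP)")
    return "mismatch: LAN and public responses differ"


if __name__ == "__main__":
    # usage: preflight.py <lan-ip> <public-ip>   (constructed placeholders below)
    HOSTNAME = "hq.example.com"
    TOKEN = "preflight-probe-token"
    lan_ip, public_ip = sys.argv[1:3]
    print("port 80 free locally:", port_is_free(80))
    inside = probe(HOSTNAME, TOKEN, lan_ip)
    outside = probe(HOSTNAME, TOKEN, public_ip)
    print("inside :", inside.status, inside.server)
    print("outside:", outside.status, outside.server)
    print(diagnose(inside, outside))
```

Run it from a host that can reach both addresses (for the situation in this thread, from inside the VPN with the router's public IP as the second argument). The public probe must be made from outside the LAN or through a router that supports hairpin NAT, otherwise it will quietly hit the LAN server again and tell you nothing.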

Well, UPnP should not be able to hijack manual port maps in the first place in my opinion! That's just terrible. IMO that's not on you, but on Ubiquiti.

Luckily we found the issue! :smiley:

That's true if you're already running something on port 80, yes. --standalone really is only for servers without any form of HTTP webserver, such as hosts only running a mail daemon.

2 Likes

@Osiris @JuergenAuer - thank you both for keeping me awake and for your input, wouldn't have fixed it without you both.

2 Likes
