Auto-certbot renew failure with message about firewall


#1

I have been renewing my certificate with Let's Encrypt for some time without a problem on my Ubuntu 10.04 server on a consumer internet connection using dynamic DNS. I have renewed the certificate 4 or 5 times with no problem. All of a sudden it is failing with the following message.

The following errors were reported by the server:

Domain: stevesullam.com
Type: connection
Detail: Fetching
http://stevesullam.com/.well-known/acme-challenge/agvBe_mF0Utf5GFP5J-m7lng2YON2-9WcHrpJkh6Yt4:
Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client.

This all works because I can get to my web site when I am away from home.

If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.


#2

That might be, but I’m not able to connect to the IP 74.88.217.83 either. So it’s not a Let’s Encrypt specific issue.

Please check if the IP address is correct and/or any firewall or router is dropping specific connections.


#3

This is running on a consumer internet connection where port 80 is blocked. I have been using it for decades. Try https://stevesullam.com or, if you insist, https://74.88.217.83. It works from the Tor Browser for me.


#4

The http-01 challenge, which is currently being used, uses port 80, exclusively.

Perhaps you’ve used the tls-sni-01 challenge in the past. But that challenge is deprecated because of security issues.

You’re advised to use the http-01 challenge (but that isn’t an option for you, as your port 80 is blocked) or the dns-01 challenge. The tls-sni-01 challenge will be disabled somewhere in 2019.


#5

Thank you for this last reply, which was informative. It sounds like Let's Encrypt just made this change, because the method I was using had worked as recently as August.
Is there any chance you would be able to direct me to a link for people who are trying to solve my problem? Thanks!


#6

Another option which can work over port 443 is the tls-alpn-01 challenge, which is supported by the Let’s Encrypt server since July 12, 2018.

Unfortunately, the list of ACME clients which support tls-alpn-01 is rather limited at the moment (in particular, certbot does not yet support it), and configuring the web server to respond to a tls-alpn-01 challenge may require server software changes or upgrades.


#7

I found the solution, which was really simple and just worked. It was just a matter of updating and discontinuing use of the certbot-auto script.

apt-add-repository ppa:certbot/certbot
apt update
apt install python-certbot-apache
certbot --apache

This worked on Ubuntu 10.04 32-bit for whomever else is running it on that.

I just ran it with the --dry-run option since it is already up to date, and it ran with the tls-sni-01 option, which is supposed to stop working?


#8

The tls-sni-01 challenge was deprecated since January, but only recently Certbot started preferring the http-01 challenge for renewals instead of tls-sni-01. By installing from the repo for 10.04 rather than certbot-auto, you probably got an old version that hadn’t made that change yet (note that Ubuntu 10.04 has reached its end of life and no longer receives updates). You could alternatively have forced certbot-auto to use tls-sni-01 using the --preferred-challenges option. But either way, that’s only a temporary solution - you will still need to switch to one of the other challenges before 13 February 2019, as the CA will stop supporting tls-sni-01 entirely at that point. You should really also consider updating to a supported version of Ubuntu.

If you can’t open port 80, you have two options: switch to a client that supports tls-alpn-01 as @sigprof suggested, or use DNS validation.


#9

Third option: Pay for your cert(s) - LOL


#10

TBH, this is a test home server, and I virtualized it and tried upgrading it twice and everything broke, and I don’t have the time and energy to work out all the problems in order to upgrade it. In addition to that, it is running on a 32-bit system, which Ubuntu will be discontinuing support for in future distributions.
I tested it using the manual option with DNS validation and that also seemed to work.


#11

I am kind of liking this forum. My ability to edit the last post must have expired, because I meant to edit it rather than reply to it like this. I meant to say that I tested out updating the cert manually using DNS validation, and that worked too for now. I suppose that won’t work after February. I wonder what other options I will have besides upgrading the server to update the cert.


#12

DNS validation will still work after February, but ideally you could find a way to automate it with a script.

TLS-SNI-01 validation (using an inbound connection on port 443) is what won’t work in the future.
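To make concrete why http-01 (posts #4 and #8) needs an inbound port 80 while dns-01 (post #12) needs no inbound port at all, here is an added example, not code from this thread or from Certbot, that computes the validation values each challenge type expects from an ACME account key and the token quoted in the error message. The JWK below is a constructed placeholder, not a real account key; the key-authorization and thumbprint rules follow RFC 8555 and RFC 7638.

```python
import base64
import hashlib
import json

# Constructed placeholder account key (public members only), NOT a real
# Let's Encrypt account key; the x/y values are just strings for the demo.
EXAMPLE_JWK = {"kty": "EC", "crv": "P-256",
               "x": "placeholder-x-coordinate", "y": "placeholder-y-coordinate"}

# Challenge token copied from the error message quoted in post #1.
TOKEN = "agvBe_mF0Utf5GFP5J-m7lng2YON2-9WcHrpJkh6Yt4"

# RFC 7638: only the required public members enter the thumbprint.
THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the canonical JSON (sorted members, no whitespace)."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token.thumbprint: the value every challenge type is built from."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(domain: str, token: str, jwk: dict):
    """http-01: the CA fetches this URL over plain HTTP on port 80 only,
    which is exactly why a blocked port 80 produces the timeout in post #1."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    return url, key_authorization(token, jwk)


def dns01_response(domain: str, token: str, jwk: dict):
    """dns-01: a TXT record holding base64url(SHA-256(key authorization));
    the CA only queries DNS, so no inbound port on the host is needed."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


if __name__ == "__main__":
    print(http01_response("stevesullam.com", TOKEN, EXAMPLE_JWK))
    print(dns01_response("stevesullam.com", TOKEN, EXAMPLE_JWK))
```

When Certbot's manual DNS mode is scripted with an auth hook, it hands the hook the dns-01 TXT value already computed, so a hook script only has to publish that record with whatever DNS provider is in use.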


#13

I don’t think that should be too difficult. Thanks!