Auto-renew with certbot without stopping my nodejs server

I followed the instructions here: Certbot Instructions | Certbot and I used the --webroot route

It produced this output:

```
Failed to renew certificate www.jumblgram.com with error: Missing command line flag or config entry for this setting:
Input the webroot for www.jumblgram.com:

All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/www.jumblgram.com/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)
```

My web server is (include version): NodeJS

The operating system my web server runs on is (include version): Ubuntu

My hosting provider, if applicable, is: Hetzner

I can login to a root shell on my machine (yes or no, or I don't know): Yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.11.0

What was the command issued to certbot?

3 Likes

Exactly the ones in the certbot instructions link I sent, so I installed snapd, then did these commands:

```
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
sudo certbot certonly --webroot
sudo certbot renew --dry-run
```

(the error was thrown from the last command)

There seems to be an issue with your IPv6:

Here is what I see for your DNS
A records for www.jumblgram.com: ['188.245.74.241']
AAAA records for www.jumblgram.com: ['2a01:4f8:c2c:ea35::1']

But it seems you can use DNS to acquire your certificate...

Your ports are open so that looks good.
I am not sure if your dns provider allows a DNS challenge type:
https://eff-certbot.readthedocs.io/en/latest/using.html#dns-plugins
Might look in to that...

4 Likes

Here is more information on using the webroot plugin:
https://eff-certbot.readthedocs.io/en/latest/using.html#webroot

Look for this section:

certbot certonly --webroot -w /var/www/example -d www.example.com -d example.com -w /var/www/other -d other.example.net -d another.other.example.net

2 Likes

You're missing a -w /path/to/webroot argument.

I don't know how node.js treats that. If node.js only listens on 443, you can have something else listen on 80 to perform validation.

4 Likes

Agreed:

```
curl -Ii6 www.jumblgram.com/.well-known/acme-challenge/Test_File-1234
curl: (7) Failed to connect to www.jumblgram.com port 80 after 130 ms: Connection refused
```

But, as LE may fall back to IPv4 on such a failure, I decided to check that as well...
And found it to also have issue:

```
curl -Ii4 www.jumblgram.com/.well-known/acme-challenge/Test_File-1234
HTTP/1.1 403 Forbidden     <<<<<<<<<<<<<<<<<<<<<<<<< all requests are FORBIDDEN
X-Powered-By: Express
Content-Type: application/json; charset=utf-8
Content-Length: 38
ETag: W/"26-5CgstkXaOmyU++CQZVFmF/4Z97w"
Date: Mon, 29 Jul 2024 18:37:09 GMT
Connection: keep-alive
Keep-Alive: timeout=5
```
3 Likes

NodeJS, at least for how I'm using it, is listening on both port 80 and 443, and if anyone tries connecting on http (via port 80) they get redirected to https

1 Like

I get the same :face_with_spiral_eyes:

Failed to connect to www.jumblgram.com port 80 after 557 ms: Connection refused
1 Like

I see your ports as open... so there must be an opportunity to examine your redirect.

2 Likes

Not me :frowning:

```
curl -Ii4 www.jumblgram.com
HTTP/1.1 403 Forbidden     <<<<<<<<<<<<<<<<<<<< all requests are FORBIDDEN
X-Powered-By: Express
Content-Type: application/json; charset=utf-8
Content-Length: 38
ETag: W/"26-5CgstkXaOmyU++CQZVFmF/4Z97w"
Date: Mon, 29 Jul 2024 18:36:14 GMT
Connection: keep-alive
Keep-Alive: timeout=5
```
3 Likes

hmm...

OR

Maybe all the HEAD requests are FORBIDDEN...

2 Likes
```
http://www.jumblgram.com:80
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    60  100    60    0     0    177      0 --:--:-- --:--:-- --:--:--   178
100   139  100   139    0     0    153      0 --:--:-- --:--:-- --:--:--   408
https://www.jumblgram.com/
```
1 Like
```
Retrieving SSL certificate details for www.jumblgram.com...

SSL certificate details for www.jumblgram.com:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:84:26:48:f5:12:3e:bc:14:86:ce:a0:5b:5c:2d:fc:49:3d
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: C = US, O = Let's Encrypt, CN = E5
        Validity
            Not Before: Jul 29 16:37:44 2024 GMT
            Not After : Oct 27 16:37:43 2024 GMT
        Subject: CN = www.jumblgram.com
```

Looks like we got a cert.

1 Like

Well, ATM I'm making any request that doesn't start with /.well-known/acme-challenge/ not return anything. Nothing should be forbidden anymore, I don't think.

1 Like

Yeah yeah, but it's just that I can't renew it without stopping my nodejs server

1 Like

Weird:

It seems to be connected and is waiting for something...

```
curl -4 www.jumblgram.com
help
me
I'm
stranded
on
a
deserted
island
curl: (52) Empty reply from server
```

Then replies with nothing and closes the connection.

2 Likes

Oh wait yeah, I'll just make any requests that aren't to the acme challenge forbidden

2 Likes

Then put a test file in the expected challenge location.
So we can test that path out.

2 Likes