Cannot renew expired certificate

Hello,

I cannot renew my expired certificate, please help!

My domain is: dstream.tiemann.support
cert

I ran this command:
certbot renew --dry-run
original command to request cert was:
certbot certonly --webroot -w /var/www/html -d dstream.tiemann.support
It produced this output:
certbot renew
logs

My web server is (include version):
pihole

The operating system my web server runs on is (include version):
debian/pi

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.12.0

Welcome to the community @waldecker

Your sample output shows the http challenge was redirected from HTTP to HTTPS (notice the https url in the error message). That is fine but right now I cannot connect to your server using port 80. All http challenges start with an http request. Let's Encrypt recommends keeping port 80 open.

Also see test result from Let's Debug site

The http 404 error in your sample output usually means the webroot path folder is not the same as the document root folder your server uses. I don't know pihole so not sure how you specify that.


(Possibly) a wasted opportunity to have handled the challenge requests then and there [within HTTP].


Thank you, I made sure the Pi is now reachable via TCP port 80, but with the same outcome.
I used the following how-to to set up the cert for the first time: Enabling HTTPS for your Pi-hole Web Interface - FAQs / Community How-to's - Pi-hole Userspace


How does your lighttpd fit in? Do you proxy requests from pi-hole to lighttpd?

The request from Let's Encrypt to check your domain has a format like this. You redirect that to HTTPS. It would be better if you did not redirect and simply had your HTTP (port 80) server respond with the proper value. But, redirecting should work too.

curl -Ik http://dstream.tiemann.support/.well-known/acme-challenge/ForumTest123
HTTP/1.1 301 Moved Permanently
Location: https://dstream.tiemann.support/.well-known/acme-challenge/ForumTest123
Date: Wed, 22 Jun 2022 13:54:40 GMT
Server: lighttpd/1.4.59

When I then try the new location I get a 404 Not Found, which is expected because ForumTest123 does not exist on your server. But, usually I would see a Server: lighttpd header like with the first request. If you make these requests do you see them both in your lighttpd server logs?

curl -Ik https://dstream.tiemann.support/.well-known/acme-challenge/ForumTest123
HTTP/1.1 404 Not found
Content-length: 50
Connection: close

If lighttpd should be responding, is the server.document-root value /var/www/html as you used in the -w option?

Also note, the cert returned from your dstream domain is not expired. It was issued on Jun 11 but is for a domain name of tunnel.tiemann.support

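A way to test the point made in this reply before running certbot again, as an added example that is not part of the thread: drop a test file into the webroot passed to -w, then fetch it the way the HTTP-01 validation does (plain HTTP on port 80, following the 301 to HTTPS). The webroot path, domain and the curl -k flag (to tolerate the wrong-name certificate seen above) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): check that files placed in the certbot
# webroot are reachable at the ACME challenge URL before running "certbot renew".
# Assumed inputs: $1 is the -w webroot path, $2 is the certificate domain name.

acme_challenge_url() {
  # $1 = domain, $2 = token; HTTP-01 always starts with plain HTTP on port 80
  printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

check_webroot() {
  webroot=$1
  domain=$2
  dir="$webroot/.well-known/acme-challenge"
  # constructed token, unique per run so a stale cached answer cannot match
  token="webroot-test-$(date +%s)-$$"
  mkdir -p "$dir" || return 2
  printf '%s' "$token" > "$dir/$token" || return 2
  # -L follows a 301 to HTTPS; -k tolerates a certificate for the wrong name
  body=$(curl -sS -L -k --max-time 15 "$(acme_challenge_url "$domain" "$token")")
  rc=$?
  rm -f "$dir/$token"
  if [ "$rc" -ne 0 ]; then
    echo "curl failed: is port 80 reachable from the internet?"
    return 1
  fi
  if [ "$body" = "$token" ]; then
    echo "OK: $webroot is the document root that serves $domain"
    return 0
  fi
  echo "MISMATCH: got '$body'; the server's document root differs from $webroot"
  return 1
}

# Usage: check_webroot /var/www/html dstream.tiemann.support
```

A MISMATCH result with a 404 body is exactly the symptom in the original post: the file exists on disk but the server answering the challenge is not serving that directory.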

Thanks for your help MikeMcQ!
I changed the lighttpd external conf temporarily to the following and it worked!

$HTTP["host"] == "pihole.example.com" {
  # Ensure the Pi-hole Block Page knows that this is not a blocked domain
  setenv.add-environment = ("fqdn" => "true")

  # Enable the SSL engine with a LE cert, only for this specific host
  $SERVER["socket"] == ":80" {
    ssl.engine = "disable"
    ssl.pemfile = "/etc/letsencrypt/live/pihole.example.com/combined.pem"
    ssl.ca-file =  "/etc/letsencrypt/live/pihole.example.com/fullchain.pem"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
  }

  # Redirect HTTP to HTTPS
  #$HTTP["scheme"] == "http" {
  #  $HTTP["host"] =~ ".*" {
  #    url.redirect = (".*" => "https://%0$0")
  #  }
  #}
}