Can't renew certificate (probably due to https redirect)

Hi there,

I’m quite a newbie to Let's Encrypt. I installed a certificate a few months ago, but now I have to renew it, and I’m getting a timeout error. After some searching and fiddling, I’m turning to this great community.

Thanks in advance for the help!

Best,

Jerome

Site: https://kanboard.private.zone
certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /usr/local/etc/letsencrypt/renewal/kanboard.private.zone.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for kanboard.private.zone
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (kanboard.private.zone) from /usr/local/etc/letsencrypt/renewal/kanboard.private.zone.conf produced an unexpected error: Failed authorization procedure. kanboard.private.zone (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://kanboard.private.zone/.well-known/acme-challenge/Yg_u1TAuAzeX3IuOPcVKtzTOZuHysWnQY90KbTpB0es: Timeout. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/usr/local/etc/letsencrypt/live/kanboard.private.zone/fullchain.pem (failure)


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/usr/local/etc/letsencrypt/live/kanboard.private.zone/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: kanboard.private.zone
    Type: connection
    Detail: Fetching
    http://kanboard.private.zone/.well-known/acme-challenge/Yg_u1TAuAzeX3IuOPcVKtzTOZuHysWnQY90KbTpB0es:
    Timeout

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

#wget http://kanboard.private.zone/.well-known/acme-challenge/Yg_u1TAuAzeX3IuOPcVKtzTOZuHysWnQY90KbTpB0es:
URL transformed to HTTPS due to an HSTS policy
--2018-01-21 18:52:06-- https://kanboard.private.zone/.well-known/acme-challenge/Yg_u1TAuAzeX3IuOPcVKtzTOZuHysWnQY90KbTpB0es:
Resolving kanboard.private.zone (kanboard.private.zone)… 54.72.91.76
Connecting to kanboard.private.zone (kanboard.private.zone)|54.72.91.76|:443… connected.
HTTP request sent, awaiting response… 404 Not Found
2018-01-21 18:52:06 ERROR 404: Not Found.

I can connect to https://kanboard.private.zone/, but http://kanboard.private.zone/ times out.

It’s fine if the HTTP site redirects to the HTTPS site. But HTTP-01 validation won’t work if the HTTP site is down.

Check your firewall, security groups, and web server configuration?


Also, in case you missed it:

wget respects HSTS by default, which means that if it has previously encountered a Strict-Transport-Security header from your site, it will remember it and automatically request HTTPS next time even if you supply an HTTP URL. If you want to bypass this behaviour (e.g. to test that HTTP is working for ACME validation) you can use the --no-hsts option.


Thanks, I indeed missed it. There’s probably something wrong with my apache conf (I’m new to apache too). Here is what I have in my httpd.conf:

<VirtualHost *:80 *:443>
  ServerName kanboard.private.zone
  DocumentRoot /usr/local/www/kanboard
  SSLCertificateFile "/usr/local/etc/letsencrypt/live/kanboard.private.zone/cert.pem"
  SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/kanboard.private.zone/privkey.pem"
  SSLCertificateChainFile "/usr/local/etc/letsencrypt/live/kanboard.private.zone/fullchain.pem"
</VirtualHost>

Am I missing something?

Thanks again.

Jerome

Hmm. mnordhoff said he was able to connect to your site over HTTPS, but I can’t - did you change something? It looks like your server is serving HTTP on port 443, which is what I’d expect from the configuration you posted.

You’re serving both ports 80 and 443 using the same VirtualHost, and Apache doesn’t handle that well - normally you want one VirtualHost for port 80 and another for 443. That way you can put all the SSL configuration directives in the port 443 vhost (including SSLEngine on, which you’re missing), and they won’t interfere with HTTP on port 80.

However, this still doesn’t explain why we’re getting no response at all on port 80. Check that you have a Listen 80 somewhere in your apache config? If that’s not missing, it may be a firewall or similar issue. Check your EC2 security groups to make sure you’re allowing incoming traffic on port 80.

It was doing HTTPS on port 443 when I posted before. Now it's doing HTTP.

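As an added illustration of the split-vhost layout described in the reply above (this is not a config from the original thread, and not Kanboard's or certbot's own), here is one way to lay out httpd.conf so that port 80 keeps serving the ACME challenge directory while everything else is redirected to HTTPS, and all TLS directives live only in the port 443 vhost. It reuses the ServerName, DocumentRoot and certificate paths from the posted config; it assumes mod_ssl, mod_rewrite and mod_headers are loaded, that the webroot given to certbot is the DocumentRoot, and that Apache is 2.4.8 or newer, where fullchain.pem can be passed directly as SSLCertificateFile and SSLCertificateChainFile is no longer needed. The EC2 security group must still allow inbound TCP/80, or none of this is reachable.

```apache
# Make sure both ports are actually bound; a missing "Listen 80" looks
# exactly like a firewall drop from the outside.
Listen 80
Listen 443

# Plain-HTTP vhost: only job is to answer HTTP-01 and send everyone else to HTTPS.
<VirtualHost *:80>
  ServerName kanboard.private.zone
  DocumentRoot /usr/local/www/kanboard

  # certbot --webroot writes tokens under <webroot>/.well-known/acme-challenge/
  # (assumption: webroot == DocumentRoot). Allow them to be read as static files.
  <Directory "/usr/local/www/kanboard/.well-known/acme-challenge">
    Options None
    AllowOverride None
    Require all granted
  </Directory>

  # Redirect everything EXCEPT the challenge path. Redirecting the challenge
  # to HTTPS is allowed by HTTP-01, but only if port 443 is healthy; keeping
  # it on port 80 means a broken TLS config cannot block renewal.
  RewriteEngine on
  RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
  RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</VirtualHost>

# TLS vhost: all SSL* directives live here and only here.
<VirtualHost *:443>
  ServerName kanboard.private.zone
  DocumentRoot /usr/local/www/kanboard

  SSLEngine on
  # Apache >= 2.4.8: fullchain.pem carries leaf + intermediate, so no
  # SSLCertificateChainFile is needed (on older Apache use cert.pem here
  # and chain.pem, not fullchain.pem, as SSLCertificateChainFile).
  SSLCertificateFile    "/usr/local/etc/letsencrypt/live/kanboard.private.zone/fullchain.pem"
  SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/kanboard.private.zone/privkey.pem"

  # HSTS belongs on the HTTPS vhost only. Note that once a client has seen
  # this header it will upgrade http:// URLs itself, which is why wget
  # needed --no-hsts earlier in this thread.
  Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```

Before reloading, `apachectl configtest` catches syntax errors and `apachectl -S` prints which vhost is bound to which port, so you can confirm that *:80 and *:443 map to separate vhosts. After the reload, `certbot renew --dry-run` exercises the port-80 path end to end without touching the live certificate.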

Many thanks. Me dumb, I had completely forgotten that I had only granted access on port 443 in my EC2 inbound rules.

Certificate has been renewed successfully. Thanks again.

Jerome

