Certbot Auto renew without HTTP and without TLS-SNI-01

wwwiesel · January 12, 2018, 11:06pm

Hello,

i am new here and i can not renew my certificate due the disabled TLS-SNI-01.

My firewall and my webserver only listen to port 443, any suggestions how to get this working again? webroot needs http port 80 which i do not want to open.

Thanks in advanced.

/Weasel

_az · January 12, 2018, 11:21pm

Hello,

The http-01 challenge must be sent on port 80 (though it will follow redirects to 443). Unless you can do this, it is not an option for you.

The remaining option is the dns-01 challenge (--preferred-challenges dns-01). For automatic renewal using this challenge, Certbot supports a number of DNS providers and you also have the option of providing script hooks to automatically perform the DNS validation updates.

wwwiesel · January 12, 2018, 11:33pm

hi, thx…

i checked the dns-01 option and getting this:

None of the preferred challenges are supported by the selected plugin

_az · January 12, 2018, 11:34pm

It is probably relating to the way you are invoking Certbot.

Could you show your command, as well as your /etc/letsencrypt/renewal/xxx.conf file for the domain?

wwwiesel · January 12, 2018, 11:40pm

sure...

/usr/sbin/certbot-auto --preferred-challenges dns-01

# renew_before_expiry = 30 days
version = 0.19.0
archive_dir = /etc/letsencrypt/archive/XXX.firewall-gateway.de
cert = /etc/letsencrypt/live/XXX.firewall-gateway.de/cert.pem
privkey = /etc/letsencrypt/live/XXX.firewall-gateway.de/privkey.pem
chain = /etc/letsencrypt/live/XXX.firewall-gateway.de/chain.pem
fullchain = /etc/letsencrypt/live/XXX.firewall-gateway.de/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = apache
installer = apache
account = 12345807bf2af52d3X3466fd0b4f6d4c

_az · January 13, 2018, 12:05am

Do you control the DNS for XXX.firewall-gateway.de, or whatever the real domain is?

To do a manual request for a cert using dns-01:

certbot-auto certonly --preferred-challenges dns \
--manual --manual-public-ip-logging-ok \
-d XXX.firewall-gateway.de

In order to automate this, you would need to either use one of the DNS plugins implemented by Certbot (assuming your nameservers are compatible with one of them) or provide scripts to implement the DNS updates for the domain validation.

wwwiesel · January 13, 2018, 12:15am

thx for the fast responsed... i control the DNS record yes, but i can only control the A (AAAA) records and not the TXT records...

_az · January 13, 2018, 12:18am

If you can put a CNAME record, then you can point the _acme-challenge record to another domain for which you can control the TXT record.

Otherwise I think you are out of luck .

wwwiesel · January 13, 2018, 12:26am

sry, no only A record…

ok, but thank you for your time! maybe there will be a solution in the future

system · February 12, 2018, 12:26am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.