Certbot failed to authenticate domains: Invalid port in redirect target

ciropom · December 22, 2024, 11:16am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: vegani.me, mail.vegani.me

I ran this command: (both produce the same result)

certbot renew --nginx
certbot certonly --webroot --webroot-path /var/www/html/ -d vegani.me -d mail.vegani.me

It produced this output:

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: mail.vegani.me
  Type:   connection
  Detail: 45.151.88.100: Fetching https://mail.vegani.me:2305/.well-known/acme-challenge/BfTQmiUx2E38G0mU4opoZzDsdfD8MPGjXVaQqVIpBeI: Invalid port in redirect target. Only ports 80 and 443 are supported, not 2305

  Domain: vegani.me
  Type:   connection
  Detail: 45.151.88.100: Fetching https://vegani.me:2305/.well-known/acme-challenge/jMIPTfqqIX7_ipfofbPDvrvlqOD57-Ngb6Kmi6VdR-Q: Invalid port in redirect target. Only ports 80 and 443 are supported, not 2305

My web server is (include version): nginx 1.24.0

The operating system my web server runs on is (include version): Ubuntu noble (24.04)

My hosting provider, if applicable, is: self-hosted

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.9.0

I added to both mail.vegani.me and vegani.me nginx conf the following code

# Required for LE certificate enrollment using certbot
    	location '/.well-known/acme-challenge' {
        	default_type "text/plain";
        	root /var/www/html;
    	}

I created a file /var/www/html/.well-known/acme-challenge/test
and tried to download it successfully with

curl https://vegani.me:443/.well-known/acme-challenge/test

But still when using certbot both in nginx and webroot mode fails for a redirect to a port I've never seen nor configuerd anywhere.

Recently I upgraded my system and reinstalled everything.
I copied the /etc/letsencrypt folder from my older OS (symlinks included)
and simply copied it into the new OS.

It was at that point that renew stopped working, while everything else is working correctly.
I'm quite lost, I don't know howto look for this redirect to port 2305 that I can't reproduce outside of certbot commands.

Thank you very much for your kind help.
Danilo

Nekit · December 22, 2024, 11:31am

Edit: It appears Osiris cracked it down below

Hi! HTTP-01 challenge always starts at port 80 and follows redirects. If the redirect target is a different domain, or has a port other than 80 or 443 (as in your case) then validation will fail. This is what I see:

$ curl -v http://vegani.me/.well-known/acme-challenge/test
* Host vegani.me:80 was resolved.
* IPv6: (none)
* IPv4: 45.151.88.100
*   Trying 45.151.88.100:80...
* Connected to vegani.me (45.151.88.100) port 80
* using HTTP/1.x
> GET /.well-known/acme-challenge/test HTTP/1.1
> Host: vegani.me
> User-Agent: curl/8.11.1
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 302 Found
< Location: https://vegani.me:2305/.well-known/acme-challenge/test
< Connection: close

ciropom:

I added to both mail.vegani.me and vegani.me nginx conf the following code

# Required for LE certificate enrollment using certbot
    	location '/.well-known/acme-challenge' {
        	default_type "text/plain";
        	root /var/www/html;
    	}

~~This code should be in the server {} block that handles (listens) port 80 of your domains.~~

~~If you want people of this forum to take a further look, you should post the entire output of nginx -T command.~~

Osiris · December 22, 2024, 11:34am

It's your TP-Link router doing the redirecting. Frankly, your router should NOT be accessible from the world wide web, especially as TP-Link is known for it's many, many vulnerabilities in their firmwares.

You should make sure external port 80 is not used by your TP-Link, but properly portmapped to your nginx. And probably need to shield access to that port 2305 from the world wide web too.

ciropom · December 22, 2024, 12:46pm

Oh my.. Indeed I changed also the router, that had a default port open to the world.. that is 2305..
I haven't noticed it
Removing the remote access, and mapping port 80 as you told me solved the issue.

I don't know why I don't see the same output as you for curl -v but I suspect it's because I'm in the local LAN network.

By the way thank you very much for the guidance and for exposing a vlunerability in my configuration.

Thank you again and have a nice day
Danilo

system · January 21, 2025, 12:46pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Invalid empty hostname in redirect target Help	4	1286	December 26, 2020
Invalid host in redirect target Help	3	1805	August 23, 2021
Certbot fails with "Certbot failed to authenticate some domains" Help	7	949	May 24, 2023
Certbot failed to authenticate some domains Help	4	503	May 5, 2022
Certbot Error getting validation data Help	4	1004	August 22, 2022

Certbot failed to authenticate domains: Invalid port in redirect target

Related topics