Certbot: I am puzzled


#1

I am trying to set up certbot with Apache and did it successfully; I got a cert and everything works fine with it.

After that, I removed the virtual host section for port 80 and closed that port on the firewall.

When I do a dry-run: $ certbot renew --dry-run

I get “Unable to find a virtual host listening on port 80”, which is correct, since there is none.

When I add a virtual host, dry-run runs without errors.

When I do a “$ certbot --apache -d my.domain”, I get a new cert.

BUT: Port 80 is blocked by the firewall all the time. I cannot connect to it from outside.

So I do not understand why certbot complains about the missing virtual host for port 80 when a connection to this port is not needed for a renewal.


#2

For renewal, Let’s Encrypt has to validate all the hostnames again and uses port 80 for the http-01 challenge.

The alternative is to use the dns-01 challenge, but that would only be a viable option if your DNS provider has an API to add and remove the required records.


#3

No, it uses the key pair for verification. Read here https://letsencrypt.org/how-it-works/ under “Certificate Issuance and Revocation”. It can do so because it knows the public key already from the first invocation, where it already successfully tested whether the holder of the key pair controls the domain.

If it did an http-01 challenge, it should have failed, since port 80 is not open. But I have got a new cert. So it did work, though it should not have if you are right.


#4

Renewal requires a DNS-01, HTTP-01 or (deprecated) TLS-SNI-01 challenge.

However, authorizations can currently be reused for up to 30 days.

However however, Certbot’s UI doesn’t show this.

The new certificate was probably issued based on an authorization from earlier, without actually validating again, so it was successful even if validation would presently fail.
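Because Certbot's output does not say whether a hostname was actually challenged or served from a cached authorization, the only reliable signal is the authorization objects the ACME server returns for a new order (RFC 8555 format). The following is an added example, not code from this thread or from Certbot: it takes such authorization objects (the samples are constructed, not real CA data, with the clock pinned to a fixed date) and reports which hostnames would really need a reachable port 80 and which would be silently reused.

```python
"""Tell reused (cached) ACME authorizations apart from ones that will really be challenged."""
from datetime import datetime, timedelta, timezone

# Constructed sample (not real CA output): authorizations for a new order where one
# hostname was validated two days ago (still "valid") and another was never validated.
NOW = datetime(2019, 1, 10, tzinfo=timezone.utc)  # pinned clock for reproducible results
SAMPLE_AUTHZS = [
    {   # reused: already "valid", so no challenge is performed for this name
        "identifier": {"type": "dns", "value": "my.domain"},
        "status": "valid",
        "expires": (NOW + timedelta(days=28)).isoformat(),
        "challenges": [{"type": "http-01", "status": "valid", "token": "tok1"}],
    },
    {   # fresh: pending challenges; http-01 would need port 80 reachable from outside
        "identifier": {"type": "dns", "value": "www.my.domain"},
        "status": "pending",
        "expires": (NOW + timedelta(days=7)).isoformat(),
        "challenges": [
            {"type": "http-01", "status": "pending", "token": "tok2"},
            {"type": "dns-01", "status": "pending", "token": "tok3"},
        ],
    },
]


def classify_authorizations(authzs, now=NOW):
    """Return {hostname: description} saying whether validation really runs for it."""
    report = {}
    for authz in authzs:
        name = authz["identifier"]["value"]
        expires = datetime.fromisoformat(authz["expires"])
        if authz["status"] == "valid" and expires > now:
            # Cached authorization: issuance succeeds even if port 80 is firewalled now.
            days = (expires - now).days
            report[name] = f"reused authorization, no challenge; expires in {days} days"
        else:
            # A real challenge must be completed; list the types still pending.
            types = sorted(c["type"] for c in authz["challenges"] if c["status"] == "pending")
            report[name] = "fresh validation required via one of: " + ", ".join(types)
    return report


def renewal_truly_tested(authzs, now=NOW):
    """True only if every hostname is validated this time, i.e. nothing came from cache."""
    descriptions = classify_authorizations(authzs, now).values()
    return all(not d.startswith("reused") for d in descriptions)
```

Running `classify_authorizations(SAMPLE_AUTHZS)` shows "my.domain" as reused and "www.my.domain" as needing a fresh http-01 or dns-01, which is why a successful issuance shortly after the first one proves nothing about port 80.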


#5

Thanks. That explains everything. The first certificate was issued two days ago.
