Certbot nginx renewal http-01 over https

Is this supposed to work? I don't plan on leaving tcp/80 open. On one of my setups, I was able to run certbot renew --dry-run with only port 443 open on the firewall (verified tcp/80 closed on firewall).

ipv6.example.com

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for ipv6.example.com
Waiting for verification…
Cleaning up challenges

ipv6.example.net

On another setup (certbot previously installed from pip, but both showing 0.22.2), it was complaining and the renewal http-01 was using tcp/80.

/usr/lib/python3/dist-packages/josepy/jwa.py:107: CryptographyDeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.
  signer = key.signer(self.padding, self.hash)
Performing the following challenges:
http-01 challenge for ipv6.example.net
Waiting for verification...
/usr/lib/python3/dist-packages/josepy/jwa.py:107: CryptographyDeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.
  signer = key.signer(self.padding, self.hash)
Cleaning up challenges
/usr/lib/python3/dist-packages/josepy/jwa.py:107: CryptographyDeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.
  signer = key.signer(self.padding, self.hash)

I tried to purge all certbot packages and installed python-certbot-nginx from ppa, but nothing changed.

ipv6.example.com and ipv6.example.net are both on Ubuntu 16.04 LTS; server_name only has an AAAA record
ipv6.example.com on nginx 1.15.0
ipv6.example.net on nginx 1.14.0

Is http-01 over https supported? How can I make sure it uses https?

For now, you'll need to ensure that port 80 remains open, even if all it does is redirect to 443.

Let's Encrypt's HTTP validation method must start at port 80, due to some security issues with shared hosting.

There is an upcoming validation method to allow port 443-based validation, but it's not yet arrived.

If this isn't acceptable, you also have the choice to use DNS validation.

This was probably just the authorization being cached. It won't work reliably.

2 Likes
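
A port-80 server block that follows the advice above (port 80 stays open but only redirects to 443), as an added example that is not from the original posts. The hostname is the poster's placeholder, and the IPv6-only listener is an assumption based on the AAAA-only setup described in the question.

```nginx
# Added example (assumed layout, not the poster's actual configuration).
# Port 80 stays reachable for http-01 validation but serves nothing except a redirect.
server {
    # IPv6-only listener, matching a host that has only an AAAA record.
    listen [::]:80;
    server_name ipv6.example.com;

    # Keep the redirect inside a location block rather than at server level.
    # A server-level "return" runs before nginx selects a location, so it
    # would also redirect /.well-known/acme-challenge/ requests. Inside
    # "location /", any more specific location added for the challenge
    # takes precedence over the redirect.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

From outside the firewall, `curl -6 -sI http://ipv6.example.com/` should return the 301 response; a timeout or refused connection means tcp/80 is still blocked and http-01 validation will fail once any cached authorization expires.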
