Is this supposed to work? I don’t plan on leaving tcp/80 open. On one of my setups, I was able to run certbot renew --dry-run
with only port 443 open on the firewall (verified tcp/80 closed on the firewall).
ipv6.example.com
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for ipv6.example.com
Waiting for verification…
Cleaning up challenges
ipv6.example.net
On another setup (certbot previously installed from pip, but both showing 0.22.2), it was complaining, and the http-01 renewal was using tcp/80.
/usr/lib/python3/dist-packages/josepy/jwa.py:107: CryptographyDeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.
signer = key.signer(self.padding, self.hash)
Performing the following challenges:
http-01 challenge for ipv6.example.net
Waiting for verification...
/usr/lib/python3/dist-packages/josepy/jwa.py:107: CryptographyDeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.
signer = key.signer(self.padding, self.hash)
Cleaning up challenges
/usr/lib/python3/dist-packages/josepy/jwa.py:107: CryptographyDeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.
signer = key.signer(self.padding, self.hash)
I tried to purge all certbot packages and installed python-certbot-nginx from the PPA, but nothing changed.
ipv6.example.com and ipv6.example.net are both on Ubuntu 16.04 LTS; server_name only has an AAAA record.
ipv6.example.com on nginx 1.15.0
ipv6.example.net on nginx 1.14.0
Is http-01 over https supported? How can I make sure it uses https?