Certbot renew --dry-run fails with 502

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: schemefusion.com

I ran this command: certbot renew --dry-run

It produced this output:

Domain: schemefusion.com
Type:   unauthorized
Detail: xxxx:xxxx::xxxx:xxxx:xxxx:xxxx: Invalid response from http://schemefusion.com/.well-known/acme-challenge/8VCz1h6N_MkHqlMhBfUWk2SiRwzLqr6zMInMM1Oi-lA: 502

My web server is (include version): nginx/1.24.0

The operating system my web server runs on is (include version): fedora 38

My hosting provider, if applicable, is: linode/akamai

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.8.0

1 Like

Welcome @onyeibo

You should check any firewall or network routing gear. It looks like something is rejecting ACME Challenge requests with an HTTP 502 error. We see something similar with people using Palo Alto brand firewalls with certain settings. This does not look exactly like what we see with Palo Alto but it is similar.

# A reasonable 301 response
curl -I4 http://schemefusion.com/.well-known/acme-challeng
HTTP/1.1 301 Moved Permanently
Server: nginx/1.24.0
Location: https://schemefusion.com/.well-known/acme-challeng

# But a 502 when using the full challenge path
curl -I4 http://schemefusion.com/.well-known/acme-challenge
HTTP/1.1 502 Bad Gateway
Server: nginx/1.24.0

# An actual challenge will also include a challenge token 
# Test404 is not valid but should get a 404 Not Found response not 502
curl -I4 http://schemefusion.com/.well-known/acme-challenge/Test404
HTTP/1.1 502 Bad Gateway
Server: nginx/1.24.0

Update: The above used your IPv4 address. I got the same results with your IPv6 address.

3 Likes

Another option is that you may have a backend system to answer the ACME challenges. If this is the case, then the backend seems to be unreachable. You may want to check your nginx configuration: where are the challenges reverse-proxied?

3 Likes

upstream certbot {
    server 127.0.0.1:8000;
}

server {
    listen  [::]:80;
    listen  80;
    server_name _;
    root    /var/www/letsencrypt;

    location /.well-known/acme-challenge/ {
        proxy_pass http://certbot/.well-known/acme-challenge/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

I probably did something wrong above. Otherwise, I have tried renewing with the following script:

export DOMAINS="-d site.com -d www.site.com -d aaa.site.com -d bbb.site.com -d ccc.site.com -d xxx.site.com -d yyy.site.com -d zzz.site.com"
export CERTDIR=/var/www/letsencrypt
letsencrypt certonly --server https://acme-v02.api.letsencrypt.org/directory -a webroot --webroot-path=$CERTDIR --agree-tos $DOMAINS
service nginx reload

The script worked in the past (for creating the certs but not for renewals).

What is there?
Is it still working?

2 Likes

Nothing really

I am trying to set up a temporary proxy server to respond to the challenge. This worked in the past. The server should accept certs at /var/www/letsencrypt as in the script above.

No. ping 127.0.0.1:8000 gives me "Name or service not known"

That is a service that is supposed to run locally on the host itself. What does the command:

ss -pan | grep 8000

give?

3 Likes
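The two checks the replies above walk through by hand (curl a bogus token under /.well-known/acme-challenge/ and see whether the answer is 404, 301 or 502; then ss -pan to see whether anything listens on the proxied upstream port) can be scripted as a pre-renewal preflight. The following is an added example, not code from the thread or from Certbot; the domain and the 127.0.0.1:8000 upstream are taken from the posted nginx config, and the verdict strings are my own labels.

```python
import http.client
import secrets
import socket

# Constructed defaults for illustration: the domain from the thread and the
# upstream that the posted nginx config proxies /.well-known/acme-challenge/ to.
DOMAIN = "schemefusion.com"
UPSTREAM_HOST = "127.0.0.1"
UPSTREAM_PORT = 8000


def upstream_listening(host, port, timeout=2.0):
    """Is anything accepting TCP connections on host:port?

    Programmatic counterpart of `ss -pan | grep 8000`: if the connect fails,
    nginx has nothing to proxy to and answers 502 Bad Gateway.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_challenge(host, port=80, token=None, timeout=5.0):
    """HEAD a throwaway token under /.well-known/acme-challenge/ on host:port.

    Redirects are NOT followed, so a 301 to https is reported as-is, exactly
    as the curl -I checks above show it. Returns (status, Location header).
    """
    token = token or secrets.token_urlsafe(32)  # random, never an issued token
    path = f"/.well-known/acme-challenge/{token}"
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def classify(status, location=None):
    """Map the status of a bogus-token probe to a diagnosis label (my labels)."""
    if status == 404:
        return "ok"             # path is routed; an unknown token is correctly unknown
    if status in (502, 503, 504):
        return "upstream-down"  # location matched, but the proxied backend is unreachable
    if status in (301, 302, 307, 308):
        return "redirected"     # location not matched; request fell into `location /`
    if status == 200:
        return "unexpected-200" # something answers for any token; investigate
    return "unexpected"


def preflight(domain=DOMAIN, upstream=(UPSTREAM_HOST, UPSTREAM_PORT)):
    """Run both checks against the public name and the local upstream."""
    status, location = probe_challenge(domain)
    return {
        "upstream_listening": upstream_listening(*upstream),
        "challenge_status": status,
        "challenge_location": location,
        "verdict": classify(status, location),
    }


if __name__ == "__main__":
    for key, value in preflight().items():
        print(f"{key}: {value}")
```

Run it on the web host before `certbot renew --dry-run`: a verdict of "upstream-down" together with `upstream_listening: False` is precisely the situation in this thread, and "redirected" means the challenge location block is not matching at all. The probe uses a random token, so it never touches a real challenge and a 404 is the healthy answer.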

Nothing

So the service is not running. You have to know or figure out what process is supposed to start this service.

2 Likes

http://certbot without a path will probably be enough.

If you search the forum there's probably a config that does what you're trying to do.

1 Like

Why?

Try adding to your certbot request:
--standalone --http-01-port 8000

4 Likes
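Putting the two suggestions from the replies above together (drop the path from the proxy_pass target, and let Certbot's standalone authenticator listen on port 8000), the proxying half of the setup looks like this. This is an added example written from the thread's own configuration, not the poster's final config or anything shipped by Certbot or nginx; the paths and port are the ones from the thread.

```nginx
upstream certbot {
    # certbot --standalone --http-01-port 8000 binds here only while a
    # challenge is being answered; at any other time nothing listens.
    server 127.0.0.1:8000;
}

server {
    listen [::]:80;
    listen 80;
    server_name _;

    location /.well-known/acme-challenge/ {
        # No path after the upstream name: the request URI is passed through
        # unchanged, so the standalone server receives
        # /.well-known/acme-challenge/<token> exactly as the CA requested it.
        proxy_pass http://certbot;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Everything else still goes to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

Renewal is then `certbot certonly --standalone --http-01-port 8000 -d ...` (or the same authenticator recorded in the renewal config so that `certbot renew --dry-run` uses it). The Upgrade/Connection "upgrade" headers from the original config are a WebSocket handshake and serve no purpose for challenge files, so they are left out here. One caveat worth knowing when probing: because the standalone server exists only during a renewal, a bogus-token probe outside a renewal will return 502 from this config by design; a 502 reported by the CA during the renewal itself means Certbot was not listening on the port nginx proxies to.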

Thanks a lot!

That worked! Certificates for all domains are now renewed.

4 Likes
