Certbot renewal firewall problem


#1

I am having a terrible time trying to get my certificates renewed. When I run the test it creates the challenge file in my web root directory at .well-known/acme-challenge/{challenge-file}. When I run the renew I am able to go into that folder quickly and grab the new file name and am able to hit the address at www.creativebagwedding.com/.well-known/acme-challenge/{challenge-file} and it brings up the contents. I also looked into the apache access logs and found 3 requests for that file.

13.58.30.69 - - [14/Feb/2019:15:30:16 -0700] “GET /.well-known/acme-challenge/Ss5j-_eOLGW1Oi_P3FkqS08wek0rwYERH_FXP3Ug4-s HTTP/1.1” 200 338 “-” “Mozilla/5.0 (compatible; Let’s Encrypt validation server; +https://www.letsencrypt.org)” -

34.213.106.112 - - [14/Feb/2019:15:30:17 -0700] “GET /.well-known/acme-challenge/Ss5j-_eOLGW1Oi_P3FkqS08wek0rwYERH_FXP3Ug4-s HTTP/1.1” 200 310 “-” “Mozilla/5.0 (compatible; Let’s Encrypt validation server; +https://www.letsencrypt.org)” -

52.29.173.72 - - [14/Feb/2019:15:30:17 -0700] “GET /.well-known/acme-challenge/Ss5j-_eOLGW1Oi_P3FkqS08wek0rwYERH_FXP3Ug4-s HTTP/1.1” 200 310 “-” “Mozilla/5.0 (compatible; Let’s Encrypt validation server; +https://www.letsencrypt.org)” -

All the requests are returning 200 however I still get the error that there is something in my firewall blocking my challenge. I did have to unblock those 3 ip’s from the firewall. Could there be more ip’s from letsencrypt that my firewall is blocking. We do have a fairly large list of ip’s that we block because we block any ip’s that hit are server too much.

Also I should mention that -webroot is really the only challenge that will work for us as we don’t own all the domains that we need to get certificates for. Many of the domains are just pointed to our server.

My domain is:
www.creativebagwedding.com

I ran this command:
sudo certbot renew --dry-run --cert-name www.creativebagwedding.com

It produced this output:

Processing /etc/letsencrypt/renewal/www.creativebagwedding.com.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.creativebagwedding.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (www.creativebagwedding.com) from /etc/letsencrypt/renewal/www.creativebagwedding.com.conf produced an unexpected error: Failed authorization procedure. www.creativebagwedding.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.creativebagwedding.com/.well-known/acme-challenge/w1iNKHuXGKKP0GESgxouzhCq4kEDbAGk2x9k77SzTmE: Timeout during connect (likely firewall problem). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.creativebagwedding.com/fullchain.pem (failure)


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.creativebagwedding.com/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


Running post-hook command: apachectl -k restart
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.creativebagwedding.com
    Type: connection
    Detail: Fetching
    http://www.creativebagwedding.com/.well-known/acme-challenge/w1iNKHuXGKKP0GESgxouzhCq4kEDbAGk2x9k77SzTmE:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version):
apache2

The operating system my web server runs on is (include version):
ubuntu 16.04

My hosting provider, if applicable, is:
AWS

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.28.0


#2

Hi @spenwall

that’s possible. And read

The feature we’re most excited about is multi-perspective validation. Currently, when a subscriber requests a certificate, we validate domain control from a single network perspective. This is standard practice for CAs. If an attacker along the network path for the validation check can interfere with traffic they can potentially cause certificates to be issued that should not be issued. We’re most concerned about this happening via BGP hijacking, and since BGP is not going to be secured any time soon, we needed to find another mitigation. The solution we intend to deploy in 2019 is multi-perspective validation, in which we will check from multiple network perspectives (distinct Autonomous Systems).

So Letsencrypt will change to a configuration with checks from different networks.

Checking your domain via https://check-your-website.server-daten.de/?q=creativebagwedding.com there is another error:

Domainname Http-Status redirect Sec. G
http://creativebagwedding.com/
174.129.241.16 301 https://creativebagwedding.com/ 0.220 A
http://www.creativebagwedding.com/
174.129.241.16 301 https://www.creativebagwedding.com/ 0.220 A
https://creativebagwedding.com/
174.129.241.16 301 https://www.creativebagwedding.com/ 6.796 N
Certificate error: RemoteCertificateNameMismatch
https://www.creativebagwedding.com/
174.129.241.16 200 2.500 N
Certificate error: RemoteCertificateChainErrors
http://creativebagwedding.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
174.129.241.16 301 https://creativebagwedding.com/index.php 0.220 A
http://www.creativebagwedding.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
174.129.241.16 301 https://www.creativebagwedding.com/index.php 0.200 A
https://creativebagwedding.com/index.php 301 https://creativebagwedding.com/ 5.924 N
Certificate error: RemoteCertificateNameMismatch
https://www.creativebagwedding.com/index.php 301 https://www.creativebagwedding.com/ 5.924 N
Certificate error: RemoteCertificateChainErrors

Your http + /.well-known/acme-challenge is redirected to your https + index.

Perhaps this redirect is missing if the file exists.

But the standard solution is to send a http status 404, if the file doesn’t exist.


#3

I found the last ip that our firewall was blocking. I did a dry run with the firewall turned off (yikes), and found the ip in the access log that was being blocked. It looks like it is working now.


#4

LE IPs can (and will) change at any moment.
You really need to reconsider your firewall stance.
If you are already allowing port 443, blocking port 80, will not increase your “security”.


closed #5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.