Certbot - Renewal using HTTP-01 Doesn't Work Because Port 80 is Blocked

Hi

My domain is: tronatic-studio.com

I ran this command: certbot renew --dry-run

It produced this output:

Attempting to renew cert from /etc/letsencrypt/renewal/www.tronatic-studio.com.conf produced an unexpected error: Failed authorization procedure.

backoffice.tronatic-studio.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to backoffice.tronatic-studio.com,

assets.tronatic-studio.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to assets.tronatic-studio.com,

media.tronatic-studio.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to media.tronatic-studio.com,

thumbnails.tronatic-studio.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to thumbnails.tronatic-studio.com. Skipping.

My web server is : nginx 1.13.1

The operating system my web server runs on is : Archlinux 4.9.30-1-lts (from archlinux.mirrors.ovh.net)

My hosting provider, if applicable, is: OVH

I can login to a root shell on my machine : yes

I'm using a control panel to manage my site : no

History:

  • I ran
certbot certonly --webroot \
-w /srv/http/atalow/tronatic-studio.com/web -d www.tronatic-studio.com -d tronatic-studio.com -d backoffice.tronatic-studio.com \
-w /srv/http/atalow/tronatic-studio.com/web/assets -d assets.tronatic-studio.com \
-w /srv/http/atalow/tronatic-studio.com/web/upload -d media.tronatic-studio.com \
-w /srv/http/atalow/tronatic-studio.com/web/thumbnails -d thumbnails.tronatic-studio.com

All domains are CNAMEs of tronatic-studio.com, which had only an A record at this time.

  • I added an AAAA record for tronatic-studio.com

  • I added a default server for disabling ipv6only

server {
    listen [::]:80 ipv6only=off default_server;
    listen [::]:443 ssl ipv6only=off default_server;
    server_name _;
    ssl_certificate /etc/letsencrypt/live/www.matthecat.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.matthecat.com/privkey.pem;
    return 444;
}
server {
    listen [::]:443 ssl http2;
    server_name media.tronatic-studio.com;

    ssl_certificate /etc/letsencrypt/live/www.tronatic-studio.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.tronatic-studio.com/privkey.pem;

    root /srv/http/atalow/tronatic-studio.com/web/upload;

    expires max;
    add_header Cache-Control public;
}

Now I can't figure out why www.tronatic-studio.com could be renewed and not the other CNAMEs.

Any idea? Thanks!

Hi @MatTheCat,

You are trying to renew the certificates using http-01 challenge but your web server returns an empty reply if you try to reach it using port 80.

$ curl -IkL6 http://backoffice.tronatic-studio.com
curl: (52) Empty reply from server

If you use the https version it answers correctly:

$ curl -IkL6 https://backoffice.tronatic-studio.com
HTTP/1.1 302 Found
Server: nginx
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Set-Cookie: PHPSESSID=p5om6s3g6kvsj4cd8ccbev9fmc; path=/
Cache-Control: no-cache, private
Date: Sat, 10 Jun 2017 12:22:03 GMT
Location: https://backoffice.tronatic-studio.com/connexion
Strict-Transport-Security: max-age=63072000

HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: PHPSESSID=b3e7j9bnols158385244udhd31; path=/
Cache-Control: private, must-revalidate
Date: Sat, 10 Jun 2017 12:22:03 GMT
Last-Modified: Fri, 09 Jun 2017 11:07:38 GMT
Strict-Transport-Security: max-age=63072000

You need to configure nginx to answer correctly using port 80 for the selected domains.

Cheers,
sahsanu


Oh, you mean nginx must be listening on port 80 for all my hosts? But I have other hosts available only through port 443 for which renewal works :confused:

For all, no, but for the ones using the http-01 challenge, yes.

Maybe you are not using the http-01 challenge for them, or you have renewed them within 30 days after they were issued; Let's Encrypt keeps the validation for 30 days, so if you renew during these first 30 days it won't revalidate your domain.

I used the http-01 challenge for all my domains. As I ran renew with the dry-run option, I thought it would revalidate? All of my certificates were issued less than 30 days ago.

Take http://thumbnails.skyzune-art.com, e.g.: through IPv4 it is not accessible on port 80, but renew doesn't output any error for this domain. Is this normal?

EDIT:

Anyway, I followed your advice, redirecting domains accessed on port 80 to port 443, and renewal worked. Thanks a lot!

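What sahsanu's diagnosis and the OP's EDIT amount to, written out as an added example (this is not the OP's posted config and not a snippet from the Certbot or nginx projects): one port-80 server per webroot that serves the http-01 token path and sends everything else to HTTPS. Hostnames and webroot directories are taken from the certbot command in the first post; everything else is an assumption. Only `listen [::]:80` is used because the OP's default server already binds that socket with `ipv6only=off`, which covers IPv4 too; adding a separate `listen 80;` on the same machine would clash with it.

```nginx
# Added example, not the original poster's configuration.
# Requests that match none of these server_name entries still fall through
# to the OP's default_server and its "return 444" (the "Empty reply" curl
# showed), so every name in the certificate needs an explicit port-80 server.

server {
    listen [::]:80;   # ipv6only=off on the default_server makes this dual-stack
    server_name tronatic-studio.com www.tronatic-studio.com backoffice.tronatic-studio.com;

    # certbot --webroot -w <dir> writes each token to
    # <dir>/.well-known/acme-challenge/<token>; root must equal that -w path.
    location ^~ /.well-known/acme-challenge/ {
        root /srv/http/atalow/tronatic-studio.com/web;
        default_type text/plain;
    }

    # Let's Encrypt follows redirects from the http-01 fetch, so the rest of
    # the site can stay HTTPS-only.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen [::]:80;
    server_name assets.tronatic-studio.com;
    location ^~ /.well-known/acme-challenge/ {
        root /srv/http/atalow/tronatic-studio.com/web/assets;
        default_type text/plain;
    }
    location / { return 301 https://$host$request_uri; }
}

server {
    listen [::]:80;
    server_name media.tronatic-studio.com;
    location ^~ /.well-known/acme-challenge/ {
        root /srv/http/atalow/tronatic-studio.com/web/upload;
        default_type text/plain;
    }
    location / { return 301 https://$host$request_uri; }
}

server {
    listen [::]:80;
    server_name thumbnails.tronatic-studio.com;
    location ^~ /.well-known/acme-challenge/ {
        root /srv/http/atalow/tronatic-studio.com/web/thumbnails;
        default_type text/plain;
    }
    location / { return 301 https://$host$request_uri; }
}
```

After `nginx -t` and a reload, the same check sahsanu ran (`curl -I http://backoffice.tronatic-studio.com/.well-known/acme-challenge/test`) should return a 404 from nginx rather than an empty reply, and `certbot renew --dry-run` should then pass for all four names. Each `location` root has to match the `-w` directory certbot was given for that hostname, otherwise the token is written to one directory and served from another.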
