Certbot renewal without HTTP Port

glennda37 · January 25, 2019, 3:43pm

I ran this command: certbot renew --dry-run

It produced this output:
Attempting to renew cert (cctv.tnwestpoint.co.uk) from /etc/letsencrypt/renewal/cctv.tnwestpoint.co.uk.conf produced an unexpected error: Failed authorization procedure. cctv.tnwestpoint.co.uk (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://cctv.tnwestpoint.co.uk/.well-known/acme-challenge/DIc2ImfNPDgDLVJVkBNh6jfafang9mjSSnYrxD0VzH4: Timeout during connect (likely firewall problem). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/cctv.tnwestpoint.co.uk/fullchain.pem (failure)

My web server is (include version): Apache 2.2

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): n/a

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.28.0

My webserver I’ve configured to only allow HTTPs connections inbound and ideally I don’t want to be opening HTTP.

The above means I can only have the renewal since updating from 0.17 to 0.28.0 by enabling http inbound to the server. Is it possible to auto-renew with HTTPs only?

JuergenAuer · January 25, 2019, 3:46pm

Hi @glennda37

yes, if you use http-01 validation.

You can use tls-alpn-01 - validation. But Certbot doesn't support that, acme.sh does.

Or you use dns-01 validation.

Why isn't it possible to open port 80? Security is a wrong argument, you can use redirects http -> https.

glennda37 · January 25, 2019, 3:54pm

its a single box sat in my house and the only port needed was 443 (as its an app connecting to it, rather than browsers) which is why I was keeping the ports down, If it accepts http>HTTPS redirection I’ll leave 80 open and just use the redirect.

I’d initially just configured it on 443, so I had to add the 80 binding to get it to work.

JuergenAuer · January 25, 2019, 4:05pm

Yes, that's the solution. Add a 80-port binding and a redirect. But check that your redirect is correct, so that

http://yourdomain.com/.well-known/acme-challenge/1234

is redirected to

https://yourdomain.com/.well-known/acme-challenge/1234

not to

https://yourdomain.com/

(sometimes seen).

glennda37 · January 25, 2019, 4:11pm

Yes, I’ll ensure the requested page is re-written.

Thanks

system · February 24, 2019, 4:11pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Certbot Renew Certificate Issue Help	28	1866	March 30, 2019
Renewal problems after upgrading certbot Help	13	1884	March 18, 2019
Issues renewing a domain with proxypass and certbot-apache Help	3	973	May 4, 2021
Renew standalone does not use http01_port Server	7	5330	April 20, 2018
Have renewed certificate fine for years but now i can't renew it Help	28	1505	March 6, 2023

Certbot renewal without HTTP Port

Related topics