Certbot TLS-SNI-01 issue


#1

Sorry, I just received the email about certbot / letsencrypt and the TLS-SNI-01 security issue. I followed the other topics (which are now closed) but have an issue where our firewall and apache server do not allow port 80 (http) so the webroot apache method using http-01 is failing because I cannot get it to use https to connect to our domain. Has there been a work around for this yet or something I overlooked?

My domain is: twrnoc.com

I ran this command:
certbot --authenticator webroot --installer apache --webroot-path /var/www/html/portal -d twrnoc.com

It produced this output:
Failed authorization procedure. twrnoc.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://twrnoc.com/.well-known/acme-challenge/l6ZlTGUKpd3BrrPUXiFTyP8l02Y1JDZYFAsnx8hlQDg: Timeout during connect (likely firewall problem)

My web server is (include version):
Apache

The operating system my web server runs on is (include version):
FC23

I can log in to a root shell on my machine (yes or no, or I don’t know):
Yes


#2

Hi @jamesarm97

This is a public website. Why is port 80 closed? Every website should answer on port 80 and port 443.

But if you can’t open port 80, you have to use dns-01 validation. Or the new tls-alpn-validation.

But dns-01 validation requires a new dns txt entry every 60 - 85 days. So without an API it’s terrible.
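As an added example (not code from this thread or from Certbot), the following Python computes what the CA expects to find for each ACME challenge type mentioned above, using the domain and the http-01 token from the error output in post #1 together with a constructed placeholder account key; it shows why http-01 needs port 80 while dns-01 needs only a TXT record and tls-alpn-01 only port 443.

```python
import base64
import hashlib
import json

# Constructed placeholder RSA public JWK (not a real key); only the members
# that matter for the RFC 7638 thumbprint are present.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "placeholder-modulus-not-a-real-key"}
# Token taken from the http-01 error message quoted in post #1.
SAMPLE_TOKEN = "l6ZlTGUKpd3BrrPUXiFTyP8l02Y1JDZYFAsnx8hlQDg"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 8555 requires everywhere in ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Shared secret binding the challenge token to the ACME account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_expectation(domain: str, token: str, jwk: dict) -> tuple:
    """URL the CA fetches over plain HTTP (port 80) and the exact body it must receive."""
    return (f"http://{domain}/.well-known/acme-challenge/{token}", key_authorization(token, jwk))


def dns01_expectation(domain: str, token: str, jwk: dict) -> tuple:
    """TXT record name and value the CA queries; no inbound connection to the host at all."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return (f"_acme-challenge.{domain}", b64url(digest))


def tls_alpn01_expectation(token: str, jwk: dict) -> bytes:
    """Digest the CA expects in the acmeIdentifier extension of a self-signed cert served on
    port 443 when it connects with ALPN 'acme-tls/1' (RFC 8737); same digest dns-01 encodes."""
    return hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()


if __name__ == "__main__":
    for label, result in (("http-01", http01_expectation("twrnoc.com", SAMPLE_TOKEN, SAMPLE_JWK)),
                          ("dns-01", dns01_expectation("twrnoc.com", SAMPLE_TOKEN, SAMPLE_JWK)),
                          ("tls-alpn-01", tls_alpn01_expectation(SAMPLE_TOKEN, SAMPLE_JWK).hex())):
        print(label, result)
```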


#3

This may help you (the PPA obviously won’t work on Fedora and I don’t know if there’s an equivalent for 23, but the other options may work).


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.