Certbot TLS-SNI-01 issue

jamesarm97 · January 18, 2019, 2:14pm

Sorry, I just received the email about certbot / letsencrypt and the TLS-SNI-01 security issue. I followed the other topics (which are now closed) but have an issue where our firewall and apache server do not allow port 80 (http) so the webroot apache method using http-01 is failing because I cannot get it to use https to connect to our domain. Has there been a work around for this yet or something I overlooked?

My domain is: twrnoc.com

I ran this command:
certbot --authenticator webroot --installer apache --webroot-path /var/www/html/portal -d twrnoc.com

It produced this output:
Failed authorization procedure. twrnoc.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://twrnoc.com/.well-known/acme-challenge/l6ZlTGUKpd3BrrPUXiFTyP8l02Y1JDZYFAsnx8hlQDg: Timeout during connect (likely firewall problem)

My web server is (include version):
Apache

The operating system my web server runs on is (include version):
FC23

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

JuergenAuer · January 18, 2019, 4:31pm

Hi @jamesarm97

this is a public website. Why is port 80 closed? Every website should answer with port 80 and port 443.

But if you can't open port 80, you have to use dns-01 validation. Or the new tls-alpn-validation.

But dns-01 validation requires a dns txt entry, every 60 - 85 days new. So without an API it's terrible.

jmorahan · January 18, 2019, 8:01pm

This may help you (the PPA obviously won’t work on Fedora and I don’t know if there’s an equivalent for 23, but the other options may work).

system · February 17, 2019, 8:07pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.