Certbot unable to bind to port 80 in IPv4

Hello there !

I'm coming to you for an issue in certificate renewal that I can't seem to be able to solve. It has to do, I believe, with Cerbot being unable to bind to a port in IPv4, as I will explain.

My certificate is for my domain and a couple of subdomains (alt domains).
I have been trying to renew my certificate with the standalone mode and a http-01 challenge, listening both on default port (that is, 80) and on unprivileged ports. Neither work, because Certbot fails to bind to the IPv4 port, but does bind to IPv6, which can't be solved by let's encrypt bot (I do not have an IPv6 address and do not wish to have one or add an AAAA entry in my DNS zone).

My domain is:

• forceistrongwithisone.fr (with alt subdomains)

I am running :

• Debian 10 (the problem was also here with Debian 9, I updated recently, hoping that it would change something)
• Apache 2.4.25 (turned off during renewal process)
• certbot 0.31.0
• openssl 1.1.1c

The log file is as follows :

• For the part concerning binding

2019-07-20 12:24:44,601:DEBUG:acme.standalone:Successfully bound to :80 using IPv6
2019-07-20 12:24:44,602:DEBUG:acme.standalone:Certbot wasn't able to bind to :80 using IPv4, this is often expected due to the dual stack nature of IPv6 socket implementations.

• For the error log and the python error output (sorry, blockquote because it seems like I can't manage to make it use preformated text, it comes out as an indented block):

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
self._respond(aauthzrs, resp, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 168, in _respond
self._poll_challenges(aauthzrs, chall_update, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 239, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. forceistrongwithisone.fr (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://forceistrongwithisone.fr/.well-known/acme-challenge/rOHLb3wiDCiyD0XnmR3lwIUIDTL5ji-hxwdBe8iNauQ: Error getting validation data, cloud.forceistrongwithisone.fr (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://cloud.forceistrongwithisone.fr/.well-known/acme-challenge/UJkBDRyNcHcFPUmyRVS0wmP5l86yQBrBkv8B4eeJEOA: Error getting validation data, plex.forceistrongwithisone.fr (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://plex.forceistrongwithisone.fr/.well-known/acme-challenge/VRwBkoFwnMYhOWgKDRegINQSWbNEz3-qCZl6_VmZ8iA: Error getting validation data

2019-07-20 12:24:48,869:DEBUG:certbot.error_handler:Calling registered functions
2019-07-20 12:24:48,869:INFO:certbot.auth_handler:Cleaning up challenges
2019-07-20 12:24:48,870:DEBUG:certbot.plugins.standalone:Stopping server at :::80...
2019-07-20 12:24:49,114:WARNING:certbot.renewal:Attempting to renew cert (forceistrongwithisone.fr) from /etc/letsencrypt/renewal/forceistrongwithisone.fr.conf produced an unexpected error: Failed authorization procedure. forceistrongwithisone.fr (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://forceistrongwithisone.fr/.well-known/acme-challenge/rOHLb3wiDCiyD0XnmR3lwIUIDTL5ji-hxwdBe8iNauQ: Error getting validation data, cloud.forceistrongwithisone.fr (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://cloud.forceistrongwithisone.fr/.well-known/acme-challenge/UJkBDRyNcHcFPUmyRVS0wmP5l86yQBrBkv8B4eeJEOA: Error getting validation data, plex.forceistrongwithisone.fr (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://plex.forceistrongwithisone.fr/.well-known/acme-challenge/VRwBkoFwnMYhOWgKDRegINQSWbNEz3-qCZl6_VmZ8iA: Error getting validation data. Skipping.
2019-07-20 12:24:49,117:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 452, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1193, in renew_cert
renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 116, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 310, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 353, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 389, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
self._respond(aauthzrs, resp, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 168, in _respond
self._poll_challenges(aauthzrs, chall_update, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 239, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. forceistrongwithisone.fr (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://forceistrongwithisone.fr/.well-known/acme-challenge/rOHLb3wiDCiyD0XnmR3lwIUIDTL5ji-hxwdBe8iNauQ: Error getting validation data, cloud.forceistrongwithisone.fr (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://cloud.forceistrongwithisone.fr/.well-known/acme-challenge/UJkBDRyNcHcFPUmyRVS0wmP5l86yQBrBkv8B4eeJEOA: Error getting validation data, plex.forceistrongwithisone.fr (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://plex.forceistrongwithisone.fr/.well-known/acme-challenge/VRwBkoFwnMYhOWgKDRegINQSWbNEz3-qCZl6_VmZ8iA: Error getting validation data

2019-07-20 12:24:49,117:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2019-07-20 12:24:49,118:ERROR:certbot.renewal: /etc/letsencrypt/live/forceistrongwithisone.fr/fullchain.pem (failure)
2019-07-20 12:24:49,118:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 11, in
load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
return config.func(config, plugins)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1272, in renew
renewal.handle_renewal_request(config)
File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 477, in handle_renewal_request
len(renew_failures), len(parse_failures)))
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)

I have root access on the machine, CLI interface (bash).

I checked out the code, and it doesn't seem like there is a way to just make it bind to IPv4, and see what happens, right ? The class object tries to make it bind to both and only stops if both fail ?

If someone has an idea, I'd be glad to hear it. Thanks for your great work.

Best regards,
Me

Hi @Naboochodonosor

your port 80 is blocked ( https://check-your-website.server-daten.de/?q=forceistrongwithisone.fr ):

What's running there? It's not a webserver, it's something else.

It's possible to connect with telnet, but then the connection is closed.

You must stop that instance if you want to use --standalone.

Hum, yes, my bad… That is a bit stupid on my end. The server is behind a router, which has currently no NAT rule for port 80. I will add that to it ASAP, however I doubt that it is the issue. Aside from that, there is no website currently at forceistrongwithisone.fr, I’m (for now) only using my subdomains.

When launching Certbot while checking with ss, Certbot only listens to port 80 (::80) on the IPv6 local address (fe80::), not on :80. Unless I’m mistaken (which is quite possible), not having a NAT rule for port 80 shouldn’t prevent certbot from listening on port 80 on the server itself ? Or does it check that it is reachable before ?

Also, you’ve started a telnet connection with 82.244.57.42 on port 23 ? It shouldn’t be open, doesn’t appear to be and I can’t connect, nor does nmap shows . If you could confirm or infirm that, that’d be great

Maybe. But if you have only an A-record, not an AAAA, Letsencrypt can't check your website.

So: Only A-Record -> your port 80 must be visible.

No, I've checked port 80 to see, if there is an answer.

telnet yourdomain 80

Yep, I realize that IPv6 is useless here, I don't actually want to use it
Thanks for your answer. I can't currently change the port 80 on my router to redirect to my webserver, as it is used by my VPN (to prevent port filtering), which I'm using, but I'll do it as soon as I get back and update then.

Thank you !

Update :
It would seem that certbot does need an open connection to :80 to start listening to it on the local machine. Thanks a lot for your help, @JuergenAuer, and sorry about not seeing that one.

This is solved

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.