Certbot with no port 80 and no DNS TXT records

My domain is:
[redacted]

I ran this command:
certbot --apache -d [redacted] --preferred-challenges tls-sni --staging

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.

My web server is (include version):
apache2 (Apache/2.4.29)

The operating system my web server runs on is (include version):
Ubuntu Server 18.04.1 LTS

Certbot version:
0.23.0

My hosting provider, if applicable, is:
DNS Hosting: noip (https://www.noip.com/)
I own and have a physical connection to the web-server.

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

Issue Summary
I am hosting my server behind a residential ISP that blocks port 80. I can access http using port 8080 if desired. Port 443 however is not blocked at all.

I am using a free DNS service from https://www.noip.com/ to get my domain name [redacted]. This service does not allow me to create DNS TXT records.

My server is currently accessible, and is using a self-generated temporary certificate.

Previously, I was running my web-server on a raspberry pi and was able to successfully set up a certificate for it using the certbot tool. The certificate was re-issued half a year ago. I don't remember the exact process I used to get the original certificate, since it has been a few years since the original certificate was issued.
I decided to upgrade to a slightly more powerful server. I set up apache in the same way and "replaced" the raspberry pi server. However, I am having trouble getting certbot to successfully complete a challenge.

Here's where I'm at:

  • I cannot use http-01 challenge since port 80 is blocked. I tried creating another DNS domain using noip to redirect port 80 to 443, but certbot complained about the redirection. Certbot also can't use alternate http ports, it only uses port 80 as far as I know.
  • I cannot use the dns-01 challenge since I cannot create DNS TXT records with noip.
  • I am trying to get the tls-sni-01 challenge to work, but I'm getting the error issued above. I've also tried manual and standalone authenticators, but they error in similar ways.

I've read that the tls-sni-01 was disabled due to a security concern a long time ago. Has it been re-enabled? If so, where is my issue coming from? If not, why is the documentation still showing it as a valid challenge (https://certbot.eff.org/docs/challenges.html)?

Any tips or suggestions would be greatly appreciated, thanks!

It's not available for new issuances, and it's never coming back. The docs need to be updated 🙂.

To use the replacement validation method (TLS-ALPN, also on port 443) with Apache, you will need to stop Apache, issue/renew the certificate, then start Apache again.

To add, Certbot does not support TLS-ALPN. The most accessible client that does is acme.sh.

I have been documenting methods to use TLS-ALPN without downtime, but Apache will probably never be supported due to its architecture as an HTTP-only server (whereas others like nginx are far more flexible).

What you might do is:

systemctl stop apache2
acme.sh --issue -d [redacted] --alpn
systemctl start apache2

Not ideal, but there it is.

Edit: As a slight enhancement, acme.sh itself can stop and start Apache for you as part of renewal using pre/post hooks, so you don't have to manually do anything and have everything automated via acme.sh --cron.

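The stop/issue/start sequence and the pre/post-hook automation described in the reply above, as an added example that is not code from the thread or from the acme.sh project. It assumes acme.sh is installed at $HOME/.acme.sh/acme.sh, that Apache is the systemd unit apache2 (as in the thread), and that iproute2's ss is available; DOMAIN is a placeholder. Beyond the bare three commands, it checks that port 443 has actually been released before acme.sh tries to answer the TLS-ALPN-01 challenge there, and it relies on acme.sh running the post-hook whether or not issuance succeeded, so Apache comes back either way.

```shell
#!/bin/sh
# Added example, not code from the thread or from the acme.sh project.
# Wraps "stop Apache, issue via TLS-ALPN-01 on 443, start Apache" so that
# (a) issuance never starts while something still holds port 443 and
# (b) Apache is restarted even when the challenge fails.
# Assumptions: acme.sh at $HOME/.acme.sh/acme.sh, Apache managed by the
# systemd unit "apache2", iproute2 "ss" available. DOMAIN is a placeholder.
DOMAIN="${DOMAIN:-example.invalid}"
ACME="${ACME:-$HOME/.acme.sh/acme.sh}"

# Read "ss -ltn" output on stdin; succeed if any socket listens on TCP port $1.
# Column 4 is the local address (0.0.0.0:443, *:443 or [::]:443), so the port
# is whatever follows the last colon. Kept as a pure text filter so it can be
# exercised on captured output.
port_bound_in() {
    awk -v p="$1" '
        { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { exit found ? 0 : 1 }'
}

port_bound() {
    ss -ltn | port_bound_in "$1"
}

# Wait up to $2 seconds (default 15) for TCP port $1 to be released; 1 on timeout.
wait_port_free() {
    port="$1"; left="${2:-15}"
    while [ "$left" -gt 0 ]; do
        port_bound "$port" || return 0
        left=$((left - 1))
        sleep 1
    done
    return 1
}

pre_hook() {
    # TLS-ALPN-01 needs acme.sh itself to answer on 443, so Apache must let go of it.
    systemctl stop apache2
    if ! wait_port_free 443; then
        echo "port 443 still in use after stopping apache2; aborting issuance" >&2
        exit 1   # a failing pre-hook makes acme.sh abort instead of attempting the challenge
    fi
}

post_hook() {
    # acme.sh runs --post-hook after the attempt whether or not it succeeded,
    # so downtime is bounded by the duration of the attempt.
    systemctl start apache2
}

issue() {
    # Hooks are stored in the domain's acme.sh config and reused by "acme.sh --cron",
    # so renewals follow the same stop/issue/start sequence unattended.
    self="$(readlink -f "$0")"
    "$ACME" --issue -d "$DOMAIN" --alpn \
        --pre-hook  "$self pre" \
        --post-hook "$self post"
}

case "${1:-}" in
    pre)   pre_hook ;;
    post)  post_hook ;;
    issue) issue ;;
    "")    ;;   # run or sourced without arguments: only define the functions
    *)     echo "usage: $0 {issue|pre|post}" >&2; exit 2 ;;
esac
```

Install the script at an absolute path and run it once as `alpn-issue.sh issue`; after that, acme.sh's cron job renews with the same hooks. The port check matters because a stop that has not finished, or another service bound to 443, makes the challenge fail silently from the CA's point of view.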

Got it.
Considering the bounds I’m under (free DNS and residential ISP), I’m not worried about downtime at all.

I’ll look into acme then and see if that works at all.

You could also switch to a dynamic DNS provider that does allow you to set TXT records, such as Duck DNS.

(For that example, Certbot doesn’t have Duck DNS integration, so you would probably also want to switch to a client that does – such as acme.sh!)


acme.sh worked like a charm. Thanks so much!
Now I’ll have to experiment with getting auto-renewals working.

