Failed renewal http to https forwarding how to disable


#1

My domain is: efabs.london

I ran this command: certbot renew --dry-run

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/efabs.london.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for efabs.london
http-01 challenge for www.efabs.london
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (efabs.london) from /etc/letsencrypt/renewal/efabs.london.conf produced an unexpected error: Failed authorization procedure. efabs.london (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://efabs.london/.well-known/acme-challenge/wnVRh72qfeOQL7HYXkL31kg6nn6GPUyxhS0FXAZ6eqw: Connection refused, www.efabs.london (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.efabs.london/.well-known/acme-challenge/BQU3RR-zI7NR99hQS1-iKoZ_LEBTjSmW4aeuRxKII8M: Connection refused. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/efabs.london/fullchain.pem (failure)


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/efabs.london/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version): Apache 2.4.35

The operating system my web server runs on is:

Distributor ID: Debian
Description: Debian GNU/Linux 9.5 (stretch)
Release: 9.5
Codename: stretch

My hosting provider, if applicable, is:

N/A

I can login to a root shell on my machine (yes or no, or I don’t know): YES

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): NO

My Apache config file:

    <VirtualHost *:80>
        ServerName efabs.london
        ServerAlias efabs.london www.efabs.london
        ServerAdmin karolis.vigelis@efabs.co.uk
        DocumentRoot /var/www/nextcloud
        Redirect permanent / https://efabs.london/
        <Directory /var/www/nextcloud>
            Options Indexes FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/site-a_error.log
        CustomLog ${APACHE_LOG_DIR}/site-a_access.log combined
    </VirtualHost>


    <IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerName efabs.london
        ServerAlias efabs.london www.efabs.london
        <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=0; includeSubDomains"
        </IfModule>
        ServerAdmin karolis.vigelis@efabs.co.uk
        DocumentRoot /var/www/nextcloud
        <Directory /var/www/nextcloud>
            Options Indexes FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/site-a_error.log
        CustomLog ${APACHE_LOG_DIR}/site-a_access.log combined

        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateFile /etc/letsencrypt/live/efabs.london/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/efabs.london/privkey.pem
    </VirtualHost>
    </IfModule>

#2

Hi @karolis

Your server doesn't answer on port 80. Is there a firewall or something else?

Port 443 works.


#3

For one or other reason it forwards everything to https even if I comment out Redirect permanent / https://efabs.london/
My guess is it's something to do with

    <IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=0; includeSubDomains"
    </IfModule>

but I'm not sure.


#4

This will cause some confusion when testing with a browser.

The browser will obey the Strict-Transport-Security header and never try to connect to port 80. This hides the problem that in fact port 80 is not open on this server and connections to port 80 (such as by the Let’s Encrypt CA) will fail.
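The point in the reply above is that a browser is the wrong tool for checking port 80 once it has cached a Strict-Transport-Security header: it silently goes to 443 and the closed port stays invisible. The probe below is an added example (not code from this thread) that fetches the challenge URL the way the CA does, with a client that has no HSTS cache and does not follow redirects, so "connection refused", "redirected", "404" and "wrong body" come back as distinct findings. It is exercised offline against throwaway local servers; the token, key authorization and account thumbprint are constructed test data, and the `Host` header override is an assumption made so the test can bypass DNS. Note that Let's Encrypt itself does follow redirects (including to https), so a redirect is reported here for information, while "refused" is the failure from the original post.

```python
"""http-01 preflight (added example, not from the thread): see what the CA sees on port 80."""
import functools
import http.client
import http.server
import os
import tempfile
import threading
from dataclasses import dataclass

CHALLENGE_PATH = "/.well-known/acme-challenge/"


@dataclass
class Probe:
    name: str
    status: str   # ok | refused | redirect | not_found | mismatch | error
    detail: str


def probe_http01(name, token, key_authorization, host=None, port=80, timeout=5.0):
    """Fetch the challenge as a CA would: plain HTTP, no HSTS, no redirect following.

    `host`/`port` override where the TCP connection goes (used for the local test
    servers below); `name` is still sent as the Host header, as after DNS resolution.
    """
    target = host or name
    try:
        conn = http.client.HTTPConnection(target, port, timeout=timeout)
        conn.request("GET", CHALLENGE_PATH + token, headers={"Host": name})
        resp = conn.getresponse()
        body = resp.read().decode("ascii", "replace")
        location = resp.getheader("Location", "")
        conn.close()
    except ConnectionRefusedError:
        return Probe(name, "refused", f"{target}:{port} refused (nothing listening, or a firewall/NAT in the way)")
    except OSError as exc:   # timeouts, resets, DNS failures
        return Probe(name, "error", f"{target}:{port}: {exc}")
    if 300 <= resp.status < 400:
        return Probe(name, "redirect", f"HTTP {resp.status} -> {location}")
    if resp.status == 404:
        return Probe(name, "not_found", "token is not served from the webroot")
    if resp.status != 200:
        return Probe(name, "error", f"HTTP {resp.status}")
    if body.strip() != key_authorization:
        return Probe(name, "mismatch", "body is not the expected key authorization")
    return Probe(name, "ok", "CA would validate this name")


# --- throwaway local servers so the probe can be exercised offline -------------

class QuietFileHandler(http.server.SimpleHTTPRequestHandler):
    """Serves files from a webroot, which is what `certbot --webroot` relies on."""
    def log_message(self, *args):
        pass


class RedirectAllHandler(http.server.BaseHTTPRequestHandler):
    """Mimics the posted port-80 vhost: `Redirect permanent / https://efabs.london/`."""
    def do_GET(self):
        self.send_response(301)
        self.send_header("Location", "https://efabs.london" + self.path)
        self.end_headers()

    def log_message(self, *args):
        pass


def serve(handler):
    """Start a server on 127.0.0.1 and an ephemeral port in a background thread."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def run_scenarios():
    """Probe four constructed situations and return {scenario: status}."""
    token = "constructed-token"                       # constructed test data
    key_auth = token + ".constructed-account-thumbprint"
    name = "efabs.london"
    results = {}
    with tempfile.TemporaryDirectory() as webroot:
        chal_dir = os.path.join(webroot, ".well-known", "acme-challenge")
        os.makedirs(chal_dir)
        with open(os.path.join(chal_dir, token), "w") as fh:
            fh.write(key_auth)
        good = serve(functools.partial(QuietFileHandler, directory=webroot))
        port = good.server_address[1]
        results["webroot"] = probe_http01(name, token, key_auth, "127.0.0.1", port).status
        results["missing"] = probe_http01(name, "other-token", key_auth, "127.0.0.1", port).status
        good.shutdown()
        good.server_close()
    redir = serve(RedirectAllHandler)
    port = redir.server_address[1]
    results["redirect"] = probe_http01(name, token, key_auth, "127.0.0.1", port).status
    redir.shutdown()
    redir.server_close()
    # the port is closed again now: this is the "Connection refused" from the first post
    results["closed"] = probe_http01(name, token, key_auth, "127.0.0.1", port).status
    return results


if __name__ == "__main__":
    for scenario, status in run_scenarios().items():
        print(f"{scenario:10} {status}")
```

Against a real host you would call `probe_http01("efabs.london", token, key_auth)` for each name on the certificate (both `efabs.london` and `www.efabs.london` here) from a machine outside the LAN, since a router that forwards 443 but not 80 gives exactly the "refused" result above while the https site keeps working.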


#5

Just noticed that I can not access the server on the local network either,

but my UFW status is:

    ufw status
    Status: active

    To                         Action      From
    --                         ------      ----
    80                         ALLOW       Anywhere

I am completely confused.


#6

You have something active blocking the connection.

    D:\temp>download http://www.efabs.london/ -h
    Error (1): The connection to the remote server could not be established.
    ConnectFailure
    3
    No connection could be made because the target machine refused the connection 62.6.219.186:80

    1175.87 milliseconds
    1.18 seconds

The message is German (translated above); it's the same as "Connection refused". https answers in 0.37 seconds. Firewall, .htaccess or something else.


#7

OK, I could not open port 80 in the end, as my DD-WRT iptables must be bugged and need rewriting. I was thinking to do a DNS cert with the command
certbot -d www.efabs.london; efabs.london --manual --preferred-challenges dns certonly
It came back with a successful certificate for www.efabs.london but "command not found" for efabs.london. Why did it change the plugin to apache? I made a mistake in the command :wink: it should be -d.

root@efabs:/etc/apache2/sites-enabled# certbot -d www.efabs.london; efabs.london --manual --preferred-challenges dns certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for www.efabs.london
Waiting for verification…
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/efabs.london-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.

1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you’re confident your site works on HTTPS. You can undo this
change by editing your web server’s configuration.

Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 1


Congratulations! You have successfully enabled https://www.efabs.london

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=www.efabs.london

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/www.efabs.london/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/www.efabs.london/privkey.pem
    Your cert will expire on 2019-01-08. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the “certonly” option. To non-interactively renew all of
    your certificates, run “certbot renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

bash: efabs.london: command not found

PS: I'm completely confused.


#8

There is a semicolon instead of a comma:

And it looks like your certbot is old.

The tls-sni-01 challenge is deprecated and will be removed in one year. And you can’t change the set of domain names, you can use this only to renew existing certificates.

Now you have one certificate with one domain name, not both.

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:www.efabs.london&lu=cert_search

Try the command again

certbot -d www.efabs.london -d efabs.london --manual --preferred-challenges dns certonly

#9

How can I use tls-sni-01 on efabs.london?
I would like to have one certificate for www.efabs.london & efabs.london.
Yes, certbot is old, as Debian does not have any newer version.


#10

I am giving up now, GoDaddy is not updating the DNS record with the TXT record:

    |Type|Name|Value|TTL|Actions|
    |TXT|_acme-challenge.www.efabs.london|sZiGWsxatfRd1HEzFpCO2Rky7fpFjK3wRYS23H72w5I|1 Hour|Edit|
    |TXT|_acme-challenge.efabs.london|jUJ__yIaLXyQJR00YMPDjO89e41EUjuyT90sWWBO_z0|1 Hour|Edit|

Anyone got experience with that?


#11

The name fields should be “_acme-challenge.www” and “_acme-challenge”, respectively. GoDaddy automatically adds “.efabs.london” to the end, so you currently have these two records:

_acme-challenge.www.efabs.london.efabs.london. 3600 IN TXT "sZiGWsxatfRd1HEzFpCO2Rky7fpFjK3wRYS23H72w5I"
_acme-challenge.efabs.london.efabs.london. 3600 IN TXT "jUJ__yIaLXyQJR00YMPDjO89e41EUjuyT90sWWBO_z0"
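The mistake in the reply above (a panel that appends the zone, so the record lands at `_acme-challenge.www.efabs.london.efabs.london`) is easy to make and easy to check for. The helper below is an added example, not code from the thread or from certbot: it builds the `_acme-challenge` name the CA will query, the zone-relative form such a panel wants, and the TXT value certbot would print (RFC 8555 section 8.4: base64url of the SHA-256 of the key authorization, without padding), and it flags the double-suffix form. The `@` convention for the apex and the token/thumbprint values are assumptions made for the example.

```python
"""dns-01 record helper (added example, not from the thread)."""
import base64
import hashlib


def dns01_txt_value(token, account_thumbprint):
    """TXT value per RFC 8555 8.4: base64url(SHA-256(token '.' thumbprint)), no '=' padding."""
    key_authorization = f"{token}.{account_thumbprint}".encode("ascii")
    digest = hashlib.sha256(key_authorization).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def challenge_fqdn(domain):
    """Name the CA queries for a domain; a wildcard uses its parent name."""
    if domain.startswith("*."):
        domain = domain[2:]
    return f"_acme-challenge.{domain.rstrip('.')}"


def relative_record_name(fqdn, zone):
    """Relative form for a panel that appends the zone itself (GoDaddy, per the reply above)."""
    fqdn, zone = fqdn.rstrip("."), zone.rstrip(".")
    if fqdn == zone:
        return "@"                       # common panel convention for the apex (assumption)
    suffix = "." + zone
    if not fqdn.endswith(suffix):
        raise ValueError(f"{fqdn} is not inside zone {zone}")
    return fqdn[: -len(suffix)]


def diagnose_record(stored_fqdn, zone):
    """Classify a record as it actually exists in the zone.

    Returns (finding, intended_fqdn, relative_name_to_type); finding is
    'double_suffix' when the zone was appended twice, else 'ok'.
    """
    stored, zone = stored_fqdn.rstrip("."), zone.rstrip(".")
    twice = "." + zone + "." + zone
    if stored.endswith(twice):
        intended = stored[: -len("." + zone)]
        return ("double_suffix", intended, relative_record_name(intended, zone))
    return ("ok", stored, relative_record_name(stored, zone))


def dns01_records(domains, zone, tokens, account_thumbprint):
    """Plan the TXT records: [(relative_name, fqdn, value)] for each domain."""
    plan = []
    for domain in domains:
        fqdn = challenge_fqdn(domain)
        value = dns01_txt_value(tokens[domain], account_thumbprint)
        plan.append((relative_record_name(fqdn, zone), fqdn, value))
    return plan


if __name__ == "__main__":
    zone = "efabs.london"
    tokens = {"efabs.london": "constructed-token-1",          # constructed test data
              "www.efabs.london": "constructed-token-2"}
    for rel, fqdn, value in dns01_records(tokens, zone, tokens, "constructed-thumbprint"):
        print(f"type into panel: {rel:22} -> {fqdn}. IN TXT \"{value}\"")
    for stored in ("_acme-challenge.www.efabs.london.efabs.london",
                   "_acme-challenge.efabs.london.efabs.london"):
        print(diagnose_record(stored, zone))
```

After adding the records, confirm with `dig +short TXT _acme-challenge.www.efabs.london` (and the apex name) from outside before telling certbot to continue; the value must match what certbot printed, and the name must not carry the zone twice.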

#12

You can’t get a certificate via tls-sni-01 with a new domain name.

You can only renew an existing certificate. That’s the limitation of tls-sni-01.

So, if you need a new set of domain names, you have to use http-01 or dns-01.


#13

OK, I renewed the certificate over DNS, but now efabs.london shows the wrong certificate. :slight_smile:
They both point to www.efabs.london for one or other reason. Any thoughts on that?


#14

OK, managed to sort it out by adding to my config

    SSLCertificateFile /etc/letsencrypt/live/efabs.london/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/efabs.london/privkey.pem

and running systemctl restart apache2.
So I take it it's two certificates, one for the domain and one for the sub-domain.

Thanks everyone for the help. I still don't know why my server redirects everything over 443 and I can not access the site over the local IP on 80. If I get to the bottom of it I will post my findings.


#15

If www and non-www are the same and one is redirected to the other domain, normally I would prefer a solution with

  • one vHost with both domain names
  • one certificate with both domain names

instead of two vHosts and two different certificates.

