Help needed for upgrading letsencrypt cert for seafile

anlima · March 11, 2019, 10:27pm

My domain is:

wolke.sout.de

I ran this command:

sudo certbot renew --dry-run

It produced this output:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/wolke.sout.de.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for wolke.sout.de
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (wolke.sout.de) from /etc/letsencrypt/renewal/wolke.sout.de.conf produced an unexpected error: Failed authorization procedure. wolke.sout.de (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://wolke.sout.de/.well-known/acme-challenge/5wqshct85ZGYASEZlG2Wa7URLQW8JxIOMCuUxoX-BGk: Error getting validation data. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/wolke.sout.de/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/wolke.sout.de/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: wolke.sout.de
   Type:   connection
   Detail: Fetching
   http://wolke.sout.de/.well-known/acme-challenge/5wqshct85ZGYASEZlG2Wa7URLQW8JxIOMCuUxoX-BGk:
   Error getting validation data

My web server is (include version):

 nginx-light               1.10.3-1+deb9u2

The operating system my web server runs on is (include version):

Debian 9.8 (Stretch)

I can login to a root shell on my machine (yes or no, or I don’t know):

yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

certbot 0.28.0

The domain wolke.sout.de is a KVM virtual machine. It has only a public IPv6 address, no IPv4 address. It is running seafile behind an nginx webserver. It is used for no other purposes that providing seafile. Therefore HTTP is not used.

Any help is appreciated!

rg305 · March 11, 2019, 10:46pm

HTTP is required for (the simplest) authentication.
You have already obtained a cert (presumably by TLS-SNI-01 [HTTPS] authentication).
If you need to continue that method, the easiest workaround is to have an HTTP listener that redirects all HTTP to HTTPS.
Provided that your ISP allows port 80.
Then LE can follow that redirection and renew as you had in the past.

anlima · March 11, 2019, 10:52pm

Sorry, that was an misunderstanding.

HTTP is not used, but redirects to HTTPS:

server {
  listen 80 http2;
  listen [::]:80 http2;
  server_name wolke.sout.de;

  rewrite ^ https://$http_host$request_uri? permanent;  #force redirect HTTP to HTTPS
  server_tokens off;
}

I do the same on other virtual hosts running apache and upgrading the LetsEncrypt certificates works there. So I assume the same is possible with nginx. And as you write

the easiest workaround is to have an HTTP listener that redirects all HTTP to HTTPS.

this seems to be the case.

Still, I have a problem upgrading the certificate...

rg305 · March 11, 2019, 10:54pm

Something “WEIRD” is going on…

curl -Ikig http://wolke.sout.de/
curl: (8) Weird server reply

_az · March 11, 2019, 10:55pm

In addition to fixing the above (your port 80 doesn't seem to talk HTTP at all), try:

Change this to:

location / {
  rewrite ^ https://$http_host$request_uri? permanent; #force redirect HTTP to HTTPS
}

and try using certbot --nginx again.

rg305 · March 11, 2019, 10:58pm

or:
return 301 https://$http_host$request_uri; #force redirect HTTP to HTTPS

rg305 · March 11, 2019, 11:11pm

wget http://wolke.sout.de/
--2019-03-11 23:10:17--  http://wolke.sout.de/
Resolving wolke.sout.de (wolke.sout.de)... 2a01:4f8:120:5222::100:101
Connecting to wolke.sout.de (wolke.sout.de)|2a01:4f8:120:5222::100:101|:80... failed: Connection refused.

anlima · March 11, 2019, 11:26pm

I have played around with the config and stopped and restarted seafile and nginx.

curl still produces the above mentioned error, but this seems to be a problem with curl, since wget downloads a correct html file and accessing it via browser works, too.

Still, the certbot error persists...

_az · March 11, 2019, 11:30pm

A bold claim ... it's by far the most popular HTTP client in the world. If it doesn't work, it's no surprise that other headless clients (like Let's Encrypt) don't.

anlima · March 11, 2019, 11:32pm

Might be, but why is wget and browser access working? Both get correctly redirected to HTTPS. What is wrong there?

schoen · March 11, 2019, 11:34pm

wget is falling back to an assumption that the response is HTTP/0.9 because it doesn't have HTTP headers:

HTTP request sent, awaiting response... 200 No headers, assuming HTTP/0.9

By contrast, curl isn't doing so.

schoen · March 11, 2019, 11:36pm

(…I wonder if the response is really HTTP/2, sent in response to a non-HTTP/2 capable client?)

_az · March 11, 2019, 11:38pm

It could be literally any protocol - you can use wget against something like sshd and it reports a similar HTTP/0.9 ‘success’.

I would guess, from the leading bytes 0000 1204, it is using maybe h2c or nginx PROXY protocol, this comes up in Google results: https://serverfault.com/questions/777961/nginx-proxy-0000-1204-0000-0000-0000-0300-0000-8000

_az · March 11, 2019, 11:40pm

Oh, duh. That's h2c. Get rid of the http2.

anlima · March 11, 2019, 11:46pm

Thanks! That was the problem.

So, http2 is wrong, because http2 always wants to be encrypted?

But, what is h2c? I never heard of it. And googling actually didn't provide me some info about what it is.

_az · March 11, 2019, 11:47pm

h2c is HTTP/2 cleartext. Browsers only support HTTP/2 over TLS.

A reasonable person might expect nginx to ~~downgrade its response to HTTP/1.1~~ only upgrade its responses to HTTP/2 when the client supports h2c, but that’s an open bug: https://trac.nginx.org/nginx/ticket/816

anlima · March 11, 2019, 11:48pm

Ah, ok.
Then again: Many thanks for your help!

system · April 10, 2019, 11:49pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.