How can I configure Let's Encrypt to renew under STunnel?

My domain is:
bookthatfreight.com

The version of my client is (output of certbot --version ):
certbot 0.31.0

1 machine (Stunnel) + 1 machine (HTTP Web Server)

root@STunnel-HTTPS-Server:~# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/bookthatfreight.com.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for bookthatfreight.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (bookthatfreight.com) from /etc/letsencrypt/renewal/bookthatfreight.com.conf produced an unexpected error: Failed authorization procedure. bookthatfreight.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://bookthatfreight.com/.well-known/acme-challenge/oRZF2kgBr__w2kUbIC-A77QtIEfdqyOaAyk2ZN5e1Uo [104.163.179.44]: "404 Not Found<meta http-equiv="Content-Type" content="text/html; charset=utf-8"><link ". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/bookthatfreight.com/fullchain.pem (failure)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/bookthatfreight.com/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

Does the webserver that stunnel is fronting for have a webroot on the filesystem?

Also, is it on the same physical machine?

Hi _az,

  1. G-Wan Webserver webroot is /www.
  2. STunnel & G-Wan Webserver on 2 different physical machines.

Ehhh, that combination doesn’t really leave you with great choices, unfortunately.

The problem is that

  1. stunnel is not HTTP-aware, so you can’t really perform the challenge on the proxy server without stopping stunnel entirely, and
  2. You can’t easily copy the challenge file, because it has to be deployed to a remote server

If I were you, I would swap out stunnel for something like nginx, configure as such:

server {
    listen 80;
    server_name bookthatfreight.com;
    location / {
        # forward plain HTTP to the G-WAN box; replace the placeholder with its address
        proxy_pass http://ip.of.gwan.server:80/;
    }
}

and then just do something like:

sudo certbot --nginx -d bookthatfreight.com
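A fuller version of the nginx replacement sketched above, added here as an example (it is not part of the thread and not _az's configuration): nginx takes over the TLS termination stunnel was doing, and the ACME challenge path is answered from a webroot on the proxy host itself, so a renewal never has to reach the G-WAN machine. The backend address 10.0.0.5, the webroot /var/www/letsencrypt and the file location under /etc/nginx/sites-available are assumptions; the certificate paths are the ones certbot already manages on this host, as seen in the renew output.

```nginx
# /etc/nginx/sites-available/bookthatfreight.com  (assumed path; added example)

# Port 80: serve http-01 tokens locally, send everything else to HTTPS.
server {
    listen 80;
    server_name bookthatfreight.com;

    # certbot --webroot -w /var/www/letsencrypt writes tokens under
    # /var/www/letsencrypt/.well-known/acme-challenge/<token>; nginx serves
    # them directly, so the G-WAN box never sees the validation request.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;      # assumed webroot on the proxy host
        default_type text/plain;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: TLS termination (what stunnel did), proxied to G-WAN over the LAN.
server {
    listen 443 ssl;
    server_name bookthatfreight.com;

    ssl_certificate     /etc/letsencrypt/live/bookthatfreight.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/bookthatfreight.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://10.0.0.5:80;          # assumed LAN address of the G-WAN server
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

With this in place the existing lineage, which is currently set up for the standalone authenticator, can be switched to the webroot authenticator once with `sudo certbot certonly --webroot -w /var/www/letsencrypt -d bookthatfreight.com --deploy-hook 'systemctl reload nginx' --force-renewal`; certbot records those settings in the renewal conf, so later `certbot renew` runs work unattended and the hook picks up the new certificate. A quick pre-flight check before renewing: fetching any URL under http://bookthatfreight.com/.well-known/acme-challenge/ from outside should now return nginx's own 404 rather than the G-WAN error page quoted in the log, which confirms the challenge location is the one answering.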