How to renew a ceritifcate with port 443 forwarded to 2443?


#1

I’ve forwarded my port 443 to 2443 and don’t want to change it. When I try to renew my cert with the command sudo /opt/certbot/certbot-auto renew --agree-tos, I get the error:

Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for mydomain.tld
Waiting for verification...
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/mydomain.tld.conf produced an unexpected error: Failed authorization procedure. mydomain.tld (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for TLS-SNI-01 challenge. Requested f1d0b68727da7083578bebdc3df42938.c53eb484043945313deaef887e388413.acme.invalid from MY.SER.VER.IP:443. Received 2 certificate(s), first certificate had names "mydomain.tld". Skipping.

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/mydomain.tld/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

Anyone knows a solution without changing the forwarding?


#2

The easiest route may be to use one of the other challenges. If port 80 is open, use the http-01 challenge or if you have an API where you can easily add a token to your DNS, try the DNS challenge.


#3

Thanks for the info. I only found this command: --standalone-supported-challenges http-01
How do I add it for sudo /opt/certbot/certbot-auto renew --agree-tos?


#4

You would create a new certificate with the http-01 challenge ( so not a renew) In future though, the “renew” will use the http-01 challenge, because that’s what you used to generate the certificate ( if that makes sense ).


#5

Ah, I understand. Thanks!


#6

to explain this a bit more

when you for example run this command

certbot certonly --manual -d test1.firecube.xyz --preferred-challenges “dns,http”

letsencrypt creates a folder under /etc/letsencrypt called renewal

if you have a look at one of the confis files you can see all the relevant paramaters are stored in this file

if you are brave you can just update this file or as serverco said issue a new certificate with the right paramaters


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.