I have HSTS enabled, LE can't get to 80

My domain is: zeronc.ddns.net

I ran this command: sudo certbot renew

It produced this output:

{
  "identifier": {
    "type": "dns",
    "value": "zeronc.ddns.net"
  },
  "status": "invalid",
  "expires": "2024-07-28T10:19:07Z",
  "challenges": [
    {
      "type": "http-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/379883362717/bcafZg",
      "status": "invalid",
      "validated": "2024-07-21T10:19:11Z",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "47.14.19.123: Fetching http://zeronc.ddns.net/.well-known/acme-challenge/VU8XOyOQFwuR4dWBsn6ZZXiSxsJsGK7PFi-VRLrIiqk: Timeout during connect (likely firewall problem)",
        "status": 400
      },
      "token": "VU8XOyOQFwuR4dWBsn6ZZXiSxsJsGK7PFi-VRLrIiqk",
      "validationRecord": [
        {
          "url": "http://zeronc.ddns.net/.well-known/acme-challenge/VU8XOyOQFwuR4dWBsn6ZZXiSxsJsGK7PFi-VRLrIiqk",
          "hostname": "zeronc.ddns.net",
          "port": "80",
          "addressesResolved": [
            "47.14.19.123"
          ],
          "addressUsed": "47.14.19.123"
        }
      ]
    }
  ]
}

Domain: zeronc.ddns.net
Type: connection
Detail: 47.14.19.123: Fetching http://zeronc.ddns.net/.well-known/acme-challenge/VU8XOyOQFwuR4dWBsn6ZZXiSxsJsGK7PFi-VRLrIiqk: Timeout during connect (likely firewall problem)

My web server is (include version): Apache Server version: Apache/2.4.61 (Debian)
Server built: 2024-07-07T12:53:54

The operating system my web server runs on is (include version): Linux nextcloudpi 6.1.21-v8+

My hosting provider, if applicable, is: me

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.12.0

I am new to certbot and RPi, but not Linux. It seems I need port 80 open to renew my cert, but when I go to my site, I get the following: "zeronc.ddns.net has a security policy called HTTP Strict Transport Security (HSTS), ..."

Do I need 80 for certbot to work? I could have sworn this had been working, but I have not been running it all that long. If so, I need to disable HSTS, I imagine? How do I do that?

1 Like

LE's validation agent isn't a web browser and does not honor HSTS.

From the letsdebug test it times out, though.

  1. Is 47.15.19.123 the right IP address? (It looks so, because https has an expired cert.)
  2. Is the firewall open for port 80? (Don't think about HSTS: clients need to see the site once over http before they upgrade to https.)
4 Likes

Looking now at how to open port 80 on the Nextcloud RPi, or is 80 open on IPv6 enough?

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:7867 0.0.0.0:* LISTEN
tcp6 0 0 :::4443 :::* LISTEN
tcp6 0 0 :::443 :::* LISTEN
tcp6 0 0 :::80 :::* LISTEN
tcp6 0 0 :::25 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
udp 0 0 0.0.0.0:5353 0.0.0.0:*
udp 0 0 0.0.0.0:36065 0.0.0.0:*
udp 0 0 0.0.0.0:68 0.0.0.0:*
udp6 0 0 :::5353 :::*
udp6 0 0 :::33630 :::*

Do whatever you did on port 443, and you likely need to open it from your router too.

3 Likes

HSTS is a browser feature (knowing in advance to use https instead of http for your site); things like Let's Encrypt's HTTP validation don't care about that, but you do need TCP port 80 open. That means anything between your server and the internet needs to be actively allowing port 80 traffic and NATing it to the right machine as necessary, e.g. your router, if hosting at home.

4 Likes
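A pre-flight script for the two points the replies above make (port 80 must have a wildcard listener on the box, and it must be reachable from the internet, HSTS notwithstanding). This is an added example for this thread, not Certbot's code and not from any of the posters. It assumes a POSIX shell with awk, grep and curl, an Apache webroot at /var/www/html (hypothetical; set WEBROOT to match your vhost), and defaults DOMAIN to the hostname from the thread. The embedded socket listing is a constructed copy of the netstat output posted above.

```shell
#!/bin/sh
# Pre-flight for a Let's Encrypt HTTP-01 renewal on a self-hosted box.
# Added example for this thread; not Certbot's code. Paths and defaults are assumptions.

DOMAIN="${DOMAIN:-zeronc.ddns.net}"      # hostname from the thread
WEBROOT="${WEBROOT:-/var/www/html}"       # hypothetical; Certbot's --webroot-path / Apache DocumentRoot

# Constructed sample: the listening sockets posted in the thread (netstat -tln style).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN
tcp6 0 0 :::443 :::* LISTEN
tcp6 0 0 :::80 :::* LISTEN'

# listening_on PORT: read "netstat -tln" or "ss -tln" output on stdin and succeed if a TCP
# socket is bound to PORT on a wildcard address. A Linux "::" socket also accepts IPv4
# connections unless net.ipv6.bindv6only=1, so a lone "tcp6 :::80" line is enough locally;
# a 127.0.0.1 binding is not, because the CA connects to the public address.
listening_on() {
    port="$1"
    awk '$1 ~ /^(tcp6?|LISTEN)$/ { print $4 }' |
        grep -Eq "^(0\.0\.0\.0|\*|::|\[::\]):$port\$"
}

# probe_challenge DOMAIN WEBROOT: stage a throwaway token where the webroot authenticator
# would put one, then fetch it the way the CA does: plain HTTP to port 80, following
# redirects (Let's Encrypt follows them too, including to https), with no HSTS cache,
# because curl is not a browser. Succeeds only if the token body round-trips.
probe_challenge() {
    domain="$1"; webroot="$2"
    dir="$webroot/.well-known/acme-challenge"
    token="preflight-$(date +%s)-$$"
    mkdir -p "$dir" && printf '%s' "$token" > "$dir/$token" || return 2
    body=$(curl -sSL --max-time 15 "http://$domain/.well-known/acme-challenge/$token")
    rc=$?
    rm -f "$dir/$token"
    case "$rc" in
        0)  ;;
        28) echo "timeout connecting to $domain:80: same symptom as the thread; check router" \
                 "port-forward/NAT for TCP 80 and the host firewall" >&2; return 1 ;;
        7)  echo "connection refused on $domain:80: something answered, but no service" \
                 "(or a reject rule) on port 80" >&2; return 1 ;;
        *)  echo "curl failed with exit code $rc" >&2; return 1 ;;
    esac
    if [ "$body" != "$token" ]; then
        echo "port 80 answered but served the wrong content: check which vhost owns" \
             "$domain and whether its webroot is $webroot" >&2
        return 1
    fi
}

if [ "${1-}" = "--probe" ]; then
    # Live check against the internet-facing path (needs network and write access to WEBROOT).
    probe_challenge "$DOMAIN" "$WEBROOT" &&
        echo "OK: http://$DOMAIN/.well-known/acme-challenge/ is reachable and serves the token"
else
    # Offline run over the sample listing; on the real box use: ss -tln | listening_on 80
    if printf '%s\n' "$SAMPLE_NETSTAT" | listening_on 80; then
        echo "port 80 has a wildcard listener (local side OK; now run with --probe)"
    else
        echo "nothing listens on port 80 on a wildcard address"
    fi
fi
```

Run `sh preflight.sh --probe` from a machine outside your LAN where possible: from the server itself the request goes out to the public IP and back, which many home routers do not hairpin, so a timeout there does not by itself prove the port-forward is missing. The letsdebug test mentioned above, or a phone on mobile data, gives the outside view.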

Thanks guys, I completely forgot about forwarding 80 from my router. Too much going on in life...

Appreciate the help. I forwarded 80 in my router and did a certbot renew, success!


Congratulations, all renewals succeeded:
/etc/letsencrypt/live/zeronc.ddns.net/fullchain.pem (success)


7 Likes
