New letsencrypt auto-renewal is trying to us port 80 rather than 443

Maturity · December 27, 2018, 12:01am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: kahli.net

I ran this command: Certbot auto update

It produced this output: Unable to find a virtual host listening on port 80

My web server is (include version): 2.2.15 (CentOS)

The operating system my web server runs on is (include version): Centos 6

My hosting provider, if applicable, is: Rogers

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The previous auto update by certbot would appear to use port 443 to update and this would be in the log/email

Performing the following challenges:
tls-sni-01 challenge for kahli.net
Encountered vhost ambiguity when trying to find a vhost for kahli.net but was unable to ask for user guidance in non-interactive mode. Certbot may need vhosts to be explicitly labelled with ServerName or ServerAlias directives.
Falling back to default vhost *:443…
Waiting for verification…
Cleaning up challenges

Now it seems to only use port 80 which is blocked by the ISP and results in this messages

Performing the following challenges:
http-01 challenge for kahli.net
Cleaning up challenges
Attempting to renew cert (kahli.net) from /etc/letsencrypt/renewal/kahli.net.conf produced an unexpected error: Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80… Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/kahli.net/fullchain.pem (failure)

How can I configure cerbot to use the https port rather than the http port? All the previous updates over port 443 happened perfectly.

Many thanks, Mike

jsha · December 27, 2018, 12:10am

The port 443 challenge, “tls-sni-01”, has been deprecated and replaced with the http-01 challenge. Please see the API Announcements page for details. You’ll need to add a vhost on port 80 in order to renew.

rg305 · December 27, 2018, 12:52am

Although not as easy to use, you can still use DNS challenge method to renew your certs.

Maturity · December 27, 2018, 10:17pm

@jsha can you point me to this page, I’m not finding it. I’d like to understand how exposing a site over HTPP rather than just HTTPS makes sense, thanks. I will work with my ISP to try and open port 80 but IIRC that was part of a “business” plan when I got connected yarns ago.

@rg305 I have seen references to and examples of letsencrypt-auto but I’m not finding any solid documentation. Do you have recommendations in this regard? I hope that it does not mean changing the DNS records every time a cert needs to be updated - if that is the case then I’d opt to go back to self-signed certs.

Many thanks, M

mnordhoff · December 27, 2018, 10:25pm

The API Announcements category of this forum:

And this topic, among others:

Let's Encrypt validation aside, websites typically leave HTTP enabled so that they can redirect it to HTTPS.

rg305 · December 27, 2018, 11:01pm

DNS authentication will require an update to the external DNS zone for each renewal.
The easy out is finding an API for the DNS service in use - then it can all be automated.
If you can’t find a match you should consider the complexity of changing DNS service providers.

system · January 26, 2019, 11:03pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.