Persistent non-standard port in renewal

I moved a gitlab+nginx server using a letsencrypt cert to a non-standard port. When it came time to renew the cert I found that it's not possible to do it that way. I then moved the server back from the non-standard port and reopened the firewall. sudo letsencrypt renew still fails:

Attempting to renew cert (neilger.org) from /etc/letsencrypt/renewal/neilger.org.conf produced an unexpected error: Failed authorization procedure. neilger.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://neilger.org:7918/.well-known/acme-challenge/UDxBQDXLFmIovF4OT2glusdHJw0BMhiF-xysB6j2szo: Invalid port in redirect target. Only ports 80 and 443 are supported, not 7918. Skipping.

I can't find where the renewal request is finding the non-standard port; it's not in the server config, which is served normally at 443.

Attempting to debug this has also led to:

Attempting to renew cert (neilger.org) from /etc/letsencrypt/renewal/neilger.org.conf produced an unexpected error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see Rate Limits - Let's Encrypt. Skipping.

How can I remove the non-standard port from the request, and how can I reset my request limit?

Hi @neilger

There is such a redirect. Your old check - https://check-your-website.server-daten.de/?q=neilger.org - has only timeouts.

Rechecked your domain: all is redirected to that port.

Domainname                 IP              Http-Status  redirect                                 Note                        Sec.   G
http://neilger.org/        50.17.204.175   301          https://neilger.org:7918/                Html is minified: 109,46 %  0.226  A
http://www.neilger.org/    50.17.204.175   301          https://neilger.org:7918/                Html is minified: 109,46 %  0.230  E
https://neilger.org:7918/                  302          https://neilger.org:7918/users/sign_in   Html is minified: 100,00 %  3.723  A

Same with /.well-known/acme-challenge.

Find and remove that redirect you have created.
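The check the reply describes, as an added example that is not part of the thread or of certbot: a small POSIX shell script that (a) extracts the port from a Location header value and flags anything other than 80 or 443, which is exactly what the Let's Encrypt validator refuses, and (b) greps an nginx configuration tree for `return`/`rewrite` directives that send traffic to an explicit port, which is where a gitlab+nginx move to a non-standard port typically leaves its trace. The hostname, the port 7918 and the config directory are taken from the thread; the sample config written by the usage function is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post or from certbot.
# Locate the redirect that sends http-01 validation to a port other than 80/443.

# port_of_location URL
#   Print the port a Location header points at. An explicit ":port" wins;
#   otherwise fall back to the scheme default (80 for http, 443 for https).
#   Assumption: no IPv6 literal host ([::1]:port is not parsed here).
port_of_location() {
    url=$1
    hostport=${url#*://}          # drop "scheme://"
    hostport=${hostport%%/*}      # drop "/path..."
    case $hostport in
        *:*) echo "${hostport##*:}" ;;
        *)   case $url in
                 https://*) echo 443 ;;
                 *)         echo 80 ;;
             esac ;;
    esac
}

# acme_port_ok URL
#   Exit 0 if the redirect target lands on a port the ACME validator follows
#   (80 or 443), 1 otherwise. Mirrors the "Only ports 80 and 443 are
#   supported" error in the thread.
acme_port_ok() {
    p=$(port_of_location "$1")
    [ "$p" = 80 ] || [ "$p" = 443 ]
}

# find_port_redirects DIR
#   List nginx "return 30x ..." and "rewrite ..." directives under DIR whose
#   target URL carries an explicit port. Output is file:line:text from grep,
#   so each hit is something you can open and remove or narrow.
find_port_redirects() {
    grep -rnE '^[[:space:]]*(return[[:space:]]+30[1278]|rewrite)[^;]*https?://[^/;]+:[0-9]+' "$1" 2>/dev/null
}

# live_redirect_target HOST
#   Ask the live server what it does with an acme-challenge path and print the
#   Location header, if any. Network access required; not exercised offline.
live_redirect_target() {
    curl -sSI "http://$1/.well-known/acme-challenge/probe" \
        | awk 'tolower($1)=="location:" {print $2}' | tr -d '\r'
}

# demo: constructed nginx config (not the poster's real file) with the kind of
# redirect the check-your-website scan showed, then the two offline checks.
demo() {
    dir=$(mktemp -d)
    printf 'server {\n    listen 80;\n    server_name neilger.org;\n    return 301 https://$host:7918$request_uri;\n}\n' \
        > "$dir/gitlab.conf"
    echo "Redirect directives with an explicit port under $dir:"
    find_port_redirects "$dir"
    if acme_port_ok 'https://neilger.org:7918/.well-known/acme-challenge/x'; then
        echo "redirect target port is acceptable to the validator"
    else
        echo "redirect target port $(port_of_location 'https://neilger.org:7918/') will be refused by the validator"
    fi
    rm -rf "$dir"
}

[ "${1:-}" = demo ] && demo
```

Run `sh findredirect.sh demo` for the offline walk-through, or source the file and call `find_port_redirects /etc/nginx` on a real host; `live_redirect_target neilger.org` shows what the validator actually sees, which is the authoritative answer when the config search comes up empty (a redirect can also live in an included file, in GitLab's bundled nginx, or in a proxy in front of it).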

Thank you for the rapid response. I had missed a reconfiguration step, after correcting that the renewal went through. I appreciate the pointer to my oversight.

If port 80 is free, you can use

certbot renew \
  --standalone \
  --pre-hook "command to open the firewall on port 80" \
  --post-hook "command to reverse the former" \
  --deploy-hook "service nginx reload"

to tell certbot to spin up its own webserver to do its validations without touching your nginx.


Ah, nice, very helpful, I had missed that alternative.
