Renew command fails

samushenkov · September 15, 2020, 1:41am

My domain is:

Actually it doesn't matter.

I ran this command:

certbot certonly --standalone --http-01-port 50080 --http-01-address 192.168.1.101 --preferred-challenges "http-01" --agree-tos --register-unsafely-without-email -d "mydomainname"

and it worked great. But then I tried to renew my new certificate with the next command

certbot renew --dry-run

It produced this output:

Problem binding to port 50080: Could not bind to IPv4 or IPv6.. Skipping.

I don't have any apps listening on this port. Removing existing certificate and running first command again works great.

The operating system my web server runs on is (include version):

I use Windows Subsystem for Linux (Debian GNU/Linux 10)

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 0.31.0

rg305 · September 15, 2020, 2:17am

The renewal should have spun up a temporary web server to satisfy this request.
[as it did when you originally obtained the cert]

Something must NOT have been written down/remembered correctly about all those initial issuance parameters.

You can try to manually edit the corresponding renewal.conf file [not recommended at this point]
OR
rerun the renewal request and feed it all those "missing" parameters.

rg305 · September 15, 2020, 2:18am

Basically something like:

certbot renew --http-01-port 50080 --http-01-address 192.168.1.101 -d “mydomainname” --dry-run

Presuming the firewall is still set as it was then, this renewal should work just as the issuance did.

rg305 · September 15, 2020, 2:27am

I appologize in advance for not having the exact syntax and options for you; as even to me

renew
--standalone
--dry-run

Seem to overlap/contratict/negate each other.
So I’m not exactly sure how to state your desired request so that certbot can understand what to do.
[I mean I do understand you but cerbot is real picky about options/orders/etc.]

rg305 · September 15, 2020, 2:28am

Try also:

certbot --standalone --http-01-port 50080 --http-01-address 192.168.1.101 -d “mydomainname” --dry-run

samushenkov · September 15, 2020, 2:29am

Thank you for fast reply.

Running this command:

certbot renew --http-01-port 50080 --http-01-address 192.168.1.101 --dry-run

results with the same error message. If I add

-d rageful.me

then it shows me the next message

Currently, the renew verb is capable of either renewing all installed certificates that are due to be renewed or renewing a single certificate specified by its name. If you would like to renew specific certificates by their domains, use the certonly command instead. The renew verb may provide other options for selecting certificates to renew in the future.

Also I forgot to add some more details - originally I didn't specify an external interface to use and cert bot showed me some other error. Verbose mode showed that certbot skipped IPv4 cause of the same error and used IPv6 insteed.

samushenkov · September 15, 2020, 2:31am

I have only one domain so -d option can be skipped (I think so). Adding --standalone didn’t change anything.

Thanks again for your help.

rg305 · September 15, 2020, 2:32am

I never get this combination right.
I know that even recently it was in another thread but I can’t wrap my head around it.
Do both of these fail:

certbot renew --http-01-port 50080 --http-01-address 192.168.1.101 -d “mydomainname” --dry-run
certbot --standalone --http-01-port 50080 --http-01-address 192.168.1.101 -d “mydomainname” --dry-run

rg305 · September 15, 2020, 2:33am

Not unless you use --cert-name {your.certs.name}

rg305 · September 15, 2020, 2:37am

You can also try certonly since you won’t need it installed.
as:

certbot certonly --standalone --http-01-port 50080 --http-01-address 192.168.1.101 -d rageful.me --dry-run

samushenkov · September 15, 2020, 2:51am

This gives me the same error.

Also I tried first command once more (without removing the existing certificate):

certbot certonly --standalone --preferred-challenges "http-01" --http-01-port 50080 --http-01-address 192.168.1.101 --agree-tos --register-unsafely-without-email -d "mydomainname"

Asked me what to do (to keep the existing one or to renew). I selected option number 2 and it worked fine. Just added --dry-run at the end and got the same error with port 50080.

samushenkov · September 15, 2020, 2:53am

Will wait several weeks and try renew command without --dry-run option. Thank you.

rg305 · September 15, 2020, 2:54am

So I’m not the only one…
It seems counterintuitive that you take a “perfectly good running command” and just add “–dry-run” to it (just for testing), and it then returns some “you can’t do that because…” err msg.

Again I do apologize for not knowing this, I mean, not knowing how to get around this.
But there is a way - of that I am sure.
Let me search through some recent topics for similar “problems”…

Osiris · September 15, 2020, 6:04am

You're still getting this error, right?

Problem binding to port 50080: Could not bind to IPv4 or IPv6… Skipping.

Does your host actually have the IP 192.168.1.101? I.e., could we see the output of ifconfig or ip addr list?

Or is perhaps something else listening on port 50080?

samushenkov · September 15, 2020, 7:11am

Actually host machine indeed has this IP address. Several days ago I updated wsl up to the second version. Looks like microsoft changed networking part for it (https://github.com/microsoft/WSL/issues/4150) and wsl doesn't see this interface.

I checked with netcat:

nc -l -s 192.168.1.101 -p 50080
Can't grab 192.168.1.101:50080 with bind : Cannot assign requested address

This doesn't answer how certbot managed to receive request without --dry-run option. Will dig into networking direction.

Thank you.

rg305 · September 15, 2020, 1:43pm

Have you tried running certbot explicitly with sudo ?
sudo certbot ...

system · October 15, 2020, 1:44pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.