Renew existing certificates with acme.sh on 443

My domain is: mrbs.dut.ac.za

I ran this command: acme.sh --renew -d mrbs.dut.ac.za

It produced this output: 'mrbs.dut.ac.za' is not an issued domain, skip.

My web server is (include version): Apache/2.4.18

The operating system my web server runs on is (include version): Linux Ubuntu 16.04

I can log in to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): acme.sh

I believe that I can use acme.sh to renew certificates without having to use port 80. I need to do this because our IT dept will not permit port 80 traffic to the server.

The server already has a certificate installed. I have installed acme.sh and copied the certificates from /etc/letsencrypt/live/ to the acme-sh directory, and I used the email address associated with the certificate when installing acme.sh.

How do I convince acme.sh that mrbs.dut.ac.za is a registered domain; and am I on the right track to finding a way to renew certificates without port 80?

1 Like

Hi @seanc

please read

Your IT is wrong. A blocked port 80 has nothing to do with a "secure system". So your IT should change that position.

See

2 Likes

Hi @JuergenAuer

Thanks for the response.

I did read the Challenge Types page as well as several others, which led me to believe that TLS-ALPN-01 would provide a solution and that it is implemented in acme.sh. But that's where my understanding ends.

I spent some time arguing with the vendor IT has hired to implement security. But their stance remains 'port 80 is insecure'. I tried to explain that all port 80 communication gets redirected, to which they responded that then there should be no reason to keep that port open.

The only solution our IT department has offered at this point is to purchase certificates that I can use instead of Let's Encrypt.

2 Likes

They could direct all incoming port 80 connections to a system they manage and all it needs to say is:
"redirect all http to https"

1 Like

That's possible, then use the ALPN validation. But your IT must allow that.

Then they should buy a certificate. Problem solved. But that's not IT, that's ... amateur.

I agree about IT's response, and I'd be really sorry to no longer be able to use Let's Encrypt. I think it may be one of the best initiatives for the web since the Apache web server.

On a related note, why is it necessary for the renewal to use port 80? I think I understand the need for registration to take place on port 80: there's no secure server at that point. But I don't understand why renewal can't use 443.

1 Like

There is no need to define two ports. One is enough.

You can redirect http -> https.

There is no real difference between first and later certificates. A certificate is always new -> validation is required. If the client saves the settings of the first certificate creation and re-uses these settings later, that's a client thing - not something of the protocol.

1 Like

Hi @seanc, I believe the problem is that acme.sh is refusing to "renew" the certificate because you originally obtained it with a different client (certbot?) and so it has no record of the settings that should be used for the renewal, including which challenge to use.

The solution is to forget about the existing certificate and use acme.sh to issue a new one, which it should then be able to automatically renew from then on.

But I'd still advise simply opening port 80 instead, if you can.

The redirection is the reason; without the port open, the traffic will not be redirected.

EDIT
So yeah, I answered based on reading the question rather than checking the domain; I should know better. Looks like it's currently serving a Sectigo wildcard certificate, not a Let's Encrypt certificate. Are you sure the domain is pointed at your server and not some other piece of infrastructure controlled by the IT department? Because if it's the latter, TLS-ALPN-01 probably won't work.

1 Like

Thanks, @jmorahan. I revoked and deleted the certificate. That did get me a bit further with acme.sh. Unfortunately, as you suspected, the F5 firewall does appear to be getting in the way: mrbs.dut.ac.za:Verify error:Cannot negotiate ALPN protocol.

Thanks also, to @JuergenAuer. As you said, apparently IT has to permit ALPN validation.

1 Like
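Added example, not part of the original thread: one way to see what answers on port 443 when the TLS-ALPN-01 protocol id "acme-tls/1" is offered, which is the negotiation behind the "Cannot negotiate ALPN protocol" error above. The function names and the sample outputs are constructed for illustration; only the `openssl s_client` options and its "ALPN protocol:" / "No ALPN negotiated" / "issuer=" output lines are real.

```shell
#!/bin/sh
# Added example: classify how a TLS endpoint reacts to the ALPN id
# "acme-tls/1" used by the TLS-ALPN-01 challenge (RFC 8737).

# Read `openssl s_client` output on stdin, print a one-word verdict.
classify_alpn() {
    awk '
        /^ALPN protocol:/     { proto = $3 }
        /^No ALPN negotiated/ { none = 1 }
        END {
            if (proto == "acme-tls/1") print "acme-tls-ok"
            else if (proto != "")      print "other-alpn:" proto
            else if (none)             print "no-alpn"
            else                       print "no-handshake"
        }'
}

# Read the same output, print the issuer of the certificate presented.
# An issuer you did not install suggests TLS is terminated upstream.
issuer_of() {
    sed -n 's/^issuer=//p' | head -n 1
}

# Live probe (needs network; not run below). Run it while the ACME
# client's TLS-ALPN-01 responder is listening on the server.
probe() {
    host=$1; port=${2:-443}
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
            -alpn acme-tls/1 </dev/null 2>/dev/null)
    printf '%s | issuer: %s\n' \
        "$(printf '%s\n' "$out" | classify_alpn)" \
        "$(printf '%s\n' "$out" | issuer_of)"
}

# Constructed sample outputs (not captured from any real host).
SAMPLE_PROXY='CONNECTED(00000003)
issuer=CN = Constructed Proxy CA
No ALPN negotiated'
SAMPLE_OK='CONNECTED(00000003)
issuer=CN = Constructed Challenge Cert
ALPN protocol: acme-tls/1'

# Offline demo: a middlebox that drops ALPN, then a working responder.
for s in "$SAMPLE_PROXY" "$SAMPLE_OK"; do
    printf '%s\n' "$s" | classify_alpn
done
```

A `no-alpn` verdict together with an issuer that is not the certificate installed on the web server indicates that a device in front of the server terminates TLS, so the validation request never reaches the ACME client.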

Please don't revoke certs unnecessarily.