Renew: timeout on :443

Title and output say it all, web seems to be accessible anywhere from Czech Rep.
Domain: rict.cz
Command: sudo certbot renew (ver: 0.19.0-1, updated from buster rep.)
Webserver: nginx/1.10.3, no wordpress
OS: Linux 4.9.0-4-armmp-lpae #1 SMP Debian (Stretch) 4.9.51-1 (2017-09-28) armv7l GNU/Linux
Root: yes
Output: Processing /etc/letsencrypt/renewal/rict.cz.conf

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Attempting to renew cert (rict.cz) from /etc/letsencrypt/renewal/rict.cz.conf produced an unexpected error: HTTPSConnectionPool(host='acme-v01.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by ConnectTimeoutError(<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0xb6ac34f0>, 'Connection to acme-v01.api.letsencrypt.org timed out. (connect timeout=45)')). Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/rict.cz/fullchain.pem (failure)

Looks like that is not a failure to connect to your site, but rather a failure of your server to connect to the let’s encrypt api. Do you have a firewall blocking outgoing connections?

Both ip(6)tables in both mangle/filter tables have the OUTPUT policy set to ACCEPT

Well, it’s working from here and there’s no known outage reported https://letsencrypt.status.io/ currently. Can you access https://acme-v01.api.letsencrypt.org/directory from your server via curl/wget etc?

Without problem, but you were right with iptables (I have such a strict rules…), next error:

Attempting to renew cert (rict.cz) from /etc/letsencrypt/renewal/rict.cz.conf produced an unexpected error: Failed authorization procedure. rict.cz (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://rict.cz/.well-known/acme-challenge/1Kr2fvl5N5YPXtCA7n6LyztA_r1zsY20AnLIYltpG2Y: Timeout, www.rict.cz (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.rict.cz/.well-known/acme-challenge/PvoBn628AKRZMK8eiwislWbih-XE4yF9dLJLG0zt8aM: Timeout. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/rict.cz/fullchain.pem (failure)

I dunno why my server replies with forbidden…
Is it ok to have redirect from :80 to :443 ssl?

location ~ /.well-known/ {
    try_files $uri $uri/ =404;
}

Edit: it responses with 404 on /.well-known/acme-challenge/

It’s fine to redirect from 80 to 443. I’m not familiar enough with nginx to know if your configuration is correct. But the error message you got seems to indicate that the validation server didn’t even get as far as the 404… which might possibly indicate a firewall issue again? Possibly specific to ipv6 as that’s what the validation server uses if you have an aaaa record.


The LE error is not 404; it is timeout on port 80.
You can't redirect from 80 to 443 when 80 is blocked.
The server could not connect to the client to verify the domain :: Fetching http://www.rict.cz/.well-known/acme-challenge/PvoBn628AKRZMK8eiwislWbih-XE4yF9dLJLG0zt8aM: Timeout. Skipping.

I do see 404 from my systems...
As the site has multiple redirects (302 and 301 - see below) I would try placing a test.txt (with minimal content) file at:
http://www.rict.cz/.well-known/acme-challenge/test.txt
and if different location also at:
https://www.rict.cz/.well-known/acme-challenge/test.txt
I think the second redirect may be causing a problem.

MULTIPLE REDIRECTS:
wget http://www.rict.cz/
-2017-10-12 22:45:53-- http://www.rict.cz/
Resolving www.rict.cz (www.rict.cz)... 93.153.32.250, 2001:1ae9:5a:cd00:8e:4ff:fe03:2f6
Connecting to www.rict.cz (www.rict.cz)|93.153.32.250|:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://rict.cz/ [following]
-2017-10-12 22:45:58-- https://rict.cz/
Resolving rict.cz (rict.cz)... 93.153.32.250, 2001:1ae9:5a:cd00:8e:4ff:fe03:2f6
Connecting to rict.cz (rict.cz)|93.153.32.250|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: Rict [following]
-2017-10-12 22:45:59-- Rict
Reusing existing connection to rict.cz:443.
HTTP request sent, awaiting response... 200 OK
Length: 125 [text/html]
Saving to: ‘index.html’

And as the site already has a valid cert (expiring soon), you could probably just use HTTPS auth and avoid (at least one of) the redirections.
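The test.txt probe suggested above, and the IPv6 point raised later in the thread, can be scripted. The following is an added example, not code from any poster: it drops a random token file into the webroot's `/.well-known/acme-challenge/` directory, fetches it over plain HTTP with `curl` separately over IPv4 (`-4`) and IPv6 (`-6`), follows redirects the way the validation server does, and reports whether the body that comes back matches what was written. The webroot path and the use of `curl` are assumptions; the domain is taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Verifies that a file placed in the
# ACME challenge directory is fetchable from outside over both IPv4 and IPv6.
# Assumes curl is installed and that the webroot passed in is the directory
# nginx serves for /.well-known/acme-challenge/ (certbot's --webroot-path).

# Build the URL the validation server would request for a given token.
challenge_url() {
    domain="$1"
    token="$2"
    printf 'http://%s/.well-known/acme-challenge/%s' "$domain" "$token"
}

# Compare what was fetched with what was written; succeeds only on an exact,
# non-empty match (an HSTS-style zero-byte 200 like the one seen in the
# thread therefore counts as a failure).
verify_body() {
    expected="$1"
    fetched="$2"
    [ -n "$expected" ] && [ "$expected" = "$fetched" ]
}

# Fetch the URL over one address family (-4 or -6), following redirects with a
# hard timeout, and print the body. Prints nothing if curl cannot connect.
fetch_family() {
    family="$1"
    url="$2"
    curl -s "$family" -L --max-time 15 -o - "$url" 2>/dev/null || printf ''
}

# Write a probe token into the webroot, fetch it over both families and
# report the outcome of each; returns non-zero if either family fails.
check_challenge_path() {
    domain="$1"
    webroot="$2"
    dir="$webroot/.well-known/acme-challenge"
    token="probe-$(date +%s)-$$"
    mkdir -p "$dir"
    printf '%s' "$token" > "$dir/$token"
    url=$(challenge_url "$domain" "$token")
    rc=0
    for fam in -4 -6; do
        body=$(fetch_family "$fam" "$url")
        if verify_body "$token" "$body"; then
            echo "$fam OK: $url served the expected token"
        else
            echo "$fam FAIL: $url returned '$body' (expected '$token')"
            rc=1
        fi
    done
    rm -f "$dir/$token"
    return $rc
}
```

Usage: `check_challenge_path rict.cz /var/www/html` from a host outside the server's own network; run it from the server itself and a firewall blocking inbound port 80 will not show up, which is exactly the failure mode the thread is chasing. A `-6 FAIL` next to a `-4 OK` points at the AAAA record, since the validation server prefers IPv6 and does not fall back to IPv4.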

These redirects are correct and well tested. So I can redirect http:80 to https:443 except /.well-known/acme-challenge/ location? Because on http:80 there is just location block that test if it’s public or home traffic and then redirects to https:443 for public or http:xxx for home traffic.
How can I change to tls-sni-01 challenge if I’m using webroot plugin?

Edit: suggested test with test.txt files works for me perfectly.

To use port 443, you could try:
--preferred-challenges tls-sni

But I'm pretty sure webroot is only http.
That said, there may be another way, try having a look at:
http://letsencrypt.readthedocs.io/en/latest/using.html
or
https://certbot.eff.org/docs/using.html

I get zero bytes:
wget http://rict.cz/.well-known/acme-challenge/test.txt
URL transformed to HTTPS due to an HSTS policy
--2017-10-13 09:17:45-- https://rict.cz/.well-known/acme-challenge/test.txt
Resolving rict.cz (rict.cz)... 93.153.32.250, 2001:1ae9:5a:cd00:8e:4ff:fe03:2f6
Connecting to rict.cz (rict.cz)|93.153.32.250|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 0 [text/plain]

Also, I see now that IPv6 is in use.
Please note that LE will prefer IPv6 over IPv4 and will not fallback to IPv4 should IPv6 fail.

I have read this a while ago. I guess I would need to recertificate this, but it would be great to not leave webroot plugin

YES - that would be preferred.

It was created with touch, but is accessible. IPv6 is online for one week without problem

Can you add “this works” into the file and access it from the Internet via IPv6?

For the record: Even if it does work via IPv6, I still think that the way you have implemented the multiple redirects is part of the problem.
But maybe you can avoid all that by excluding /.well-known/acme-challenge/ from the redirection.
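One way to do that exclusion in nginx, as an added example rather than the poster's own configuration: a `^~` prefix location for the challenge directory is matched before any regex location (the `location ~ /.well-known/` block quoted earlier is a regex, so it does not take precedence over other regex blocks), and it sits in the port-80 server so the validation request is answered there and never redirected. The webroot path `/var/www/letsencrypt` is an assumption and should match the `--webroot-path` certbot was run with; the domain names come from the thread.

```nginx
server {
    listen 80;
    listen [::]:80;          # the validation server prefers IPv6 when an AAAA record exists
    server_name rict.cz www.rict.cz;

    # Serve ACME challenge files directly from the webroot. This block must
    # win over the redirect below; "^~" is a prefix match that stops nginx
    # from considering regex locations for this path.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;   # assumed webroot (certbot --webroot-path)
        default_type text/plain;
        try_files $uri =404;
    }

    # Everything else goes to HTTPS as before.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

With this in place the token file lands at `/var/www/letsencrypt/.well-known/acme-challenge/<token>` and is returned with a 200 on plain HTTP, so the HSTS-driven upgrade to HTTPS that wget showed earlier no longer matters for validation; the remaining thing to confirm separately is that port 80 is reachable from outside on both address families.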

Done, just to make it clear: behind http/https and ipv4/ipv6 is still the same server (divided into http:80 and https:443, mentioned above) with same root folder

I do see “this works” but I’m using only IPv4…

So what is the current status of:
sudo certbot-auto renew
(not sudo certbot renew)

> sudo certbot-auto renew
sudo: certbot-auto: command not found

> sudo certbot -auto renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/rict.cz.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The requested uto plugin does not appear to be installed
Attempting to renew cert (rict.cz) from /etc/letsencrypt/renewal/rict.cz.conf produced an unexpected error: The requested uto plugin does not appear to be installed. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/rict.cz/fullchain.pem (failure)

-------------------------------------------------------------------------------

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/rict.cz/fullchain.pem (failure)
-------------------------------------------------------------------------------
1 renew failure(s), 0 parse failure(s)

please also show this log:
Saving debug log to /var/log/letsencrypt/letsencrypt.log