I have one web server that is not typically publicly accessible. When I originally created its certificate, I opened the firewall for that host in order to use tls-sni-01 authorization. After the certificate was created, I returned the firewall to its original state.
The “how it works” document at https://letsencrypt.org/how-it-works/ appears to indicate that renewals do not need to pass the same authentication. It states:
“Once the agent has an authorized key pair, requesting, renewing, and revoking certificates is simple—just send certificate management messages and sign them with the authorized key pair. … The agent also signs the whole CSR with the authorized key for example.com so that the Let’s Encrypt CA knows it’s authorized.”
However, evidence suggests that the renewal process described is not what is actually implemented. I can only renew certificates if I open the firewall again, which is a process that doesn’t fit well with automation.
What am I missing? Is it possible to renew certificates automatically for hosts that are not publicly reachable, as described in the “how it works” document?
My domain is:
darlington ee washington edu
I ran this command:
certbot certonly --quiet --standalone --keep-until-expiring
–email webmaster @ …edu
It produced this output:
Cert is due for renewal, auto-renewing…
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for darlington…
Waiting for verification…
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/darlington…conf produced an unexpected error: Failed authorization procedure. darlington… (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout.
My web server is (include version):
rpm -q httpd
The operating system my web server runs on is (include version):
I can login to a root shell on my machine (yes or no, or I don’t know):
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):