[Solved] Problems with migration to http-01 auth

os: ubuntu 16.04
server: nginx
authorization: standalone

background: the server is configured to handle 20+ “known” domains (hardcoded into nginx) and an infinite number of unknown (whitelabel serviced domains) using 2 acme clients for letsencrypt (different storage/deployment policies).

The problem I’m having is with the selection of domains handled by certbot. We previously did tls (non-http) auth for a handful of domains. This was to simplify the logical partitioning within nginx config files of what gets handled where.

we’ve reconfigured nginx to route the right domains into the right place, and the way we want. the intention is to bind certbot’s standalone webserver to port 81 for http-01, and proxy the port 80 request to the local 81. automated tests confirm nginx works as expected.

my problem is that the expected command isn’t working as intended:

./certbot-auto renew --standalone --http-01-port=81 --force-renewal

This strategy has worked in the past. [I’m doing the --force-renewal to make sure the client runs against acme and successfully renews on port 80, as I have time to do this now but won’t next month.]

this is resulting in a problem binding to port 443:

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/internetfunzone.com.conf
-------------------------------------------------------------------------------
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for internetfunzone.com
Cleaning up challenges
Attempting to renew cert (internetfunzone.com) from /etc/letsencrypt/renewal/internetfunzone.com.conf produced an unexpected error: Problem binding to port 443: Could not bind to IPv4 or IPv6.. Skipping.

This is where I get lost. tls wasn’t mentioned in the renewalparams. I know, because I had just removed all the pre/post hooks in everything (we no longer start/stop nginx as part of renewal; it’s handled elsewhere during the day). Just to be safe and not seem crazy, I double checked:

# renew_before_expiry = 30 days
version = 0.19.0
cert = /etc/letsencrypt/live/internetfunzone.com/cert.pem
privkey = /etc/letsencrypt/live/internetfunzone.com/privkey.pem
chain = /etc/letsencrypt/live/internetfunzone.com/chain.pem
fullchain = /etc/letsencrypt/live/internetfunzone.com/fullchain.pem
archive_dir = /etc/letsencrypt/archive/internetfunzone.com

# Options used in the renewal process
[renewalparams]
authenticator = standalone
installer = None
account = --------------

I can’t figure out why it’s still trying to run tls challenges against 443. I’m using certbot-auto too, so it should be auto updating.

I haven’t touched the certbot client in a while, so I’m just lost. Does anyone know what config options I’m missing or screwed up?

Standalone authenticator still uses tls-sni-01 - you should either change that to webroot and add the webroot path flags (if you’re already running a web server on this host), or add preferred challenge of http-01.


WONDERFUL! thank you.

I added --preferred-challenge=http-01 and I was able to renew everything.

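The setup the thread converges on (nginx keeps port 80 and forwards only the ACME path to certbot's standalone listener on 81, with http-01 forced via --preferred-challenges), written out as an added shell example that is not code from the thread. The snippet path, the --dry-run and the `run` argument are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: keep nginx on :80, forward only the
# ACME path to certbot's standalone listener on 127.0.0.1:81, and renew with
# http-01 so certbot never tries to bind :443 for tls-sni-01.
# Assumptions: the snippet path below, the --dry-run flag, and that the
# snippet is included in every server {} block that listens on port 80.

ACME_PORT=81
NGINX_SNIPPET=/etc/nginx/snippets/acme-proxy.conf   # assumed location

# Emit an nginx location block that proxies http-01 validation requests
# (GET /.well-known/acme-challenge/<token>) to certbot on the given port.
acme_proxy_snippet() {
    cat <<EOF
location ^~ /.well-known/acme-challenge/ {
    proxy_pass http://127.0.0.1:$1;
    proxy_set_header Host \$host;
}
EOF
}

# Build the certbot renewal arguments. --preferred-challenges is the key flag:
# without it the standalone plugin in certbot 0.19 defaults to tls-sni-01 and
# fails with "Problem binding to port 443" while nginx holds that port.
certbot_renew_args() {
    printf 'renew --standalone --preferred-challenges http-01 --http-01-port %s' "$1"
}

main() {
    acme_proxy_snippet "$ACME_PORT" > "$NGINX_SNIPPET"
    nginx -t && nginx -s reload
    # --dry-run exercises the staging CA first; drop it for the real renewal.
    # shellcheck disable=SC2046
    ./certbot-auto $(certbot_renew_args "$ACME_PORT") --dry-run
}

# Only act when invoked as "sh renew-http01.sh run"; sourcing just defines the functions.
if [ "${1:-}" = run ]; then
    main
fi
```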
