TLS-SNI-01 Renew - Could not bind to port 80

After reading this site: How to stop using TLS-SNI-01 with Certbot, I followed the description, and when trying point 3 - Renew Certificate - I get the described problem with port 80.
My Apache is configured to listen on port 80, but the message still appears.
Since my only knowledge was on how to set up letsencrypt the first time and how to renew the certificate using certbot, I am not quite sure how to proceed now, as I cannot do anything and have no idea how to switch to the DNS-01 challenge or use another ACME?!?

My domain is: afterguard.de

I ran these commands:
sudo sh -c "sed -i.bak -e 's/^\(pref_challs.*\)tls-sni-01\(.*\)/\1http-01\2/g' /etc/letsencrypt/renewal/*; rm -f /etc/letsencrypt/renewal/*.bak"
sudo certbot renew --dry-run

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/jira.afterguard.de.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for jira.afterguard.de
Cleaning up challenges
Attempting to renew cert (jira.afterguard.de) from /etc/letsencrypt/renewal/jira.afterguard.de.conf produced an unexpected error: Problem binding to port 80: Could not bind to IPv4 or IPv6… Skipping.


Processing /etc/letsencrypt/renewal/afterguard.de.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for afterguard.de
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (afterguard.de) from /etc/letsencrypt/renewal/afterguard.de.conf produced an unexpected error: Failed authorization procedure. afterguard.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://afterguard.de/.well-known/acme-challenge/sTUl4qNT9dy2piHWLH1aOicF5Xy_Vad0gyYWICSci2E [2a02:2350:5:100:4180:0:cd18:d4eb]: 403. Skipping.


Processing /etc/letsencrypt/renewal/confluence.afterguard.de.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for confluence.afterguard.de
Cleaning up challenges
Attempting to renew cert (confluence.afterguard.de) from /etc/letsencrypt/renewal/confluence.afterguard.de.conf produced an unexpected error: Problem binding to port 80: Could not bind to IPv4 or IPv6… Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/jira.afterguard.de/fullchain.pem (failure)
/etc/letsencrypt/live/afterguard.de/fullchain.pem (failure)
/etc/letsencrypt/live/confluence.afterguard.de/fullchain.pem (failure)


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/jira.afterguard.de/fullchain.pem (failure)
/etc/letsencrypt/live/afterguard.de/fullchain.pem (failure)
/etc/letsencrypt/live/confluence.afterguard.de/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


3 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version): apache2

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is: Hetzner

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.28.0

standalone is for when you have no webserver running at all.

Assuming you have Apache running on 80 (and not Varnish), you should be able to just run:

certbot renew -a apache --dry-run
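The following is an added example, not part of the original posts: a small audit of the renewal configs for the two settings this thread turns on, a stored `standalone` authenticator (which must bind port 80 itself) and a leftover `tls-sni-01` in `pref_challs`. The hostnames and sample files are constructed, and the `authenticator` / `pref_challs` lines are assumed to look the way certbot writes them under `/etc/letsencrypt/renewal/`.

```sh
#!/bin/sh
# Added example: audit certbot renewal configs (not from the original thread).

# audit_renewal_confs DIR -> one line per config: "<lineage> <authenticator> <flags>"
audit_renewal_confs() (
    for conf in "$1"/*.conf; do
        if [ ! -f "$conf" ]; then continue; fi
        name=$(basename "$conf" .conf)
        # Take the last assignment of each key and strip the "key = " prefix.
        auth=$(sed -n 's/^authenticator[[:space:]]*=[[:space:]]*//p' "$conf" | tail -n 1)
        challs=$(sed -n 's/^pref_challs[[:space:]]*=[[:space:]]*//p' "$conf" | tail -n 1)
        flags=
        # standalone starts its own listener, so it conflicts with a running web server.
        if [ "$auth" = standalone ]; then flags="needs-free-port-80"; fi
        # tls-sni-01 still listed means the sed migration did not touch this file.
        case "$challs" in
            *tls-sni-01*) flags="${flags:+$flags,}tls-sni-01-preferred" ;;
        esac
        printf '%s %s %s\n' "$name" "${auth:-unset}" "${flags:-ok}"
    done
)

# port_80_busy: succeeds if something already listens on TCP port 80 (uses iproute2 ss).
port_80_busy() {
    ss -ltn 2>/dev/null | awk '$4 ~ /:80$/ { busy = 1 } END { exit !busy }'
}

# make_sample_confs: write constructed renewal configs (made-up hostnames), print the dir.
make_sample_confs() {
    d=$(mktemp -d)
    printf '[renewalparams]\nauthenticator = standalone\npref_challs = tls-sni-01,\n' \
        > "$d/jira.example.test.conf"
    printf '[renewalparams]\nauthenticator = webroot\npref_challs = http-01,\n' \
        > "$d/www.example.test.conf"
    printf '[renewalparams]\nauthenticator = standalone\npref_challs = http-01,\n' \
        > "$d/wiki.example.test.conf"
    echo "$d"
}

sample=$(make_sample_confs)
audit_renewal_confs "$sample"
if port_80_busy; then
    echo "port 80 is already bound: standalone renewals will fail to bind"
fi
rm -rf "$sample"
```

On a real host, pass `/etc/letsencrypt/renewal` as the directory (reading it requires root).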

You are correct, when first initialising the certificates I did this standalone. As the whole process was much easier...
I later added the apache to the configuration, but stayed on the standalone.

When using your command, I receive the following:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/jira.afterguard.de.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for jira.afterguard.de
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (jira.afterguard.de) from /etc/letsencrypt/renewal/jira.afterguard.de.conf produced an unexpected error: Failed authorization procedure. jira.afterguard.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://jira.afterguard.de/.well-known/acme-challenge/LGVvB6J1he3BdHHuJaVCoU5qfdXionXEDVBPgnjg0fY [2a02:2350:5:100:4180:0:cd18:d4eb]: 403. Skipping.


Processing /etc/letsencrypt/renewal/afterguard.de.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for afterguard.de
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (afterguard.de) from /etc/letsencrypt/renewal/afterguard.de.conf produced an unexpected error: Failed authorization procedure. afterguard.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://afterguard.de/.well-known/acme-challenge/CMdXHdeCIkfAauK8iigLCS17V07Hm2ljOf3fkA3lkVQ [2a02:2350:5:100:4180:0:cd18:d4eb]: 403. Skipping.


Processing /etc/letsencrypt/renewal/confluence.afterguard.de.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for confluence.afterguard.de
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (confluence.afterguard.de) from /etc/letsencrypt/renewal/confluence.afterguard.de.conf produced an unexpected error: Failed authorization procedure. confluence.afterguard.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://confluence.afterguard.de/.well-known/acme-challenge/wuELZ9s0wwl9QbIL2WuH0daAPEEEY8xSXj9neKadlFw [2a02:2350:5:100:4180:0:cd18:d4eb]: 403. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/jira.afterguard.de/fullchain.pem (failure)
/etc/letsencrypt/live/afterguard.de/fullchain.pem (failure)
/etc/letsencrypt/live/confluence.afterguard.de/fullchain.pem (failure)


** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/jira.afterguard.de/fullchain.pem (failure)
/etc/letsencrypt/live/afterguard.de/fullchain.pem (failure)
/etc/letsencrypt/live/confluence.afterguard.de/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)


3 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

Is there a way to get the standalone version to work via port 80, as this was always pretty simple?

Well, technically you can just set Apache to not listen on port 80, but that will obviously disable site access by http.

Hi @DonMarco

you have IPv4 and IPv6 addresses (checked with https://check-your-website.server-daten.de/?q=afterguard.de ):

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| afterguard.de | A | 46.30.213.6 | yes | 1 | 0 |
| | AAAA | 2a02:2350:5:100:4180:0:cd18:d4eb | yes | | |
| www.afterguard.de | A | 46.30.213.6 | yes | 1 | 0 |
| | AAAA | 2a02:2350:5:100:4180:0:cd18:d4eb | yes | | |

But a list of curious answers:

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://afterguard.de/ 46.30.213.6 | 503 Service Unavailable | | 0.090 | S |
| http://afterguard.de/ 2a02:2350:5:100:4180:0:cd18:d4eb | 503 Service Unavailable | | 0.086 | S |
| http://www.afterguard.de/ 46.30.213.6 | 503 Service Unavailable | | 0.090 | S |
| http://www.afterguard.de/ 2a02:2350:5:100:4180:0:cd18:d4eb | 503 Service Unavailable | | 0.073 | S |
| https://afterguard.de/ 46.30.213.6 | 503 Service Unavailable | | 1.710 | S |
| https://afterguard.de/ 2a02:2350:5:100:4180:0:cd18:d4eb | 503 Service Unavailable | | 1.373 | S |
| https://www.afterguard.de/ 46.30.213.6 | 503 Service Unavailable | | 1.420 | S |
| https://www.afterguard.de/ 2a02:2350:5:100:4180:0:cd18:d4eb | 503 Service Unavailable | | 1.406 | S |
| http://afterguard.de/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 46.30.213.6 | 403 Forbidden | | 0.084 | M |
| http://afterguard.de/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 2a02:2350:5:100:4180:0:cd18:d4eb | 403 Forbidden | | 0.073 | M |
| http://www.afterguard.de/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 46.30.213.6 | 403 Forbidden | | 0.070 | M |
| http://www.afterguard.de/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 2a02:2350:5:100:4180:0:cd18:d4eb | 403 Forbidden | | 0.084 | M |

So there are a lot of "Service Unavailable" messages, but /.well-known/acme-challenge/unknown-file answers with a 403 - Forbidden.

The headers are shorter. Why is there such an answer?

Are your DNS records correct?

Is http://afterguard.de/ supposed to return some sort of One.com ‘this web page has expired and is suspended’ page?

Yes, the afterguard.de and the www.afterguard.de are currently unused, as they are completely work in progress. That’s why these links show in the void.

The only thing I am trying to get back to working (for the moment) are jira.afterguard.de and confluence.afterguard.de

The webpage is being moved tomorrow away from one.com to hetzner. That shouldn’t raise a problem today, but I have to check…

The third domain has the same picture. Service Unavailable and Forbidden in /.well-known/...

So your server isn't really online.

Then we should wait and check it tomorrow again.

Solved… the webspaces move procedure has been started before schedule. Before I was able to change the certificates. Everything is working!
