After reading this site: How to stop using TLS-SNI-01 with Certbot, I followed the description, and when trying point 3 - Renew Certificate - I get the described problem with port 80.
My Apache is configured to listen on port 80, but the message still appears.
Since my only knowledge was of how to set up letsencrypt the first time and how to renew the certificate using certbot, I am not quite sure how to proceed now, as I cannot do anything and have no idea how to switch to the DNS-01 challenge or use another ACME?!?
My domain is: afterguard.de
I ran these commands:
sudo sh -c "sed -i.bak -e 's/^\(pref_challs.*\)tls-sni-01\(.*\)/\1http-01\2/g' /etc/letsencrypt/renewal/*; rm -f /etc/letsencrypt/renewal/*.bak"
sudo certbot renew --dry-run
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Processing /etc/letsencrypt/renewal/jira.afterguard.de.conf
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for jira.afterguard.de
Cleaning up challenges
Attempting to renew cert (jira.afterguard.de) from /etc/letsencrypt/renewal/jira.afterguard.de.conf produced an unexpected error: Problem binding to port 80: Could not bind to IPv4 or IPv6… Skipping.
Processing /etc/letsencrypt/renewal/afterguard.de.conf
Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for afterguard.de
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (afterguard.de) from /etc/letsencrypt/renewal/afterguard.de.conf produced an unexpected error: Failed authorization procedure. afterguard.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://afterguard.de/.well-known/acme-challenge/sTUl4qNT9dy2piHWLH1aOicF5Xy_Vad0gyYWICSci2E [2a02:2350:5:100:4180:0:cd18:d4eb]: 403. Skipping.
Processing /etc/letsencrypt/renewal/confluence.afterguard.de.conf
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for confluence.afterguard.de
Cleaning up challenges
Attempting to renew cert (confluence.afterguard.de) from /etc/letsencrypt/renewal/confluence.afterguard.de.conf produced an unexpected error: Problem binding to port 80: Could not bind to IPv4 or IPv6… Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/jira.afterguard.de/fullchain.pem (failure)
/etc/letsencrypt/live/afterguard.de/fullchain.pem (failure)
/etc/letsencrypt/live/confluence.afterguard.de/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/jira.afterguard.de/fullchain.pem (failure)
/etc/letsencrypt/live/afterguard.de/fullchain.pem (failure)
/etc/letsencrypt/live/confluence.afterguard.de/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)
3 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: afterguard.de
Type: unauthorized
Detail: Invalid response from
http://afterguard.de/.well-known/acme-challenge/sTUl4qNT9dy2piHWLH1aOicF5Xy_Vad0gyYWICSci2E
[2a02:2350:5:100:4180:0:cd18:d4eb]: 403
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
My web server is (include version): apache2
The operating system my web server runs on is (include version): Ubuntu 18.04
My hosting provider, if applicable, is: Hetzner
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.28.0
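
A triage of `certbot renew --dry-run` output like the log above, recording for each renewal config which authenticator Certbot selected and what kind of failure followed. This is an added example, not part of the original post and not Certbot's own code; the sample lines are constructed in the format of the log above (TOKEN and the IPv6 address are placeholders), and `triage`, `classify` and the failure labels are hypothetical names.

```python
import re

# Constructed sample in the format of the renew output above
# (TOKEN and the IPv6 address are placeholders).
SAMPLE = """\
Processing /etc/letsencrypt/renewal/jira.afterguard.de.conf
Plugins selected: Authenticator standalone, Installer None
Attempting to renew cert (jira.afterguard.de) from /etc/letsencrypt/renewal/jira.afterguard.de.conf produced an unexpected error: Problem binding to port 80: Could not bind to IPv4 or IPv6... Skipping.
Processing /etc/letsencrypt/renewal/afterguard.de.conf
Plugins selected: Authenticator webroot, Installer None
Attempting to renew cert (afterguard.de) from /etc/letsencrypt/renewal/afterguard.de.conf produced an unexpected error: Failed authorization procedure. afterguard.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://afterguard.de/.well-known/acme-challenge/TOKEN [2001:db8::1]: 403. Skipping.
"""

PROCESSING = re.compile(r"^Processing (\S+\.conf)$")
PLUGINS = re.compile(r"^Plugins selected: Authenticator ([\w-]+), Installer")
ERROR = re.compile(r"produced an unexpected error: (.*?)\s*Skipping\.$")
HTTP_STATUS = re.compile(r"\]: (\d{3})\b")

def classify(detail):
    """Map an error detail to a coarse failure kind (hypothetical labels)."""
    if "Problem binding to port" in detail:
        return "port-in-use"          # the authenticator could not open its own listener
    m = HTTP_STATUS.search(detail)
    if m:
        return "http-" + m.group(1)   # the validation request was answered with this status
    return "other"

def triage(output):
    """Return one record per renewal config: conf path, authenticator, failure kind."""
    records = []
    for line in map(str.strip, output.splitlines()):
        if m := PROCESSING.match(line):
            records.append({"conf": m.group(1), "authenticator": None, "failure": None})
        elif records and (m := PLUGINS.match(line)):
            records[-1]["authenticator"] = m.group(1)
        elif records and (m := ERROR.search(line)):
            records[-1]["failure"] = classify(m.group(1))
    return records

if __name__ == "__main__":
    for rec in triage(SAMPLE):
        print(rec["conf"], rec["authenticator"], rec["failure"])
```

Run over the full log in the post, this separates the two standalone configs that fail while binding port 80 from the webroot config whose challenge URL is served with a 403.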