Unable to find a virtual host listening on port 80

Taryck · January 30, 2019, 3:43pm

Hi,

After recieving "Action required: Let's Encrypt certificate renewals" email.
I've run : certbot renew --dry-run
And get this message :

Attempting to renew cert (xxx) from /etc/xxxxx produced an unexpected error: Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/xxxxxxxxx/fullchain.pem (failure)

Well none of my site accept http request on port 80. They all redirect the user to https port with such apache configurations :
<Directory /usr/xxx/>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
< / Directory>

So I'm a little confused on my certificate renewal... Will it works ?
How to solve such a situation ?

Thanks in advance for your recomendations.

JuergenAuer · January 30, 2019, 3:47pm

Hi @Taryck

if you block port 80 (which has nothing to do with a "more secure system"), you can't use http-01 validation.

So you must use dns-01 validation ort switch to tls-alpn-01 - validation. This isn't supportet by Certbot, acme.sh supports that.

Or configure port 80, add a normal redirect http -> https, Letsencrypt follows this redirect to validate a file created in

/.well-known/acme-challenge

Taryck · January 30, 2019, 4:00pm

Error disapears after adding :

<VirtualHost *:80>
ServerName xxxx.xxxxx.xxx
Redirect permanent / https://%{HTTP_HOST}%{REQUEST_URI}
< / VirtualHost>

I do not block port 80 I do not want any used of unsecured communications.

How dns-01 and tls-alpn-01 works ?
Where do I find documentation about that ?

JuergenAuer · January 30, 2019, 4:07pm

Start there:

mnordhoff · January 30, 2019, 4:15pm