Unable to renew certificate due to HSTS

So I’ve got a personal webserver that I don’t always keep running. Now I’m learning about HTTPS and best security practices and I had enabled HSTS preloading for 2 years (mine is a subdomain but the guide I followed had includeSubdomains enabled. It doesn’t harm, does it?).
The problem is my certificate expired due to carelessness and I’m unable to renew my certificate now.
Any help?

My domain is: adityaruplaha.ddns.net
I ran this command: certbot renew
It produced this output:

Output

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/adityaruplaha.ddns.net.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for adityaruplaha.ddns.net
Cleaning up challenges
Attempting to renew cert (adityaruplaha.ddns.net) from /etc/letsencrypt/renewal/adityaruplaha.ddns.net.conf produced an unexpected error: Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80… Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/adityaruplaha.ddns.net/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/adityaruplaha.ddns.net/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

My web server is (include version):

Server version: Apache/2.4.41 (Unix)
Server built: Aug 13 2019 22:44:41

The operating system my web server runs on is (include version): Manjaro 18.1 x64
My hosting provider, if applicable, is: N/A
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.39.0

1 Like

Hi @adityaruplaha

there

is your answer. You need a port 80. Check the documentation of your Apache, create a port 80 vHost (there are samples) and restart your server.

Then

apachectl -S

to see, if that has worked.

That has nothing to do with HSTS.

Actually I do. I checked that. I’ve got port 80 opened on my NAT as well.
Also I’m an idiot for copy pasting commands off the internet.

EDIT:
Relevant section of the httpd.conf file:

httpd.conf
<VirtualHost *:80>
    DocumentRoot "/drives/server/http-root"
    ServerName adityaruplaha.ddns.net
    <Directory "/drives/server/http-root">
        Options Indexes FollowSymLinks
        Require all granted
        AllowOverride All
    </Directory>

    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
</VirtualHost>

<VirtualHost *:443>
    DocumentRoot "/drives/server/http-root"
    ServerName adityaruplaha.ddns.net
    <Directory "/drives/server/http-root">
        Options Indexes FollowSymLinks
        Require all granted
        AllowOverride All
    </Directory>

    SSLEngine on
    SSLCertificateFile "/etc/letsencrypt/live/adityaruplaha.ddns.net/fullchain.pem"
    SSLCertificateKeyFile "/etc/letsencrypt/live/adityaruplaha.ddns.net/privkey.pem"

    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
</VirtualHost>

OK so I fixed it. I use a custom server root with a seperate httpd.conf. Apparently LetsEncrypt doesn’t honour the ServerRoot directive. Creating a symlink fixed it.

@JuergenAuer thanks for your answer, it was somewhat correct.

Also I didn’t realize that Certbot locally analyses the file first. I expected that the LE server was unable to connect to me.

2 Likes

:wave: Hi @adityaruplaha,

Glad to hear you were able to figure out the root cause of your problem.

I just wanted to add an explicit note to confirm Let’s Encrypt’s validation processes aren’t affected by HSTS. Our systems will completely ignore HSTS.

I see. Well now I’ve fixed the issue and enabled auto-renewal. Shouldn’t be a problem.

Also thanks for allowing a hobbyist like me to explore the world of SSL and internet security. You guys rock!

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.