Unable to renew with only port 443 open


#1

My domain is: www.adystech.com ; raspberrypi.adystech.com

I ran this command: sudo certbot certonly --webroot -w /home/adystech.com/certbot -d www.adystech.com -d raspberrypi.adystech.com

It produced this output:

  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 199, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. raspberrypi.adystech.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to raspberrypi.adystech.com, www.adystech.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to www.adystech.com


IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: raspberrypi.adystech.com
   Type:   connection
   Detail: Could not connect to raspberrypi.adystech.com

   Domain: www.adystech.com
   Type:   connection
   Detail: Could not connect to www.adystech.com

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

My operating system is (include version):
Linux raspberrypi 4.4.50-v7+ #970 SMP Mon Feb 20 19:18:29 GMT 2017 armv7l GNU/Linux

My web server is (include version):
nginx

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I recently moved to USA, and unfortunately ISP (Cox) blocks port 80. So I can’t run the webserver on normal http. They allow https on 443, and my website is accessible over internet (https://raspberrypi.adystech.com/). But letsencrypt bot only expects the http on port 80, and fails to renew the cert. Any way to force the bot to use 443(https)?


#2

The webroot challenge uses port 80 only. Fortunately, you can use other methods to authorize your domain.

There is a nginx plugin, but it is quite beta. How did you install certbot? Any idea if you installed the nginx plugin or if it’s available?

Otherwise you might use the DNS plugin. But that’s a manual process when used with certbot.


#3

I got the certbot via apt-get on Raspbian. TO get the original certs I just ran the command with webroot, and modified Nginx config. I have not used any Nginx plugins yet. Could you please help me with the DNS based verification?


#4

Sure, just use -a manual --preferred-challenges dns as options in stead of the webroot options.

Hopefully your certbot is recent enough though!


#5

Thank you @Osiris, my certbot indeed supports it. Now just waiting for NameCheap DNS record to propagate :smiley:


#6

Unlike other situations, you shouldn’t generally need to wait for DNS propagation for the DNS challenges, because the Let’s Encrypt CA doesn’t rely on cached data but always goes directly to the authoritative DNS server to ask it for the challenge records.


#7

Good to know… I waited for 15 minutes for the TXT records to show up in nslookup, and proceeded with the certbot step(basically hit enter). I am all set for next 90 days…

Thank you very much for the great work guys… Without LetsEncrypt I can’t make my raspberry open to world with my restrictive ISP.


#8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.