Update cert fails with weird domain for check

I am no longer able to update my domain (home.vester.org). My ISP updated the firmware on my router. That seems to be involved with the issue.

I host it myself.

The OS is Raspbian Jessie

The command I ran was:
certbot-auto certonly --webroot --webroot-path /var/www --domains home.vester.org -m <my email> --renew-by-default --text --non-interactive

The response I got was:

IMPORTANT NOTES:
 - The following errors were reported by the server:
   
   Domain: home.vester.org
   Type:   connection
   Detail: Fetching
   http://homebox/2.5/gui/?item=.well-known/acme-challenge/XuG8chyrHktW5Q1fxwBk-1DCPR1yyN7e4FqchAldrY8:
   Error getting validation data

When I run:
certbot-auto -v renew --dry-run

I get this in the output:

Sending GET request to https://acme-staging.api.letsencrypt.org/acme/authz/*****************************.

In the response the validationRecord contains two elements:

  "validationRecord": [
    {
      "url": "http://homebox/2.5/gui/?item=.well-known/acme-challenge/******************************",
      "hostname": "homebox",
      "port": "80",
      "addressesResolved": [],
      "addressUsed": "",
      "addressesTried": []
    },
    {
      "url": "http://home.vester.org/.well-known/acme-challenge/******************************",
      "hostname": "home.vester.org",
      "port": "80",
      "addressesResolved": [
        "176.20.161.236"
      ],
      "addressUsed": "176.20.161.236",
      "addressesTried": []
    }
  ]

I'm not sure where it gets http://homebox/2.5/gui/?item=.well-known/acme-challenge/****************************** from. That is the address of the web interface of my ISP-supplied router, but it is only reachable from my local network.

Your site is redirecting to homebox:
wget home.vester.org
--2017-09-04 11:35:07--  http://home.vester.org/
Resolving home.vester.org (home.vester.org)... 176.20.161.236
Connecting to home.vester.org (home.vester.org)|176.20.161.236|:80... connected.
HTTP request sent, awaiting response... 307 Temporary Redirect
Location: http://homebox/2.5/gui/ [following]
--2017-09-04 11:35:08--  http://homebox/2.5/gui/
Resolving homebox (homebox)... failed: Temporary failure in name resolution.
wget: unable to resolve host address ‘homebox’

Just to be super-explicit about this, there’s no way for Let’s Encrypt to use the name “homebox” because it’s a name that only makes sense within your local network, not for the public Internet.

Thank you for your help.
I was pretty sure that "homebox" was from my router.

I can somewhat reproduce the 307 redirect when accessing the router internally as well:

wget 192.168.1.1
--2017-09-04 21:58:44--  http://192.168.1.1/
Connecting to 192.168.1.1:80... connected.
HTTP request sent, awaiting response... 307 Temporary Redirect
Location: /2.5/gui/ [following]
--2017-09-04 21:58:44--  http://192.168.1.1/2.5/gui/
Reusing existing connection to 192.168.1.1:80.
HTTP request sent, awaiting response... 200 OK
Length: 3253 (3,2K) [text/html]
Saving to: ‘index.html’

When I try to connect to it from another network I do not get the 307.

wget home.vester.org
URL transformed to HTTPS due to an HSTS policy
--2017-09-04 22:09:04--  https://home.vester.org/
Resolving home.vester.org... 176.20.161.236
Connecting to home.vester.org|176.20.161.236|:443... connected.
HTTP request sent, awaiting response... 404 Not Found
2017-09-04 22:09:04 ERROR 404: Not Found.

I guess I will have to try another router or contact my ISP.
Thank you for the input. It was helpful.

HTTP gives the "homebox" redirect, HTTPS gives the 404 page.

The Let's Encrypt HTTP-01 validator makes its initial request over HTTP. It follows redirects (including to HTTPS) but ignores HSTS.

Thanks - good observation. I can use that.

If the HTTPS 404 is coming from the router as opposed to from your web server, you can't use it because the validation method that uses port 443 requires that you run the Let's Encrypt client directly on the machine that terminates the TLS connection. You don't get to select the port to be used by either of these validation methods.

If it's forwarding port 443 directly to your web server instead of running a TLS listener on the router, then yes, you should be able to use the other method (TLS-SNI-01).
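
The diagnosis reached in this thread can be read straight out of the validationRecord array in the authz response. The following is an added example, not part of the original posts or of certbot: it checks each hop for the symptoms seen here. The function names, the TOKEN placeholder and the sample data (constructed to mirror the record quoted above) are assumptions.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample shaped like the validationRecord quoted in the thread;
# TOKEN is a placeholder for the masked challenge token.
SAMPLE = json.loads("""
[
  {"url": "http://homebox/2.5/gui/?item=.well-known/acme-challenge/TOKEN",
   "hostname": "homebox", "port": "80",
   "addressesResolved": [], "addressUsed": "", "addressesTried": []},
  {"url": "http://home.vester.org/.well-known/acme-challenge/TOKEN",
   "hostname": "home.vester.org", "port": "80",
   "addressesResolved": ["176.20.161.236"],
   "addressUsed": "176.20.161.236", "addressesTried": []}
]
""")

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

def diagnose_hop(rec):
    """Return a list of problems found in one validationRecord entry."""
    problems = []
    # A name without a dot only has meaning inside a local network.
    if "." not in rec["hostname"].rstrip("."):
        problems.append("single-label hostname, not resolvable on the public Internet")
    if not rec["addressesResolved"]:
        problems.append("no addresses resolved")
    for addr in rec["addressesResolved"]:
        if not ipaddress.ip_address(addr).is_global:
            problems.append(addr + " is not a public address")
    # A redirect that rewrites the path no longer points at the challenge file.
    if not urlsplit(rec["url"]).path.startswith(CHALLENGE_PREFIX):
        problems.append("path is outside " + CHALLENGE_PREFIX)
    return problems

def diagnose(records):
    """Map each problematic hop's URL to its problems; clean hops are omitted."""
    report = {}
    for rec in records:
        problems = diagnose_hop(rec)
        if problems:
            report[rec["url"]] = problems
    return report

if __name__ == "__main__":
    for url, problems in diagnose(SAMPLE).items():
        print(url)
        for p in problems:
            print("  -", p)
```

On the sample, only the homebox hop is reported; the home.vester.org hop resolves to a public address and keeps the challenge path.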
