Using http-01 to renew not working?


#1

Hi!

After an email telling me that in 20 days my certificate would expire I’ve tried to renew it.

This is my config file:

# renew_before_expiry = 30 days
version = 0.9.3
cert = /etc/letsencrypt/live/mydomain/cert.pem
privkey = /etc/letsencrypt/live/mydomain/privkey.pem
chain = /etc/letsencrypt/live/mydomain/chain.pem
fullchain = /etc/letsencrypt/live/mydomain/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = standalone
installer = None
account = myaccountid

After running sudo /opt/letsencrypt/certbot-auto renew this is the output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/mydomain.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for mydomain
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/mydomain.conf produced an unexpected error: Could not bind TCP port 443 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again.. Skipping.

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/mydomain/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

This is ok because I have a webserver running on that port. The problem is that I don’t have too much control on that server so I’ve tried to change the Let’s encrypt port to 80 instead of 443. To do this I’ve changed my config file to this:

# renew_before_expiry = 30 days
version = 0.9.3
cert = /etc/letsencrypt/live/mydomain/cert.pem
privkey = /etc/letsencrypt/live/mydomain/privkey.pem
chain = /etc/letsencrypt/live/mydomain/chain.pem
fullchain = /etc/letsencrypt/live/mydomain/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = standalone
standalone-supported-challenges = http-01
installer = None
account = myaccountid

But when I run the sudo /opt/letsencrypt/certbot-auto renew command again it seems that the http-01 line is not being used because the output is exactly the same:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/mydomain.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for mydomain
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/mydomain.conf produced an unexpected error: Could not bind TCP port 443 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again.. Skipping.

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/mydomain/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

So, how should I force the http-01 challenge so I can use port 80?

Thank you very much!


#2

The dashes in the CLI command options are underscores in the renewal configuration files, so that’s probably why certbot doesn’t try the http-01 challenge: it doesn’t find standalone-supported-challenges as it is searching for standalone_supported_challenges (subtle difference).

But I’m not sure if that’s going to help you. Most webservers also run on port 80, so that port would be occupied too, right?

Isn’t the webroot plugin an option?


#3

Hi Osiris!

Thank you for your answer, you are right twice:

  • There was a syntax problem with the dashes.
  • With this change I get the same error but this time with port 80.

Regarding to using webroot, I was considering this option but servers are not my specialty, I don’t have too much access to the website and since I need to set a webroot path pointing to the website I was very afraid to break something ;-).

Since I don’t understand very well how webroot works, if I use it:

  • What should I put in the webroot_path? I’m using Parse Server if this helps.
  • Is it possible that I break the website if I set a wrong path?

Thank you very much again!


#4

That’s quite essential information, yes :slight_smile:

I really have no idea :flushed: Normally, with a “dumb” webserver like Apache/nginx, you have a directory where all the files for your site reside, e.g. /var/www/vhost/example.com/public_html/. And all the files in there can be accessed (sort of) through http(s)://example.com/.... That directory would be your webroot or “webroot path”.
Parse isn’t such a thing. Wikipedia tells me it’s a Mobile backend as a service, whatever that may be. I’ve actually got no idea if it contains such a webroot thing, but I’m inclined to say “no”.

If that’s indeed the case, you’ve got a few options:

  • Keep using the standalone plugin and temporary stop your Parse Server, so port 80 and/or 443 will become available for that short amount of time;
  • Keep using the standalone plugin and if it’s possible, let your Parse Server only listen to port 443. That way it will only be available through HTTPS, but if I’m reading Wikipedia correct, it’s used as some sort of cloud service to mobile apps and those apps probably only use HTTPS. I hope… Mobile networks and open access WiFi and lack of TLS aren’t exactly my best friends. And if port 80 is available, you can use certbot with the http-01 challenge;
  • Use the dns-01 challenge. This challenge is used through the manual plugin with certbot. That’s quite a hassle, as it requires you to put the challenge token in a specific TXT record in your DNS zone every time you renew the certificate. However, there are many third party clients available with the Bash clients acme.sh and GetSSL supporting the dns-01 challenges. Especially acme.sh has a great list of DNS API scripts with great documentation! So if your domains DNS server has an API listed among those scripts, you can use such a client.

#5

Hi Osiris!

And thank you very much! It’s working now.

I’ve been investigating the webroot mode in a server with Parse Server and Parse Dashboard and I’ve found a tutorial talking about it.

With this config file the renewal is now working:

# renew_before_expiry = 30 days
version = 0.9.3
cert = /etc/letsencrypt/live/mydomain/cert.pem
privkey = /etc/letsencrypt/live/mydomain/privkey.pem
chain = /etc/letsencrypt/live/mydomain/chain.pem
fullchain = /etc/letsencrypt/live/mydomain/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
webroot_path = /usr/share/nginx/html
installer = None
account = myaccountid

#6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.