Website offline after renewal

current domain https://git.timclinckemalie.me

Renewed my certificates using certbot renew -d git.timclinckemalie.me

I'm running Ubuntu 18.04.5 LTS with nginx:latest (1.14.0).

So I got an email that my certificates will expire in 10 days, so I logged in to my server and ran certbot renew -d git.timclinckemalie.me
The first attempt failed because port 80 was not forwarded on my router to my VM.
I opened up port 80 and ran it again; it worked, however the site went offline.
I restarted nginx and even the VM.

nginx is working as a reverse proxy which passes to my git server running on another VM.

I think it has something to do with the location of the certs, as after renewal it transfers to the archive folder, but I cannot make anything of it.

Let's Encrypt log

For the log file, look at 2021-01-11 at roughly 14:00.

Any ideas what might cause the server to go down? I can access my git server locally but not via the reverse proxy -> it is using TLSv1.3.

Second question:

I saw many auto-renewal attempts which failed, obviously because my port 80 wasn't open.
How can you safely open port 80 for Let's Encrypt to access it for renewal, or can that be transferred to HTTPS?

Hi @Techrese

Your port 80 answers with a redirect to https / port 443.

But your 443 has a timeout - https://check-your-website.server-daten.de/?q=git.timclinckemalie.me

Domainname                        IP             Http-Status  redirect                               Sec.   G
http://git.timclinckemalie.me/    94.227.65.222  301          https://git.timclinckemalie.me/        0.077  A
                                                              (Html is minified: 107,78 %)
https://git.timclinckemalie.me/   94.227.65.222  -14          Timeout - The operation has timed out  9.997  T

Is there a correct port 443 router forward? Or a blocking firewall?

Does https work internally?

curl https://git.timclinckemalie.me/

from that machine?

You should change your http config to handle the challenge requests there (and not redirect them to https).

1 Like

Normally port 443 is forwarded to my reverse proxy, yes, and after the renewal I disabled the port forward of port 80.

1 Like

So if I understand correctly, I can open up port 80 and forward http to https?

Absolutely, and you certainly should.

1 Like
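The two points made above (serve the challenge on port 80 instead of redirecting it, and redirect everything else to HTTPS) fit in one nginx configuration. The following is an added example, not config from the thread or from the original poster: it assumes certbot runs in webroot mode with /var/www/letsencrypt as the webroot, that the git server behind the proxy is reachable at the hypothetical address 10.0.0.20:3000, and that the certificate lives at certbot's default path for this domain. The redirect-only setup the first check found returns a 301 for the challenge URL as well, which is why the challenge location is listed first and is the one thing port 80 answers directly.

```nginx
# Added example (not from the thread): port 80 stays open, but only the
# ACME HTTP-01 challenge is served there; everything else is sent to 443.
# Assumptions: certbot webroot mode with /var/www/letsencrypt, a git server
# at 10.0.0.20:3000 (hypothetical), and certbot's default certificate paths.

server {
    listen 80;
    listen [::]:80;
    server_name git.timclinckemalie.me;

    # The challenge must be answered over plain HTTP. This location has to
    # come before the catch-all redirect, otherwise Let's Encrypt receives
    # a 301 instead of the token file certbot wrote into the webroot.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type "text/plain";
        try_files $uri =404;
    }

    # Everything else goes to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name git.timclinckemalie.me;

    # Point at live/, never at archive/: live/ holds symlinks that certbot
    # repoints to the newest files in archive/ on each renewal, so the paths
    # here stay valid across renewals.
    ssl_certificate     /etc/letsencrypt/live/git.timclinckemalie.me/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/git.timclinckemalie.me/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    # Reverse proxy to the git server on the other VM (address is assumed).
    location / {
        proxy_pass http://10.0.0.20:3000;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Validate with `nginx -t` and reload nginx before testing. nginx reads the certificate files once at start or reload, so a renewal only takes effect after a reload; `certbot renew --deploy-hook "systemctl reload nginx"` does that automatically on the runs that actually renew something. With both port forwards in place (80 for the challenge, 443 for the site), `certbot renew --dry-run` should then succeed against this layout.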

Hmm, thanks. And auto-renewal will still work, I guess?

2 Likes

As long as you maintain the necessary conditions for authentication and have an automated call (e.g. crontab) set up, I see no reason why not.

certbot renew --dry-run

2 Likes

@griffin thanks for the reply, this is the solution to fix the renewal error.
@JuergenAuer thanks for the info.
It was my own stupidity: I had disabled 443 in my router instead of 80, whoops ..... :confused:

3 Likes