Website offline after renewal

Techrese · January 14, 2021, 4:18pm

current domain https://git.timclinckemalie.me

Renewed my certificates using certbot renew -d git.timclinckemalie.me

I'm running ubuntu 18.04.5lts with nginx:latest (1.14.0)

So I got an email that my certificates will expire in 10 days so logged in my server did certbot renew -d git.timclinckemalie.me
first attempt failed because port 80 is not forwarded on my router to my vm.
open up port 80 and ran again worked, however site went offline
I restarted nginx and even the vm.

The nginx is working as a reverseproxy which passes to my git server running on another vm.

I think it has something to do with the location of the certs as after renewal it transfers to archive folder but i cannot make something of it.

lets encrypt log

for the log file look at 2021-01-11 at roughly 14.00 o'clock

Any ideas what might cause the server to go down? i can access my git server locally but not via the reverseproxy -> it is using tlsv1.3

second question:

I saw many autorenewal attempt which fails obviously because my port 80 wasn't open.
how can you safly open port 80 for letsencrypt to access it for renewal or can that be transfered to https?

JuergenAuer · January 14, 2021, 4:26pm

Hi @Techrese

your port 80 answers with a redirect to https / port 443.

But your 443 has a timeout - https://check-your-website.server-daten.de/?q=git.timclinckemalie.me

Domainname	Http-Status	redirect	Sec.	G
• http://git.timclinckemalie.me/ 94.227.65.222	301	https://git.timclinckemalie.me/ Html is minified: 107,78 %	0.077	A

• https://git.timclinckemalie.me/ 94.227.65.222	-14		9.997	T
Timeout - The operation has timed out

Is there a correct port 443 router forward? Or a blocking firewall?

Works https internal?

curl https://git.timclinckemalie.me/

from that machine?

rg305 · January 14, 2021, 4:30pm

You should change your http config to handle the challenge requests there (and not redirect them to https).

Techrese · January 14, 2021, 9:28pm

normally port 443 is forwarded to my reverse proxy yes and after the renewal i disabled the port forwxard of port 80

griffin · January 14, 2021, 9:37pm

Techrese · January 14, 2021, 9:45pm

so if i understand corectly i can open up port 80 and forward http to https?

griffin · January 14, 2021, 10:08pm

Absolutely, and you certainly should.

Techrese · January 15, 2021, 7:49am

hmm thanks and auto renewal will still work i guess?

griffin · January 15, 2021, 7:52am

As long as you maintain the necessary conditions for authentication and have an automated call (e.g. crontab) setup, I see no reason why not.

certbot renew --dry-run

Techrese · January 15, 2021, 8:21am

@griffin thanks for the reply this is the solution to fix the renewal error
@JuergenAuer thanks for the info.
it was my stupidity myself in disabled 443 in my router insteadof 80 whoops .....

system · February 14, 2021, 8:21am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.