What if port 80 is inaccessible and stopping TLS-SNI-01 with Certbot


#1

The page that explains how to stop using TLS-SNI-01 (How to stop using TLS-SNI-01 with Certbot) mentions this:

Ideally your web server should allow both ports. If that’s not possible, for instance because your ISP blocks port 80, you’ll need to switch to the dns-01 challenge, or use an ACME client that supports tls-alpn-01.

Unfortunately there is no link to a page that explains how to do this.

Steps taken: I changed port-forwarding of my router. It redirects external port 80 (and external port 443) to internal port 443. Unfortunately that does not work.

My domain is: https://blucap.no-ip.org

I ran this command:

sudo certbot renew --dry-run

It produced this output:

Timeout after connect (your server may be slow or overloaded) To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) … If you’re using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.

My web server is (include version): Apache/2.4.7 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu trusty (14)

My hosting provider, if applicable, is: no-ip.org

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

The version of my client is: Certbot version 28


#2

Hi @blucap

That can’t work. Redirect your external port 80 to your internal port 80 and your external 443 to your internal port 443. Redirecting two different protocols to the same destination is always bad.

Now you have timeouts ( https://check-your-website.server-daten.de/?q=blucap.no-ip.org ):

Domainname Http-Status redirect Sec. G
http://blucap.no-ip.org/
219.89.59.50 -14 10.017 T
Timeout - The operation has timed out
https://blucap.no-ip.org/
219.89.59.50 302 https://blucap.no-ip.org/login 8.593 B
https://blucap.no-ip.org/login 200 5.284 B
http://blucap.no-ip.org/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
219.89.59.50 -14 10.030 T
Timeout - The operation has timed out

So Letsencrypt can’t check a file in /.well-known/acme-challenge

The online check should see a http status 404 / Not found.

Your webserver may have a redirect http -> https, Letsencrypt follows these redirects. So port 80 sends only http redirects.


#3

PS:

A check on https://www.yougetsignal.com shows that port 80 is open … .

What check did you use?

Using

https://www.yougetsignal.com/tools/open-ports/

with your domain name:

Port 80 is closed on blucap.no-ip.org


#4

Router drives me nuts, port forwarding to port 80 did work, but not now.


#5

Hi Jürgen, I’m not an experienced hand myself; how do I make Apache co-operate and allow it to accept traffic on http?


#6

Do you have a VirtualHost? In your /sites-enabled/ - subdirectory?

A file with something like

Listen 80
<VirtualHost *:80>
    DocumentRoot "/www/example1"
    ServerName blucap.no-ip.org

    # Other directives here
</VirtualHost>

There a redirect http -> https.


#7

There is a couple of them: https://i.imgur.com/00S9xuR.png
Some of them generated by letsencrypt I presume.
Can I just add a simple file in that folder with the redirect you pointed out?


#8

It may be simpler to add the name to a block that already redirects all http to https.
[if one exists]

Or to add an http vhost config block to a similar file that is already included in the config.

Put in simplest form, you could have one file for all http blocks and one file for all https blocks.
And the http blocks might be able to be all merged into just one super simple block that redirects all http to https.

I can’t see what names have already been used in which files, so it is difficult to say where you could best add anything.


#9

The most important thing: Combinations of port and ServerName / Alias should be unique.

There are a lot of problems with configurations that have two or three definitions with overlapping servernames.


#10

You would be a great help by showing what line, characters, strings, or text to put where to make it work. No offense, but as a newbie (and other newbies may read this post too), I just don’t understand “There a redirect http -> https” or other suggestions in this thread.

My setup is very simple, I run Apache for a Nextcloud server on one machine. That machine relies on https (port 443). Another machine runs a simple http site (port 80), but I don’t really use that site - and since yesterday my router fails to redirect to that port anyways. :frowning:

Below are the contents of the Nextcloud machine’s 000-default.conf and default-ssl.conf files.

Thank you

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
        SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch "MSIE [2-6]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    </VirtualHost>
</IfModule>

#11

This isn’t a simple setup, this is a complex setup if you use two different servers to handle port 80 / port 443.

So you must change the VirtualHost of the other machine. But this other machine doesn’t answer, there is a timeout.

No open port 80 -> no http-01 - validation.


#12

The biggest problem (now) is that port 80 doesn’t respond from the Internet.
Without it you won’t be able to validate via HTTP-01 (which is soon to be required).
[you will need to seek alternate auth methods]


#13

Okay, but the server on port 80 is often down, it’s a machine that I once in a while switch on. Most of the time it is just off.
Therefore, ignoring that machine, the closed port, and the faulty router (I will replace it), what do you mean by: "There a redirect http -> https"?

By offering the relevant configuration lines you would help me and others greatly.


#14

At some point (when it was up), the https site would redirect to https.
Try searching for it with:

grep -Eri 'permanent|rewrite|redirect|rule' /etc/apache2


#15

It responds, among some generic lines: RewriteCond %{SERVER_NAME} =blucap.no-ip.org


#16

Show that file (or that whole part of it).


#17

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =blucap.no-ip.org
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

#18

There is already your complete redirect port 80 / http to port 443 / https.

But that doesn’t work if your router sends the http traffic to the other machine.

So this port 80 is non-existent.


#19

These are the lines that do the redirection:

And they look proper.
Of course, they can only redirect connections that reach it.

So, if port 80 is blocked, or reaches another system, then this system will never be able to do anything for those port 80 requests.
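As an added example, not taken from any post in this thread: the port-80 vhost of the Nextcloud machine rewritten so that it answers HTTP-01 challenge requests itself and only redirects everything else to https. The challenge webroot /var/www/letsencrypt is an assumption; it has to exist and be the directory passed to certbot with `--webroot -w /var/www/letsencrypt`, and mod_rewrite must be enabled (`a2enmod rewrite`).

```apache
# Added example, not from the thread. Replaces the *:80 block in 000-default.conf.
# Assumption: /var/www/letsencrypt is the certbot webroot (--webroot -w /var/www/letsencrypt).
<VirtualHost *:80>
    ServerName blucap.no-ip.org
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # Serve challenge tokens from a dedicated directory, independent of the Nextcloud code
    Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/
    <Directory /var/www/letsencrypt/.well-known/acme-challenge/>
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    # Redirect everything except the challenge path to https.
    # mod_rewrite runs before mod_alias, so the exemption is required for the Alias to be reached.
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
```

Check it from outside your network with `curl -I http://blucap.no-ip.org/.well-known/acme-challenge/test`: a 404 from Apache is the expected answer once port 80 reaches this machine, while a timeout means the router still is not forwarding port 80 here.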


#20

Thank you.

Would it work by asking the router (provided it works) to send http traffic to the Nextcloud machine?