[ale] let's encrypt cert renewals?

Kyle Brieden kyle at txmoose.com
Thu May 11 09:22:20 EDT 2017


I run my Nextcloud instance at home and use a LE cert to encrypt it.  I 
had it running on 80 and 443 to the world, with 80 doing a hard 301 to 
443 for everything.  That broke cert renewals for whatever reason, so I 
had to add an exception for the /.well-known/* path for LE.  Later, I 
started running an OpenVPN instance on port 80, because the work 
firewall ONLY allows 80 and 443 out.  Once I stopped PAT'ing 80 to my 
nginx server, the next renewal broke.

Short story is this:  For whatever reason, LE servers *must* be able to 
reach your site at 80 and 443.  I assume this has something to do with 
issuing a cert for a site that currently does not have a cert?  I never 
really thought about it much.

This block appears in my HTTP server block, with the first location 
block appearing in my HTTPS block as well.

    # Serve HTTP-01 challenge tokens over plain HTTP with no redirect.
    # ^~ is a prefix match that regex locations cannot shadow (the original
    # regex "~ ^/.well-known/acme-challenge/*" left the dot unescaped).
    location ^~ /.well-known/acme-challenge/ {
        allow all;
    }

    # enforce https for everything else
    # (no ':' between $server_name and $request_uri, or the redirect
    # target becomes https://host:/path)
    location / {
        return 301 https://$server_name$request_uri;
    }

As far as remedy, every 2 and a half months, I jump onto my router, 
switch the PAT from 80 -> OpenVPN to 80 -> nginx server, do the LE cert 
renewal, then switch it back.  I will make it a more sane process later, 
but for now... well https://xkcd.com/1205/
---
Very respectfully,
Kyle Brieden

On 10-05-2017 20:40, DJ-Pfulio wrote:
> Anyone else having trouble renewing let's encrypt certs?
> 
> Apache2 on Ubuntu 16.04.
> 
> Failing tls-sni-01 challenge.
> 
> I have 2 sites on the same machine.  Both have renewed 3 times without
> issues.  Today, they both failed. The script that always worked before:
> 
> #!/bin/sh
> export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
> /usr/bin/letsencrypt renew
> 
> 
> 
> I've been through the log file(s). Not anything useful, just:
> 
> FailedChallenges: Failed authorization procedure. site.domain.com
> (tls-sni-01): urn:acme:error:connection :: The server could not connect
> to the client to verify the domain :: Failed to connect to
> 50.xx.xx.xx:443 for tls-sni-01 challenge
> 
> DNS is correct.
> Site is up on 443, but not on 80.
> I opened the site to everyone. Normally, only allow a few specific 
> subnets.
> 
> Ideas?
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
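A pre-flight check for the situation both posters describe, added here as an example; it is not code from either message or from Let's Encrypt. Before running `letsencrypt renew`, it drops a throwaway token into `<webroot>/.well-known/acme-challenge/`, fetches it over plain HTTP the way the HTTP-01 validator would (port 80, redirects not followed) and reports one of `ok`, `redirected`, `wrong-content` or `unreachable`. Because the check cannot be demonstrated against a live host offline, a toy HTTP server stands in for nginx and reproduces the two configurations from the thread: the challenge-path exception with everything else 301'd to https, and a blanket redirect (the state that broke Kyle's renewals). The `port-closed` case uses a port with nothing listening to stand in for port 80 being PAT'd to OpenVPN; the port number, the `webroot` layout and the function names are assumptions of this example. It covers HTTP-01 only; DJ-Pfulio's tls-sni-01 failure is a port 443 problem that this check does not exercise.

```python
"""Pre-flight check for an ACME HTTP-01 webroot before running `letsencrypt renew`.

Added example, not from the mailing-list thread. The toy server below stands in
for the nginx port-80 server block; a real check points base_url at the public
hostname, e.g. check_http01_path("/var/www/html", "http://cloud.example.org").
"""
import http.server
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects: the validator must get the token at the original URL."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # makes urllib raise HTTPError(301/302/...) instead of following


def check_http01_path(webroot, base_url, timeout=5):
    """Return 'ok', 'redirected', 'wrong-content' or 'unreachable' for base_url."""
    token = secrets.token_urlsafe(32)
    cdir = os.path.join(webroot, *CHALLENGE_DIR.split("/"))
    os.makedirs(cdir, exist_ok=True)
    path = os.path.join(cdir, token)
    with open(path, "w") as f:
        f.write(token)
    opener = urllib.request.build_opener(_NoRedirect)
    url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{token}"
    try:
        with opener.open(url, timeout=timeout) as resp:
            body = resp.read().decode()
        return "ok" if body == token else "wrong-content"
    except urllib.error.HTTPError as e:
        return "redirected" if e.code in (301, 302, 307, 308) else "unreachable"
    except (urllib.error.URLError, OSError):
        return "unreachable"
    finally:
        os.remove(path)  # never leave stale tokens in the webroot


class _ToyNginx(http.server.BaseHTTPRequestHandler):
    """Mimics the port-80 server block: serve the challenge dir, 301 everything else."""

    webroot = None
    redirect_everything = False  # True reproduces the 'hard 301 for everything' config

    def do_GET(self):
        rel = self.path.lstrip("/")
        if rel.startswith(CHALLENGE_DIR + "/") and ".." not in rel and not self.redirect_everything:
            fpath = os.path.join(self.webroot, *rel.split("/"))
            if os.path.isfile(fpath):
                with open(fpath, "rb") as f:
                    data = f.read()
                self.send_response(200)
                self.send_header("Content-Length", str(len(data)))
                self.end_headers()
                self.wfile.write(data)
                return
            self.send_error(404)
            return
        host = self.headers.get("Host", "localhost").split(":")[0]
        self.send_response(301)
        self.send_header("Location", f"https://{host}{self.path}")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def _serve(webroot, redirect_everything):
    """Start a toy server on an ephemeral loopback port; returns (server, base_url)."""
    handler = type("Handler", (_ToyNginx,), {"webroot": webroot,
                                              "redirect_everything": redirect_everything})
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def demo():
    """Run the check against the three configurations from the thread; returns the verdicts."""
    results = {}
    for name, broken in (("acme-exception", False), ("redirect-all", True)):
        with tempfile.TemporaryDirectory() as webroot:
            srv, base = _serve(webroot, broken)
            try:
                results[name] = check_http01_path(webroot, base)
            finally:
                srv.shutdown()
                srv.server_close()
    with tempfile.TemporaryDirectory() as webroot:  # nothing listening: port 80 PAT'd elsewhere (assumed port 9)
        results["port-closed"] = check_http01_path(webroot, "http://127.0.0.1:9", timeout=2)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Run it before flipping the router rule back: a `redirected` verdict means the challenge location is being shadowed by the catch-all redirect, `unreachable` means port 80 is not arriving at the web server at all, and only `ok` is worth spending a renewal attempt on.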