[ale] let's encrypt cert renewals?
Kyle Brieden
kyle at txmoose.com
Thu May 11 09:22:20 EDT 2017
I run my Nextcloud instance at home and use a LE cert to encrypt it. I
had it running on 80 and 443 to the world, with 80 doing a hard 301 to
443 for everything. That broke cert renewals for whatever reason, so I
had to add an exception for the /.well-known/* path for LE. Later, I
started running an OpenVPN instance on port 80, because the work
firewall ONLY allows 80 and 443 out. Once I stopped PAT'ing 80 to my
nginx server, the next renewal broke.
Short story is this: For whatever reason, LE servers *must* be able to
reach your site at 80 and 443. I assume this has something to do with
issuing a cert for a site that currently does not have a cert? I never
really thought about it much.
This block appears in my HTTP server block, with the first location
block appearing in my HTTPS block as well.
# serve the ACME HTTP-01 challenge files without redirecting
# (dot escaped so it matches a literal ".well-known"; a trailing "/*"
# would only match zero or more slashes, so the prefix alone is used)
location ~ ^/\.well-known/acme-challenge/ {
allow all;
}
# enforce https for everything else
# ($request_uri already starts with "/", so no ":" between host and path)
location / {
return 301 https://$server_name$request_uri;
}
As far as remedy, every 2 and a half months, I jump onto my router,
switch the PAT from 80 -> OpenVPN to 80 -> nginx server, do the LE cert
renewal, then switch it back. I will make it a more sane process later,
but for now... well https://xkcd.com/1205/
---
Very respectfully,
Kyle Brieden
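The post's point is that the ACME validator has to reach /.well-known/acme-challenge/ on plain port 80 before the renewal window, and a catch-all redirect or a port-80 PAT pointed at something else (OpenVPN here) only shows up when the renewal fails. The following is an added example, not code from the post or from Let's Encrypt: a pre-renewal check that fetches the challenge path and "/" over HTTP without following redirects and reports whether each is served directly, redirected (and where), or unreachable. The hostname nextcloud.example, the probe token, and the built-in stand-in server (which mimics the nginx config above) are constructed for the offline demo; run it with a real hostname as the first argument to probe your own port 80.

```python
# Added example (not from the post): probe the HTTP-01 challenge path the way
# a validator would, over plain HTTP on port 80, without following redirects.
import http.server
import threading
import urllib.error
import urllib.request

ACME_PREFIX = "/.well-known/acme-challenge/"
PROBE_TOKEN = "probe-not-a-real-token"  # constructed; real tokens come from the ACME server


def classify(status, location):
    """Map a raw probe result to an operator-facing verdict.

    None      -> nothing answered on the port (PAT pointed elsewhere, firewall, service down)
    2xx / 404 -> the web server itself answered the request; the path is not redirected
    3xx       -> the path is redirected; the target is reported so the operator can judge it
    """
    if status is None:
        return "unreachable"
    if status in (301, 302, 303, 307, 308):
        return f"redirect->{location or '<no Location header>'}"
    if status == 404 or 200 <= status < 300:
        return "served-directly"
    return f"unexpected-status-{status}"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Hand the 3xx back to the caller instead of following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url, timeout=5.0):
    """GET url once; return (status, Location) or (None, error text) if no HTTP answer."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "acme-path-check/0.1"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx still carry headers
        return err.code, err.headers.get("Location")
    except (urllib.error.URLError, OSError) as err:
        return None, str(err)


def check_host(host, port=80):
    """Probe the challenge path and '/' on host:port over plain HTTP; return verdicts."""
    base = f"http://{host}:{port}"
    return {
        "challenge": classify(*probe(base + ACME_PREFIX + PROBE_TOKEN)),
        "root": classify(*probe(base + "/")),
    }


class _FakeNginx(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the nginx config in the post: the challenge
    path is served, every other path gets a hard 301 to https."""

    def do_GET(self):
        if self.path.startswith(ACME_PREFIX):
            body = b"challenge-body"
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_response(301)
            self.send_header("Location", "https://nextcloud.example" + self.path)
            self.send_header("Content-Length", "0")
            self.end_headers()

    def log_message(self, *_):  # keep the demo quiet
        pass


def run_local_demo():
    """Start the stand-in on a loopback port, probe it, and return the verdicts."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), _FakeNginx)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return check_host("127.0.0.1", srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        print(check_host(sys.argv[1]))  # real probe of your own port 80
    else:
        print(run_local_demo())  # offline demo against the stand-in
```

Against the stand-in the challenge path comes back "served-directly" while "/" comes back "redirect->https://nextcloud.example/", which is the shape you want to see before a renewal; "unreachable" on the challenge path is the port-80 PAT problem from the post, caught before the cron job rather than after.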
On 10-05-2017 20:40, DJ-Pfulio wrote:
> Anyone else having trouble renewing let's encrypt certs?
>
> Apache2 on Ubuntu 16.04.
>
> Failing tls-sni-01 challenge.
>
> I have 2 sites on the same machine. Both have renewed 3 times without
> issues. Today, they both failed. The script that always worked before:
>
> #!/bin/sh
> export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
> /usr/bin/letsencrypt renew
>
> I've been through the log file(s). Not anything useful, just:
>
> FailedChallenges: Failed authorization procedure. site.domain.com
> (tls-sni-01): urn:acme:error:connection :: The server could not connect
> to the client to verify the domain :: Failed to connect to
> 50.xx.xx.xx:443 for tls-sni-01 challenge
>
> DNS is correct.
> Site is up on 443, but not on 80.
> I opened the site to everyone. Normally, only allow a few specific
> subnets.
>
> Ideas?
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo