We have an issue with certbot SSL renewal. We have several sites under /etc/nginx/sites-available/
.
We have this location block for .well-known directory
location ~ /\.well-known {
auth_basic off;
root /etc/letsencrypt;
allow all;
}
and we have renewal configurations for each site under /etc/letsencrypt/renewal
directory.
This is an example for one of them.
#renew_before_expiry = 30 days
version = 2.7.4
archive_dir = /etc/letsencrypt/archive/redacted.com
cert = /etc/letsencrypt/live/redacted.com/cert.pem
privkey = /etc/letsencrypt/live/redacted.com/privkey.pem
chain = /etc/letsencrypt/live/redacted.com/chain.pem
fullchain = /etc/letsencrypt/live/redacted.com/fullchain.pem
#Options used in the renewal process
[renewalparams]
allow_subset_of_names = True
account = 670273d7a9a89f2d3494cf6e38739b1c
rsa_key_size = 4096
post_hook = /bin/systemctl reload nginx
authenticator = webroot
webroot_path = /etc/letsencrypt,
server = https://acme-v02.api.letsencrypt.org/directory
key_type = rsa
[[webroot_map]]
redacted.com = /etc/letsencrypt
Our certbot version is 2.7.4 we upgraded from 1.32.0 and didnt work either.
We know our issue is related with ip6tables but we already have ACCEPT rules for 443 and 80 ports.
When we try to access acme-challenge files during certbot renew --dry-run
we can successfully access the files. So 80 and 443 port shouldn’t be the problem.
When we change the ip6tables INPUT filter from DROP to ACCEPT all sites can renew but when we use INPUT DROP filter most of the sites fails to renew with this error.
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: redacted.com
Type: connection
Detail: xxx.xxx.xxx.xxx: Fetching https://redacted.com/.well-known/acme-challenge/EIJFF3UFqtZJCZtG_Kv9Ca7BGA5LiuBdb9JIWxXIhVg: Timeout during connect (likely firewall problem)
We already tried with minimum set of rules and tried to add 80 and 443 ports ACCEPT rules on top of the input chain but didnt work either. So we stuck in here.
Example nginx configuration can be found in following lines.
server {
listen [::]:80;
server_name .redacted.com;
return 301 https://redacted.com$request_uri;
}
server {
listen [::]:443 ssl http2;
server_name redacted.com;
access_log /var/www/log/access/redacted.access.log main buffer=32k;
error_log /var/www/log/error/redacted.com.error.log notice;
limit_conn gulag 200;
root /var/www/web/redacted.com/web;
index index.php;
ssl_certificate /etc/letsencrypt/live/redacted.com/fullchain.pem;
ssl_trusted_certificate /etc/letsencrypt/live/redacted.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/redacted.com/privkey.pem;
include ssl_params;
## Standard site protection
include snippets/standard.conf;
location ~ /\.well-known {
auth_basic off;
root /etc/letsencrypt;
allow all;
}
## Deny illegal Host headers
if ($host !~* ^(redacted.com|redacted.com)$ ) {
return 444;
break;
}
## Drupal configuration
include snippets/drupal7-php7.4.conf;
## php handling
include snippets/php7.4.conf;
}
By the way we can see HTTP 200 codes in nginx logs for acme files during the certbot renewal.