No longer possible to renew SSL certificates

Hi all,

While everything was working perfectly until now (more than 2 years), I am having problems renewing the SSL certificates of the sites on my server.

Suddenly the renewal attempts fail with the following message:
Timeout during connect (likely firewall problem)

Here is one of the example sites:

Renewing an existing certificate for coeursdechiens.ch and www.coeursdechiens.ch

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: coeursdechiens.ch
  Type:   connection
  Detail: 51.91.20.129: Fetching https://coeursdechiens.ch/.well-known/acme-challenge/e9yLcJ1oBtYelAFixN6GKK49MYkWBM1SZzbFSWGPNUA: Timeout during connect (likely firewall problem)

  Domain: www.coeursdechiens.ch
  Type:   connection
  Detail: 51.91.20.129: Fetching http://coeursdechiens.ch/.well-known/acme-challenge/oRqJFHmmBfcsy0XOeSHNq4_isuCGjmB9Eiv48qEUN1U: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Some challenges have failed.

I tried a renewal by disabling Fail2ban and FirewallD … without success!
I still get the same issue.

I have tested that the server is accessible:

nmap -p 80,443 coeursdechiens.ch
Nmap scan report for coeursdechiens.ch (51.91.20.129)
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

I have spent a lot of time looking for a solution, but to no avail.
Do you have any ideas on how to solve this issue?

SYSTEM INFORMATION
OS type and version CentOS Linux 8.5.2111
Virtualmin version 7.7

Disable .htaccess, renew certificate and restore .htaccess :+1:

It worked like a charm! Thanks a lot for the tip.

Do you know more about what can cause this issue?

Yes, it is caused by WordPress redirections which, instead of considering the link as reachable, show the 404 page, so as to show something concrete to the user rather than a blank page :+1:

Strange thing … the site isn’t using WordPress and all worked fine a few days ago.
It uses WinterCMS, whose default .htaccess file whitelists the .well-known folder and its children.

I tried to create a file in a subdirectory and access it, no redirection in action.
I’ll have to investigate a bit more when the next certificate renewal comes up on one of the server’s sites.

Are you sure? I see a 404.

This should be the first entry in the rewrite block

RewriteRule ^.well-known/ - [L,NC]

with the current set up all the other rules are still being read and this is why there is a 404 error

@jimr1 @LuigiMdg It’s a rewrite condition, not a rule.
The [L] flag causes mod_rewrite to stop processing the rule set.

I’ve made a test file, that you can see at Test file

curl -I http://coeursdechiens.ch/.well-known/acme-challenge/6ucZ14qYKGuhZXCjfCJfHN4KBWig-ATB6YSMplrIJvM
HTTP/1.1 301 Moved Permanently
Location: https://coeursdechiens.ch/.well-known/acme-challenge/6ucZ14qYKGuhZXCjfCJfHN4KBWig-ATB6YSMplrIJvM

curl -I https://coeursdechiens.ch/.well-known/acme-challenge/6ucZ14qYKGuhZXCjfCJfHN4KBWig-ATB6YSMplrIJvM
HTTP/1.1 200 OK

The .htaccess rules have not changed since the creation of the site, the only change is Webmin has been updated on the server.

I will see if the error occurs again at the next renewal.
Thanks for your help.
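A scripted version of the curl check above, added here as an example (not code from the thread or from Virtualmin): it drops a throwaway token under the webroot you pass it (the path is an assumption), fetches it over plain http following redirects the way the CA does, and classifies the final response so a 404 from a catch-all rewrite is distinguished from a connect timeout.

```shell
#!/bin/sh
# Added example: probe an HTTP-01 challenge path the way the CA would.

# Reads raw `curl -I -L` header output on stdin and prints a verdict based on
# the status line of the final response in the redirect chain.
classify_acme_headers() {
    final=$(grep -E '^HTTP/' | tail -n 1 | awk '{print $2}')
    case "$final" in
        200)             echo "ok" ;;
        301|302|307|308) echo "redirect-not-followed" ;;
        404)             echo "not-found-check-rewrite-rules" ;;
        '')              echo "no-response-check-firewall" ;;
        *)               echo "unexpected-$final" ;;
    esac
}

# $1 = domain, $2 = webroot (assumed path, e.g. /home/site/public_html).
# Creates a unique token file, fetches it over http with redirects followed,
# removes the file again and returns 0 only when the final answer was 200.
check_acme_path() {
    domain=$1; webroot=$2
    token="probe-$(date +%s)-$$"
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir" && printf 'probe' > "$dir/$token" || return 2
    verdict=$(curl -sS -I -L --max-time 15 \
        "http://$domain/.well-known/acme-challenge/$token" 2>/dev/null \
        | classify_acme_headers)
    rm -f "$dir/$token"
    echo "$verdict"
    [ "$verdict" = "ok" ]
}
```

Run it as `check_acme_path example.com /path/to/webroot`; a verdict of `not-found-check-rewrite-rules` after a 301 is the symptom discussed in this thread, while `no-response-check-firewall` matches the original "Timeout during connect" error.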

That is what you want it to do, rather than ending up at the CMS not-found page.
