
#1 2021-01-28 18:12:08

nomorewindows
Member
Registered: 2010-04-03
Posts: 3,362

Certbot renew on VPS changed IP address

My VPS changed my machine (I think they locate it in a different datacenter now), and my IP is different.

I'm running certbot renew and it tells me with --standalone or --apache either one that I don't have a port 80 open.

I'm thinking this is because it is trying to open my verification using the old IP address instead of the new IP address.

Do I need to revoke the old certificate and start over with a new certificate?

Anybody have any ideas on that?


I may have to CONSOLE you about your usage of ridiculously easy graphical interfaces...
Look ma, no mouse.


#2 2021-01-28 19:25:06

mpan
Member
Registered: 2012-08-01
Posts: 1,208

Re: Certbot renew on VPS changed IP address

Do not revoke your certificates. That will only make people unable to use your server.

In an HTTPS environment, a certificate is used to authenticate the domain name (listed as “Common Name” in “Subject name”). It doesn’t care about the actual IP address.

certbot must be able to offer a token file to the outside world for verification, on port 80. For that purpose it either runs its own server (--standalone) or uses an existing one (--apache). That file must be available at the domain for which you are trying to obtain the certificate. Therefore ensure that:

  • The domain name actually points to the server on which you run certbot. Keep in mind that, depending on your TTL, it may take some time for the change to propagate. In particular some web hosting providers, who also manage domains, may enforce long TTLs (up to 24h) or push changes made in the webapp to DNS in batch once an hour, a few times a day or even once a day.

  • If using --apache: that it is listening on port 80 for the target domain name and that the token files published by certbot are actually accessible.

  • That your firewall is not blocking connections to port 80.

  • If using --standalone: that nothing else is using port 80 at the time. Though that would probably result in a different error, but worth checking.

Also: please copy and paste the exact error message you are receiving. Possibly with some context, if no sensitive information is leaked that way. Tell us if you receive it from certbot itself while invoking it or you see that message elsewhere; or that it’s your interpretation of some other event.

Last edited by mpan (2021-01-28 19:28:50)


Sometimes I seem a bit harsh — don’t get offended too easily!


#3 2021-01-28 21:28:19

nomorewindows
Member
Registered: 2010-04-03
Posts: 3,362

Re: Certbot renew on VPS changed IP address

Hmm...this is weird...

I've stopped httpd, and usually I have to wait until httpd stops in order to do --standalone.

My httpd server appears to still be running although my wordpress went blank.

I have ps -C httpd processes still running.

Systemctl reported that httpd was dead.

And I ran certbot --standalone renew and it went ahead with a renewal.

Certbot showed that new certificate would be loaded on restart of httpd.

So restarted httpd a couple of times, and it restarted finally.

The whole certbot thing has been a really strange process.

Last edited by nomorewindows (2021-01-28 21:31:28)



#4 2021-01-28 21:32:51

nomorewindows
Member
Registered: 2010-04-03
Posts: 3,362

Re: Certbot renew on VPS changed IP address

mpan wrote:

Do not revoke your certificates. That will only make people unable to use your server.

In an HTTPS environment, a certificate is used to authenticate the domain name (listed as “Common Name” in “Subject name”). It doesn’t care about the actual IP address.

certbot must be able to offer a token file to the outside world for verification, on port 80. For that purpose it either runs its own server (--standalone) or uses an existing one (--apache). That file must be available at the domain for which you are trying to obtain the certificate. Therefore ensure that:

  • The domain name actually points to the server on which you run certbot. Keep in mind that, depending on your TTL, it may take some time for the change to propagate. In particular some web hosting providers, who also manage domains, may enforce long TTLs (up to 24h) or push changes made in the webapp to DNS in batch once an hour, a few times a day or even once a day.

  • If using --apache: that it is listening on port 80 for the target domain name and that the token files published by certbot are actually accessible.

  • That your firewall is not blocking connections to port 80.

  • If using --standalone: that nothing else is using port 80 at the time. Though that would probably result in a different error, but worth checking.

Also: please copy and paste the exact error message you are receiving. Possibly with some context, if no sensitive information is leaked that way. Tell us if you receive it from certbot itself while invoking it or you see that message elsewhere; or that it’s your interpretation of some other event.

I'm invoking certbot manually from the terminal.

The domain name points to the server.  From DNS with certbot?  Certbot doesn't care what IP is as long as it can do the http challenge against it?

Didn't do revoke.

Last edited by nomorewindows (2021-01-28 21:33:40)



#5 2021-01-28 22:01:11

mpan
Member
Registered: 2012-08-01
Posts: 1,208

Re: Certbot renew on VPS changed IP address

What you have described in the penultimate post looks like an issue with Apache httpd, not certbot. certbot seemed to be blocked by the httpd still hanging around. For the --apache option it couldn’t use it, as the server was already down and not accepting connections on port 80. For the --standalone it couldn’t use port 80 because either httpd was still listening on it or the port was in the TIME_WAIT state (dunno if certbot tries to use SO_REUSEADDR).

nomorewindows wrote:

Certbot doesn't care what IP is as long as it can do the http challenge against it?

certbot has nothing to do with addresses: either IP addresses or domain names. It doesn’t care, but it doesn’t care simply because it doesn’t have to care: it never makes connections to your server.

BTW: there is no need to put each and every sentence in its own paragraph. It’s hard to read.

Last edited by mpan (2021-01-28 22:03:49)


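A minimal model of the HTTP-01 exchange described in mpan's two posts above, added here as an example (it is not certbot's code and not from anyone in the thread): the client only publishes a token on port 80, the CA is the party that resolves the name and connects, and a port still held by a lingering httpd makes the standalone bind fail with EADDRINUSE. The token, thumbprint and loopback address are constructed stand-ins, and the SO_REUSEADDR behaviour assumes Linux/BSD socket semantics.

```python
import errno
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import urlopen

TOKEN = "constructed-token-abc123"             # constructed; real tokens are per challenge
KEY_AUTH = TOKEN + ".constructed-thumbprint"   # body the CA expects: token.thumbprint
CHALLENGE_PATH = "/.well-known/acme-challenge/"

class ChallengeHandler(BaseHTTPRequestHandler):
    """Client side (what --standalone does): serve the token, 404 anything else."""
    def do_GET(self):
        if self.path != CHALLENGE_PATH + TOKEN:
            self.send_error(404)
            return
        body = KEY_AUTH.encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def start_standalone(port=0):
    """Bind the responder and serve in the background (real certbot binds port 80)."""
    srv = HTTPServer(("127.0.0.1", port), ChallengeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def ca_validate(host, port, token):
    """CA side: the CA, not certbot, resolves the name and fetches the token over
    plain HTTP; with a stale A record it connects to the old machine and fails."""
    try:
        with urlopen(f"http://{host}:{port}{CHALLENGE_PATH}{token}", timeout=5) as r:
            return r.read().decode() == KEY_AUTH
    except HTTPError:
        return False

def port_in_use(port, reuse_addr=False):
    """Why --standalone fails while a half-dead httpd still holds the port: bind()
    gets EADDRINUSE. SO_REUSEADDR skips TIME_WAIT leftovers, not a live listener."""
    with socket.socket() as s:
        if reuse_addr:
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            s.bind(("127.0.0.1", port))
            return False
        except OSError as e:
            return e.errno == errno.EADDRINUSE
```

Run it with `srv = start_standalone()` and `ca_validate("127.0.0.1", srv.server_address[1], TOKEN)` to watch the "CA" fetch the token; `port_in_use(srv.server_address[1])` then shows the bind failure a lingering listener causes.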

#6 2021-01-29 06:42:32

nomorewindows
Member
Registered: 2010-04-03
Posts: 3,362

Re: Certbot renew on VPS changed IP address

mpan wrote:

What you have described in the penultimate post looks like an issue with Apache httpd, not certbot. certbot seemed to be blocked by the httpd still hanging around. For the --apache option it couldn’t use it, as the server was already down and not accepting connections on port 80. For the --standalone it couldn’t use port 80 because either httpd was still listening on it or the port was in the TIME_WAIT state (dunno if certbot tries to use SO_REUSEADDR).

nomorewindows wrote:

Certbot doesn't care what IP is as long as it can do the http challenge against it?

certbot has nothing to do with addresses: either IP addresses or domain names. It doesn’t care, but it doesn’t care simply because it doesn’t have to care: it never makes connections to your server.

BTW: there is no need to put each and every sentence in its own paragraph. It’s hard to read.

I just figured since subdomains and domains had their separate IPs typically it would certify each host.  The challenge would be associating an IP against the host name in DNS.  And then there's the wildcard certificate.  But it won't do a certificate for an IP-only host without an associated DNS entry of some kind.  Then there's the self-signed certificate you'd use on your intranet more than the internet-facing host.

Looks like it is all going now.  Wordpress just needed an update to the database and an old theme expired.  Wouldn't show anything without an active theme.



#7 2021-01-30 06:50:49

nomorewindows
Member
Registered: 2010-04-03
Posts: 3,362

Re: Certbot renew on VPS changed IP address

It could be that the browser is what determines the discrepancy difference between the certificate and the address you put in the bar.

And openssl -connect just gives you what the certificate indicates, but makes no determination on whether it matches.

Last edited by nomorewindows (2021-01-30 06:53:19)


