Hardware: SFF computer at home (GB-BKi3A-7100)
YunoHost version: 11.1.22 (stable)
I have access to my server: through SSH | through the webadmin | direct access via keyboard / screen
Are you in a special context or did you perform some particular tweaking on your YunoHost instance?: yes
If yes, please explain: modified /etc/nginx/conf.d/ssowat.conf to make it compatible with CrowdSec because of an Nginx Lua limitation.
Description of my issue
Hello,
A couple of days ago, the Let's Encrypt certificate for one of my subdomains didn't renew automatically. It was working before; the auto renewal never showed any problems or error message. Now it presents an HTTP error 400 when trying to resolve the challenge.
I tried to update it manually from both the webadmin and the console, and got the same error message. I then tried to go back to a self-signed certificate and create a new cert via LE. Same error again when trying to generate an LE cert.
It's my own domain on a fixed IP (v4 and v6). My home ISP offers a full v4 address to people who self-host, and 8 v6 /64s. Everything was working properly until now.
I "can" access what's on that subdomain. It just stops at the cert warning, as the self-signed cert doesn't correspond to the CAA of the domain. Before going back to a self-signed cert I was blocked by the old LE cert, which was too old. And before that again it worked.
The DNS config is on DigitalOcean's name servers and I checked that nothing changed. Nothing changed on my network either; the server is alone on its own physical network.
I tried removing and recreating the subdomain. Same thing.
I wanted to be sure to eliminate any firewall issues, so I searched for Let's Encrypt's public IPs for cert validation and created a firewall rule to make sure LE traffic is redirected to YunoHost.
It turns out they don't publish their IPs, so I used nslookup to find one of them. They use Cloudflare IPs, so they might change from time to time. Cloudflare IPs are considered USA IP blocks.
I use MaxMind's GeoIP list to block unwanted traffic to my network, USA included. This list is automatically updated. So I guess the IPs currently used by Let's Encrypt ended up on that list, and/or all or part of the Cloudflare IP blocks did.
As this list evolves, that's why it was never a problem until now. The 400 error completely confused me there, and I didn't think to look elsewhere.
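The failure mode described in this post, a country-level GeoIP blocklist silently dropping the CA's validation requests, can be checked for before a renewal instead of after it fails. The following is an added example (not code from the post or from YunoHost): it takes the addresses resolved for the ACME endpoint and a firewall blocklist and reports which ones a GeoIP rule would drop. All CIDR ranges and addresses below are constructed documentation prefixes, not real MaxMind or Let's Encrypt data; since the post notes that Let's Encrypt does not publish its validator IPs, such a check is only valid for the addresses observed at that moment.

```python
# Added example (not from the forum post): would a GeoIP-derived country blocklist
# drop the addresses an ACME validator connects from? Uses only the stdlib.
import ipaddress

# Constructed stand-in for a few firewall blocklist entries (NOT real MaxMind data):
# CIDR -> country label, as a GeoIP-based firewall rule would carry it.
GEOIP_BLOCKLIST = {
    "203.0.113.0/24": "US",    # TEST-NET-3, constructed "US" block
    "2001:db8:1::/48": "US",   # documentation prefix, constructed "US" block
    "198.51.100.0/24": "XX",   # TEST-NET-2, another constructed blocked range
}

# Constructed stand-ins for the addresses an nslookup of the ACME endpoint returned
# (documentation addresses only; the real ones change and are not published).
RESOLVED_VALIDATOR_IPS = ["203.0.113.10", "2001:db8:1::44", "192.0.2.7"]


def blocked_by_geoip(ip, blocklist=GEOIP_BLOCKLIST):
    """Return the (cidr, country) rule that would drop `ip`, or None if allowed."""
    addr = ipaddress.ip_address(ip)
    for cidr, country in blocklist.items():
        net = ipaddress.ip_network(cidr)
        # A v4 address can never match a v6 range (and vice versa); skip those.
        if net.version == addr.version and addr in net:
            return cidr, country
    return None


def audit_validator_ips(ips, blocklist=GEOIP_BLOCKLIST):
    """Map each resolved validator address to the rule that blocks it, or None.

    Any non-None entry means the HTTP-01 challenge request from that address is
    dropped before it reaches the web server, so the CA reports a failure even
    though DNS, port forwarding and the web server itself are all fine.
    """
    return {ip: blocked_by_geoip(ip, blocklist) for ip in ips}


if __name__ == "__main__":
    for ip, hit in audit_validator_ips(RESOLVED_VALIDATOR_IPS).items():
        status = f"BLOCKED by {hit[0]} ({hit[1]})" if hit else "allowed"
        print(f"{ip:>20}  {status}")
```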