FUCK _YOU_ AWS

Comments
  • 3
    I can't renew certificates via certbot because something is blocking the port 80. Easy enough problem:

    ufw status -> inactive

    iptables -L -n -> default policy for all chains (ACCEPT)

    checked Security Group: 80, 443, 22 allowed.

    Nginx is running on 0.0.0.0:80, connecting locally is a success, connecting via IP even on the same server does not.

    I had to manually renew the server certificate.

    So again, FUCK _YOU_ AWS.
  • 1
    Well certbot can't renew because nginx is running
    I guess?
  • 3
    Thanks for your message. That'll be $20 in spot fees and $2.50 in outbound data transfer
  • 0
    @jonas-w

    Uh no
  • 0
    @Linux certbot tries to listen on port 80 to renew the cert but fails because nginx already listens; this would be the default if you don't specify anything else
  • 1
    You might wanna check with ss (socket stats) or netstat ...

    Otherwise: DNS challenge.
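    A small diagnostic in the spirit of the ss/netstat suggestion above, written as an added example (not code posted by anyone in this thread): it parses `ss -Hltn` output to say who holds a port and whether the bind address explains "local works, remote fails". The `SAMPLE_SS` lines are constructed, and the `LIVE=1` switch and the `-H` (no header) flag of iproute2's ss are assumptions of this example.

    ```bash
    #!/bin/sh
    # Who holds a TCP port, and can a remote client reach it at all?
    # Input to listeners_on/verdict is `ss -Hltn` output (State Recv-Q Send-Q Local:Port Peer:Port).
    PORT="${PORT:-80}"

    # listeners_on PORT < ss-output : print the bind address of each listener on PORT
    listeners_on() {
        awk -v port="$1" '{
            n = split($4, parts, ":"); p = parts[n];          # port is the last ":"-field
            if (p == port) { sub(":" p "$", "", $4); print $4 } # strip ":80" -> "0.0.0.0" or "[::]"
        }'
    }

    # classify_bind ADDR : wildcard | loopback | specific
    classify_bind() {
        case "$1" in
            0.0.0.0|'*'|'[::]') echo wildcard ;;
            127.*|'[::1]')       echo loopback ;;
            *)                   echo specific ;;
        esac
    }

    # verdict PORT < ss-output : one line per listener saying what it means for certbot/remote clients
    verdict() {
        binds=$(listeners_on "$1")
        if [ -z "$binds" ]; then
            echo "port $1: nothing listening, certbot --standalone can bind it"
            return 0
        fi
        for b in $binds; do
            case "$(classify_bind "$b")" in
                wildcard) echo "port $1: held on all interfaces ($b); standalone certbot cannot bind it (use --nginx, DNS challenge, or stop nginx first); an external failure is upstream of this host (security group or other filtering)" ;;
                loopback) echo "port $1: bound to loopback only ($b); local tests pass, external ones fail regardless of the security group" ;;
                specific) echo "port $1: bound to $b only; check that this is the instance's primary private IP" ;;
            esac
        done
    }

    # Constructed sample in `ss -Hltn` shape (not captured from the poster's instance)
    SAMPLE_SS='LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
    LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
    LISTEN 0 128 127.0.0.1:8080 0.0.0.0:*'

    # Default: explain the sample. LIVE=1: inspect the real socket table on this host.
    if [ "${LIVE:-0}" = 1 ]; then ss -Hltn | verdict "$PORT"
    else printf '%s\n' "$SAMPLE_SS" | verdict "$PORT"; fi
    ```

    On the instance itself, `LIVE=1 PORT=80 sh diag.sh` reports the live listener; the loopback case is the one a security-group change can never fix.
    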
  • 0
    AFAIK when you set up certbot you have the option for it to stop apache2/nginx before renewing certificates, update their config and restart them.
  • 0
    How is this an AWS issue?
  • 0
    @lungdart I tried updating the Security Group to allow everything inbound but it still didn't work. Nginx is running and I'm certain of it because port 443 works internally and externally while port 80 works internally but not externally.
  • 0
    @jonas-w

    People are actually using certbot standalone? Not with the nginx or dns challenge?????
  • 0
    Certbot-nginx maybe?
  • 0
    @Linux well, if I need certificates for something other than nginx this is the way to go, and it is quicker than the DNS challenge; the DNS challenge is the way to go for wildcards.
  • 0
    @jonas-w

    I just spin up an Apache server and use the Apache plugin
  • 0
    @Linux Yes.

    We have a full PKI and only use certbot with DNS challenge....

    ... Though this is not for a single AWS instance, more like a few hundred DNS domains.