Let's Encrypt Unable To Renew Due To Port 80 Closed

[Don Draper]

I switched ISPs recently and now port 80 is closed and Let's Encrypt is unable to renew.
Looking for a way now to circumvent this, any help would be greatly appreciated.
Receiving the following errors:
Aug 15 17:05:10 kernel: /usr/sbin/acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: bad HTTP: 429
Aug 15 17:10:08 kernel: /usr/sbin/acme-client: transfer buffer: [{ "type": "urn:acme:error:rateLimited", "detail": "Error creating new authz :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/", "status": 429 }] (189 bytes)

Thank you ahead of time.

 

[MichaelCG]

Why do you think port 80 is closed? Nothing in the error message you shared references anything of the sort.

 

[dr_lucas]

I am having the same issue, were you able to resolve it?

 

[hubdog]

It's an ISP thing, at least for me. Cox Communication blocks port 80 and 443 due to their terms of service disallowing residential customers from operating web servers.

 

[Kamikaze01]

I stuck at the same point...

Updating...

Syslog says:

Oct 10 22:33:25 kernel: /usr/sbin/acme-client: SSL_read return 5: Success
Oct 10 22:33:25 kernel: /usr/sbin/acme-client: https://acme-v01.api.letsencrypt.org/acme/new-reg: bad comm
Oct 10 22:33:25 kernel: /usr/sbin/acme-client: transfer buffer: [{ "8-fYNc2I0Bk": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417", "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change", "meta": { "caaIdentities": [ "letsencrypt.org" ], "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf", "website": "https://letsencrypt.org" }, "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz", "new-cert": "https://acme
Oct 10 22:33:27 kernel: /usr/sbin/acme-client: SSL_read return 5: Success
Oct 10 22:33:27 kernel: /usr/sbin/acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: bad comm
Oct 10 22:33:27 kernel: /usr/sbin/acme-client: transfer buffer: [{ "8-fYNc2I0Bk": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417", "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change", "meta": { "caaIdentities": [ "letsencrypt.org" ], "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf", "website": "https://letsencrypt.org" }, "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz", "new-cert": "https://acme

what does this mean ...

Can this happens, because I now use a static IP ?!

 

[RMerlin]

Your log entries are truncated, we can't see the error message. But I suspect it's tied to LE's deprecation of API V1.

 

[Kamikaze01]

Your log entries are truncated, we can't see the error message. But I suspect it's tied to LE's deprecation of API V1.

Hello and thank u for the response...

I changed my ISP and have to use a Fritz!Box7530 because of FTTH with and ONT Box on my Telephonjack.
This Fritz!Box is used in Bridge mode and behind i use my ASUS AC68U.

Befor i changed my ISP everything worked like a charme (Broadband cable ISP).

Now behind my Fritz!Box my LetsEncrypt stuck at update
How can i see the full error message? (i already changed the logs to "debug")...

I am not THAT experienced, but i belive it can be something with port 80?!
I try to goole this, but i dont know what LE's deprecation of API V1 mean or how to avoid this...

I have a static IP, but DDNS should still work, right?
Because in order to use LetsEncrypt, I must have activated DDNS ...

 

[RMerlin]

You probably didn't copy/paste the entire line from the log, unless it was too long to be logged and got truncated at the log level.

Anyway, your issue is more likely to be with the firmware than on your end. Let's Encrypt is gradually phasing out the old API that is used by the Asus client. Asus will have to update their client.

 

[Kamikaze01]

... Let's Encrypt is gradually phasing out the old API that is used by the Asus client. Asus will have to update their client.

Then i have to wait for the next update to use https ?!?
okay - thank u for the answer anyway

 

[RMerlin]

You can still use a self-signed certificate, just tell your browser to allow the connection to it.

 

[pypk]

I too am stuck on "updating ..."

Here is my system log.

Oct 11 15:27:26 rc_service: httpd 256:notify_rc restart_ddns_le
Oct 11 15:27:26 start_ddns: update WWW.ASUS.COM dyndns, wan_unit 0
Oct 11 15:27:26 ddns update: ez-ipupdate: starting...
Oct 11 15:27:26 ddns update: asus_private() interface =eth0
Oct 11 15:27:26 ddns update: g_asus_ddns_mode == 2
Oct 11 15:27:27 ddns update: connected to nwsrv-ns1.asus.com (103.10.4.108) on port 443.
Oct 11 15:27:27 ddns update: Asus update entry:: return: HTTP/1.1 200 OK^M Date: Fri, 11 Oct 2019 19:27:27 GMT^M Server: Apache^M X-Powered-By: PHP/5.6.30^M Content-Length: 0^M Connection: close^M Content-Type: text/html; charset=UTF-8^M ^M
Oct 11 15:27:27 ddns update: retval= 0, ddns_return_code (,200)
Oct 11 15:27:27 ddns update: asusddns_update: 0
Oct 11 15:27:28 ddns: ddns update ok
Oct 11 15:27:28 ddns update: exit_main
Oct 11 15:27:35 kernel: /usr/sbin/acme-client: SSL_read return 5: Success
Oct 11 15:27:35 kernel: /usr/sbin/acme-client: https://acme-v01.api.letsencrypt.org/acme/new-reg: bad comm
Oct 11 15:27:35 kernel: /usr/sbin/acme-client: transfer buffer: [{ "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change", "meta": { "caaIdentities": [ "letsencrypt.org" ], "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf", "website": "https://letsencrypt.org" }, "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz", "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert", "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-
Oct 11 15:27:36 kernel: /usr/sbin/acme-client: SSL_read return 5: Success
Oct 11 15:27:36 kernel: /usr/sbin/acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: bad comm
Oct 11 15:27:36 kernel: /usr/sbin/acme-client: transfer buffer: [{ "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change", "meta": { "caaIdentities": [ "letsencrypt.org" ], "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf", "website": "https://letsencrypt.org" }, "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz", "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert", "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-
Oct 11 15:28:01 rc_service: service 11005:notify_rc restart_letsencrypt
Oct 11 15:28:10 kernel: /usr/sbin/acme-client: SSL_read return 5: Success
Oct 11 15:28:10 kernel: /usr/sbin/acme-client: https://acme-v01.api.letsencrypt.org/acme/new-reg: bad comm
Oct 11 15:28:10 kernel: /usr/sbin/acme-client: transfer buffer: [{ "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change", "meta": { "caaIdentities": [ "letsencrypt.org" ], "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf", "website": "https://letsencrypt.org" }, "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz", "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert", "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-
Oct 11 15:28:10 kernel: /usr/sbin/acme-client: SSL_read return 5: Success
Oct 11 15:28:10 kernel: /usr/sbin/acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: bad comm
Oct 11 15:28:10 kernel: /usr/sbin/acme-client: transfer buffer: [{ "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change", "meta": { "caaIdentities": [ "letsencrypt.org" ], "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf", "website": "https://letsencrypt.org" }, "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz", "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert", "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-

 

[Kamikaze01]

@pypk I found this Threat... Maybe it helps... ?
I still stuck at the same problem too

I will try a complete reset later...

 

[Kamikaze01]

You probably didn't copy/paste the entire line from the log, unless it was too long to be logged and got truncated at the log level.

Anyway, your issue is more likely to be with the firmware than on your end. Let's Encrypt is gradually phasing out the old API that is used by the Asus client. Asus will have to update their client.

I don't think that it is only a Firmware problem... It used to work, till I have to changed some settings and use double NAT now with two routers...

I use a Fritz! Box 7035 as a ModemRouter and behind my ASUS Router.
... Asus is allowed by Fritz!Box to establish its own PPPoE Connection...
So there is no internal IP for my ASUS Router in the Fritz!Box network.
And no need to Port forwarding... Asus use its own connection and got the right wan IP (a static one from my ISP).

I just did a complete Hard Reset on the secondRouter (Asus) and here is the new SysLog (what does "bad comm" mean?)

Oct 11 23:09:10 kernel: /usr/sbin/acme-client: SSL_read return 5: Success
Oct 11 23:09:10 kernel: /usr/sbin/acme-client: https://acme-v01.api.letsencrypt.org/acme/new-reg: bad comm
Oct 11 23:09:10 kernel: /usr/sbin/acme-client: transfer buffer: [{ "QBsSiMFxRm4": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417", "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change", "meta": { "caaIdentities": [ "letsencrypt.org" ], "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf", "website": "https://letsencrypt.org" }, "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz", "new-cert": "https://acme
Oct 11 23:09:11 kernel: /usr/sbin/acme-client: SSL_read return 5: Success
Oct 11 23:09:11 kernel: /usr/sbin/acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: bad comm
Oct 11 23:09:11 kernel: /usr/sbin/acme-client: transfer buffer: [{ "QBsSiMFxRm4": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417", "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change", "meta": { "caaIdentities": [ "letsencrypt.org" ], "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf", "website": "https://letsencrypt.org" }, "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz", "new-cert": "https://acme
Oct 11 23:10:10 kernel: /usr/sbin/acme-client: SSL_read return 5: Success
Oct 11 23:10:10 kernel: /usr/sbin/acme-client: https://acme-v01.api.letsencrypt.org/acme/new-reg: bad comm
Oct 11 23:10:10 kernel: /usr/sbin/acme-client: transfer buffer: [{ "6H07BFSwvO4": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417", "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change", "meta": { "caaIdentities": [ "letsencrypt.org" ], "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf", "website": "https://letsencrypt.org" }, "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz", "new-cert": "https://acme
Oct 11 23:10:12 kernel: /usr/sbin/acme-client: SSL_read return 5: Success
Oct 11 23:10:12 kernel: /usr/sbin/acme-client: https://acme-v01.api.letsencrypt.org/acme/new-authz: bad comm
Oct 11 23:10:12 kernel: /usr/sbin/acme-client: transfer buffer: [{ "6H07BFSwvO4": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417", "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change", "meta": { "caaIdentities": [ "letsencrypt.org" ], "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf", "website": "https://letsencrypt.org" }, "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz", "new-cert": "https://acme

Attached is a screenshot: it stuck at "Authorizing"

And when I try letsdebug-dot-net I got following message:

MYDOMAIN.selfhost.eu has an A (IPv4) record (XXX.WAN-IP.XXX) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.
A timeout was experienced while communicating with MYDOMAIN.selfhost.eu/XXX.WAN-IP.XXX: Get http://MYDOMAIN.selfhost.eu/.well-known/acme-challenge/letsdebug-test: context deadline exceeded

Trace:
@0ms: Making a request to http://MYDOMAIN.selfhost.eu/.well-known/acme-challenge/letsdebug-test (using initial IP XXX.WAN-IP.XXX)
@0ms: Dialing XXX.WAN-IP.XXX
@10000ms: Experienced error: context deadline exceeded


A test authorization for MYDOMAIN.selfhost.eu to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.
Fetching http://MYDOMAIN.selfhost.eu/.well-known/acme-challenge/zx-0dA6fcFewwvsM5SgSsMfVUC5Cd84EU8qgmrVWcnQ: Timeout during connect (likely firewall problem)

What are my wrong settings?!?
On Fritz!Box I can not enable real bridge mode just "allow" my ASUS router behind to PPPoE it's own connection.
So maybe I have to change some settings at the Fritz!Box? :-/

 

[Grisu]

you dont use modem part on your Fritz (DSL not connected!) so its not used as modemrouter, just only as router.

Why dont you try to connect Asus directly to ONT and lets see if it will get any faster?

 

[Kamikaze01]

you dont use modem part on your Fritz (DSL not connected!) so its not used as modemrouter, just only as router.

Why dont you try to connect Asus directly to ONT and lets see if it will get any faster?

Thank u for the response
But I still have to use Fritz!Box as a Modem.
The ONT just change the Signal from Fiber to standard RJ45. But I still need a VDSL2 vectoring Modem behind :-/

I just give it a try, but I can not get online and the ASUS don't get an IP.

*******

I think it is a problem of my ISP.
Due to security reason they block external access to the Fritz!Box.

After contacting my ISP they told me, that I have to pay for a static IP, then they will open the external access.

So I pay for static IP, but still can not get an LetsEncrypt Certificate over ASUS behind Fritz!Box.

Maybe they still block Port 80...

In the Fritz!Box I allow other network clients to establish there own PPPoE connection.
(My ISP says, this is same as bridge...)
And in the ASUS behind I set my Login dates, to get connected.

Everything works like a Charme.
I can even reach my NAS via HTTP.

But it is not possible to get an LetsEncrypt Certificate

The Fritz!Box overview show another (wrong) WAN IP than the ASUS Router behind (with wright WAN IP).

I just want to use my ASUS with HTTPS (LetsEncrypt). I would like to throw the Fritz!Box out of the window (but I need it as a modem...).

I get crazy with that... Spend HOURS and HOURS for this !!

 

[Grisu]

ONT on RJ45 gives you an ethernet port (!!!), nothing to do with VDSL2 or vectoring or modem!
Thats why you have to use LAN1=WAN and not xDSL port on your Fritz.

With your setting of Fritz and Asus there is no difference to connect Asus directly to ONT, Fritz with allowed second PPPoE connection is acting as a switch, nothing more.

Maybe you only need to clone MAC address from Fritz onto Asus WAN-setting, this is when your ISP allows only this one MAC for IP connection.

As soon as you through it out of the window please take care to let it go through my window, would like to have it!

 

[Kamikaze01]

ONT on RJ45 gives you an ethernet port (!!!), nothing to do with VDSL2 or vectoring or modem!
Thats why you have to use LAN1=WAN and not xDSL port on your Fritz.

With your setting of Fritz and Asus there is no difference to connect Asus directly to ONT, Fritz with allowed second PPPoE connection is acting as a switch, nothing more.

Maybe you only need to clone MAC address from Fritz onto Asus WAN-setting, this is when your ISP allows only this one MAC for IP connection.

As soon as you through it out of the window please take care to let it go through my window, would like to have it!

LoL Okay @Grisu ,... I will aim at your window ;-)

I would LOVE to use my ASUS router only.
But I do not think the ONT box works like a modem. If I use the ASUS alone, I'm missing the modem after all, right?
Even if I go from the ONT with Ethernet to the WAN port of the FritzBox, the signal comes from the phone socket .... right? I also got a phone number from my ISP. Isn't that DSL?
Oh man... im confused right now...

Anyway, I've just tried it with a cloned MAC address. But the ASUS remains offline on the ONT only

For the fixed IP, I have received PPPoE Login dates from my ISP.

My ISP told me to set the Internet Connection in the FritzBox to ONLY "fiber" (not fiber WITH fixed IP) and then allow PPPoE for other clients. In the ASUS behind i shoud deposit the PPPoE access data.

Everything works this way, except for LetsEncrypt !!
The ASUS shows the right fixed WAN IP and - very strange to me - the FritzBox displays a totaly wrong WAN IP beginning with 100.XX.....

*****

If I set the Internet Connection in the FritzBox to "fiber WITH fixed IP", then I have to deposit the PPPoE access data directly in the FritzBox and the ASUS behind also gets an IP assigned by the FritzBox (192.168.178.X).
In ASUS itself, I must also deposit the PPPoE access data, and the ASUS gets the fixed IP.
However, the ASUS does not realy go online with this constellation (every internet page lasts 3 minutes or completely offline).


If I - (as described above and how my ISP told me to do) - set the Internet Connection in the FritzBox to only "optical fiber" (WITHOUT fixed IP), then the ASUS is no longer displayed in the FritzBox (no IP in the FritzBox range 192.168.178.XXX) and in the FritzBox i do not have to store the PPPoE access dates - only in ASUS.
With this attitude, the ASUS gets the right (fixed) IP and goes online immediately. I can also use DDNS and reach the ASUS externally!
The FritzBox shows me any strange wrong WAN IP and i am unable to get a LetsEncrypt Certificate

Ai Ai ai ... with broadband cable Internet, everything was much easier

Anyway THANK U VERY VERY MUCH for you time and your thoughts !!
If i realy throw my Fritz out of the window, i will PM you, so you tell me where to find your window haha...

 

[Grisu]

A modem modulates/demodulates a xDSL signal and translates it to ethernet protocol.
As you use ethernet out of the ONT there cant be anything other than ethernet between ONT and router.
And you use LAN1=WAN on your router, these are pure ethernet ports, nothing else you could connect there!
On your own picture you can read in the first line: DSL disconnected!

All you have to do is to configure your Asus the right way, but I dont know what your ISP needs to do so.
As I could read fonira uses CGN-NAT, so you dont get puplic IP: "Bei fonira Internet privat handelt es sich um eine Carrier-NAT-Technologie, dadurch ist auf IPv4 das Modem in der Regel nicht direkt ansprechbar."
100.64.xxx.xxx are reserved IPv4 addresses for CGN-NAT, not public IP!
But they offer paid public IPv4 address.
You need to set VLAN31 on Asus to get it running!!! Maybe something different with ONT, the description I got is for xDSL.
howto here in LAN-IPTV: https://www.asus.com/us/support/FAQ/1034366/
MAC-clone probably NOT needed with fonira, you have to test it after everything is up and running.

When you use optical fiber only your Asus wont get IP from Fritz, it makes his own PPPoE connection and runs in router mode with own subnet and DHCP for its clients, so you cant see it in Fritz IP list - correct.

Lets encrypt doesnt work anymore: https://www.snbforums.com/threads/lets-encrypt-not-updating-or.59524/

Here they have exactly same config as you and like I tried to explain to you: https://www.lteforum.at/mobilfunk/glasfaser-im-keller.11961/

I cant answer PM as I am blocked to do so, you would have to contact me in other forum.
If you want further help contact me in ip-phone-forum.
There we can PM and pictures would help a lot too to explain how your phone is "connected" to the fibre.

 

[Kamikaze01]

OH MY GOD !!!! It works !!!
After setting VLAN31, I am ONLINE only with the AC-68U )))) I do not need the FritzBox anymore! I can't believe it !!!!

Stupid coincidence that I changed my ISP exactly on 07th Oct. 2019 and then LetsEncrypt did not work anymore ... I was already totally desperate, because I was sure, this must be related to the change of the ISP.
But now the Internet works (with my ASUS alone, WITHOUT FritzBox and NO speed loss, ... WITH VPN, DDNS, ...).

Unfortunately without HTTPS Certificate, but now I know, that this error is not at my side, so I do not need to search annoyed the error at my settings.

Phone or fax will not be possible with this ASUS model, but that does not bother me as long as I can use merlin firmware and ASUS hardware hehe ...

@Grisu You are my personal HERO. You made my day with your help and your knowledge.
I am not just a bunch of pixels on your screen !! I'm actually sitting on the other end of the Forum in front of my Mobile phone and you made me totally happy !!

Thank you, Thank you, Thank you Thank you.... Thousand times !!!

 

[Grisu]

And now you're going to through away the modem?
I could give you a google home mini for it.