web-dev-qa-db-ja.com

certbotが突然tls-sni-01(https)ではなくhttp-01チャレンジにフォールバックするのはなぜですか?

私は十分にテストされたbashスクリプトを数週間前まで問題なく実行していました。
certbotチャレンジのデフォルトが、httpsではなくhttpになっているようです。その理由がわかりません。

echo 'rsa-key-size = 2048
renew-hook = /usr/sbin/ipsec reload && /usr/sbin/ipsec secrets
' > /etc/letsencrypt/cli.ini

certbot certonly --non-interactive --agree-tos --email $EMAIL --standalone -d $VPNHOST

ファイアウォール設定:

Firewall stopped and disabled on system startup
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             state NEW recent: UPDATE seconds: 60 hit_count: 12 name: DEFAULT side: source mask: 255.255.255.255
           all  --  anywhere             anywhere             state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     udp  --  anywhere             anywhere             udp dpt:isakmp
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ipsec-nat-t
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  ip-10-10-10-0.eu-west-2.compute.internal/24  anywhere             policy match dir in pol ipsec proto esp
ACCEPT     all  --  anywhere             ip-10-10-10-0.eu-west-2.compute.internal/24  policy match dir out pol ipsec proto esp
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Certbot:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for vpn-1.duelify.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. vpn-1.duelify.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://vpn-1.duelify.com/.well-known/acme-challenge/BsPR5NK4JVb8rgIyS2VR4VTOv4Bc1F5TNppjoo95O70: Timeout

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: vpn-1.duelify.com
   Type:   connection
   Detail: Fetching
   http://vpn-1.duelify.com/.well-known/acme-challenge/BsPR5NK4JVb8rgIyS2VR4VTOv4Bc1F5TNppjoo95O70:
   Timeout

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
6
Houman

Tls-sni-01検証方法で発表された最近の脆弱性が原因である可能性があります。修正パッチが適用されるまで、Let’s Encryptはこれを無効にしました。

それまでは、検証にhttpを使用することを勧めていました。

tls-sni-01のバグの詳細を暗号化できます

5
CrispyDuck