A while ago I wrote about how I run a Miniflux instance from a Raspberry Pi in my home network. A couple months after the initial setup, I got an e-mail from the helpful Let’s Encrypt expiry bot telling me that my SSL certificate was going to expire in a couple of days. As I set up my certificates with certbot, I expected it to automatically request a new certificate when the old one was close to expiry.

I logged into the Raspberry Pi from my local network an tried to trigger the cert generation manually by running:

sudo certbot renew --dry-run

Unfortunately this would fail and certbot told me that it was unable to perform the http-01 challenge. Now, what certbot does here is the same that it does on the initial run. It puts a file in the .well-known folder at the root of your web space and then tries to fetch this file to see that your are actually still in control of the domain.

As this did not work I assumed that there was a problem with my NGINX configuration. After dabbing at various configurations for way too long I would just not get closer to a solution and actually started running into the Let’s Encrypt servers blocking me temporarily for making too many failed requests.

After some waiting time I came back to this and found some kind of flag that gave me a bit more output when running the challenge. What I noticed at that point was that Let’s Encrypt of course tries to fetch the challenge file via http, not https - after all you want this to work before you have a valid https certificate.

What I then remembered was that as a security measure I had tweaked the configuration in my FritzBox router to only share port 443 (https) of the Raspberry Pi as I thought the fewer open ports the better. This also meant that when Let’s Encrypt was trying to validate my ownership of the domain by fetching the challenge file over http (port 80), the request would just time out. So I went into the FritzBox configuration, enabled port sharing for port 80 as well, ran certbot again and this time everything worked like a charm. Port 80 is still open now and issues a 301 redirect in the default configuration to redirect users to the https version instead.

The lesson from this: Remember all of the parts of your setup and don’t over-optimize early. Coming back to this a couple of weeks or months later, you will probably have forgotten about all of the settings that you made. I feel like I have a more intuitive understanding of certbot now so that is cool for me.