How to get a certificate on Ubuntu AdGuard Home?
The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.
how to resolve port 80?
Does the FQDN point to your Internet IP?
Can the Internet reach your "Adguard"/internal system via port 80?
can’t, ufw allows 80/tcp, but it doesn’t work
Is there a physical firewall or an ISP router involved?
adguard home installed on ubuntu, firewall in ubuntu
I'm confused about the term "home" [in adguard home] - maybe I'm reading too much into it.
Is this system co-located Or is it running in your home?
It is located on a remote Ubuntu server
so what's the problem?
What is the Internet IP of the server?
89.110.77.8
OK.
Show the certbot command that fails.
Supplemental information: Port 80 is being filtered
$ nmap -Pn -p80,443 kazantsev97.ru
Starting Nmap 7.80 ( https://nmap.org ) at 2024-09-18 20:18 UTC
Nmap scan report for kazantsev97.ru (89.110.77.8)
Host is up (0.16s latency).
rDNS record for 89.110.77.8: v136815.hosted-by-vdsina.com
PORT STATE SERVICE
80/tcp filtered http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 3.46 seconds
Let's Debug yields https://letsdebug.net/kazantsev97.ru/2229015
ANotWorking
Error
kazantsev97.ru has an A (IPv4) record (89.110.77.8) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.
A timeout was experienced while communicating with kazantsev97.ru/89.110.77.8: Get "http://kazantsev97.ru/.well-known/acme-challenge/letsdebug-test": context deadline exceeded
Trace:
@0ms: Making a request to http://kazantsev97.ru/.well-known/acme-challenge/letsdebug-test (using initial IP 89.110.77.8)
@0ms: Dialing 89.110.77.8
@10000ms: Experienced error: context deadline exceeded
IssueFromLetsEncrypt
Error
A test authorization for kazantsev97.ru to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.
89.110.77.8: Fetching http://kazantsev97.ru/.well-known/acme-challenge/iKnSENXplJAHf7GZbf5wnpFCbSqKnOdVppsgIRJyWqI: Timeout during connect (likely firewall problem)
Note the above "Timeout during connect (likely firewall problem)"
And from around the world seeing "Connection timed out" Permanent link to this check report
Using Open Port Check Tool - Test Port Forwarding on Your Router shows
And there are DNS Zone issues Hardenize Report: kazantsev97.ru and https://ednscomp.isc.org/ednscomp/09488b4959 and https://dnsviz.net/d/kazantsev97.ru/dnssec/
Edit
There is "no peer certificate available" for TLS.
$ openssl s_client -showcerts -servername kazantsev97.ru -connect kazantsev97.ru:443 < /dev/null
CONNECTED(00000003)
4007815961780000:error:0A000410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1593:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 316 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
And "Server: cloudflare"
$ curl -k -Ii http://kazantsev97.ru:443
HTTP/1.1 400 Bad Request
Server: cloudflare
Date: Wed, 18 Sep 2024 20:41:56 GMT
Content-Type: text/html
Content-Length: 253
Connection: close
CF-RAY: -
Domain kazantsev97.shop check
And then I see this
Port 80 is being filtered
$ nmap -Pn -p80,443 kazantsev97.shop
Starting Nmap 7.80 ( https://nmap.org ) at 2024-09-18 21:34 UTC
Nmap scan report for kazantsev97.shop (89.110.77.8)
Host is up (0.16s latency).
rDNS record for 89.110.77.8: v136815.hosted-by-vdsina.com
PORT STATE SERVICE
80/tcp filtered http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 3.11 seconds
And here is the certificate being served.
$ openssl s_client -showcerts -servername kazantsev97.shop -connect kazantsev97.shop:443 < /dev/null
CONNECTED(00000003)
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R4
verify return:1
depth=1 C = US, O = Google Trust Services, CN = WE1
verify return:1
depth=0 CN = kazantsev97.shop
verify return:1
---
Certificate chain
0 s:CN = kazantsev97.shop
i:C = US, O = Google Trust Services, CN = WE1
a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA256
v:NotBefore: Sep 18 11:40:06 2024 GMT; NotAfter: Dec 17 11:40:05 2024 GMT
1 s:C = US, O = Google Trust Services, CN = WE1
i:C = US, O = Google Trust Services LLC, CN = GTS Root R4
a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA384
v:NotBefore: Dec 13 09:00:00 2023 GMT; NotAfter: Feb 20 14:00:00 2029 GMT
2 s:C = US, O = Google Trust Services LLC, CN = GTS Root R4
i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA256
v:NotBefore: Nov 15 03:43:21 2023 GMT; NotAfter: Jan 28 00:00:42 2028 GMT
---
Server certificate
subject=CN = kazantsev97.shop
issuer=C = US, O = Google Trust Services, CN = WE1
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2840 bytes and written 398 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
DONE
Edit
And https://letsdebug.net/kazantsev97.shop/2229060
Note there is still the "Timeout during connect (likely firewall problem)", but also the new CloudflareCDN WARNING.
Host is up (0.17s latency).
PORT STATE SERVICE
22/tcp filtered ssh
80/tcp filtered http
443/tcp open https
Go figure.
Bruce is correct. Smart Guy.
Host is up (0.17s latency).
PORT STATE SERVICE
22/tcp filtered ssh
80/tcp filtered http
443/tcp open https
Gotta fix this for it to work.
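The open / closed / filtered distinction that the nmap output and the "Timeout during connect" error above turn on, as an added example (not code from any poster in this thread). The function names and the `example.com` default are assumptions made for illustration.

```python
import errno
import socket
import sys

# Meaning of each state for the HTTP-01 challenge discussed in this thread.
HINTS = {
    "open": "a listener answered; the validation request can connect",
    "closed": "the host replied with RST: packets arrive, nothing is listening",
    "filtered": "no reply: something drops the packets before a listener "
                "sees them (the CA reports this as 'Timeout during connect')",
}

def tcp_port_state(host, port, timeout=5.0):
    """Return 'open', 'closed' or 'filtered' for one TCP port (nmap's terms)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError as exc:
        # ICMP unreachable from a router or firewall also counts as filtered.
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise  # DNS failure and similar: not a port state

def http01_report(host, ports=(80, 443), timeout=5.0):
    """Probe the ports and attach the hint for each; returns a list of tuples."""
    report = []
    for port in ports:
        state = tcp_port_state(host, port, timeout)
        report.append((port, state, HINTS[state]))
    return report

if __name__ == "__main__":
    # Run from a machine OUTSIDE the server's network; a probe from the server
    # itself never crosses the firewall being tested.
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder
    for port, state, hint in http01_report(target):
        print(f"{port}/tcp {state}: {hint}")
```

With Certbot's standalone mode, port 80 reading "closed" while Certbot is not running is expected, since the temporary webserver only listens during validation; "filtered" is the state that matches the timeout reported in this thread.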
sudo ufw allow 443/tcp
sudo ufw allow 80/TCP
sudo ufw allow 22/TCP
such commands? I have ufw
This is not a ufw forum.
Maybe it is...
Maybe it isn't...
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.