Cannot issue cert on acme.sh nor windows client


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
darks0ul.ddns.net

I ran this command:
./acme.sh --issue --standalone -d darks0ul.ddns.net --home /jffs/usr/ssl \
  --ca-path /opt/etc/ssl/certs \
  --pre-hook "stopservice httpd && iptables -I INPUT -p tcp --dport http -j ACCEPT" \
  --post-hook "startservice httpd && iptables -D INPUT -p tcp --dport http -j ACCEPT"

It produced this output:
darks0ul.ddns.net:Verify error:Fetching http://darks0ul.ddns.net/.well-known/acme-challenge/WZi2qUB0yxgWcIOMxzZs-FU-EVeWGIYDlOUlWgHTBhY: Connection refused

My hosting provider, if applicable, is:
No-ip

This was done on a DD-WRT router.


#2

Hi @darks0ul,

Does your ISP allow inbound connections on port 80 from the Internet?


#3

Yes, I can access it from outside. Also, I just did another certificate some time ago and it worked at that time.


#4

Do you have your httpd running right now? I can’t connect to that site.


#5

Yes, it is running, but still connection refused.


#6

OK, I was able to connect to the router just now. So, you’re running these commands directly on the router? Could you try just leaving iptables in a state where the public can connect and running the acme.sh command without the iptables part?


#7

OK!! It's working finally. Turns out that it was port 80 blocked.

One question though: on renewal, can port 80 be blocked? Because my pages are HTTPS, port 80 remains closed on my setup.


#8

Hi @darks0ul

No, that doesn't work. If you use the http-01 challenge, Let's Encrypt wants a file under

http://yourdomain.com/.well-known/acme-challenge/file-with-long-name

Initially an HTTP request on port 80 is required. But you may

  • redirect to https and another location
  • use a rewrite rule to block all requests outside /.well-known/acme-challenge/

Let's Encrypt doesn't want to fetch / or other pages, so you may block those.


#9

What's the point of having a certificate for my DD-WRT router if I have to leave port 80 open?


#10

You can block port 80. But if you want to renew your certificate, you have to open port 80.

Let's Encrypt certificates are only valid for 90 days, so you have to do that every 60 to 85 days.

Perhaps you can automate that: Open the port, create a new certificate, close the port.
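The "open the port, renew, close the port" procedure from the two replies above, written out as a POSIX sh wrapper around acme.sh. This is an added example, not code from the thread or from the acme.sh project. It assumes acme.sh is installed under /jffs/usr/ssl, that the router's firewall is Linux iptables with an INPUT chain that governs WAN traffic, and that the web UI is controlled with "stopservice httpd"/"startservice httpd" as in the original --pre-hook/--post-hook; every command and path can be overridden through the variables at the top. The same rule string is used for insert, check and delete so the close step can never miss the rule, and the rule is removed on failure and on SIGINT/SIGTERM as well as on success.

```shell
#!/bin/sh
# Added example (not from the thread or acme.sh): open TCP/80 only while
# acme.sh answers the HTTP-01 challenge, then close it again on every exit path.
# Assumed environment: acme.sh under /jffs/usr/ssl, Linux iptables, and the
# router httpd controlled by stopservice/startservice as in the original post.

DOMAIN="${DOMAIN:-darks0ul.ddns.net}"
ACME_HOME="${ACME_HOME:-/jffs/usr/ssl}"
ACME="${ACME:-$ACME_HOME/acme.sh}"
IPTABLES="${IPTABLES:-iptables}"
HTTPD_STOP="${HTTPD_STOP:-stopservice httpd}"    # frees port 80 for --standalone
HTTPD_START="${HTTPD_START:-startservice httpd}"

# One rule specification reused verbatim for insert, check and delete, so a
# typo in a second copy of the rule cannot leave the port open afterwards.
# Deliberately expanded unquoted: the shell splits it into iptables arguments.
RULE="INPUT -p tcp --dport 80 -j ACCEPT"

port80_is_open() {
    # "-C" reports whether the rule exists (needs iptables 1.4.11 or newer).
    $IPTABLES -C $RULE 2>/dev/null
}

open_port80() {
    # Do not stack a second copy if an earlier run was interrupted.
    port80_is_open || $IPTABLES -I $RULE
}

close_port80() {
    # Delete until no copy is left, clearing leftovers from earlier failures.
    while port80_is_open; do
        $IPTABLES -D $RULE
    done
}

renew() {
    $HTTPD_STOP
    open_port80
    # Close the hole again if we are killed while acme.sh is still running.
    trap 'close_port80; $HTTPD_START; exit 130' INT TERM
    # --renew reuses the standalone settings saved when the cert was issued and
    # only replaces the cert when it is due (no --force), so it is safe in cron.
    "$ACME" --home "$ACME_HOME" --renew -d "$DOMAIN"
    rc=$?
    trap - INT TERM
    close_port80
    $HTTPD_START
    return "$rc"
}

# Run only when invoked as "sh renew-port80.sh run"; otherwise the file just
# defines the functions so they can be sourced and tested without touching
# the firewall.
if [ "${1:-}" = "run" ]; then
    renew
    rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "renewal failed (exit $rc); port 80 has been closed again" >&2
    fi
    exit "$rc"
fi
```

Schedule it from cron (acme.sh's own cron entry would otherwise renew without opening the port) and check the exit status. The thread itself shows the caveat that matters on DD-WRT: an ACCEPT rule can be present in INPUT while port 80 is still unreachable from the Internet, so confirm from outside that the port really opens before trusting the script for unattended renewals.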


#11

hmm…i thought this might be the steps…

well… thank you very much


#12

To protect connections on port 443. (Your router doesn’t have to accept connections on port 80 at other times, but they can’t be blocked by a firewall during renewal.)

You can also now use port 443 instead of port 80 if you get a Let's Encrypt client that supports the new TLS-ALPN-01 validation method (I don't think this is true of acme.sh or Certbot yet, and I'm not sure if it's true yet of any client that can run on your device).


#13

I will set it back to 443, but I'm unable to use port 80 even if I allow it on renewal by a rule:

iptables -I INPUT -p tcp --dport http -j ACCEPT

the result is:

root@DD-WRT:/jffs/usr/ssl# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80

But it still does not allow connections on port 80 from outside.


#14

I don’t quite understand this, because earlier you said that the problem with issuing your certificate was that port 80 was blocked, and that you were able to do something to unblock it in order to issue the certificate. What did you have to do? Why can’t you do it again?


#15

In DD-WRT, under Administration, I can allow remote access on port 80 or switch to 443,

but on the command line it does not work.


#16

Interesting! Does DDWRT have a support forum where you could ask what the effect of that configuration setting is? Maybe it does have a command-line equivalent that the DDWRT community could point out for you.


#17

I have to allow port 80 on renewal by a rule; it does not help me if I have to use the interface and my mouse :)
But the rule just does not work.


#18

Well, I would ask the DDWRT community what the exact effect of that setting is so that you can either make it permanent (without having negative effects that you don’t like) or script it from the command line (so that you can do it temporarily for certificate renewals).


#19

I just need a script for renewals.


#20

…which would include opening port 80 on your DDWRT router, which we don’t have any experience with. So in the end, you’ll probably need to search for or ask the DDWRT community on how to do that. And include that script in the renewal script.