Can't create cert behind an HG633


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: rektless.duckdns.org

I ran this command:
sudo certbot certonly --authenticator standalone -d rektless.duckdns.org --pre-hook "service nginx stop" --post-hook "service nginx start"

It produced this output:
Domain: rektless.duckdns.org
Type: connection
Detail: Fetching
http://rektless.duckdns.org/.well-known/acme-challenge/dbstBdtWYXQkcoW4EKc7H_OOq9P3l6MZMIcNpprCCvM:
Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

My web server is (include version):
nginx version: nginx/1.10.3

The operating system my web server runs on is (include version):
PRETTY_NAME="Raspbian GNU/Linux 9 (stretch)"
NAME="Raspbian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"

My hosting provider, if applicable, is: behind home router (HG633)

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

certbot 0.28.0

Port forwarding to 80/443 doesn't work. I think this issue might be because it's hitting the web server of the router, as I found this in the help doco. I tried what it suggested, i.e. port forwarding say 8888 external to 80 internal (and a similar port forward rule forwarding say 8989 to 443), and then tried executing this command (but I don't know if this is right because I'm out of my depth!), but it still didn't work:

sudo certbot certonly --authenticator standalone -d rektless.duckdns.org:8888 --pre-hook "service nginx stop" --post-hook "service nginx start"
"Port Translation (where a port is intercepted by the router, e.g. port 80)

This mainly affects the Huawei HG633/HG635 routers. It does not affect the DSL-3782. If a PC for example is hosting a web server, connected to the local network, it will use TCP ports 80 and/or 443. When trying to access either of these ports from the internet, normal port forwarding will fail. The web server is expecting an incoming connection on port 80 or 443. If a connection attempt is made from the internet to http://a.b.c.d, where a.b.c.d is the external or WAN IP address of the router, it will fail. This is because the router's management system is also a web server & the connection attempt (as it is targeting port 80) will be intercepted by the router's web server. This is why the router's login screen might be seen & the desired connection never reaches the web server on the PC. What will need to be done to get this to work is choose an unused TCP port number above 1024 (for example port 8888). Then create a new port forwarding rule and translate the external port 8888 to the internal port 80 (called PAT or Port Address Translation) and point this to the PC running the web server within the port mapping rule (not shown here)."


#2

Most modem-routers will allow you to re-assign the default webserver from port 80 to another port, so that you can use port 80 for port forwarding into your network.

Let’s Encrypt HTTP validation will only work with port 80. You cannot change that.

The timeout error generally refers to the condition where port 80 is blocked or not forwarded at all.

If you can’t get forwarding to work, then you have the option to use DNS validation. acme.sh supports DuckDNS to make that pretty easy.


#3

Hi, thanks for the reply. I’m a bit of a novice, can you give me some more information about how I would do this? Thanks


#4

The first question to answer is:
Can port 80 requests reach your router?
[or does your ISP block port 80]

If “yes”, then you need to accept them and forward them to your web server.
If “no”, then you will need to use another validation method - like DNS.
[see @_az’s response about that]
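To make the port-80 question from #4 concrete, here is a small pre-flight checker (an added example, not code from this thread or from Certbot) that fetches the challenge URL the way the Let's Encrypt validator does and tells apart the three failure modes discussed above: a timeout (port 80 blocked or not forwarded, the error in #1), a refused connection (forwarded, but nothing listening), and an interception (something like the HG633's own login page answering on port 80 instead of nginx). The `serve` helper and the `.CONSTRUCTED_THUMBPRINT` key authorization are constructed stand-ins for the self-test only.

```python
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def check_http01(host, token, key_authz, port=80, timeout=5.0):
    """Fetch the challenge URL like the validator and classify the answer.
    Returns 'ok', 'intercepted', 'timeout', 'refused' or 'unreachable'.
    Let's Encrypt always connects to port 80; `port` only lets the
    self-test below use a throwaway local port (8888 would not help).
    """
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", CHALLENGE_PREFIX + token, headers={"Host": host})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
        conn.close()
    except (TimeoutError, socket.timeout):
        return "timeout"      # the symptom in #1: nothing answers on port 80
    except ConnectionRefusedError:
        return "refused"      # port reaches the host, but no listener there
    except OSError:
        return "unreachable"  # DNS failure, no route, connection reset
    # The validator needs a 200 whose body is exactly the key authorization.
    if resp.status == 200 and body.strip() == key_authz:
        return "ok"
    # Any other answer (e.g. a router login page) means something in front
    # of the web server is answering port 80 instead of it.
    return "intercepted"


def serve(body, status=200):
    """Throwaway local HTTP server: a constructed stand-in for the listener."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(status)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(body.encode())

        def log_message(self, *args):  # keep the self-test quiet
            pass

    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv
```

Run `check_http01("rektless.duckdns.org", token, key_authz)` from a host outside the home network while `certbot --standalone` (or nginx serving the token) is listening, since from inside the router's NAT the answer can differ. The real validator additionally follows redirects and checks from several vantage points, so a local "ok" is necessary but not sufficient.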