Cant create Cert http 201

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: nextcloud.huber-server.de

I ran this command: certbot certonly --dry-run -d nextcloud.huber-server.de

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Simulating a certificate request for nextcloud.huber-server.de
Performing the following challenges:
http-01 challenge for nextcloud.huber-server.de
Waiting for verification...
Challenge failed for domain nextcloud.huber-server.de
http-01 challenge for nextcloud.huber-server.de

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: nextcloud.huber-server.de
Type: connection
Detail: 2a02:590:ec0:b6f:b42e:9900:1cc:1915: Fetching http://nextcloud.huber-server.de/.well-known/acme-challenge/guTIh5Aj_qAqFE9CmanT1VBH0Sum2wZM7xJGrbJZjUE: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is: nginx (created temporarily by certbot)

The operating system my web server runs on is (include version): Unraid 6.12.6 (Docker Container SWAG)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Certbot 2.0.9

Hello Community,
I have a problem creating a cert for my domain; I forwarded port 80 from my Unraid server.
On my Unraid server runs the SWAG Docker image.
I think I don't understand the error message correctly, so I don't know how I can fix this problem.
Can anyone help me find the solution for this?

If more information is needed, I can copy it here.

Thanks a lot to you all.
Daniel

1 Like

Hello @hirny199, welcome to the Let's Encrypt community. :slightly_smiling_face:

Using the online tool Let's Debug yields these results https://letsdebug.net/nextcloud.huber-server.de/1824679

AAAANotWorking
ERROR
nextcloud.huber-server.de has an AAAA (IPv6) record (2a02:590:ec0:b6f:b42e:9900:1cc:1915) but a test request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address. You should either ensure that validation requests to this domain succeed over IPv6, or remove its AAAA record.
A timeout was experienced while communicating with nextcloud.huber-server.de/2a02:590:ec0:b6f:b42e:9900:1cc:1915: Get "http://nextcloud.huber-server.de/.well-known/acme-challenge/letsdebug-test": context deadline exceeded

Trace:
@0ms: Making a request to http://nextcloud.huber-server.de/.well-known/acme-challenge/letsdebug-test (using initial IP 2a02:590:ec0:b6f:b42e:9900:1cc:1915)
@0ms: Dialing 2a02:590:ec0:b6f:b42e:9900:1cc:1915
@10000ms: Experienced error: context deadline exceeded
IssueFromLetsEncrypt
ERROR
A test authorization for nextcloud.huber-server.de to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.
2a02:590:ec0:b6f:b42e:9900:1cc:1915: Fetching http://nextcloud.huber-server.de/.well-known/acme-challenge/XJu7Rlb2cK044S45wInQm8ix8C2GJpSuFRH4NErNelk: Timeout during connect (likely firewall problem)

Side note: it seems there is only an IPv6 address (that in itself is not a problem).

3 Likes

Also, using nmap shows ports 80 & 443 are filtered on IPv6.

>nmap -6 -Pn -p80,443 nextcloud.huber-server.de
Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-04 17:19 UTC
Nmap scan report for nextcloud.huber-server.de (2a02:590:ec0:b6f:b42e:9900:1cc:1915)
Host is up.

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 5.16 seconds

And there is no IPv4 address (not a problem for the issue at hand).

>nmap -4 -Pn -p80,443 nextcloud.huber-server.de
Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-04 17:21 UTC
Warning: Hostname nextcloud.huber-server.de resolves, but not to any IPv4 address. Try scanning with -6
Failed to resolve "nextcloud.huber-server.de".
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.03 seconds
3 Likes
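Before running certbot, the connectivity checks that Let's Debug and the nmap scans above perform can be reproduced locally. The script below is an added example (not part of the thread or of certbot or Let's Debug): it resolves the A and AAAA records of a hostname, attempts a TCP connection to port 80 over each address, and reports per-family findings in the same spirit as the "AAAANotWorking" result quoted above. The sample record set is constructed from the addresses quoted in the posts; the `connect` callback is injectable so the logic can be exercised without network access. Note that Let's Encrypt validates from several vantage points and tries the AAAA address first when one is published, so a local pass is a pre-check, not a guarantee.

```python
import socket
import sys

# Constructed sample matching the thread: one AAAA record, no A record
# (the address is the one quoted in the posts above).
SAMPLE_RECORDS = {"A": [], "AAAA": ["2a02:590:ec0:b6f:b42e:9900:1cc:1915"]}


def resolve(hostname):
    """Collect the A and AAAA records the system resolver returns for hostname."""
    records = {"A": [], "AAAA": []}
    for family, _, _, _, sockaddr in socket.getaddrinfo(hostname, 80, proto=socket.IPPROTO_TCP):
        key = "AAAA" if family == socket.AF_INET6 else "A"
        if sockaddr[0] not in records[key]:
            records[key].append(sockaddr[0])
    return records


def tcp_connect(address, port=80, timeout=10.0):
    """True if a TCP handshake to address:port completes within timeout.
    A timeout here corresponds to certbot's 'Timeout during connect' message."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:
        return False


def assess(records, connect=tcp_connect, port=80):
    """Try every published address and summarise the result Let's Debug style.
    `connect` is injectable so the logic can be tested without a network."""
    results = {addr: connect(addr, port)
               for key in ("A", "AAAA") for addr in records.get(key, [])}
    findings = []
    if not results:
        findings.append("NoAddressRecords")
    for key in ("A", "AAAA"):
        addrs = records.get(key, [])
        if addrs and not any(results[a] for a in addrs):
            findings.append(key + "NotWorking")
    # http-01 needs at least one published address that accepts port 80
    return {"addresses": results, "findings": findings,
            "http01_possible": any(results.values())}


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "nextcloud.huber-server.de"
    report = assess(resolve(host))
    for addr, ok in report["addresses"].items():
        print(f"{addr:45} port 80 {'reachable' if ok else 'NOT reachable'}")
    print("findings:", report["findings"] or ["none"])
```

Run it from a host outside the home network; from inside, a hairpin NAT or the local route can make port 80 look reachable when it is blocked at the edge.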

Hello @Bruce5051,
thanks for your quick answer.
So my IPv6 address does not reply to certbot, right?
I checked my entries on my domain (INWX):
(screenshot: inwx-config)

It is the same IPv6 as in the error message. Did I forget to do something? Port forwarding is done, also the entry in INWX.

There is no public IPv4 because I don't have a public IPv4, so I decided to try with IPv6.

If you can tell me how the DNS challenge works, I can try this; maybe that is the better way because I can set up a wildcard cert.

I checked my entries again and found that my Nextcloud container changed its IPv6, so I changed the entry in INWX and set the IP of the container to static.

Now I can connect to Nextcloud inside my home network via the IPv6 and the domain nextcloud.huber-server.de, but if I try it outside my home network the site is unreachable. Is this because I don't have HTTPS at the moment?

It's the other way around: First you need to get connectivity working to your network on port 80, and then you should be able to get a certificate to enable https. (If it's intentionally only accessible inside, then you can use the DNS-01 challenge instead, though that still requires a DNS server that's publicly reachable but those are more common.)

4 Likes

OK; but Ports 80 & 443 are still being filtered (i.e. blocked) to the Public Internet.

>nmap -6 -Pn -p80,443 nextcloud.huber-server.de
Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-04 20:49 UTC
Nmap scan report for nextcloud.huber-server.de (2a02:590:ec0:b6f:b42e:9900:bcc:1915)
Host is up.

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 3.75 seconds
3 Likes

@petercooperjr I will try the DNS-01 challenge today after work; I created the TXT record and verified I can see it with the Google Dig tool.

@Bruce5051 So port 80 filtered means that a firewall or something on the way from my Nextcloud server to the outside of my home network blocks the packets, right?
I will see if I can find something like this in Unraid and check my router's (TP-Link AX5400) firewall settings.

Thanks for the help :slight_smile:
I will reply when I have finished the steps above.

1 Like
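For the DNS-01 route mentioned above and the TXT record check in the last post: ACME DNS-01 validates a TXT record at `_acme-challenge.<domain>`, and that record must be visible to public resolvers, not only to the registrar's control panel. The script below is an added example, not code from the thread or from certbot; it queries Google Public DNS through its JSON API (`https://dns.google/resolve`) and reports whether the expected value is present. The sample response is constructed, and `PLACEHOLDER_TOKEN` stands in for the value certbot would ask you to publish.

```python
import json
import urllib.parse
import urllib.request

DOH_ENDPOINT = "https://dns.google/resolve"  # Google Public DNS JSON API


def fetch_txt_json(name):
    """Ask Google's public resolver for the TXT records of `name` (needs network)."""
    url = DOH_ENDPOINT + "?" + urllib.parse.urlencode({"name": name, "type": "TXT"})
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def txt_values(doh_json):
    """Extract the TXT strings from a DoH JSON answer, without their quotes.
    NXDOMAIN (Status 3) or an empty answer yields an empty list."""
    values = []
    for rr in doh_json.get("Answer", []):
        if rr.get("type") != 16:  # 16 is the TXT record type code
            continue
        # dns.google returns TXT data as a quoted string; long records are
        # split into several quoted chunks separated by a space
        values.append(rr.get("data", "").replace('" "', "").strip('"'))
    return values


def dns01_record_present(domain, expected, lookup=fetch_txt_json):
    """True if the _acme-challenge TXT record for `domain` carries `expected`."""
    name = "_acme-challenge." + domain.rstrip(".")
    return expected in txt_values(lookup(name))


# Constructed sample in the shape of a dns.google answer; the token is a placeholder
SAMPLE_RESPONSE = {
    "Status": 0,
    "Answer": [{"name": "_acme-challenge.nextcloud.huber-server.de.", "type": 16,
                "TTL": 300, "data": "\"PLACEHOLDER_TOKEN\""}],
}

if __name__ == "__main__":
    ok = dns01_record_present("nextcloud.huber-server.de", "PLACEHOLDER_TOKEN")
    print("record visible to public DNS:", ok)
```

Check this only after the registrar's TTL has passed; a stale negative answer cached at the resolver will otherwise make a correct record look missing.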

No, it means that connections from the public Internet to your domain are getting blocked.

3 Likes

Okay, but how can I find out why the port is filtered? I communicated earlier today with the INWX support to check if my domain is correctly configured, and the support employee said that all is OK.
Sorry for that many questions; I'm really new to the domain and IPv6 thing.

Thanks

1 Like

Check each piece of equipment and software starting from the cable from your ISP leading into your home. Follow the wire from device to device and check each device. The first one is probably your router so check all of its settings.

5 Likes

Is this correct?

Latest version is: 2.9.0

4 Likes

Hello again to all,
I think I found my problem.
My router TP-Link AX73 has a non-configurable firewall that blocks IPv6 from outside, so I can't configure ports or disable it. I will try to upgrade my firmware and hope that TP-Link added this feature.

Here is a statement from the TP-Link forum:
We understand that you want to have the network permission to access the local IPv6 server/service from outside, which is currently not supported on the Archer AX73 routers yet.

3 Likes

@rg305
yes, the version is correct, so I should update the version.

1 Like

Just a suggestion: You might consider disabling IPV6 altogether.
;@)

2 Likes

Hello @Rip
yes, that should be a solution, but I don't have an external IPv4 and I'd like to know more about IPv6.

My provider offers me a free router (Fritz Box); it should have an IPv6 firewall. I will contact my ISP today and try it as soon as the router is delivered.

When I have tested the Fritz Box router, I will report here whether this was the solution.

3 Likes

Hello to all,
I was able to solve all my problems.
The Fritz Box was delivered, so I set it up and forwarded IPv6 ports; that solved the problem that I was unreachable from outside.
Then I found out that Unraid Docker containers are not shown as their own devices in the Fritz Box because all have the same MAC address, so port forwardings are useless.

So I set up a VM in Unraid to have a device in my Fritz Box, installed Nextcloud with Let's Encrypt on it, and forwarded the required ports.

Now I can access Nextcloud from outside over IPv6 and the domain, and from inside over IPv4 and IPv6 as well as over the hostname.

Thank you all very much for the time you spent helping me :slight_smile:

Regards, Daniel

4 Likes
