Can't create cert with certbot

Hello, I have some Docker containers running on my server. I have just opened ports 80 and 433 on my router and checked if my domain works. I'm trying to create a certificate for Home Assistant, so I stopped the pihole container and ran certbot with sudo certbot certonly. I use the standalone method but it doesn't work. I think my domain is not reachable, can someone help me?

My domain is:
studiodomotico.duckdns.org

I ran this command:
sudo certbot certonly

It produced this output:

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: studiodomotico.duckdns.org
  Type:   connection
  Detail: 151.51.16.34: Fetching http://studiodomotico.duckdns.org/.well-known/acme-challenge/mKRQgrnY9O1-_CX19gxMuYNQV32r0Ud_GQH7ec1ZOYc: Error getting validation data

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Some challenges have failed.

My web server is (include version):
Home Assistant in Docker

The operating system my web server runs on is (include version):
Ubuntu server 22.04 lts

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
1.21

Welcome to the community @Franzi98

Try this

sudo certbot certonly --debug-challenges -v -d studiodomotico.duckdns.org

Certbot will pause and show you a URL. Leave Certbot running and try getting that URL. If you cannot then you have a comms config problem.


Unfortunately it gives me the same error

Requesting a certificate for studiodomotico.duckdns.org
Performing the following challenges:
http-01 challenge for studiodomotico.duckdns.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about
challenges.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Challenge failed for domain studiodomotico.duckdns.org
http-01 challenge for studiodomotico.duckdns.org

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: studiodomotico.duckdns.org
  Type:   connection
  Detail: 151.51.16.34: Fetching http://studiodomotico.duckdns.org/.well-known/acme-challenge/dOCgqbyT3T_6DKKt8JjeBWPJknFlq3AwKnQqc6CEIpc: Error getting validation data

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

I don't know what I can do anymore....

Didn't Certbot show you the URL? It should when using -v and --debug-challenges

You then leave that running / paused and use another machine or window to try to get that URL. Even use your cell phone with wifi off so you are using your provider network.

An HTTP connection is required to use the HTTP Challenge. To test HTTP you must have something running and listening on that port. With Certbot standalone you must leave it paused / running to test connecting to it. Or, if you have some other software to run on that port you can use that.

You have a complicated mix of components but I don't know them well enough to give more specific advice than this. There is something fundamentally wrong with your config. Or, maybe your ISP does not allow port 80 to be used.

Maybe another volunteer will know pihole and Home Assistant. Or, try a forum for those to get it set up for an HTTP connection. Once that works you can use Certbot to get a cert and enable HTTPS.


Is the IP address 151.51.16.34 correct? It seems to be totally down to me.


Where will you be using the certificate?


I'm sure it is my IP address. I don't know why it doesn't work; inside my network this IP routes me to the router page

Inside Home Assistant

The only URL shown is this:

http://studiodomotico.duckdns.org/.well-known/acme-challenge/dOCgqbyT3T_6DKKt8JjeBWPJknFlq3AwKnQqc6CEIpc

I am a bit of a noob with SSL certificates, so sorry for stupid mistakes

curl -Ii http://studiodomotico.duckdns.org/
curl: (56) Recv failure: Connection reset by peer

You need a working HTTP site before it can be secured via HTTP-01 authentication.

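The two replies above (test the challenge URL from outside while Certbot is paused, and "you need a working HTTP site before HTTP-01 can succeed") boil down to reproducing what the CA does. The script below is an added example, not the thread's or certbot's own code: it resolves the name, fetches http://<name>/.well-known/acme-challenge/<token> and reports the first thing that goes wrong, distinguishing "the name points somewhere else", "nothing answers on port 80", "something else answers on port 80" (a router login page returning 401, as in this thread) and "the expected key authorization came back". The `resolve` and `fetch` parameters, the `Verdict` names and the 203.0.113.x addresses are constructed for this example; the token and key authorization are the values certbot shows next to the URL when paused with `--debug-challenges -v`.

```python
#!/usr/bin/env python3
"""Self-check for an HTTP-01 challenge, done the way the CA does it.

Added example for this thread, not certbot's code. It resolves the name, fetches
http://<name>/.well-known/acme-challenge/<token> and classifies what happened:
the name points elsewhere, nothing answers on port 80, something *else* answers
on port 80 (e.g. a router login page returning 401), or the right body came back.
resolve/fetch are injectable so the classification can be exercised offline.
"""
import socket
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass

ACME_PATH = "/.well-known/acme-challenge/"


@dataclass
class Verdict:
    status: str   # ok | dns_failure | dns_mismatch | unreachable | wrong_responder | bad_body
    detail: str


def default_resolve(name):
    """All IPv4 addresses DNS returns for name (the CA looks these up too)."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, 80, socket.AF_INET)})


def default_fetch(url, timeout=10):
    """Return (http_status, body). Raises OSError when no HTTP exchange happens at all."""
    req = urllib.request.Request(url, headers={"User-Agent": "acme-selfcheck/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:        # 4xx/5xx still means *someone* answered
        return exc.code, exc.read(4096).decode("utf-8", "replace")


def diagnose(domain, expected_ip, token, key_authz,
             resolve=default_resolve, fetch=default_fetch):
    """Mimic the CA's validation and explain the first thing that goes wrong."""
    try:
        addrs = resolve(domain)
    except OSError as exc:                        # NXDOMAIN, SERVFAIL, no resolver...
        return Verdict("dns_failure", f"cannot resolve {domain}: {exc}")
    if expected_ip not in addrs:
        return Verdict("dns_mismatch",
                       f"{domain} resolves to {addrs}, not {expected_ip}; fix the DDNS record")
    url = f"http://{domain}{ACME_PATH}{token}"
    try:
        status, body = fetch(url)
    except OSError as exc:                        # refused, reset, timeout, no route...
        return Verdict("unreachable",
                       f"{url}: {exc}; port 80 is not reaching the host running certbot")
    if status != 200:
        return Verdict("wrong_responder",
                       f"{url} answered HTTP {status}: another service (router UI, "
                       "Pi-hole, ...) owns port 80 for this address")
    if body.strip() != key_authz:
        return Verdict("bad_body", f"{url} served unexpected content; the wrong web server answered")
    return Verdict("ok", f"{url} served the key authorization; the CA should succeed too")


if __name__ == "__main__":
    # Usage: acme_selfcheck.py <domain> <expected public IP> <token> <key-authorization>
    # Leave `certbot ... --debug-challenges -v` paused so its standalone server is listening,
    # and run this from *outside* the LAN (NAT hairpinning can hide the real problem).
    if len(sys.argv) != 5:
        sys.exit(__doc__)
    verdict = diagnose(*sys.argv[1:])
    print(f"{verdict.status}: {verdict.detail}")
    sys.exit(0 if verdict.status == "ok" else 1)
```

A 401 from the router's web UI, a "connection reset by peer" and a "no route to host" all show up in the thread; they map to `wrong_responder` and `unreachable` respectively, and each needs a different fix (move the router's admin page off port 80 or forward 80 to the certbot host, versus the ISP or the port forward not passing inbound 80 at all). Testing from inside the LAN is not conclusive because many routers answer their own public IP with the admin page instead of hairpinning the forward.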

If I run pihole in Docker,

curl -Ii http://studiodomotico.duckdns.org/ 

it returns

HTTP/1.1 401 Unauthorized
Set-Cookie: Session=0; path=/; HttpOnly
Content-Type: text/html
Content-Length: 1337
Date: Mon, 05 Dec 2022 21:28:18 GMT

I can't run pihole during cert creation because Pi-hole uses port 80

If there is only one IP, and that IP is being used by pihole, then how can you get a cert (using that IP:80)?
hmm...

  • If you proxy the challenge requests on the pihole to the HA.
  • if you obtain the cert on the pihole and then copy it to the HA.
  • if you use the pihole to proxy all traffic (80&443) to the HA.

Unfortunately this is an area I'm not familiar with. If you could link some guides, that would help me

It seems like connections from outside are closed, but I have opened ports 80, 8080 and 433. Inside my network my URL shows me the router home page and curl -i url gives me this output:


HTTP/1.1 401 Unauthorized
Set-Cookie: Session=0; path=/; HttpOnly
Content-Type: text/html
Content-Length: 1337
Date: Tue, 06 Dec 2022 11:02:08 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /><meta http-equiv="X-UA-Compatible" /><title id='title'>.::Welcome to the Web-Based Configurator::.</title><script type="text/javascript" src="/js/build/yui/yui-min.js"></script><script type="text/javascript" src="/js/zyxelhelp.js"></script><script type="text/javascript" src="/js/init.js"></script></head><body><div id="loginBtn"></div><input id="AUTH_RET" value="InitLogin" style="display:none"><input id="CURR_MULTILANG" value="it" style="display:none"><input id="AVAIL_MULTILANG" value="en,tw,it" style="display:none"><input id="MODEL_NAME" value="VMG8823-B50B" style="display:none"><input id="DESCRIPTION" value="Dual Band Wireless AC/N VDSL2 VoIP Combo WAN IAD" style="display:none"><input id="FIRMWARE_VIRSION" value="V5.13(ABIU.0)b5_20190308" style="display:none"><input id="HTTP_TIMER" value="300" style="display:none"><input id="currentlogUser" value="admin" style="display:none"><input id="CUSTOMER_NAME" value="" style="display:none"><input id="ONdocker stop squid^C

In the certbot log file I found an authorization error; this is a section of the output:

2022-12-06 11:02:41,510:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 90, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 178, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2022-12-06 11:02:41,511:DEBUG:certbot._internal.error_handler:Calling registered functions
2022-12-06 11:02:41,511:INFO:certbot._internal.auth_handler:Cleaning up challenges
2022-12-06 11:02:41,512:DEBUG:certbot._internal.plugins.standalone:Stopping server at :::80...
2022-12-06 11:02:41,984:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 33, in <module>
    sys.exit(load_entry_point('certbot==1.21.0', 'console_scripts', 'certbot')())
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1574, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1434, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 133, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 459, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 389, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 439, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 90, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 178, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2022-12-06 11:02:41,986:ERROR:certbot._internal.log:Some challenges have failed.

I searched on the internet for how to proxy through Pi-hole but it seems to be impossible. Can someone help me? I'm going crazy

Was that 443?


Was that 443?

HTTPS

Rudy was asking whether your comments saying port 433 were a typo. Or perhaps you actually were using port 433 in your router too.

Port 443 is HTTPS. It would not be the first time we saw such a typo in a router.

=====================

Also, earlier your IP in DNS was 151.51.16.34
It is now 151.51.16.44

Is this a new IP or did you mis-type something in DNS now? Because, I can't reach your domain with http or https.

curl -i -m10 https://studiodomotico.duckdns.org
curl: (7) Failed to connect to studiodomotico.duckdns.org port 443 after 3118 ms: No route to host

curl -i -m10 http://studiodomotico.duckdns.org
curl: (7) Failed to connect to studiodomotico.duckdns.org port 80 after 1152 ms: No route to host

Hi, thanks for the reply.

Port 443 is HTTPS. It would not be the first time we saw such a typo in a router.

Yes, I made a mistake, it should be 443.

I think the IP was right; the problem is from outside. Inside my network with curl -i myurl I get this output:

HTTP/1.1 401 Unauthorized
Set-Cookie: Session=0; path=/; HttpOnly
Content-Type: text/html
Content-Length: 1337
Date: Tue, 06 Dec 2022 11:02:08 GMT

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /><meta http-equiv="X-UA-Compatible" /><title id='title'>.::Welcome to the Web-Based Configurator::.</title><script type="text/javascript" src="/js/build/yui/yui-min.js"></script><script type="text/javascript" src="/js/zyxelhelp.js"></script><script type="text/javascript" src="/js/init.js"></script></head><body><div id="loginBtn"></div><input id="AUTH_RET" value="InitLogin" style="display:none"><input id="CURR_MULTILANG" value="it" style="display:none"><input id="AVAIL_MULTILANG" value="en,tw,it" style="display:none"><input id="MODEL_NAME" value="VMG8823-B50B" style="display:none"><input id="DESCRIPTION" value="Dual Band Wireless AC/N VDSL2 VoIP Combo WAN IAD" style="display:none"><input id="FIRMWARE_VIRSION" value="V5.13(ABIU.0)b5_20190308" style="display:none"><input id="HTTP_TIMER" value="300" style="display:none"><input id="currentlogUser" value="admin" style="display:none"><input id="CUSTOMER_NAME" value="" style="display:none"><input id="ONdocker stop squid^C

Your router is answering that URL.
If the URL is for port 443, then your router is listening/using port 443.
You would have to move it to another port OR move your server to another port.


My router isn't listening on/using port 443, I'm sure.