Can't generate SSL certificate for a domain. Using Apache server (having issues in .well-known/acme-challenge/)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: nikkahtest1.theworkpc.com

I ran this command: certbot --apache -v -d nikkahtest1.theworkpc.com

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Requesting a certificate for nikkahtest1.theworkpc.com
Performing the following challenges:
http-01 challenge for nikkahtest1.theworkpc.com
Enabled Apache rewrite module
Waiting for verification...
Challenge failed for domain nikkahtest1.theworkpc.com
http-01 challenge for nikkahtest1.theworkpc.com

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: nikkahtest1.theworkpc.com
Type: connection
Detail: 60.243.32.180: Fetching http://nikkahtest1.theworkpc.com/.well-known/acme-challenge/vhJIM0_PImjeCNS56dQ8oSPY6sJnRhwlBAGz2VRKGJk: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): apache

The operating system my web server runs on is (include version): linux

My hosting provider, if applicable, is: Dynu

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Dynu control panel

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.21.0

Check your port forwarding and your router firewall, also check if your ISP uses CGNAT (in that case, IPv6 is pretty much your only option).

4 Likes
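
The CGNAT check suggested in the reply above, as an added example that is not part of the original thread: it compares the WAN address shown on the router's status page with the domain's A record. The function name, verdict labels and sample WAN addresses are assumptions made for illustration; 60.243.32.180 is the A record from this thread.

```python
"""Triage an HTTP-01 "Timeout during connect": is the router's WAN side reachable at all?"""
import ipaddress

# RFC 6598 shared address space, used by ISPs for carrier-grade NAT.
CGNAT = ipaddress.IPv4Network("100.64.0.0/10")
# RFC 1918 private ranges: a WAN address here means another NAT sits upstream.
RFC1918 = [ipaddress.IPv4Network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

ADVICE = {
    "cgnat": "ISP uses CGNAT: inbound port 80 cannot be forwarded over IPv4; "
             "use IPv6 or ask the ISP for a public address.",
    "double-nat": "Router sits behind another NAT device: forward port 80 on "
                  "the upstream device too, or bridge it.",
    "dns-mismatch": "A record does not match the router's WAN address: "
                    "update the dynamic DNS record.",
    "public-direct": "WAN address is public and matches DNS: check the "
                     "port-80 forward and the router/host firewall.",
}

def classify_wan(router_wan_ip: str, dns_a_record: str) -> str:
    """Return a verdict label (hypothetical names) for the router's WAN address.

    router_wan_ip: address on the router's WAN status page.
    dns_a_record:  address the domain resolves to publicly.
    Raises ValueError if either string is not a valid IPv4 address.
    """
    wan = ipaddress.IPv4Address(router_wan_ip)
    pub = ipaddress.IPv4Address(dns_a_record)
    if wan in CGNAT:
        return "cgnat"
    if any(wan in net for net in RFC1918):
        return "double-nat"
    if wan != pub:
        return "dns-mismatch"
    return "public-direct"

if __name__ == "__main__":
    a_record = "60.243.32.180"  # A record reported in this thread
    # Constructed WAN addresses, one per outcome.
    for wan in ("100.72.14.9", "192.168.1.2", "203.0.113.5", a_record):
        verdict = classify_wan(wan, a_record)
        print(f"{wan:>15}  {verdict:<13}  {ADVICE[verdict]}")
```
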

Hello @chandru003,

Using the online tool Let's Debug yields these results https://letsdebug.net/nikkahtest1.theworkpc.com/1620025
The second ERROR states "Timeout during connect (likely firewall problem)"


ANotWorking
Error
nikkahtest1.theworkpc.com has an A (IPv4) record (60.243.32.180) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.
A timeout was experienced while communicating with nikkahtest1.theworkpc.com/60.243.32.180: Get "http://nikkahtest1.theworkpc.com/.well-known/acme-challenge/letsdebug-test": context deadline exceeded

Trace:
@0ms: Making a request to http://nikkahtest1.theworkpc.com/.well-known/acme-challenge/letsdebug-test (using initial IP 60.243.32.180)
@0ms: Dialing 60.243.32.180
@10001ms: Experienced error: context deadline exceeded 

IssueFromLetsEncrypt
Error
A test authorization for nikkahtest1.theworkpc.com to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.
60.243.32.180: Fetching http://nikkahtest1.theworkpc.com/.well-known/acme-challenge/GIri6y5EsaL8m4mUq4R0pjv21CJMe-XMgCp2YVq3UkQ: Timeout during connect (likely firewall problem) 

Also this indicates a firewall problem

$ nmap -Pn -p80,443 nikkahtest1.theworkpc.com
Starting Nmap 7.80 ( https://nmap.org ) at 2023-09-23 20:48 UTC
Nmap scan report for nikkahtest1.theworkpc.com (60.243.32.180)
Host is up.

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 3.33 seconds
2 Likes
