Can't get certificate - Error getting validation data (Jitsi-Meet)

Dear letsencrypt-gods,

I wonder if you can enlighten me after a few days of trying different methods to install Jitsi-Meet on a freshly installed Ubuntu Server on localhost at home.

My domain is: meet.human-design-management.de

I ran this command:
sudo /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh mail@human-design-management.de

It produced this output:
meet.human-design-management.de: Invalid status. Verification error details: 2.212.126.199: Fetching http://meet.human-design-management.de/.well-known/acme-challenge/vcSeEJKZXWMuOieo8v0jeSUg2R8Ngq0DMpU9Caj0_0E: Timeout during connect (likely firewall problem)

My web server is (include version): nginx/1.24.0

The operating system my web server runs on is (include version): Ubuntu Server 24.04.1 LTS

My hosting provider, if applicable, is: all-inkl.com + localhost (for the subdomain meet)

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.9.0


my steps:

installed Ubuntu Server and Jitsi-Meet (Self-Hosting Guide - Debian/Ubuntu server | Jitsi Meet), including:

  • configured ufw for IPv4 and IPv6 (allow from anywhere ports 22/tcp, 80/tcp, 443/tcp, 10000:20000/udp, 3478/udp, 5349/tcp)
  • configured DDNS on all-inkl.com to point to my public ip 2.212.126.199
  • configured DynDNS on my fritzbox according to help page from all-inkl.com
  • configured fritz.box to open ports as above for my server (ip4 and ip6), allow server to open ports itself, even set server to "exposed host", so there is no firewall protection for the server)

tried to get a certificate

Most of the time I got:
meet.human-design-management.de: Invalid status. Verification error details: 2a02:3102:8001:8461::17f: Fetching http://meet.human-design-management.de/.well-known/acme-challenge/6MkNdNdu07nhuL4Vbh2LAP3SKLCCyV75x0dtoCJys5I: Error getting validation data

but the last errors were: timeout during connect (likely firewall problem)

I think I did what I can to have minimal security. :stuck_out_tongue:

I also tried it without DDNS but with A and AAAA records in the DNS settings from all-inkl, but that didn't work either.

I tried it without certbot (like in the original guide from Jitsi) and with certbot (after viewing other peoples posts) with the command
certbot --nginx

Nothing worked so far.

I noticed that my DDNS entry on all-inkl.com was changed in between from my public to my private IP, I don't know why. I changed it back to public, but neither IP worked for certification.

I cannot access meet.human-design-management.de from the internet due to the missing certificate, but I can reach the server via private ip, which sends me to the nginx start page, not to the Jitsi Server. I guess because of the missing certificate (so http instead of https).

I don't find a folder named "well-known" or ".well-known" on the server system. Is it deleted when things go wrong or is it a hint for missing rights for someone/something?

Did I do something obviously wrong?

Where can I look for more specific hints what went wrong?

Any hint is appreciated. Thank you very much.

Hi @webholist,

I find the “(likely firewall problem)” is most often correct.
Port 80 access is required for HTTP-01 challenge.


And Let’s Debug failing results are here https://letsdebug.net/meet.human-design-management.de/2256128


Thank you for that hint, @Bruce5051, and for the link. The domain itself is protected by Let's encrypt with force SSL and HSTS and it has a wildcard entry. Is it possible, that this also forces the subdomain to use https, even though its DDNS entry leads to another IP?


What does that mean exactly?

I'm pretty sure it has nothing to do with a "missing certificate". Your IP addresses are not reachable at all, regardless of a certificate:

  • IPv6: instant rejection: "connect to 2a02:3102:8001:8461::17f port 80 from 2a10:x:x:x:x:x:x:x port x failed: Permission denied"
  • IPv4: timeout: "connect to 2.212.126.199 port 80 from 192.168.x.x port x failed: Connection timed out"

Both IP addresses seem to be from "Telefonica Germany" or "DE MediaWays" (not sure). Is that/are those home resident ISP(s)? Perhaps your ISP is blocking incoming connections in their firewall?

I'm also pretty sure this has nothing to do with a certificate. HTTP and HTTPS should behave the same.

I don't know what that install-letsencrypt-cert.sh script does exactly, but if it's using Certbot under the hood, then it will always remove that directory again after the challenge has been performed or attempted, as it serves no function any longer, whether or not the challenge was successful.

  • Doublecheck the IP addresses;
  • Triplecheck the firewall;
  • Check for missing NAT portmaps;
  • Check if your ISP is blocking things.

Also:

You already got a certificate for the meet subdomain 5 days ago: where did that certificate go to?
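As an added example (not from any poster in this thread), here is a small Python self-check that mirrors what the CA's HTTP-01 validator does: it writes a token under `.well-known/acme-challenge/` in a constructed temporary webroot, serves it over plain HTTP on a loopback port, and fetches it back. The webroot, token and key-authorization body are all constructed for the test; passing locally only proves the path layout, the ISP/NAT/firewall part can only be confirmed by calling `fetch_challenge` against the public address from outside the home network.

```python
import functools
import http.server
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")


def write_challenge(webroot, token, body):
    """Place a challenge file exactly where an HTTP-01 validator expects it."""
    directory = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(body)
    return path


def fetch_challenge(host, token, port=80, timeout=5):
    """Fetch the token over plain HTTP, as the CA does. Returns (status, body)."""
    url = f"http://{host}:{port}/.well-known/acme-challenge/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return "ok", resp.read().decode("ascii", "replace")
    except urllib.error.HTTPError as exc:            # server answered, but not 200
        return f"http {exc.code}", ""
    except (urllib.error.URLError, OSError) as exc:  # refused, timeout, no route
        return f"connect error: {getattr(exc, 'reason', exc)}", ""


def local_selfcheck():
    """Serve a constructed webroot on loopback and verify a token round-trips."""
    with tempfile.TemporaryDirectory() as webroot:
        token = secrets.token_urlsafe(32)              # constructed token
        body = token + ".constructed-key-authorization"
        write_challenge(webroot, token, body)
        handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=webroot)
        server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            port = server.server_address[1]
            status, got = fetch_challenge("127.0.0.1", token, port=port)
            missing, _ = fetch_challenge("127.0.0.1", "no-such-token", port=port)
            return status == "ok" and got == body and missing == "http 404"
        finally:
            server.shutdown()
            server.server_close()
```

Run `local_selfcheck()` on the server first; if it passes but `fetch_challenge("meet.example", token)` from an outside host returns a connect error, the problem is reachability of port 80, not the certificate.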

