Can't get certificate in BigBlueButton installation


My domain is: bbb.mahale-ggmbh.de

I ran this command: wget -qO- https://ubuntu.bigbluebutton.org/bbb-install-2.5.sh | bash -s -- -v focal-250 -s bbb.mahale-ggmbh.de -e bbb@mahale-ggmbh.de -a -w -g

It produced this output:
IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: bbb.mahale-ggmbh.de
    Type: connection
    Detail: 45.146.254.209: Fetching
    http://bbb.mahale-ggmbh.de/.well-known/acme-challenge/J87O6Oe2mSakRWiuVSka5sZzY2KLhERHIOoMeG_NpWk:
    Connection reset by peer

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version): Ubuntu 20.04 LTS

The operating system my web server runs on is (include version): 20.04.5

My hosting provider, if applicable, is: zap-hosting

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.40

I can reach your IPv4 address from my own test server. But, do you have a firewall which might be blocking certain IPs or connections from certain geographic areas?

You have an invalid IPv6 address in your DNS AAAA record. I don't think this is causing this problem but you should change your DNS AAAA record to be your valid public IP address. Or, remove it if you don't have IPv6.

See Let's Debug test site (link here). This is a good site to test new websites.


Hi @mkirsten, and welcome to the LE community forum :slight_smile:

That could use an upgrade.


I tried to upgrade it but it always says: newest version.

So how can I do it?

I deleted the AAAA record and my firewall is completely inactive.

I still get the same error.

My logfile looks like this:

2023-02-20 10:21:23,681:DEBUG:certbot.error_handler:Calling registered functions
2023-02-20 10:21:23,682:INFO:certbot.auth_handler:Cleaning up challenges
2023-02-20 10:21:23,682:DEBUG:certbot.plugins.webroot:Removing /var/www/bigbluebutton-default/.well-known/acme-challenge/WuBycLWeqCb4wy-d8WKo3m_EyZ6PJnn4tDPMb4rCmFg
2023-02-20 10:21:23,682:DEBUG:certbot.plugins.webroot:All challenges cleaned up
2023-02-20 10:21:23,683:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.40.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1382, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1265, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 417, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 348, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 396, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

Unfortunately, the relevant error is most likely above the lines you're showing now.


I don't think the log will show us anything but Osiris is right. We need to see the whole log.

It still looks like you have a firewall blocking certain IPs. Does Zap-Hosting have a firewall in front of your server?

I can see your domain from my own test server in the US and several other points around the world. I do not see interference from a Palo Alto Network brand firewall (this has been a repeated problem for people).

That is all good.

But, Let's Debug cannot see it using its initial test or the Let's Encrypt Staging Servers (latest test here). This is almost always caused by a selective firewall blocking certain IP or specific other criteria.

I did a quick read on BBB and it looks like it is in a docker container. If so, did you check for a firewall in the container and also in the host server?


I didn't realise the relevant part was already in the first post of the thread :blush: Whoopsie.


Follow the recommended upgrade instructions.
See: Certbot (eff.org)


Sorry for the delay.
Here is the full log:

2023-02-19 05:30:29,800:DEBUG:certbot.main:certbot version: 0.40.0
2023-02-19 05:30:29,800:DEBUG:certbot.main:Arguments: ['-q']
2023-02-19 05:30:29,800:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#>
2023-02-19 05:30:29,816:DEBUG:certbot.log:Root logging level set at 30
2023-02-19 05:30:29,816:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2023-02-19 05:30:29,817:DEBUG:certbot.renewal:no renewal failures
2023-02-19 20:34:29,762:DEBUG:certbot.main:certbot version: 0.40.0
2023-02-19 20:34:29,762:DEBUG:certbot.main:Arguments: ['-q']
2023-02-19 20:34:29,763:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#>
2023-02-19 20:34:29,779:DEBUG:certbot.log:Root logging level set at 30
2023-02-19 20:34:29,780:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2023-02-19 20:34:29,781:DEBUG:certbot.renewal:no renewal failures
2023-02-20 07:00:22,449:DEBUG:certbot.main:certbot version: 0.40.0
2023-02-20 07:00:22,449:DEBUG:certbot.main:Arguments: ['-q']
2023-02-20 07:00:22,449:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#>
2023-02-20 07:00:22,463:DEBUG:certbot.log:Root logging level set at 30
2023-02-20 07:00:22,464:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2023-02-20 07:00:22,465:DEBUG:certbot.renewal:no renewal failures
2023-02-20 10:21:20,833:DEBUG:certbot.main:certbot version: 0.40.0
2023-02-20 10:21:20,834:DEBUG:certbot.main:Arguments: ['--email', 'chat@mahale-ggmbh.de', '--agree-tos', '--rsa-key-size', '4096', '-w', '/var>
2023-02-20 10:21:20,834:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#>
2023-02-20 10:21:20,849:DEBUG:certbot.log:Root logging level set at 20
2023-02-20 10:21:20,849:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2023-02-20 10:21:20,850:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2023-02-20 10:21:20,850:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7f110333d2e0>
Prep: True
2023-02-20 10:21:20,851:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7f110333d2e0>
2023-02-20 10:21:20,851:INFO:certbot.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2023-02-20 10:21:20,860:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=Non>
2023-02-20 10:21:20,861:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2023-02-20 10:21:20,864:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2023-02-20 10:21:21,329:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 756
2023-02-20 10:21:21,330:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 20 Feb 2023 09:21:23 GMT
Content-Type: application/json
Content-Length: 756
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

There is no firewall in the host server.
I asked the support team of ZAP-Hosting.
And there is no Docker container because the installation routine ends when there's no certificate.

Did AbuseIPDB fix their list blocking LE VA IPs?

The webpage looks like they didn't.


And what can I do now?

Another odd thing is I can reproduce the "reset by peer" from my own test server.

But, it only happens the first time I try a curl request with a new test server IP. I repeated this problem twice this morning with two different IPs. Again, this points to some sort of firewall interfering.

(I used the same URL as used by Let's Debug)
curl -i http://bbb.mahale-ggmbh.de/.well-known/acme-challenge/letsdebug-test
curl: (56) Recv failure: Connection reset by peer

(immediately after the failure:)
curl -i http://bbb.mahale-ggmbh.de/.well-known/acme-challenge/letsdebug-test
HTTP/1.1 404 Not Found
Server: nginx
Date: Wed, 22 Feb 2023 13:11:05 GMT
Content-Type: text/html
Content-Length: 146
Connection: keep-alive
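The repeated-request check from the post above, as an added example that is not part of the original thread: it records curl's exit code for each attempt and flags the "reset on first contact, answered afterwards" pattern. The names `probe`, `classify`, `PROBE_URL` and the sample data are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): repeat a request to an HTTP-01
# challenge path and classify the sequence of results.

# probe URL [N]: prints one line per attempt, "<curl_exit> <http_status>".
probe() {
    local url="$1" n="${2:-3}" i=1 rc http
    while [ "$i" -le "$n" ]; do
        # -m 10: give up after 10 s; %{http_code} is 000 when no reply arrived
        http=$(curl -s -o /dev/null -m 10 -w '%{http_code}' "$url") && rc=0 || rc=$?
        echo "$rc $http"
        i=$((i + 1))
        sleep 1
    done
}

# classify: reads probe lines on stdin and prints a verdict.
# curl exit 56 is the "Recv failure" seen in the thread; any non-zero exit
# counts as a failed attempt. Exit 0 with a 404 still means the web server
# answered, which is all the reachability check needs.
classify() {
    local rc http total=0 fails=0 first_rc=0
    while read -r rc http; do
        if [ -z "$rc" ]; then continue; fi
        total=$((total + 1))
        if [ "$total" -eq 1 ]; then first_rc=$rc; fi
        if [ "$rc" -ne 0 ]; then fails=$((fails + 1)); fi
    done
    if [ "$total" -eq 0 ]; then echo "no-data"
    elif [ "$fails" -eq 0 ]; then echo "reachable"
    elif [ "$fails" -eq "$total" ]; then echo "unreachable"
    elif [ "$first_rc" -ne 0 ] && [ "$fails" -eq 1 ]; then echo "first-contact-failure"
    else echo "intermittent"
    fi
}

# Constructed sample mirroring the thread: reset first, then 404 from nginx.
SAMPLE_FIRST_RESET='56 000
0 404
0 404'

# Live run only when PROBE_URL is set (hypothetical variable name).
if [ -n "${PROBE_URL:-}" ]; then
    probe "$PROBE_URL" 3 | classify
fi
```

A `first-contact-failure` verdict only means something when the probe runs from a source IP the server has not seen recently, which matches how the validation servers appear to it.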
