Can't get cetificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
srimuang.ddns.net
I ran this command:
sudo certbot --nginx -d srimuang.ddns.net
It produced this output:
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: srimuang.ddns.net
Type: connection
Detail: 34.199.8.144: Fetching http://192.168.43.70:8080/.well-known/acme-challenge/EZ-yLUh5GjL0kWixwoxpS0FVILqJBFEjz8mC1RomR0c: Invalid port in redirect target. Only ports 80 and 443 are supported, not 8080

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
My web server is (include version):
nginx version: nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version):
ubuntu server 22.04

My hosting provider, if applicable, is:
no-ip

I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.21.0

Welcome to the community @chatofking

There are several problems. One is that you are using the nginx plug-in but an Apache server is responding to requests for that domain. Are you sure the IP in your DNS points to your server?

A second problem is the redirect is both to a private IP address and a port that Let's Encrypt does not allow for redirects.

You should first find out why Apache is responding. Example

curl -I http://srimuang.ddns.net

HTTP/1.1 302 Found
Date: Fri, 17 Jun 2022 14:49:48 GMT
Server: Apache
Location: http://192.168.43.70:8080
Content-Type: text/html
4 Likes

i change to public ip following this guide
Host a blog on your Raspberry Pi with Ghost ! | by Pierre Averous | Oct, 2020 | The Startup.
but
when i require Le certificate it time out
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: srimuang.ddns.net
Type: connection
Detail: 182.232.224.166: Fetching http://srimuang.ddns.net/.well-known/acme-challenge/Dm9_uHZJ1yKB0XmXN64nag_S77hM0emdy0LyRPHMGj8: Timeout during connect (likely firewall problem)
when i sudo ufw status
Status: inactive
secord problem has no problem i can changed to (a) type private IP addresss
but my first page was nginx http://srimuang.ddns.net/ my home page is in http://srimuang.ddns.net:8080/
idk why my url was Apache responding im too new for this.

Your DNS is pointing to your private IP 192.168.43.70. That will not work. The public DNS must point to your public IP for the Let's Encrypt http challenge to work. You can find your public IP in your router admin panel or using a command like:

curl -4 http://ifconfig.co

I do not know enough about the Pi and docker compose to help further. I think you should focus on getting an HTTP site working first. Once that is working we can help you get a Let's Encrypt cert.

I think that guide is poorly written. The certbot command format is wrong among other things. The sample website they setup is not running on a Pi and not even using nginx. Maybe search this forum for raspberry for other ideas.

You can use the Let's Debug test site to help you test your http site. Or, even use a browser from the public internet - not your home network. You could do that using a cell phone with wifi turned off if you don't have other machines to test from.

dig +short srimuang.ddns.net
192.168.43.70
4 Likes

i use this guide instead

but when i sudo nginx -t && nginx -s reload
it shows
nginx: [emerg] a duplicate default server for 0.0.0.0:80 in /etc/nginx/sites-enabled/default:22
nginx: configuration file /etc/nginx/nginx.conf test failed

when i point to public ip it timeout as you can see .
Timeout during connect (likely firewall problem)
my result debug is
ANotWorking

ERROR

srimuang.ddns.net has an A (IPv4) record (182.232.224.166) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.

A timeout was experienced while communicating with srimuang.ddns.net/182.232.224.166: Get "http://srimuang.ddns.net/.well-known/acme-challenge/letsdebug-test": dial tcp 182.232.224.166:80: i/o timeout

Trace:
@0ms: Making a request to http://srimuang.ddns.net/.well-known/acme-challenge/letsdebug-test (using initial IP 182.232.224.166)
@0ms: Dialing 182.232.224.166
@10001ms: Experienced error: dial tcp 182.232.224.166:80: i/o timeout

IssueFromLetsEncrypt

ERROR

A test authorization for srimuang.ddns.net to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.

182.232.224.166: Fetching http://srimuang.ddns.net/.well-known/acme-challenge/w26qrobAyyFDAu8S622wAeFE5vShS2eNv0bvA--Rf-A: Timeout during connect (likely firewall problem)
what should i do ??

i read some guide

Prerequisites

  • Your host must be publicly reachable on both port 80 and 443.
  • Check your firewall rules and do not attempt to block port 80 as that will prevent http-01 challenges from completing.
    will this guide will work ??
    Run your blog with Ghost, Docker and LetsEncrypt

You should check your router to make sure it allows inbound connections and is doing any port forwarding correctly. You should make sure your ISP allows connections on port 80 and 443. If you have a firewall(s) make sure they allow inbound connections on port 80 and 443.

The latest guide you showed suggested using a hosting service. If you are going to pay for a hosting service you should look at one that makes setting up your blog easy. Let's Encrypt also has this list of hosting candidates.

3 Likes

now i got only one problem duplicate default server do you know how to fix this ??

Yes, can you show the output of this command

sudo nginx -T

Please put 3 backticks before and after the output like this:
```
output
```

3 Likes

hey do you know how to port forwarding without router ??
i think i skip this process
i try 192.168.1.1 but ERR_CONNECTION_REFUSED &
192.168.0.1 is ERR_CONNECTION_TIMED_OUT

I see you are now using NOIP for your domain name but it has two problems. One is that it is not configured to allow the Let's Encrypt HTTP challenge to work. The below request should result in a 404 Not Found error because file ForumTest123 does not exist on your server. Instead, the NOIP system returns a 200 Found. Two, the page says to click a link to forward to your 192.168.43.71:8080 and this will not work from the public internet. Addresses that begin with 192.168 are private addresses only.

You need to have a working website with HTTP before you can get a cert using the Let's Encrypt HTTP challenge. Once you have a site working we can help you get a cert.

curl -i srimuang.ddns.net/.well-known/acme-challenge/ForumTest123

HTTP/1.1 200 Found
Date: Sun, 19 Jun 2022 14:14:44 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 1017
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "http://www.w3.org/TR/html4/frameset.dtd">
<html>
<!-- WEB REDIRECTION PROVIDED BY NOIP.COM  http://www.noip.com/ -->
<head>
<TITLE></TITLE>
<meta name="keywords" content="">
<meta name="description" content="">
<link rel="icon" href="http://192.168.43.71:8080/favicon.ico" type="image/ico">
<link rel="shortcut icon" href="http://192.168.43.71:8080/favicon.ico">
</head>
<!--
<script language="JavaScript">
if(window != top) {
        top.location.href = location.href;
}
</script>
-->
<frameset  rows="*,29" >
        <frame src="http://192.168.43.71:8080/.well-known/acme-challenge/ForumTest123" name="redir_frame" frameborder=0>

        <frame src="http://srimuang.ddns.net/KHgKKjl_popupgoogle.html" noresize="noresize" scrolling="no" name="ad_frame"
frameborder="0">
        <noframes>
        Sorry, your browser does not support frames.  Click <a href="http://192.168.43.71:8080/.well-known/acme-challenge/ForumTest123" TARGET=_top>here</A>
        </noframes>
</frameset>

</html>
4 Likes

idk why my http:// doesn't work
it show
not secure i my site
my host name Protocol http:// already set to no-ip
also in my docker-compose.yml
url: http://srimuang.ddns.net

do i need to buy a router ?
or i need to register more account in no-ip
to cname my public ip to private ip ??

Respectfully, I think you should buy a hosting service. You say you are "too new for this". I agree.

There are hosting services designed for people to easily setup websites, blogs, and similar. It will avoid much of the complexity that you are having trouble with. Maybe some future day as you learn more you may be able to setup a working system on your own.

3 Likes