Cant get port 80 to work

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

My domain is:
turn.jonsweb.io

I ran this command:
sudo certbot certonly -d turn.jonsweb.io --dry-run -v

It produced this output:
Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

My web server is (include version):
I am not trying to use a web server. I am just tying to get a TLS cert for something else.

The operating system my web server runs on is (include version):
Ububntu 20.04

My hosting provider, if applicable, is:
Contabo

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.20.0

I have litterly tried everything and I don't know why port 80 is not working. I have opened the port every way possible, shut down everything using port 80 and it doesn't to anything. plesle help me fix this.

@jon_will I do not have a specific suggestion but this may help debug. Add a --debug-challenge flag and Certbot will pause after creating the challenge file leaving its standalone server running.

Then, try reaching that Certbot server with curl turn.jonsweb.io

Use https://letsdebug.net instead of the curl - it may show more clues.

Update: And, welcome to the community :slight_smile:

2 Likes

That's great advice for debugging.

The ICMP messages show that port 80 is being actively blocked by a firewall. That might be on the server machine itself, but it might be at the upstream ISP. That is, the ISP might be blocking this deliberately.

2 Likes

Thanks but it is a webserver. I know for a fact that it will work but when is another question

1 Like

That confuses me...
Why are you then using certbot with --standalone ?

Maybe there are some clues in the log file.
/var/log/letsencrypt/letsencrypt.log

15:19:08.464945 IP demorgan.52006 > vmi590915.contaboserver.net.http: Flags [S], seq 587911896, win 64240, options [mss 1460,sackOK,TS val 4181462066 ecr 0,nop,wscale 10], length 0
15:19:08.793170 IP vmi590915.contaboserver.net > demorgan: ICMP host vmi590915.contaboserver.net unreachable - admin prohibited, length 68
15:19:19.473332 IP demorgan.52008 > vmi590915.contaboserver.net.http: Flags [S], seq 2058521563, win 64240, options [mss 1460,sackOK,TS val 4181473075 ecr 0,nop,wscale 10], length 0
15:19:19.749195 IP vmi590915.contaboserver.net > demorgan: ICMP host vmi590915.contaboserver.net unreachable - admin prohibited, length 68
15:19:25.038477 IP demorgan > vmi590915.contaboserver.net: ICMP echo request, id 49, seq 1, length 64
15:19:25.199720 IP vmi590915.contaboserver.net > demorgan: ICMP host vmi590915.contaboserver.net unreachable - admin prohibited, length 92
15:19:26.039664 IP demorgan > vmi590915.contaboserver.net: ICMP echo request, id 49, seq 2, length 64
15:19:26.410241 IP vmi590915.contaboserver.net > demorgan: ICMP host vmi590915.contaboserver.net unreachable - admin prohibited, length 92
15:19:33.874477 IP demorgan.42590 > vmi590915.contaboserver.net.https: Flags [S], seq 1230917063, win 64240, options [mss 1460,sackOK,TS val 4181487476 ecr 0,nop,wscale 10], length 0
15:19:34.193974 IP vmi590915.contaboserver.net.https > demorgan.42590: Flags [R.], seq 0, ack 1230917064, win 0, length 0

The same administratively prohibited error comes back from trying to ping this address and from trying to connect on port 80. But not on port 443, which is just a RST. Probably the ISP itself is restricting some kinds of inbound connections.

1 Like

hmmmm.
found this in the logs

2021-10-19 00:13:55,344:DEBUG:acme.client:Storing nonce: 0001tTdSJg5epUAPJ2P-0nBfNntAeO5QsywBwnogYfEwtro
2021-10-19 00:13:55,344:INFO:certbot._internal.auth_handler:Challenge failed for domain turn.jonsweb.io
2021-10-19 00:13:55,344:INFO:certbot._internal.auth_handler:http-01 challenge for turn.jonsweb.io
2021-10-19 00:13:55,344:DEBUG:certbot._internal.display.obj:Notifying user: 
Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: turn.jonsweb.io
  Type:   connection
  Detail: Fetching http://turn.jonsweb.io/.well-known/acme-challenge/EueWlS27qFXsigK43xQ6Cb46v339iBZVU3JUgnU4yiE: Error getting validation data

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

2021-10-19 00:13:55,346:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/snap/certbot/1514/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 90, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/snap/certbot/1514/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 178, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2021-10-19 00:13:55,346:DEBUG:certbot._internal.error_handler:Calling registered functions
2021-10-19 00:13:55,346:INFO:certbot._internal.auth_handler:Cleaning up challenges
2021-10-19 00:13:55,347:DEBUG:certbot._internal.plugins.standalone:Stopping server at :::80...
2021-10-19 00:13:55,807:DEBUG:certbot._internal.log:Exiting abnormally:

It did not start off with --standalone It just took hours of searching and decided to tried it

There's nothing wrong with Certbot here or with your decision to use --standalone. Something (probably your ISP, probably not your own server) is deliberately blocking inbound connections needed by Let's Encrypt for this method.

As a point of comparison, the ability to ping your server is blocked in exactly the same way as the ability to connect to port 80. If the places where you tried to enable/unblock port 80 in your setup didn't also mention blocking pings, then they were probably not actually the part of the system that was responsible for the blockage.

I know this can be frustrating because many environments now have a host firewall, a router firewall, and possibly an upstream policy from the ISP or web host, and the error messages are never clear about which one made the decision to block the connections. So it can be extremely tricky to figure out exactly which of the several firewalls is doing so. Nonetheless, the connections you need to get your certificate are being intentionally blocked by a firewall... somewhere.

2 Likes

But I have gotten a cert before. It's just now it's being extremely hard to work with. I love certbot (I always will) but this time I don't know whats wrong. It has to be with the system thow because if I do a "telnet localhost 80" it does not work, but there is not firewall stopping it this time. I guess it's worth mentioning it is running mailcow docerized but I terned it off for this. Don't know whats wrong

But there are different ways for a TCP connection to fail. In my tcpdump output above, my attempt to connect to port 80 and my attempt to connect to port 443 failed in two different ways: the first with an ICMP error (from a firewall) and the second with a TCP reset packet (possibly from your server itself).

If you do telnet localhost 80 and you get

Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused

then you're not seeing the same error that people out on the Internet are seeing, and it's not coming from the same place or the same reason!

1 Like

By the way, it just started working on port 80 right now, so I'm guessing you found and fixed something relevant! :slight_smile:

1 Like

yes the same thing. Although I see IPv6 in there. hmmmm. What do you think?

There is now an nginx server listening there and redirecting to a different URL (https://mail.jonsweb.io/).

And now it's blocked again!

I shut down the docker service. It is not going so port 80 should be avilible. and yes I shut down docker and it it was blocked. port 80 seems to ublocked when inuse?
._______.

OK I figured it out but I don't know how to fix this. when port 80 is in use the test says it will work. If not in use it say it will not. regardless it will not get the cert.

Interesting. If your Docker container is going to use port 80, you would need to run Certbot inside that container. Otherwise you would need to figure out why port 80 works in that container and do whatever is necessary to make port 80 work outside of it.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.