Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.
I ran this command:
sudo certbot certonly -d turn.jonsweb.io --dry-run -v
It produced this output:
Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.
My web server is (include version):
I am not trying to use a web server. I am just tying to get a TLS cert for something else.
The operating system my web server runs on is (include version):
Ububntu 20.04
My hosting provider, if applicable, is:
Contabo
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.20.0
I have litterly tried everything and I don't know why port 80 is not working. I have opened the port every way possible, shut down everything using port 80 and it doesn't to anything. plesle help me fix this.
@jon_will I do not have a specific suggestion but this may help debug. Add a --debug-challenge flag and Certbot will pause after creating the challenge file leaving its standalone server running.
Then, try reaching that Certbot server with curl turn.jonsweb.io
The ICMP messages show that port 80 is being actively blocked by a firewall. That might be on the server machine itself, but it might be at the upstream ISP. That is, the ISP might be blocking this deliberately.
The same administratively prohibited error comes back from trying to ping this address and from trying to connect on port 80. But not on port 443, which is just a RST. Probably the ISP itself is restricting some kinds of inbound connections.
2021-10-19 00:13:55,344:DEBUG:acme.client:Storing nonce: 0001tTdSJg5epUAPJ2P-0nBfNntAeO5QsywBwnogYfEwtro
2021-10-19 00:13:55,344:INFO:certbot._internal.auth_handler:Challenge failed for domain turn.jonsweb.io
2021-10-19 00:13:55,344:INFO:certbot._internal.auth_handler:http-01 challenge for turn.jonsweb.io
2021-10-19 00:13:55,344:DEBUG:certbot._internal.display.obj:Notifying user:
Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: turn.jonsweb.io
Type: connection
Detail: Fetching http://turn.jonsweb.io/.well-known/acme-challenge/EueWlS27qFXsigK43xQ6Cb46v339iBZVU3JUgnU4yiE: Error getting validation data
Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.
2021-10-19 00:13:55,346:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File "/snap/certbot/1514/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 90, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/snap/certbot/1514/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 178, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2021-10-19 00:13:55,346:DEBUG:certbot._internal.error_handler:Calling registered functions
2021-10-19 00:13:55,346:INFO:certbot._internal.auth_handler:Cleaning up challenges
2021-10-19 00:13:55,347:DEBUG:certbot._internal.plugins.standalone:Stopping server at :::80...
2021-10-19 00:13:55,807:DEBUG:certbot._internal.log:Exiting abnormally:
There's nothing wrong with Certbot here or with your decision to use --standalone. Something (probably your ISP, probably not your own server) is deliberately blocking inbound connections needed by Let's Encrypt for this method.
As a point of comparison, the ability to ping your server is blocked in exactly the same way as the ability to connect to port 80. If the places where you tried to enable/unblock port 80 in your setup didn't also mention blocking pings, then they were probably not actually the part of the system that was responsible for the blockage.
I know this can be frustrating because many environments now have a host firewall, a router firewall, and possibly an upstream policy from the ISP or web host, and the error messages are never clear about which one made the decision to block the connections. So it can be extremely tricky to figure out exactly which of the several firewalls is doing so. Nonetheless, the connections you need to get your certificate are being intentionally blocked by a firewall... somewhere.
But I have gotten a cert before. It's just now it's being extremely hard to work with. I love certbot (I always will) but this time I don't know whats wrong. It has to be with the system thow because if I do a "telnet localhost 80" it does not work, but there is not firewall stopping it this time. I guess it's worth mentioning it is running mailcow docerized but I terned it off for this. Don't know whats wrong
But there are different ways for a TCP connection to fail. In my tcpdump output above, my attempt to connect to port 80 and my attempt to connect to port 443 failed in two different ways: the first with an ICMP error (from a firewall) and the second with a TCP reset packet (possibly from your server itself).
If you do telnet localhost 80 and you get
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused
then you're not seeing the same error that people out on the Internet are seeing, and it's not coming from the same place or the same reason!
I shut down the docker service. It is not going so port 80 should be avilible. and yes I shut down docker and it it was blocked. port 80 seems to ublocked when inuse?
._______.
OK I figured it out but I don't know how to fix this. when port 80 is in use the test says it will work. If not in use it say it will not. regardless it will not get the cert.
Interesting. If your Docker container is going to use port 80, you would need to run Certbot inside that container. Otherwise you would need to figure out why port 80 works in that container and do whatever is necessary to make port 80 work outside of it.
