I ran this command:
certbot --apache -m david.t.tao@gmail.com.tw -d am.e-tec.com.tw
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for am.e-tec.com.tw
Waiting for verification...
Challenge failed for domain am.e-tec.com.tw
http-01 challenge for am.e-tec.com.tw
Cleaning up challenges
Some challenges have failed.
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
My web server is (include version):
apache2 2.4.41
The operating system my web server runs on is (include version):
Ubuntu 20.04 Server
My hosting provider, if applicable, is:
No
I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.40.0
I have tested port 80, and it seems OK, as the following output shows:
23/02/2025 15:41.07/home/mobaxterm > telnet am.e-tec.com.tw 80
Trying 211.22.223.203...
Connected to am.e-tec.com.tw.
Escape character is '^]'.
Offtopic:
The only thing I see is "Feb 23" which is just the silly, illogical order in which (mainly) Americans write their dates. Month of the year before the day of the month instead of day first and month after like normal people do.
I assume this web application is set to Murica language by default. When you change the interface language to e.g. "English (UK)" it shows the normal date notation
Yes, I also tested using Let's Debug and got the same result before creating this topic. I don't understand why; all settings are the same. Each time I just need to map port 80 on my firewall to the web site and then run 'certbot --apache' and all settings will be done, except this time! I have no idea why Let's Debug says so, but when I tested, I believe port 80 for am.e-tec.com.tw is open.
The following is from using telnet to test when the FW is enabled to map port 80:
23/02/2025 18:35.15 /home/mobaxterm telnet am.e-tec.com.tw 80
Trying 211.22.223.203...
Connected to am.e-tec.com.tw.
Escape character is '^]'.
telnet>
And running the certbot --apache command with port 80 open:
# certbot --apache -m david.t.tao@gmail.com.tw -d am.e-tec.com.tw
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for am.e-tec.com.tw
Waiting for verification...
Challenge failed for domain am.e-tec.com.tw
http-01 challenge for am.e-tec.com.tw
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: am.e-tec.com.tw
Type: connection
Detail: 211.22.223.203: Fetching
http://am.e-tec.com.tw/.well-known/acme-challenge/9zT8v_0-Iq7_ekAyZr2oFea0PogwHM9DSyEDTHpZjJs:
Connection reset by peer <----------------!!!!!--->
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
The following is from using telnet to test when the FW is disabled from mapping port 80:
23/02/2025 18:43.38 /home/mobaxterm telnet am.e-tec.com.tw 80
Trying 211.22.223.203...
telnet: Unable to connect to remote host: Connection timed out
And running the certbot --apache command with port 80 closed:
# certbot --apache -m david.t.tao@gmail.com.tw -d am.e-tec.com.tw
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for am.e-tec.com.tw
Waiting for verification...
Challenge failed for domain am.e-tec.com.tw
http-01 challenge for am.e-tec.com.tw
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: am.e-tec.com.tw
Type: connection
Detail: 211.22.223.203: Fetching
http://am.e-tec.com.tw/.well-known/acme-challenge/19oBLz0lcjq5Fpt5VlBTPkYBkwZGAsLiL8JgAqP226w:
Timeout during connect (likely firewall problem) <----------------!!!!!--->
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
As you can see, the two outputs are not the same. Can you give me some troubleshooting tips or direction?
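The two certbot runs above end in different errors, and the difference is diagnostic: "Connection reset by peer" means the TCP handshake completed and then something on the path (the server, or a firewall between it and the client) aborted the connection with a RST, whereas "Timeout during connect" means nothing answered at all, which is what a firewall that silently drops packets looks like. The script below is an added example, not code from certbot, Let's Encrypt or anyone in this thread. It probes a challenge URL the way a validation server would (a plain HTTP GET for /.well-known/acme-challenge/<token>) and classifies the outcome, then reproduces the cases on loopback with three local stand-ins: a responder that serves the token correctly, a listener that aborts every connection with RST, and a port with nothing listening. The token is the one from the certbot output above; the key-authorization suffix, port numbers and function names are constructed for the example.

```python
"""Classify HTTP-01 probe outcomes (ok / http-error / closed / reset / refused /
timeout) against local stand-ins. Added example, not certbot's own code."""
import http.server
import socket
import struct
import threading

ACME_PATH = "/.well-known/acme-challenge/"
# Token copied from the certbot output in this thread. The thumbprint suffix is
# a constructed placeholder: a real key authorization is token + "." + the
# base64url SHA-256 thumbprint of the ACME account key.
TOKEN = "9zT8v_0-Iq7_ekAyZr2oFea0PogwHM9DSyEDTHpZjJs"
KEY_AUTHORIZATION = TOKEN + ".constructed-thumbprint-placeholder"


def probe_http01(host, port, token, timeout=5.0):
    """Raw HTTP/1.0 GET for the challenge URL; returns (status, detail).
    status: 'ok' (detail = body), 'http-error' (detail = status line),
    'closed' (FIN, no response), 'reset' (RST after connect),
    'refused' (nothing listening), 'timeout' (silently dropped)."""
    request = (f"GET {ACME_PATH}{token} HTTP/1.0\r\n"
               f"Host: {host}\r\n\r\n").encode("ascii")
    chunks = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
    except socket.timeout:
        return ("timeout", f"no reply within {timeout:.1f}s (packets dropped)")
    except ConnectionRefusedError:
        return ("refused", "RST answered the SYN: nothing listening")
    except (ConnectionResetError, BrokenPipeError) as exc:
        return ("reset", f"handshake completed, then RST: {exc}")
    raw = b"".join(chunks)
    if not raw:
        return ("closed", "peer closed without an HTTP response")
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    fields = status_line.split(" ", 2)
    code = int(fields[1]) if len(fields) > 1 and fields[1].isdigit() else 0
    if code == 200:
        return ("ok", body.decode("ascii", "replace").strip())
    return ("http-error", status_line)


class _ChallengeHandler(http.server.BaseHTTPRequestHandler):
    """Serves one token at the ACME path, standing in for the temporary
    vhost config certbot's apache plugin adds during validation."""
    token = ""
    key_authorization = ""

    def do_GET(self):
        if self.path != ACME_PATH + self.token:
            self.send_error(404)
            return
        body = self.key_authorization.encode("ascii")
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_challenge_server(token, key_authorization):
    """Loopback HTTP server answering the challenge; returns (server, port)."""
    handler = type("Handler", (_ChallengeHandler,),
                   {"token": token, "key_authorization": key_authorization})
    server = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def start_reset_server():
    """Accept each connection, then abort it with RST (SO_LINGER timeout 0):
    the client-side picture behind 'Connection reset by peer'.
    Returns (listening_socket, port); close the socket to stop it."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)

    def loop():
        while True:
            try:
                conn, _ = listener.accept()
            except OSError:
                return  # listener closed
            conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
                            struct.pack("ii", 1, 0))
            conn.close()

    threading.Thread(target=loop, daemon=True).start()
    return listener, listener.getsockname()[1]


def unused_port():
    """A loopback port with nothing listening, for the 'refused' case."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    server, port = start_challenge_server(TOKEN, KEY_AUTHORIZATION)
    print("correct responder:", probe_http01("127.0.0.1", port, TOKEN))
    server.shutdown()
    listener, port = start_reset_server()
    print("RST on the path:  ", probe_http01("127.0.0.1", port, TOKEN))
    listener.close()
    print("nothing listening:", probe_http01("127.0.0.1", unused_port(), TOKEN))
```

Pointing probe_http01 at a real hostname only tells you what the machine you run it from sees; the validation server connects from Let's Encrypt's own vantage points, so a probe from outside your network (or a multi-location tool such as Let's Debug, mentioned above) is the check that matters. The timeout branch is deliberately not exercised on loopback, because a dropped-packet timeout needs a host that never answers.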
I'm not sure what else people here would be able to help you with. As stated, your site isn't accessible from the Internet. (Here's one site showing failure to connect from many places around the world.) If your site is intended to be publicly accessible, you need to fix that in order to get a certificate. If your site is only intended to be visible to a small group internal to some network, then if you have publicly-available authoritative DNS servers you may be able to switch to the DNS-01 challenge, but it sounds like you're expecting your site to be publicly visible. So you need to figure out what's blocking it from the rest of the world.
Hi Peter and Nekit, thanks for your help. Finally I realized what "Connection reset by peer" means and found the mistake I made (one of the middle FWs I recently added, but forgot to open it..) ^_^!