Can't install Cert on an Oracle VPS, Firewall Issue?

Hello,

My domain is: oracle.fireballdev.tech

I ran this command: certbot certonly -v -d oracle.fireballdev.tech

It produced this output:
root@instance-20221230-1720:~# certbot certonly -v -d oracle.fireballdev.tech
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?


1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator standalone, Installer None
Requesting a certificate for oracle.fireballdev.tech
Performing the following challenges:
http-01 challenge for oracle.fireballdev.tech
Waiting for verification...
Challenge failed for domain oracle.fireballdev.tech
http-01 challenge for oracle.fireballdev.tech

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: oracle.fireballdev.tech
Type: connection
Detail: 130.61.120.104: Fetching http://oracle.fireballdev.tech/.well-known/acme-challenge/yDBVUrrMfzzceMo68JlBPou-XDm-Hvmj1SUbnFLz6vg: Error getting validation data

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
root@instance-20221230-1720:~#

My web server is (include version): Have none. Need it for a Pterodactyl Wing to communicate via SSL

My hosting provider, if applicable, is: Oracle

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.21.0

Here are my firewall rules set on Oracle: https://i.imgur.com/RUNLBb4.png; theoretically it should allow all traffic.

Additional note: I am trying to set up a Pterodactyl Wing and let it communicate with my Pterodactyl Panel over SSL.

Hello @Fireball0201, welcome to the Let's Encrypt community. :slightly_smiling_face:

You are using the HTTP-01 challenge (see Challenge Types - Let's Encrypt).
HTTP-01 requires port 80 to be open (see Best Practice - Keep Port 80 Open).

The only port I see open is 22; you need to open port 80 and likely want 443 as well.

$ nmap -Pn oracle.fireballdev.tech
Starting Nmap 7.80 ( https://nmap.org ) at 2023-03-15 17:02 UTC
Nmap scan report for oracle.fireballdev.tech (130.61.120.104)
Host is up (0.72s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 1 IP address (1 host up) scanned in 75.98 seconds
1 Like

Thanks for your fast answer, but what should I change in my firewall settings at Oracle (see the screenshot I sent before)? Theoretically it should allow all traffic. On the server itself port 80 should be open, as well as 443.

2 Likes

Using Let's Debug yields these results: https://letsdebug.net/oracle.fireballdev.tech/1408885

And here are 2 online remote port scanners to also check your inbound connections.

And here is an Oracle Forum that would be a better place to find out how to operate their firewall.

1 Like

@Bruce5051 Bruce, stand-alone authentication. Many of our common debug tools won't work the same. I am away and can't step in; just wanted to refocus the thread.

4 Likes

Thanks @MikeMcQ for the course correction, much appreciated! :slight_smile:

2 Likes

Hello @Fireball0201, can you attach the letsencrypt.log logfile to your next post?
or the logfile from

Thanks! :slight_smile:

1 Like

Should be the latest log: 2023-03-15 17:30:23,262:DEBUG:acme.client:Storing nonce: F977jnK19goygEATTiwAIDZ - Pastebin.com

1 Like

Thanks; it looks like starting about line 98 95 of the link you posted is starting to show the issue.

Kindly wait for more knowledgeable Let's Encrypt community volunteers to assist. :slight_smile:

2 Likes

Since there is no full-time web service, troubleshooting is a bit more complicated.
I would suggest using the --debug-challenges flag to pause Certbot; we can then check access to it during that pause.

3 Likes

Actually now I am thinking line 74 range.

1 Like

Also, can you share the output of

curl ifconfig.co

or/and

curl ifconfig.io

1 Like

root@instance-20221230-1720:~# curl ifconfig.io
130.61.120.104
root@instance-20221230-1720:~# curl ifconfig.co
130.61.120.104
root@instance-20221230-1720:~#

1 Like

root@instance-20221230-1720:~# certbot certonly -v -d oracle.fireballdev.tech --debug-challenges
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?


1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator standalone, Installer None
Requesting a certificate for oracle.fireballdev.tech
Performing the following challenges:
http-01 challenge for oracle.fireballdev.tech


Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about
challenges.


Press Enter to Continue

How long do I have to wait until I should press Enter?

Thank you, that matches what is expected.

1 Like

Until @rg305 has a chance to check your domain name (and IP Address) from his location.

2 Likes

I can't reach your Certbot standalone. Is it still paused? If so, you probably have a firewall blocking (filtering) port 80. Check your network config in Oracle and any other network gear.

curl -i http://oracle.fireballdev.tech/.well-known/acme-challenge/Test123
curl: (7) Failed to connect to oracle.fireballdev.tech port 80 after 105 ms: No route to host
3 Likes
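The reachability test in the reply above (fetching the challenge path while Certbot is paused with --debug-challenges), as an added Python example that is not part of the thread: it requests the same URL and maps the outcome to the diagnosis used here, a timeout or "No route to host" meaning a firewall is filtering port 80, "connection refused" meaning the port is reachable but Certbot is not listening, and an HTTP reply meaning the standalone server answered. The hostname and challenge path are the thread's; the local stand-in server in local_demo is constructed so the example runs offline.

```python
"""Probe a paused certbot standalone (--debug-challenges) from outside. Added example,
not from the thread: it repeats the curl test above and classifies the outcome."""
import errno
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PATH = "/.well-known/acme-challenge/Test123"  # path rg305 tested
NO_ROUTE = (errno.EHOSTUNREACH, errno.ENETUNREACH)  # "No route to host" errnos

def classify(exc):
    """Map a connection failure to the thread's firewall/listener diagnosis."""
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "filtered"  # SYN silently dropped by a firewall
    if isinstance(exc, ConnectionRefusedError):
        return "refused"  # port reachable, nothing listening (certbot not paused?)
    if isinstance(exc, OSError) and exc.errno in NO_ROUTE:
        return "filtered"  # ICMP unreachable: a firewall is rejecting the packet
    return "error"

def probe(host, port=80, path=CHALLENGE_PATH, timeout=5.0):
    """GET the challenge URL like `curl -i` and report what happened."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return {"state": "http", "status": resp.status, "body": resp.read()}
    except (OSError, http.client.HTTPException) as exc:
        return {"state": classify(exc), "status": None, "body": b""}
    finally:
        conn.close()

class _StandIn(BaseHTTPRequestHandler):
    """Constructed stand-in for certbot's standalone server, used by local_demo."""
    def do_GET(self):
        ok = self.path == CHALLENGE_PATH
        self.send_response(200 if ok else 404)
        self.end_headers()
        self.wfile.write(b"token" if ok else b"no such challenge")

def local_demo():
    """Probe a local stand-in listener, then the same port once it is closed."""
    srv = HTTPServer(("127.0.0.1", 0), _StandIn)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    port = srv.server_address[1]
    served = probe("127.0.0.1", port, timeout=2.0)
    srv.shutdown()
    srv.server_close()  # nothing listens on that port now -> expect "refused"
    return served, probe("127.0.0.1", port, timeout=2.0)
```

Against the thread's host, `probe("oracle.fireballdev.tech")` returns state "filtered" for as long as port 80 is blocked, which matches the curl result above.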

It still says 'Press Enter to continue'. Here is an image of my Oracle firewall ingress rules: https://i.imgur.com/xWGFBOM.png

Well, it looks like a firewall issue somewhere between your domain name and the public Internet.

As this is what I am presently seeing:

$ curl -Ii http://oracle.fireballdev.tech/.well-known/acme-challenge/sometestfile
curl: (7) Failed to connect to oracle.fireballdev.tech port 80 after 176 ms: No route to host
$ nmap -Pn oracle.fireballdev.tech
Starting Nmap 7.80 ( https://nmap.org ) at 2023-03-15 19:10 UTC
Nmap scan report for oracle.fireballdev.tech (130.61.120.104)
Host is up (0.52s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 1 IP address (1 host up) scanned in 73.53 seconds
1 Like

I don't know how Oracle VPSs work, but those rules look odd. There are duplicates and overlapping rules, although I don't see anything obviously "broken".

I can reach something on port 22 just not on 80.

This gets "farther" than requests to port 80:

curl -i oracle.fireballdev.tech:22
curl: (1) Received HTTP/0.9 when not allowed
3 Likes