Cant renew cert http-01 challenge error

#1

hi all,

im trying to renew my cert via certbot but i get this error, i dont know why as i have done a port forward to my server (443) and i can connect to my apache welcome page externally ie not in my company ie https://blah.com

certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

Which names would you like to activate HTTPS for?


1: hftp.hackenbacker.com


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 1
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for hftp.hackenbacker.com
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. hftp.hackenbacker.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to v erify the domain :: Fetching http://hftp.hackenbacker.com/.well-known/acme-challenge/OqduhAT2VW2BdnJ3f0_lrdiOq0l_UHoIfZDub0HzoWA: Timeout during connect (likely firewall problem)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: hftp.hackenbacker.com
    Type: connection
    Detail: Fetching
    http://hftp.hackenbacker.com/.well-known/acme-challenge/OqduhAT2VW2BdnJ3f0_lrdiOq0l_UHoIfZDub0HzoWA:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

this error seems to me its trying to renew my cert via 80?

cheers,
rob

#2

Hi @robertkwild

you have two different ip addresses (non-www and www):

Host T IP-Address is auth. ∑ Queries ∑ Timeout
hftp.hackenbacker.com A 217.138.11.250 yes 1 0
AAAA yes
www.hftp.hackenbacker.com A 23.251.134.60 yes 1 0
AAAA yes

But your non-www doesn’t answer (checked with https://check-your-website.server-daten.de/?q=hftp.hackenbacker.com ):

Domainname Http-Status redirect Sec. G
http://www.hftp.hackenbacker.com/
23.251.134.60 302 http://www.hftp.hackenbacker.com/holdingpage/ 0.053 D
http://hftp.hackenbacker.com/
217.138.11.250 -14 10.024 T
Timeout - The operation has timed out
http://www.hftp.hackenbacker.com/holdingpage/ 200 0.050 H
https://hftp.hackenbacker.com/
217.138.11.250 403 5.676 M
Forbidden
https://www.hftp.hackenbacker.com/
23.251.134.60 -4 0.083 W
SendFailure - The underlying connection was closed: An unexpected error occurred on a send. Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
http://www.hftp.hackenbacker.com:443/
23.251.134.60 -3 0.083 A
ReceiveFailure - The underlying connection was closed: An unexpected error occurred on a receive. Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
http://hftp.hackenbacker.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
217.138.11.250 -14 10.023 T
Timeout - The operation has timed out
http://www.hftp.hackenbacker.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
23.251.134.60 404 0.050 A
Not Found

Letsencrypt checks a file in /.well-known/acme-challenge, but the 217.* - ip address doesn’t answer.

So first step: Check your configuration so http + non-www answers.

The www version answers correct with a http status 404 - not found.

#3

mmm… thats wierd as when you go on the website it does answer as i get the apache welcome page -

https://hftp.hackenbacker.com

the www doesnt answer atall

https://www.hftp.hackenbacker.com

we host the non www one but not the www one, an external company manages the www one for us

do you think i should change the public DNS a name for 217.138.11.250 to ftp.hackenbacker.co, will that work as that ip points to our firewall/router

#4

That’s the https version, not the http version. If you want to use http-01 validation, an open port 80 is required. That port may redirect to https.

#5

yes, i want to validate or renew the https one (hftp.hackenbacker.com) the non-www via port 443 and NOT port 80 as i havnt got that open on my firewall/router, the only nat i have open or done is the port 443 with the address 217.138.11.250

so how do i get certbot to renew the https one please

#6

so the only option is to port forward port 80 and then the renew process will work?

#7

That’s not possible if you want to use http-01 - validation. First request - port 80.

Is this a home server? Letsencrypt connects your domain via port 80, that must be possible. Then you can send a http redirect to port 443.

closed #8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.