Can't run certbot on Apache (Timeout during connect (likely firewall problem))

My domain is:

next-it.pt

I ran this command:

sudo certbot --apache -v

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.


1: next-it.pt
2: www.next-it.pt


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Certificate is due for renewal, auto-renewing...
Renewing an existing certificate for next-it.pt and www.next-it.pt
Performing the following challenges:
http-01 challenge for next-it.pt
http-01 challenge for www.next-it.pt
Waiting for verification...
Challenge failed for domain www.next-it.pt
Challenge failed for domain next-it.pt
http-01 challenge for www.next-it.pt
http-01 challenge for next-it.pt

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: www.next-it.pt
Type: connection
Detail: 62.48.220.98: Fetching http://www.next-it.pt/.well-known/acme-challenge/7sYyjHfbI40i_EufRvbS7kKVeku5jG2gtukf0QVStcw: Timeout during connect (likely firewall problem)

Domain: next-it.pt
Type: connection
Detail: 62.48.220.98: Fetching http://next-it.pt/.well-known/acme-challenge/SCFfdv3ryLd1YqUXjKsBw0f98hmvmdfbvfe3wBMw5a8: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):

Server version: Apache/2.4.41 (Ubuntu)
Server built: 2023-01-23T18:36:09

The operating system my web server runs on is (include version):

Ubuntu 20.04.5 LTS

I can login to a root shell on my machine (yes or no, or I don't know):

Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

No.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 1.32.2

Hi @joseraeiro, and welcome to the LE community forum :slight_smile:

Something has changed since the last certificate renewal/issuance.

curl -Ii www.next-it.pt
curl: (56) Recv failure: Connection reset by peer

Hello @rg305,

Thank you for your reply.

And what can be done about it?

I'd start by checking the firewall:


@rg305 and what should I be searching in the Firewall? Do you know? Can you help?

Not much is getting into your domain

$ nmap -Pn www.next-it.pt
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2023-02-10 10:24 PST
Nmap scan report for www.next-it.pt (62.48.220.98)
Host is up (0.17s latency).
Not shown: 999 filtered ports
PORT    STATE  SERVICE
113/tcp closed ident

Nmap done: 1 IP address (1 host up) scanned in 16.56 seconds

This is not a firewall assistance forum.
Do you have a firewall?
Who manages it?


Let's take a step back [I take nothing for granted].

Please confirm the IP address, with:
curl ipconfig.io


I do apologize. I'll check it myself.

62.48.220.97

(ran from inside the server containing the website)

Yet https://dnsspy.io/scan/next-it.pt shows only


And nmap for that IPv4 Address

$ nmap -Pn 62.48.220.97
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2023-02-10 10:32 PST
Nmap scan report for 62.48.220.97
Host is up (0.17s latency).
Not shown: 999 filtered ports
PORT    STATE  SERVICE
113/tcp closed ident

Nmap done: 1 IP address (1 host up) scanned in 13.44 seconds

Then I have to update my DNS records to point the A entry to 62.48.220.97?

So how's the website being served on port 443?

Maybe.

You have to do, whatever you have to do, to make sure the site works properly [via HTTP] before trying to secure it [using HTTP-01 authentication].


I asked for the manager to disable all the firewall rules for incoming connections, but same result.

And, apparently, 62.48.220.97 is the IP that the machine is using for outbound connections.

You should try using the Let's Debug test site (link here). It tests the comms and other items.

I also time-out trying to reach your domain or the IP you show.

Can you connect to that domain with HTTP from outside your own network? You could use a mobile phone with wifi off to use your carrier's network. Based on what we see that would fail.

You should consult with your network experts to resolve this.


Can you reach your site via HTTP from the Internet?


Please remember Let’s Encrypt offers Domain Validation (DV) certificates.
So whatever the domain name(s) map to for IP addresses is what Let's Encrypt must use for Domain Validation; the exception being the DNS-01 challenge (which is based off of a DNS record).

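The checks the replies above walk through by hand (does each name resolve to this host, does the outbound IP from `curl ipconfig.io` match the A record, and can `/.well-known/acme-challenge/` actually be fetched over plain HTTP before certbot is re-run) can be scripted as a pre-flight. The following is an added example written for this thread, not certbot's or the forum's code. It assumes a webroot path and the outbound IP are passed on the command line, and the DNS resolver and HTTP fetcher are injectable so the decision logic can be exercised offline with constructed inputs; the names and addresses in the test are constructed, not real hosts.

```python
#!/usr/bin/env python3
"""Pre-flight for an HTTP-01 renewal: does each name resolve to this host, and
can the /.well-known/acme-challenge/ path be fetched over plain HTTP?
Added example for this thread; not certbot's own code."""
import os
import secrets
import socket
import sys
import urllib.error
import urllib.request

ACME_DIR = "/.well-known/acme-challenge/"


def resolve(name, resolver=socket.getaddrinfo):
    """All IPv4/IPv6 addresses `name` resolves to, or [] if it has none."""
    try:
        infos = resolver(name, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def http_get(url, timeout=10):
    """Default fetcher: returns (status, body). Connect failures and timeouts
    raise OSError, which is the 'Timeout during connect' case certbot reported."""
    req = urllib.request.Request(url, headers={"User-Agent": "acme-preflight"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, ""


def write_token(webroot, token):
    """Place a probe file where Apache serves /.well-known/acme-challenge/."""
    d = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(d, exist_ok=True)
    path = os.path.join(d, token)
    with open(path, "w") as f:
        f.write(token)
    return path


def verdict(name, addrs, outbound_ip, token, fetch=http_get):
    """Classify one name as (reachability, dns_note).

    reachability: "no-address", "unreachable", "wrong-response:<status>", "ok"
    dns_note:     "dns-matches-outbound-ip" or "dns-differs-from-outbound-ip".
    A difference is normal behind NAT (the thread's .97 outbound vs .98 in DNS),
    but then an inbound DNAT/port-forward for tcp/80 must exist on the edge.
    """
    if not addrs:
        return "no-address", "dns-differs-from-outbound-ip"
    note = ("dns-matches-outbound-ip" if outbound_ip in addrs
            else "dns-differs-from-outbound-ip")
    try:
        status, body = fetch(f"http://{name}{ACME_DIR}{token}")
    except OSError:
        return "unreachable", note
    if status == 200 and body.strip() == token:
        return "ok", note
    return f"wrong-response:{status}", note


def preflight(names, outbound_ip, token, resolver=socket.getaddrinfo, fetch=http_get):
    """Run verdict() for every name; returns {name: (reachability, dns_note)}."""
    return {n: verdict(n, resolve(n, resolver), outbound_ip, token, fetch)
            for n in names}


if __name__ == "__main__":
    if len(sys.argv) < 4:
        sys.exit(f"usage: {sys.argv[0]} WEBROOT OUTBOUND_IP NAME [NAME...]\n"
                 "  OUTBOUND_IP: what `curl ipconfig.io` printed on the server")
    webroot, outbound, names = sys.argv[1], sys.argv[2], sys.argv[3:]
    probe = secrets.token_urlsafe(16)
    path = write_token(webroot, probe)
    try:
        for name, (reach, note) in preflight(names, outbound, probe).items():
            print(f"{name:30} {reach:22} {note}")
    finally:
        os.remove(path)
    print("note: an 'ok' from inside the network proves the vhost; the CA fetches "
          "from the Internet, so repeat the fetch from outside (e.g. a phone on "
          "carrier data) before re-running certbot")
```

The "unreachable" verdict with "dns-differs-from-outbound-ip" is exactly the situation in this thread: the name resolves, but nothing answers on tcp/80 from the outside, so the next place to look is the edge firewall or NAT rule for the address in DNS, not Apache.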

I am able to navigate correctly to the site by using my cellphone with my carrier's network (both http://next-it.pt and https://next-it.pt are working)

Read above.