Hello,
I want to run a VPN server behind a firewall using the OpenVPN port 1194, and I am trying to get a certificate for that.
That's the only port pointing to that machine from the Internet (at the moment).
I can connect through SSH from the Internet, but that access is locked to a few specific IP addresses.
I tried to read through similar topics but couldn't really find a solution to my problem (my English might not be good enough to filter relevant answers from other topics).
What I did / tried so far:
First I stopped the VPN-Server to free up the port (1194).
Then I tried to get a certificate from LE.
- Command:
certbot certonly --tls-sni-01-port 1194
(selected ‘1: Spin up a temporary webserver (standalone)’ at the prompt)
- Output:
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for enzian.vpn.eiskalt.at
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. enzian.vpn.eiskalt.at (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: enzian.vpn.eiskalt.at
Type: connection
Detail: Timeout
The following attempts were made with a web server (nginx) started and listening on 1194
(the web server was accessible and responded with the standard page).
- Command:
certbot certonly --webroot -w /usr/share/nginx/html/ -d enzian.vpn.eiskalt.at --tls-sni-01-port 1194
- Output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for enzian.vpn.eiskalt.at
Using the webroot path /usr/share/nginx/html for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. enzian.vpn.eiskalt.at (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://enzian.vpn.eiskalt.at/.well-known/acme-challenge/8aylDqLw6qQPCLJm0gz-8JxYrBYzdXiSPtKYFGanbNA: Timeout
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: enzian.vpn.eiskalt.at
Type: connection
Detail: Fetching
http://enzian.vpn.eiskalt.at/.well-known/acme-challenge/8aylDqLw6qQPCLJm0gz-8JxYrBYzdXiSPtKYFGanbNA:
Timeout
- Tried with http-01 instead of tls-sni-01
- Command:
certbot certonly --webroot -w /usr/share/nginx/html/ -d enzian.vpn.eiskalt.at --http-01-port 1194
- Output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for enzian.vpn.eiskalt.at
Using the webroot path /usr/share/nginx/html for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. enzian.vpn.eiskalt.at (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://enzian.vpn.eiskalt.at/.well-known/acme-challenge/Xpkh3Zm9kKHQMsPwfKpZ2NCMrclYUxfmxzFzk4095NA: Timeout
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: enzian.vpn.eiskalt.at
Type: connection
Detail: Fetching
http://enzian.vpn.eiskalt.at/.well-known/acme-challenge/Xpkh3Zm9kKHQMsPwfKpZ2NCMrclYUxfmxzFzk4095NA:
Timeout
It seems to me as if this procedure (getting a certificate with certbot) needs two ports (80 and 443).
If this is the case, would it be possible to use port 1194 for http (with --http-01-port 1194) and port 44300 for https (with --tls-sni-01-port 44300), as ports 80 and 443 are not available (I don't get them forwarded to my machine)?
I am not in charge of the firewall, so I don't want to try different options, because I always have to ask others to change settings.
If ports below 1024 are needed, I may be able to request forwarding from 81 and 444 (or something similar). The administrator of the firewall is in general not too happy to open ports below 1024 to be accessible from everywhere on the Internet. If ports below 1024 are needed, is there a possibility to limit access to an IP or IP range?
Or do I have an error in the commands I tried to obtain a certificate?
Kind regards
Oliver
Please fill out the fields below so we can help you better.
My domain is:
enzian.vpn.eiskalt.at
I ran this command:
more than one … listed above
It produced this output:
more than one … listed above
My web server is (include version):
nginx/1.10.2
The operating system my web server runs on is (include version):
Centos Linux 7
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know):
yes, but locked to specific IP-addresses
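The ACME validator connects to port 80 of the domain for http-01 (and to 443 for tls-sni-01) regardless of the --http-01-port / --tls-sni-01-port values given to certbot; those flags only change the local port certbot binds to, for setups that forward port 80 or 443 to it. As an added pre-flight check (example code, not part of the original post and not certbot's own), the script below computes the key authorization the validator expects and checks a served response the way the validator does; the account JWK is a constructed dummy, and the token is the one from the first webroot attempt above.

```python
import base64
import hashlib
import json
from urllib.request import urlopen

def b64url(data: bytes) -> str:
    # base64url without '=' padding, as used everywhere in ACME (RFC 8555)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def canonical_jwk(jwk: dict) -> str:
    # RFC 7638: only the required public members, sorted lexically, no whitespace
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))

def jwk_thumbprint(jwk: dict) -> str:
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())

def key_authorization(token: str, jwk: dict) -> str:
    # The body the validator expects at the challenge URL: <token>.<thumbprint>
    return f"{token}.{jwk_thumbprint(jwk)}"

def challenge_url(domain: str, token: str) -> str:
    # The CA always fetches this over plain HTTP on port 80; --http-01-port only
    # changes the local port certbot binds, for setups that forward 80 to it.
    return f"http://{domain}/.well-known/acme-challenge/{token}"

def response_is_valid(body: bytes, token: str, jwk: dict) -> bool:
    # Exact match; trailing whitespace is tolerated, as RFC 8555 allows
    return body.decode("utf-8", "replace").rstrip() == key_authorization(token, jwk)

def preflight(domain: str, token: str, jwk: dict, timeout: float = 10.0) -> str:
    # Run this from a host OUTSIDE the firewall before invoking certbot.
    # Returns "ok", "wrong-body" or "unreachable: ..." (the CA's "Timeout" case).
    try:
        with urlopen(challenge_url(domain, token), timeout=timeout) as resp:
            return "ok" if response_is_valid(resp.read(), token, jwk) else "wrong-body"
    except OSError as exc:
        return f"unreachable: {exc}"

# Constructed account key for demonstration only (not a real key pair);
# the token is the one the CA tried to fetch in the first webroot attempt.
EXAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "c29tZS1jb25zdHJ1Y3RlZC1tb2R1bHVz"}
EXAMPLE_TOKEN = "8aylDqLw6qQPCLJm0gz-8JxYrBYzdXiSPtKYFGanbNA"
```

Place the output of key_authorization(...) in the webroot at the challenge path, then call preflight(...) from outside the firewall; if it returns "unreachable", the CA will see the same Timeout regardless of which local port certbot uses.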