Cert failing on ACME challenge

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: cloud.ecosprog.net and cloud.ecosprog.com

I ran this command: certbot --nginx

It produced this output: Failed authorization procedure. cloud.ecosprog.net (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://cloud.ecosprog.net/.well-known/acme-challenge/hloCeUiiDhJb4Q7Zy3nNZgiwe-Q04ZuLfiQjnLCYttc: Timeout during connect (likely firewall problem)

My web server is (include version): Nginx (nginx/1.14.0 (Ubuntu)) reverse proxy with Ubuntu 18.04 snap apps running Apache 2

The operating system my web server runs on is (include version): Both nginx reverse proxy and app servers are running Ubuntu 18.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

I have tried to install certs on both app servers before without the reverse proxy and have had the same problem with the ACME challenge. All servers are hosted locally through a static IP and the whole setup works fine with self-signed certs. The port 80 and 443 traffic is forwarded through a fibre router and then through a router/firewall and as stated above this routing works currently with the self-signed certs installed.

Any help with this would be much appreciated.

Hi @ecosprog

Your https works, your http does not - https://check-your-website.server-daten.de/?q=cloud.ecosprog.net

| Domainname | Http-Status | redirect | Sec. | G |
| --- | --- | --- | --- | --- |
| http://cloud.ecosprog.net/ 89.36.80.18 | -14 | | 10.030 | T |
| Timeout - The operation has timed out | | | | |
| http://cloud.ecosprog.net/index.php/login | -14 | | 10.027 | T |
| Timeout - The operation has timed out | | | | |
| https://cloud.ecosprog.net/ 89.36.80.18 | 302 | http://cloud.ecosprog.net/index.php/login | 3.970 | N |
| Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors | | | | |
| http://cloud.ecosprog.net/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 89.36.80.18 | -14 | | 10.077 | T |
| Timeout - The operation has timed out | | | | |

A working port 80 is required to create a certificate. So check your configuration and use the https as template to see why your http doesn’t work.

But you have created a certificate:

| Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
| --- | --- | --- | --- | --- | --- |
| Let’s Encrypt Authority X3 | 2020-01-20 | 2020-04-19 | cloud.ecosprog.net - 1 entries | duplicate nr. 1 | |

So you don’t need a new one; install that certificate.

No http because I had foolishly left the old conf files in place which re-direct to https. Just tried with the original conf files. Port 80 is now working, but both sites fail on the ACME challenge as before.

Interesting that there is a cert for the cloud.ecosprog.net site as I thought all my previous attempts had failed.

Still struggling with this. Just added a 3rd site to the proxy and the same thing, the process says it fails at the ACME challenge.

I have numerous sites running on hosted VPS servers which obtained, and regularly update, their letsencrypt certificates, but I just can't get this to work on my local network with port forwarding.

Is there anything else I can do to try and find the source of this problem?

There is no http port.

Please start with some basics:

Then learn something about challenge types:

You have to create a working port 80, Letsencrypt must be able to check that port.
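The certbot failure line quoted in the first post already names the layer that failed. The following is an added example, not part of the thread and not certbot's own code: it parses that line into its ACME error type, the URL and port the validator was fetching, and a first thing to check. The function name `diagnose` and the hint texts are this example's own.

```python
import re
from urllib.parse import urlsplit

# Failure line from the first post, starting at the domain name.
SAMPLE = (
    "cloud.ecosprog.net (http-01): urn:ietf:params:acme:error:connection :: "
    "The server could not connect to the client to verify the domain :: "
    "Fetching http://cloud.ecosprog.net/.well-known/acme-challenge/"
    "hloCeUiiDhJb4Q7Zy3nNZgiwe-Q04ZuLfiQjnLCYttc: "
    "Timeout during connect (likely firewall problem)"
)

FAILURE_RE = re.compile(
    r"(?P<domain>[\w.-]+) \((?P<challenge>[\w-]+)\): "
    r"urn:ietf:params:acme:error:(?P<error>\w+) :: (?P<summary>.+?) :: "
    r"(?:Fetching (?P<url>\S+?): )?(?P<detail>.+)"
)

# ACME error types (RFC 8555, section 6.7) as seen for http-01, mapped to the
# layer to check first. The wording of the hints is this example's own.
CHECK_FIRST = {
    "connection": "network path: WAN port forwarding and firewall rules for the "
                  "port below, tested from outside the LAN",
    "dns": "public DNS: A/AAAA records for the domain",
    "unauthorized": "web server: the vhost or proxy must serve "
                    "/.well-known/acme-challenge/ unchanged",
    "tls": "TLS on the redirect target: the handshake failed after a redirect",
}

def diagnose(line):
    """Return the parsed fields of a certbot failure line, or None."""
    m = FAILURE_RE.search(line)
    if m is None:
        return None
    info = m.groupdict()
    parts = urlsplit(info["url"] or "")
    # Port the validator was connecting to when it gave up.
    info["port"] = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    # http-01 starts at http://<domain>/ on port 80; any other URL in the
    # error means the validator was following a redirect when it failed.
    info["followed_redirect"] = bool(info["url"]) and (
        parts.scheme != "http" or parts.hostname != info["domain"])
    info["check_first"] = CHECK_FIRST.get(info["error"], "see the detail text")
    return info

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE).items():
        print(f"{key}: {value}")
```

For the line in this thread the result is error type `connection` on port 80 with no redirect followed, which points at the forwarding path for port 80 rather than at nginx or the certificate.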
