Certbot CA Verification issues with Apache 2.4

My domain is: moodle.mesd.k12.or.us

I ran this command: certbot --apache

It produced this output:

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: moodle.mesd.k12.or.us
Type: connection
Detail: 198.236.68.59: Fetching http://moodle.mesd.k12.or.us/.well-known/acme-challenge/_s-W3KkjJQ9RLMgShvpRvFrE25hYRIBbQ207Y406z3M: Timeout during connect (likely firewall problem)

My web server is (include version):

Apache 2.4.37

The operating system my web server runs on is (include version):

CentOS 8 - CentOS Stream release 8

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.6.0

Further notes: It seems the temporary RewriteRules that certbot is adding to my virtual host are not working. I tried adding them manually just for testing purposes and I could not access a temp file I created in /var/lib/letsencrypt/http_challenges/. I enabled a quick alias for the same directory and could access the file just fine. I have verified that mod_rewrite is enabled in Apache.

Welcome to the community @dcramble

It looks like you have a firewall blocking certain IP addresses which includes one that the Let's Encrypt Server(s) use.

For the benefit of other volunteers, I looked but this is not a Palo Alto Networks ACME setting problem.

You can see from the Let's Debug test that an initial HTTP request to your domain got through and saw the expected 404 Not Found result.

But the second test, using the Let's Encrypt staging server system, timed out. This is almost always an IP-based firewall. Although, also look at any geographic-based firewall.

5 Likes
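The check the reply above describes, written out as an added example that is not part of the original thread or of certbot: it drops a token file into the challenge directory and fetches it over plain HTTP at /.well-known/acme-challenge/<token>, the way the CA's validator and the Let's Debug test do, then classifies the outcome. Run from the web server itself it exposes the rewrite/alias problem the original poster suspected (a 404 means the path is not mapped); run from a host outside the network it exposes the firewall case (a connect timeout is what the CA reported). A success from inside proves nothing about worldwide reachability, which multi-perspective validation requires. The host names, directory paths and the throw-away local demo server are assumptions for illustration only.

```python
"""HTTP-01 pre-flight check, modelled on what the CA (and Let's Debug) do.

Added example, not certbot code. Writes a token file into the challenge
directory, fetches it over plain HTTP at /.well-known/acme-challenge/<token>,
and classifies the outcome the way the CA's error messages read.
"""
import functools
import http.server
import os
import secrets
import socket
import tempfile
import threading
import urllib.error
import urllib.request

CHALLENGE_PATH = "/.well-known/acme-challenge/"


def write_token(challenge_dir):
    """Create a random token file, as certbot does during an HTTP-01 challenge."""
    os.makedirs(challenge_dir, exist_ok=True)
    token = secrets.token_urlsafe(32)
    body = token + "." + secrets.token_urlsafe(32)   # stands in for the key authorization
    with open(os.path.join(challenge_dir, token), "w", encoding="ascii") as fh:
        fh.write(body)
    return token, body


def fetch_challenge(host, token, port=80, timeout=10.0):
    """GET the challenge URL (redirects are followed, as the CA does) and return
    (status, body); status is 'http-NNN', 'timeout', 'refused' or 'error:<reason>'."""
    url = "http://%s:%d%s%s" % (host, port, CHALLENGE_PATH, token)
    req = urllib.request.Request(url, headers={"User-Agent": "http01-preflight"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return "http-%d" % resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:          # 404, 403, 5xx ...
        return "http-%d" % err.code, ""
    except urllib.error.URLError as err:           # failures before any response
        if isinstance(err.reason, (socket.timeout, TimeoutError)):
            return "timeout", ""
        if isinstance(err.reason, ConnectionRefusedError):
            return "refused", ""
        return "error:%s" % err.reason, ""
    except (socket.timeout, TimeoutError):         # connected, then no response
        return "timeout", ""


def diagnose(status, body, expected):
    """Map the fetch result onto the failure modes discussed in the thread."""
    if status.startswith("http-2"):
        return "ok" if body.strip() == expected else "wrong-body"
    if status == "http-404":
        return "not-served"      # path not mapped: rewrite/alias/webroot problem
    if status == "timeout":
        return "blocked"         # no answer to the connect: firewall, the CA's 'Timeout during connect'
    if status == "refused":
        return "not-listening"   # host reachable, nothing bound on the port
    return "other:" + status


def preflight(host, challenge_dir, port=80, timeout=10.0):
    """Write a token, fetch it, clean up, and return the diagnosis string."""
    token, expected = write_token(challenge_dir)
    try:
        status, body = fetch_challenge(host, token, port, timeout)
    finally:
        os.remove(os.path.join(challenge_dir, token))
    return diagnose(status, body, expected)


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):   # keep the demo server silent
        pass


def serve_dir(docroot):
    """Start a throw-away HTTP server on 127.0.0.1 (demo only); returns (server, port)."""
    handler = functools.partial(_QuietHandler, directory=docroot)
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def selftest():
    """Reproduce the 'served', 'not served' and 'nothing listening' cases locally."""
    docroot = tempfile.mkdtemp()          # constructed stand-in for the Apache DocumentRoot
    srv, port = serve_dir(docroot)
    try:
        good = preflight("127.0.0.1", os.path.join(docroot, ".well-known", "acme-challenge"), port)
        # token written somewhere the web server does not map onto the challenge URL
        missing = preflight("127.0.0.1", os.path.join(docroot, "elsewhere"), port)
    finally:
        srv.shutdown()
        srv.server_close()
    # the port is now closed, so the connect is refused rather than timing out
    refused = preflight("127.0.0.1", os.path.join(docroot, "elsewhere"), port, timeout=3)
    return {"served": good, "not_served": missing, "closed_port": refused}


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:       # python http01_preflight.py <host> <challenge_dir>
        print(preflight(sys.argv[1], sys.argv[2]))
    else:
        print(selftest())
```

For a real server, point the challenge directory at wherever the virtual host maps /.well-known/acme-challenge/ (certbot's apache authenticator uses /var/lib/letsencrypt/http_challenges/) and run the script once on the box and once from outside. The interesting result is "blocked": that is the timeout the CA reported, and since the validators' addresses are not published and requests come from several vantage points, the only fix is to allow port 80 from anywhere rather than to whitelist sources.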

Thanks for the helpful response. This server is open widely on port 80 and 443, but I do know our network currently blocks traffic originating outside the US - so your "geographic based firewall" comment is a helpful hint.

Is there a known list of Let's Encrypt servers that could be used to update our firewall rules?

1 Like

No, IP addresses of the servers are not published. The IP addresses change frequently on purpose to avoid interference from bad actors. Especially read the link in the below FAQ about multi-perspective authentication.

You may have to change to a DNS challenge if you cannot open port 80 for the ACME HTTP challenges.

3 Likes

They check from multiple places, potentially around the world, to confirm that you actually own the name as seen from everywhere. Port 80 needs to be open worldwide in order to use HTTP-01.

If for some reason you can't do that because this is an internal-only system, then you need to use some other challenge type like DNS-01 (which still requires your DNS server to have port 53 available worldwide, but that's much more common).

4 Likes
