Certbot can't pass through port 80 even after I did all port forwarding (not stuck behind CGNAT, other ports work well) and firewall rules

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: setark.ddns.net

I ran this command: certbot certonly --standalone -d setark.ddns.net

It produced this output: Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: setark.ddns.net
Type: connection
Detail: 189.60.88.207: Fetching http://setark.ddns.net/.well-known/acme-challenge/1unc1NLv-3zTFynjNGOtXnBpvR7tAvS23jc8I_L6OX0: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

My web server is (include version): NoIp ?

The operating system my web server runs on is (include version): NoIp ?

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Certbot 2.8.0

Some extra context.
Port forwarding is functioning for everything else.
I'm using NoIP for my domain name.
Dynamic DNS is connected to NoIP on my router.
When I tried to use port triggers for 80 and 443, the router didn't accept them.
All rules on the firewall were placed correctly.

Looks like Claro itself may block ports.

2 Likes

That's frustrating.
I'll try and call Claro and be direct with them.
I've already made them remove the CGNAT so I can port forward other stuff.
But if they are blocking those specifically, I'll try to talk with them.
If not, I'll have to resort to Anatel's.
Will be a "fun" new year, I guess.

Another thing I noticed: I'm trying to ping myself at 189.60.88.207 and can't.
I tried with my IPv6 address and it went through perfectly.
But with the IPv4 189.60.88.207, pings don't return.

Could this be an indicator of another problem?

1 Like

Well, LE will happily prioritize IPv6: maybe add those to DDNS too and try again?

3 Likes

But, well, how would I go about pointing Certbot to use my IPv6 instead of IPv4?

Certbot doesn't choose: if your DNS has both records, LE will pick IPv6 first, so register an AAAA onto DDNS too.

Anyway, can you host something on port 80? So people can test from outside.

3 Likes

Strange, as far as I'm aware both IPv4 and IPv6 are up on my router.

But you didn't register a v6 address on DDNS. (This needs to be done by the server itself, not the router, btw.)

4 Likes

True, gonna try it ASAP.

Well, I adjusted the NoIP host to use IPv6 too and, sadly, Certbot kept trying to go for IPv4, ignoring IPv6 on the hostname =\

Certbot makes outbound requests from your server to the Let's Encrypt server. Certbot uses whatever your local system has configured (IPv4 or IPv6).

The Let's Encrypt Server tries to connect to your domain name using the IP in the public DNS system. If it finds an IPv6 address (AAAA record) it will use that first. Otherwise it will use the IPv4 address (A record) if present.

The request from the LE Server is what you need to get working. That is the request that is shown as "timing out".

I don't see an A or an AAAA record for your domain name setark.ddns.net. Can you put the IP addresses back so we can check?

4 Likes

There's no AAAA RR for setark.ddns.net currently.

2 Likes

Hail! Yesterday I ended up disabling the NoIP hostname as it wasn't being used for anything.

Already reactivated it, in AAAA with my v6, and for some reason it also asks for the v4.
But yeah, it's up now.

A little update.
I tested on my desktop pinging my public IP 189.60.88.207 through CMD.
4 tries, 4 Request Timed Out.
From my phone connected through Wi-Fi, I used Check-Host.net to ping 189.60.88.207.
All pinged back.
Tested on the desktop the Check-Host.net ping to 189.60.88.207 and they actually responded.

But still, when I use CMD myself and try to ping 189.60.88.207 I get Request Timed Out.
Ports 80 and 443 on the modem are open with TCP.
Advanced Windows Firewall also has rules for 80 and 443.

Yesterday I was thinking that it might have been the ISP, but if Check-Host and websitepulse.com both can find me and ping me at 189.60.88.207,

I imagine that the problem must be on my desktop, right?

ping uses ICMP, so it is not a good test for HTTP(S) comms, which use TCP.

I can't reach your domain using IPv4 or v6 with HTTP or HTTPS

curl -i4 -m7 http://setark.ddns.net
curl: (28) Failed to connect to setark.ddns.net port 80 after 3501 ms: Connection timed out
curl -i6 -m7 http://setark.ddns.net
curl: (7) Failed to connect to setark.ddns.net port 80 after 121 ms: Connection refused

curl -i4 -m7 https://setark.ddns.net
curl: (28) Failed to connect to setark.ddns.net port 443 after 3503 ms: Connection timed out
curl -i6 -m7 https://setark.ddns.net
curl: (7) Failed to connect to setark.ddns.net port 443 after 143 ms: Connection refused
3 Likes
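To make the point of the two replies above concrete (the CA, not Certbot, is the one connecting in, AAAA is tried before A, and ICMP tells you nothing about TCP), here is an outside-in check that mirrors that validation path. It is an added example, not code from this thread, from Certbot or from Let's Encrypt: it resolves the domain's public A/AAAA records, orders them the way the CA does, opens a TCP connection to port 80 and classifies the result the way the curl errors above should be read. A timeout means the connection attempt got no answer at all (dropped at the router, the ISP or a host firewall); a refusal means the host was reached but nothing was listening. The `resolver` and `prober` parameters exist only so the logic can be exercised with constructed records; run it from a machine outside your LAN for a meaningful answer.

```python
"""Outside-in reachability check that mirrors how the CA validates HTTP-01.

Added example, not code from the thread, Certbot or Let's Encrypt.
"""
import socket
import sys
from typing import Callable, Dict, List, Tuple

# Plain-language reading of each probe outcome (wording constructed for this example).
MEANING: Dict[str, str] = {
    "connected": "reachable: the CA could fetch the challenge file",
    "timeout": "filtered: no answer at all, something drops the packets before the host",
    "refused": "reached the host, but nothing listens there (standalone listener not running?)",
    "no-records": "no A/AAAA record published: the CA has nothing to connect to",
}


def resolve_public(domain: str) -> List[Tuple[str, str]]:
    """Return [(rtype, ip), ...] for the domain via the system resolver."""
    found: List[Tuple[str, str]] = []
    for family, _type, _proto, _name, sockaddr in socket.getaddrinfo(
        domain, None, proto=socket.IPPROTO_TCP
    ):
        rtype = "AAAA" if family == socket.AF_INET6 else "A"
        if (rtype, sockaddr[0]) not in found:
            found.append((rtype, sockaddr[0]))
    return found


def order_like_ca(records: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Let's Encrypt tries the AAAA address before the A address, so IPv6 goes first."""
    return [r for r in records if r[0] == "AAAA"] + [r for r in records if r[0] == "A"]


def tcp_probe(ip: str, port: int = 80, timeout: float = 7.0) -> str:
    """Open one TCP connection and report connected / timeout / refused / error."""
    family = socket.AF_INET6 if ":" in ip else socket.AF_INET
    with socket.socket(family, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((ip, port))
            return "connected"
        except socket.timeout:          # SYN dropped: no SYN-ACK and no RST
            return "timeout"
        except ConnectionRefusedError:  # RST came back: host reached, port closed
            return "refused"
        except OSError as exc:          # e.g. no IPv6 route from this machine
            return f"error: {exc}"


def diagnose(
    domain: str,
    port: int = 80,
    resolver: Callable[[str], List[Tuple[str, str]]] = resolve_public,
    prober: Callable[[str, int], str] = tcp_probe,
) -> List[Tuple[str, str, str, str]]:
    """Probe every published address in CA order; yields (rtype, ip, outcome, meaning)."""
    records = order_like_ca(resolver(domain))
    if not records:
        return [("-", "-", "no-records", MEANING["no-records"])]
    results = []
    for rtype, ip in records:
        outcome = prober(ip, port)
        results.append((rtype, ip, outcome, MEANING.get(outcome, outcome)))
    return results


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: python reach80.py <domain> [port]")
    dom = sys.argv[1]
    prt = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    for rtype, ip, outcome, meaning in diagnose(dom, prt):
        print(f"{rtype:5} {ip:40} {outcome:10} {meaning}")
```

If the IPv6 line comes back "refused" while the IPv4 line comes back "timeout", as in the curl output above, the two paths are failing for different reasons: v6 reaches a host with no listener, v4 never gets an answer.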

Another piece of information.
I asked a friend to ping me from their computer.
The ping went okay.
So it's clear that I, on my machine, can't ping myself, even with a rule on my Windows firewall to allow ICMPv4 Echo Request.
No option I could find in my router config about it.

Now I have to test to see why Certbot isn't passing through port 80.


Oh, I didn't know that.
This domain is just a NoIP domain that I made specifically for Certbot.
Overall the site doesn't exist.

But, if you can't reach my domain, any ideas of what it could be?

Strangely enough, on certain sites like Check-Host it is managing to get info from the domain, but yeah, the TCP connection is being blocked.

DDNS on the router setting is working, I imagine, as it is showing my IP.

Any idea of what could be causing this?

Edit: Through Check-Host they managed to reach me through UDP, but yeah, not through TCP.

Lots of things can cause such trouble. Using the wrong IP addresses, an ISP that actively blocks those ports (residential ISPs might do this), a router that is not setup properly. Or a number of other things.

The --standalone option is the hardest to debug because there is only an active listener on port 80 when it is running. Still, I think something is blocking access before reaching that.

Why did you choose --standalone? What kind of service do you plan on using with the certificate? I don't see any other ports open on your system.

2 Likes

If you can only use --standalone, see the post below on how to keep it active to test comms.

1 Like
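Since the standalone listener exists only while certbot runs, the suggestion above is to keep something listening on port 80 so the path can be tested from outside at leisure. The following is an added example for that purpose, not code from this thread, from Certbot or from FoundryVTT: a small HTTP server that answers only at the path a Let's Encrypt HTTP-01 check would request, `/.well-known/acme-challenge/<token>`, with a made-up token (it is not a real ACME token), and 404 for everything else. Start it as root on the machine the A/AAAA records point to, then fetch that URL from a phone on mobile data or an online HTTP checker; each request that gets through is logged with the source address, so you also see whether it arrived over IPv4 or IPv6. The `fetch_token` helper is the same request made from Python and is only there to test the server locally.

```python
"""Stand-in port-80 listener for testing HTTP-01 reachability from outside.

Added example, not code from the thread, Certbot or FoundryVTT.
"""
import socket
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.request import ProxyHandler, build_opener

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# Constructed test token; a real ACME token is issued by the CA for each order.
TEST_TOKEN = "connectivity-test-token-0000"


class ChallengeHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == CHALLENGE_PREFIX + TEST_TOKEN:
            body = TEST_TOKEN.encode()
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            # Everything else is a 404 so the listener exposes nothing about the host.
            self.send_error(404)

    def log_message(self, fmt, *args):
        # Log the peer address: shows which family/network actually reached port 80.
        print(f"{self.client_address[0]} {fmt % args}")


class ChallengeServer(ThreadingHTTPServer):
    """Binds IPv6 when given an IPv6 host; on Linux '::' also accepts IPv4 clients."""

    def __init__(self, host: str, port: int):
        self.address_family = socket.AF_INET6 if ":" in host else socket.AF_INET
        super().__init__((host, port), ChallengeHandler)


def start_listener(host: str = "::", port: int = 80) -> ChallengeServer:
    """Start serving in a background thread and return the server (use .shutdown())."""
    server = ChallengeServer(host, port)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch_token(host: str, port: int, token: str = TEST_TOKEN, timeout: float = 5.0):
    """Request the challenge URL the way the CA would; returns (status, body)."""
    target = f"[{host}]" if ":" in host else host
    url = f"http://{target}:{port}{CHALLENGE_PREFIX}{token}"
    opener = build_opener(ProxyHandler({}))  # never route the test through a proxy
    try:
        with opener.open(url, timeout=timeout) as r:
            return r.getcode(), r.read().decode()
    except HTTPError as e:
        return e.code, ""


if __name__ == "__main__":
    srv = start_listener("::", 80)  # port 80 needs root
    print(f"listening; fetch http://<your-domain>{CHALLENGE_PREFIX}{TEST_TOKEN} from outside")
    try:
        threading.Event().wait()
    except KeyboardInterrupt:
        srv.shutdown()
        srv.server_close()
```

Stop it before running certbot again, since both want port 80.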

It's for an SSL CA for allowing video and audio through FoundryVTT.
So I was following their instructions on how to make an SSL just for that.
In all fairness, their link to Certbot is outdated, and I had to search for the 2.8.0 myself.