Certbot certification issue

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: webwork1.cc.uregina.ca

I ran this command: sudo certbot --apache

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?


1: webwork1.cc.uregina.ca


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for webwork1.cc.uregina.ca

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: webwork1.cc.uregina.ca
Type: connection
Detail: XXX.X.XXX.XX: Fetching http://webwork1.cc.uregina.ca/.well-known/acme-challenge/iKiXdld9KFr1iaYvPZJjhxreeIKwYYzvnst31oMUM74: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):

Version:  Linux version 5.4.0-120-generic (buildd@lcy02-amd64-006) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)) #136-Ubuntu SMP Fri Jun 10 13:40:48 UTC 2022

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.29.0

Welcome to the community @caron24k !
In order to obtain certificates from Let's Encrypt, your site must be availble on the internet. Something is getting in the way of public access.

PORT    STATE    SERVICE
22/tcp  filtered ssh
80/tcp  filtered http
443/tcp filtered https

You might check either your firewall or contact your ISP to verify if they are blocking your ports or not.

4 Likes

Hello,

I am currently using firewalld and have these specific settings:

wwadmin@webwork1:~$ sudo firewall-cmd --list-all
[sudo] password for wwadmin:
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client http https ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

http https and ssh are all allowed.

I can also reach my server through the browser by going to http://webwork1.cc.uregina.ca:80

Are you accessing the site from within your own network? If so, use a phone or pad or something and turn your wifi off and try accessing from that device. (all I am getting are timeouts, unfortunately.)

4 Likes

I can concur: your host at webwork1.cc.uregina.ca is completely down from the perspective of the public internet.

Please also check NAT portmaps if applicable.

5 Likes

0 for 3, I too have a problem reaching that site:

curl -Ii http://webwork1.cc.uregina.ca/
curl: (56) Recv failure: Connection reset by peer
2 Likes

I got this

$ curl -Ii http://webwork1.cc.uregina.ca/
HTTP/1.1 200 OK
Date: Mon, 25 Jul 2022 19:09:02 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 09 Aug 2021 23:38:13 GMT
ETag: "2aa6-5c928e0f1d0db"
Accept-Ranges: bytes
Content-Length: 10918
Vary: Accept-Encoding
Content-Type: text/html
2 Likes

@Bruce5051
I get that too now.
[making progess!]

3 Likes

Nice @rg305 :slightly_smiling_face:

1 Like

Hello,

The original hypothesis was correct. Out network team told me they opened it up but really they didn't. So I had local access from the inner network but not outside the companies network. Networking opened up the http channel and I was able to get the certificate and everything works. Appreciate all the help and support from the community members here.

5 Likes

Still down for me tho :frowning_face:

4 Likes

Sill up for me; maybe @caron24k's firewall team doesn't have the problem full resolved for all of the internet yet. IPv4 vs IPv6?
I'm using IPv4 myself.

2 Likes

I see only one IP:

Name:    webwork1.cc.uregina.ca
Address: 142.3.152.39

So, it's probably something more like GEO-blocking.

3 Likes

Works for me!

3 Likes

Totally agree. Site24x7 test says only North America sites can connect.

EDIT: Let's Encrypt will need http connectivity from North America and Europe, at minimum, to satisfy http challenge. Other regions may be needed in future. Let's Encrypt recommends port 80 be open for all visitors.

3 Likes

And it seems not all of the USA can even reach the site Check website performance and response: Check host - online website monitoring

2 Likes

Hmm. I don't know how reliable that site is. I just tried it and none of their locations found the site. That test site also did not find letsencrypt.org or this forum from any of their locations either so that's not a good sign. I tried http and ping and nothing. Maybe they are just having a bad day :slight_smile:

4 Likes

It is usual reliable, I guess they could be having an off day.

3 Likes

I can still reach it though.

3 Likes