Certbot certonly firewall problem

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: falconsoil.net

I ran this command: certbot.exe certonly --standalone -d www.falconsoil.net

It produced this output:
Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: www.falconsoil.net
Type: connection
Detail: Fetching http://www.falconsoil.net/.well-known/acme-challenge/dr0ydjGdwkVQpT02abQrre_H6EMEo-MT6X_kV2LXOLE: Timeout during connect (likely firewall proble

My web server is (include version): intraweb 15.2.X

The operating system my web server runs on is (include version): Windows 2012 R2

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.19.0

This OS is running on a VM in Azure.
I have verified that port 80 is open at the Azure portal and port 80 is open and allows all traffic from the Windows firewall.

I have been unable to get certBot.exe to issue a certificate. Every time it runs it reports the "timeout error - likely due to a firewall problem".

My website uses both 80 and 443 and it is able to receive traffic.

What could be causing my problem?

Rick Howitt

Not from where I'm connecting. 40.122.43.230 port 80 is very much unreachable. Time out. Strangely enough port 443 is open though.

1 Like

Hi @rhowitt, welcome to the LE community forum

That seems contrary to the command issued:

Do you stop your webserver before running certbot?

Also: Why not get a cert for both names?
certbot.exe certonly --standalone -d falconsoil.net -d www.falconsoil.net

Yes, I stop the web server before issuing the command. If the webserver is not stopped, certbot displays an error saying that port 80 is not available.

Is it possible that the challenge file is not being created?
If certbot was installed in the root folder C:\certbot, where will the .well-known folder be created?

Did you ever try just using the webserver you already have?

Yes.
The logfile would tell us more.

The log file follows:

2021-09-15 12:46:52,286:DEBUG:certbot._internal.main:certbot version: 1.19.0
2021-09-15 12:46:52,286:DEBUG:certbot._internal.main:Location of certbot entry point: C:\Certbot\bin\certbot.exe
2021-09-15 12:46:52,302:DEBUG:certbot._internal.main:Arguments: ['--standalone', '-d', 'www.falconsoil.net', '--preconfigured-renewal']
2021-09-15 12:46:52,302:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-09-15 12:46:52,302:DEBUG:certbot.compat.misc:Failed to set console mode
Traceback (most recent call last):
  File "C:\Certbot\pkgs\certbot\compat\misc.py", line 59, in prepare_virtual_console
    h.SetConsoleMode(h.GetConsoleMode() | ENABLE_VIRTUAL_TERMINAL_PROCESSING)
pywintypes.error: (87, 'SetConsoleMode', 'The parameter is incorrect.')
2021-09-15 12:46:52,349:DEBUG:certbot._internal.log:Root logging level set at 30
2021-09-15 12:46:52,349:DEBUG:certbot._internal.plugins.selection:Requested authenticator standalone and installer None
2021-09-15 12:46:52,364:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * standalone
Description: Spin up a temporary webserver
Interfaces: Authenticator, Plugin
Entry point: standalone = certbot._internal.plugins.standalone:Authenticator
Initialized: <certbot._internal.plugins.standalone.Authenticator object at 0x03801490>
Prep: True
2021-09-15 12:46:52,364:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.standalone.Authenticator object at 0x03801490> and installer None
2021-09-15 12:46:52,364:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator standalone, Installer None
2021-09-15 12:46:52,396:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/201922740', new_authzr_uri=None, terms_of_service=None), 6ddc1a6b08c5b2a7ea4271193d8d4e45, Meta(creation_dt=datetime.datetime(2021, 9, 15, 15, 40, 24, tzinfo=<UTC>), creation_host='falconsoilFEVM.falconsoilFEcs.g2.internal.cloudapp.net', register_to_eff='rhowitt@agrinetix.com'))>
2021-09-15 12:46:52,396:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2021-09-15 12:46:52,411:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2021-09-15 12:46:52,552:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2021-09-15 12:46:52,552:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 15 Sep 2021 16:46:52 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "VTpVK76g5FE": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2021-09-15 12:46:52,552:DEBUG:certbot._internal.display.obj:Notifying user: Requesting a certificate for www.falconsoil.net
2021-09-15 12:46:52,724:DEBUG:certbot.crypto_util:Generating RSA key (2048 bits): C:\Certbot\keys\0004_key-certbot.pem
2021-09-15 12:46:52,739:DEBUG:certbot.crypto_util:Creating CSR: C:\Certbot\csr\0004_csr-certbot.pem
2021-09-15 12:46:52,739:DEBUG:acme.client:Requesting fresh nonce
2021-09-15 12:46:52,739:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2021-09-15 12:46:52,771:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2021-09-15 12:46:52,771:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 15 Sep 2021 16:46:52 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0101IaIKgRD7Urr5hGAIuni0bMXPY_OpXgnwMP7oWkpjkVE
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


2021-09-15 12:46:52,771:DEBUG:acme.client:Storing nonce: 0101IaIKgRD7Urr5hGAIuni0bMXPY_OpXgnwMP7oWkpjkVE
2021-09-15 12:46:52,771:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "www.falconsoil.net"\n    }\n  ]\n}'
2021-09-15 12:46:52,786:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMjAxOTIyNzQwIiwgIm5vbmNlIjogIjAxMDFJYUlLZ1JEN1VycjVoR0FJdW5pMGJNWFBZX09wWGdud01QN29Xa3Bqa1ZFIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9uZXctb3JkZXIifQ",
  "signature": "Wr22SO6ea70g4-tp41mAGveuIWXuyz2M1tLS_xV_Z1c--p9GVzoxmykQRVBuIUiWz8Ow9bAqYG8RWEgJKuQRykvNXOyxKgcP5P_elGem-EPdXHvOPQU6SS28wIh18DBLO2XK5-FZLHaUhqYe4p4QAnhQCLszf_762n8r77cdYBqTr4TenC5y1Ghw2avPl6qUsdaz1WS2T64KW2iPARl7odvVgbGk9ua7bwt1xQOSgX--O7Ryeth0pn4XwBdZHniXoKpv4sOUocmUfS1904UQ6sN4LEMP8GQC3pofg1PqCX6EK7QnZ6x4qd4dzl-Wyjwa-APdDS89Eck2CuuwXVcpsQ",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogInd3dy5mYWxjb25zb2lsLm5ldCIKICAgIH0KICBdCn0"
}
2021-09-15 12:46:53,210:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 341
2021-09-15 12:46:53,210:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Wed, 15 Sep 2021 16:46:53 GMT
Content-Type: application/json
Content-Length: 341
Connection: keep-alive
Boulder-Requester: 201922740
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/201922740/24687884100
Replay-Nonce: 0102pZildQtQrfkuUuQ4mep37K_8zzvPRRyF_vrQcQuHy8c
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2021-09-22T16:46:52Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "www.falconsoil.net"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/31279893700"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/201922740/24687884100"
}
2021-09-15 12:46:53,210:DEBUG:acme.client:Storing nonce: 0102pZildQtQrfkuUuQ4mep37K_8zzvPRRyF_vrQcQuHy8c
2021-09-15 12:46:53,210:DEBUG:acme.client:JWS payload:
b''
2021-09-15 12:46:53,210:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/31279893700:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMjAxOTIyNzQwIiwgIm5vbmNlIjogIjAxMDJwWmlsZFF0UXJma3VVdVE0bWVwMzdLXzh6enZQUlJ5Rl92clFjUXVIeThjIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8zMTI3OTg5MzcwMCJ9",
  "signature": "aJW5ttk8cbkhfHEOTkwFM_F0RvLsY8v_FL3NQhEgFruk6YI-t53pTu3F9gYZVga8Qc-1IaSw6y6lcDyLJ3V5dfAY4xHylzrbUQ5xsslPxjijwmqi_feMlcJ4WPKkMJCj69EaONvC2Hwbf9X1ffhJk1W7VUwuRUCMyoNdGLaEcMMJp9x6V0yId-7dkfcDCUDtzp7Zpfkk1LA4y24k2DtEPKWZT43Vvlq5PukFhJ0-GuzUMJkL8LPva9iBLAq9OYQNBvMRsbxumtCcuBLb-QgFYmInwQiYHQMGPKjvNlYY5UNuQtAs56QrX67sQkztvdVbtfKYPFXcgn3Fnt6JNTyysg",
  "payload": ""
}
2021-09-15 12:46:53,279:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/31279893700 HTTP/1.1" 200 799
2021-09-15 12:46:53,279:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 15 Sep 2021 16:46:53 GMT
Content-Type: application/json
Content-Length: 799
Connection: keep-alive
Boulder-Requester: 201922740
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0101RVo7I9-OioJ8nLi6HQAbLhoxBMO6oQY9pJm5DQHJTqQ
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "www.falconsoil.net"
  },
  "status": "pending",
  "expires": "2021-09-22T16:46:52Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/31279893700/j1r44w",
      "token": "dr0ydjGdwkVQpT02abQrre_H6EMEo-MT6X_kV2LXOLE"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/31279893700/c0VMrQ",
      "token": "dr0ydjGdwkVQpT02abQrre_H6EMEo-MT6X_kV2LXOLE"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/31279893700/9ubWUw",
      "token": "dr0ydjGdwkVQpT02abQrre_H6EMEo-MT6X_kV2LXOLE"
    }
  ]
}
2021-09-15 12:46:53,279:DEBUG:acme.client:Storing nonce: 0101RVo7I9-OioJ8nLi6HQAbLhoxBMO6oQY9pJm5DQHJTqQ
2021-09-15 12:46:53,279:INFO:certbot._internal.auth_handler:Performing the following challenges:
2021-09-15 12:46:53,279:INFO:certbot._internal.auth_handler:http-01 challenge for www.falconsoil.net
2021-09-15 12:46:53,279:DEBUG:acme.standalone:Successfully bound to :80 using IPv6
2021-09-15 12:46:53,294:DEBUG:acme.standalone:Successfully bound to :80 using IPv4
2021-09-15 12:46:53,294:DEBUG:acme.client:JWS payload:
b'{}'
2021-09-15 12:46:53,294:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/31279893700/j1r44w:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMjAxOTIyNzQwIiwgIm5vbmNlIjogIjAxMDFSVm83STktT2lvSjhuTGk2SFFBYkxob3hCTU82b1FZOXBKbTVEUUhKVHFRIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9jaGFsbC12My8zMTI3OTg5MzcwMC9qMXI0NHcifQ",
  "signature": "rcD-R3vZ4irCcaCkSopLy-cZgLDlPvQl6eX6aqoofi_9e7aKcr6KqN5S4ExixQ6Y0KegJC4Ip3_0HqvPFlUuZJQ4Ti7FVXW0U-CvfPmy1fuD3ijUMxH-6-PDsMB_FszrLMTx4JesznV8BzSgQUxY0S8_el58O5eI89FLH3GoYjt9vfsVsFamBbNk8__jL_SrjKKxMNuAlqW9JflRQM1tg9IWQlKAQS6l1fPxhx5y0yr6eAKEcMdkoB7ZdlaHGuST5NU40PuurH9qvu6jHUJnNg1VBcqz8PucdhEyXo02kH8S-zKKC_mwwLUlS1ihyrOLf6GFtS8UEMdgVCVeLGRmZg",
  "payload": "e30"
}
2021-09-15 12:46:53,404:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/31279893700/j1r44w HTTP/1.1" 200 186
2021-09-15 12:46:53,404:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 15 Sep 2021 16:46:53 GMT
Content-Type: application/json
Content-Length: 186
Connection: keep-alive
Boulder-Requester: 201922740
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz-v3/31279893700>;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/31279893700/j1r44w
Replay-Nonce: 0101VMMzZA2VMHpiQgicGYWx6hRdq90ECCmEPNzQ85SYdYY
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/31279893700/j1r44w",
  "token": "dr0ydjGdwkVQpT02abQrre_H6EMEo-MT6X_kV2LXOLE"
}
2021-09-15 12:46:53,404:DEBUG:acme.client:Storing nonce: 0101VMMzZA2VMHpiQgicGYWx6hRdq90ECCmEPNzQ85SYdYY
2021-09-15 12:46:53,404:INFO:certbot._internal.auth_handler:Waiting for verification...
2021-09-15 12:46:54,411:DEBUG:acme.client:JWS payload:
b''
2021-09-15 12:46:54,411:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/31279893700:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMjAxOTIyNzQwIiwgIm5vbmNlIjogIjAxMDFWTU16WkEyVk1IcGlRZ2ljR1lXeDZoUmRxOTBFQ0NtRVBOelE4NVNZZFlZIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8zMTI3OTg5MzcwMCJ9",
  "signature": "VHNVY6LTdZ_jbmMbZedBUnTwdJ5Ej6rrWBpSaauaO4hFFFaxEjizY5IdFhYt9xhzoEkijldirCCj7jFY_b8Fb593cJcHPbAT-jUJEQ8EzSIBdSGM58-d6m8Ik5k4RWPC2k1FJjZKm-tG99epW1UeUgzgZF8D34nNzjE7reqt1BnwZOqH86AMI3rhJdkxuheSNWKwHh0me_j8OaOMlt094RhZcq_G8DFvYi0gCnmzSE3VVKhlklHewXd9VjfMmFH8JgX0GbxK6pYqlRzE22ocLCAuezJ_1K3KuM-jycbodcE30uq0YJJjUJAs1PAKslZ3o7IBAjTT3W0b6wfnBVDyyw",
  "payload": ""
}
2021-09-15 12:46:54,494:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/31279893700 HTTP/1.1" 200 799
2021-09-15 12:46:54,494:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 15 Sep 2021 16:46:54 GMT
Content-Type: application/json
Content-Length: 799
Connection: keep-alive
Boulder-Requester: 201922740
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0101bR1xf4uDeu72rg-JMDiU7oJaEMKDeaapZ2QyATPe8pk
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "www.falconsoil.net"
  },
  "status": "pending",
  "expires": "2021-09-22T16:46:52Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/31279893700/j1r44w",
      "token": "dr0ydjGdwkVQpT02abQrre_H6EMEo-MT6X_kV2LXOLE"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/31279893700/c0VMrQ",
      "token": "dr0ydjGdwkVQpT02abQrre_H6EMEo-MT6X_kV2LXOLE"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/31279893700/9ubWUw",
      "token": "dr0ydjGdwkVQpT02abQrre_H6EMEo-MT6X_kV2LXOLE"
    }
  ]
}
2021-09-15 12:46:54,494:DEBUG:acme.client:Storing nonce: 0101bR1xf4uDeu72rg-JMDiU7oJaEMKDeaapZ2QyATPe8pk
2021-09-15 12:46:57,504:DEBUG:acme.client:JWS payload:
b''
2021-09-15 12:46:57,504:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/31279893700:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMjAxOTIyNzQwIiwgIm5vbmNlIjogIjAxMDFiUjF4ZjR1RGV1NzJyZy1KTURpVTdvSmFFTUtEZWFhcFoyUXlBVFBlOHBrIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8zMTI3OTg5MzcwMCJ9",
  "signature": "bA8-lKudt8ycu6O0DO4VBgt7wTZ5B60L4POImOF3aNpfjTad5EJ8Na3p2cZIEuWbaR6FRizaAwYbgGXGC208MslMmbV4053psxImxXVXwAyxgVLDVymJSN1bUcSB40krPxo68_i13UXTc2qCKUBLDJHl0hjDuvtEn8MqDKUiSiJQMq3xogk8zWJi3vLOoayd2EkiccxBe8nZjoMyqxP6mIAexNzigYm9LxRb9Di3A1eKVzgfiDr0u-nF5bf3U7JG0D9HJl0ieJq25sbkKyAZGm208pQ7p8rnFbJ1dDrbv9Mi7HMjnY6dcMYt1zyhYDzO_EdvWCbWmhEVjvVOZKvB8A",
  "payload": ""
}
2021-09-15 12:46:57,585:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/31279893700 HTTP/1.1" 200 799
2021-09-15 12:46:57,585:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 15 Sep 2021 16:46:57 GMT
Content-Type: application/json
Content-Length: 799
Connection: keep-alive
Boulder-Requester: 201922740
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0101HTHhDzYce6P2spzbLCjNM_qW37l-07HzNk9lEdyCJSo
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "www.falconsoil.net"
  },
  "status": "pending",
  "expires": "2021-09-22T16:46:52Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/31279893700/j1r44w",
      "token": "dr0ydjGdwkVQpT02abQrre_H6EMEo-MT6X_kV2LXOLE"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/31279893700/c0VMrQ",
      "token": "dr0ydjGdwkVQpT02abQrre_H6EMEo-MT6X_kV2LXOLE"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/31279893700/9ubWUw",
      "token": "dr0ydjGdwkVQpT02abQrre_H6EMEo-MT6X_kV2LXOLE"
    }
  ]
}
2021-09-15 12:46:57,585:DEBUG:acme.client:Storing nonce: 0101HTHhDzYce6P2spzbLCjNM_qW37l-07HzNk9lEdyCJSo
2021-09-15 12:47:00,587:DEBUG:acme.client:JWS payload:
b''
2021-09-15 12:47:00,587:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/31279893700:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMjAxOTIyNzQwIiwgIm5vbmNlIjogIjAxMDFIVEhoRHpZY2U2UDJzcHpiTENqTk1fcVczN2wtMDdIek5rOWxFZHlDSlNvIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8zMTI3OTg5MzcwMCJ9",
  "signature": "PjiQKCIhRUVCTi3gJSURE7t76BEMJS2w85_DEgQKdoGvVw772AOoAT7keZuJ6Eop8dcwC1DMl4hAFvFVJSXrmiwz4ZdO3tfu6NUvdnHCucHwhoisQ3XjxZsRKri-yzBkWbpceUqokmYJJ_fKpqufAqB3838AvgPEHsE1oz8HwMVX4MRaVM_O2Bh4g9-UBbhEOe-ylwiRtDUfdh2bjuenJ-KUlNBCRZ8UT13W9MYSclXNQLjoxhUqWAcDK-9a1xoDgEHCTIRmHyVQQx_qOiXcwyxzuNg602Ain2IAcb62xdD3R4YR6X0wjcYyB2dp9nJUjcgHLKvxhEk--pq5pTQaXA",
  "payload": ""
}
2021-09-15 12:47:00,711:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/31279893700 HTTP/1.1" 200 799
2021-09-15 12:47:00,711:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 15 Sep 2021 16:47:00 GMT
Content-Type: application/json
Content-Length: 799
Connection: keep-alive
Boulder-Requester: 201922740
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0102njHbCg2_TIEUT4xD0qT4DGg9zlsmNiiXwk7gTwu5zIE
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "www.falconsoil.net"
  },
  "status": "pending",
  "expires": "2021-09-22T16:46:52Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/31279893700/j1r44w",
      "token": "dr0ydjGdwkVQpT02abQrre_H6EMEo-MT6X_kV2LXOLE"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/31279893700/c0VMrQ",
      "token": "dr0ydjGdwkVQpT02abQrre_H6EMEo-MT6X_kV2LXOLE"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/31279893700/9ubWUw",
      "token": "dr0ydjGdwkVQpT02abQrre_H6EMEo-MT6X_kV2LXOLE"
    }
  ]
}
2021-09-15 12:47:00,711:DEBUG:acme.client:Storing nonce: 0102njHbCg2_TIEUT4xD0qT4DGg9zlsmNiiXwk7gTwu5zIE
2021-09-15 12:47:03,712:DEBUG:acme.client:JWS payload:
b''
2021-09-15 12:47:03,712:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/31279893700:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMjAxOTIyNzQwIiwgIm5vbmNlIjogIjAxMDJuakhiQ2cyX1RJRVVUNHhEMHFUNERHZzl6bHNtTmlpWHdrN2dUd3U1eklFIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8zMTI3OTg5MzcwMCJ9",
  "signature": "o2VlbuCNsRWJBEqgDggJyklgxpbHsTcdhbtubhtOUbPVk-lVRo1kZgfu70bYgjxnBnTSvfotwm6-8cZvoIwafQbSWt_WUrba-BtY-FMGphwCPbWdXKslJLXzWNy52ICbQ-Csjq9E8CdyFr-vgPPr0MCDWEDvWg8p3cNYihJi88b19sIZ6MzUmiCW9gYr7sWfBgr96fFot1uGpvxCaLvjyfJBS5YjVmXXTTKFh9DpLrwa_YeaRTIe09pB5g1DaYJCnkeo3islmDMoXpnZeYFMZaBbobt1X-g_ikILTIjEjCLlxVEVgC3Zo1WqJRQgft1n7z0V-TlDXcXnFd9khjOcqw",
  "payload": ""
}
2021-09-15 12:47:03,953:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/31279893700 HTTP/1.1" 200 1054
2021-09-15 12:47:03,953:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 15 Sep 2021 16:47:03 GMT
Content-Type: application/json
Content-Length: 1054
Connection: keep-alive
Boulder-Requester: 201922740
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0102dn9HVV-hDuVRce-enXcZm1lSSPgEt-QfaulKEhFSniY
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "www.falconsoil.net"
  },
  "status": "invalid",
  "expires": "2021-09-22T16:46:52Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "Fetching http://www.falconsoil.net/.well-known/acme-challenge/dr0ydjGdwkVQpT02abQrre_H6EMEo-MT6X_kV2LXOLE: Timeout during connect (likely firewall problem)",
        "status": 400
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/31279893700/j1r44w",
      "token": "dr0ydjGdwkVQpT02abQrre_H6EMEo-MT6X_kV2LXOLE",
      "validationRecord": [
        {
          "url": "http://www.falconsoil.net/.well-known/acme-challenge/dr0ydjGdwkVQpT02abQrre_H6EMEo-MT6X_kV2LXOLE",
          "hostname": "www.falconsoil.net",
          "port": "80",
          "addressesResolved": [
            "40.122.43.230"
          ],
          "addressUsed": "40.122.43.230"
        }
      ],
      "validated": "2021-09-15T16:46:53Z"
    }
  ]
}
2021-09-15 12:47:03,953:DEBUG:acme.client:Storing nonce: 0102dn9HVV-hDuVRce-enXcZm1lSSPgEt-QfaulKEhFSniY
2021-09-15 12:47:03,953:INFO:certbot._internal.auth_handler:Challenge failed for domain www.falconsoil.net
2021-09-15 12:47:03,953:INFO:certbot._internal.auth_handler:http-01 challenge for www.falconsoil.net
2021-09-15 12:47:03,953:DEBUG:certbot._internal.display.obj:Notifying user: 
Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: www.falconsoil.net
  Type:   connection
  Detail: Fetching http://www.falconsoil.net/.well-known/acme-challenge/dr0ydjGdwkVQpT02abQrre_H6EMEo-MT6X_kV2LXOLE: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

2021-09-15 12:47:03,953:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "C:\Certbot\pkgs\certbot\_internal\auth_handler.py", line 90, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "C:\Certbot\pkgs\certbot\_internal\auth_handler.py", line 178, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2021-09-15 12:47:03,969:DEBUG:certbot._internal.error_handler:Calling registered functions
2021-09-15 12:47:03,969:INFO:certbot._internal.auth_handler:Cleaning up challenges
2021-09-15 12:47:03,969:DEBUG:certbot._internal.plugins.standalone:Stopping server at :::80...
2021-09-15 12:47:03,969:DEBUG:certbot._internal.plugins.standalone:Stopping server at 0.0.0.0:80...
2021-09-15 12:47:04,546:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "runpy.py", line 194, in _run_module_as_main
  File "runpy.py", line 87, in _run_code
  File "C:\Certbot\bin\certbot.exe\__main__.py", line 29, in <module>
    sys.exit(main())
  File "C:\Certbot\pkgs\certbot\main.py", line 15, in main
    return internal_main.main(cli_args)
  File "C:\Certbot\pkgs\certbot\_internal\main.py", line 1572, in main
    return config.func(config, plugins)
  File "C:\Certbot\pkgs\certbot\_internal\main.py", line 1432, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "C:\Certbot\pkgs\certbot\_internal\main.py", line 133, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "C:\Certbot\pkgs\certbot\_internal\client.py", line 454, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "C:\Certbot\pkgs\certbot\_internal\client.py", line 384, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "C:\Certbot\pkgs\certbot\_internal\client.py", line 434, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "C:\Certbot\pkgs\certbot\_internal\auth_handler.py", line 90, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "C:\Certbot\pkgs\certbot\_internal\auth_handler.py", line 178, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2021-09-15 12:47:04,546:ERROR:certbot._internal.log:Some challenges have failed.
Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: www.falconsoil.net
  Type:   connection
  Detail: Fetching http://www.falconsoil.net/.well-known/acme-challenge/dr0ydjGdwkVQpT02abQrre_H6EMEo-MT6X_kV2LXOLE: Timeout during connect (likely firewall problem)
Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Timeout during connect (likely firewall problem)
Are you 100% certain that port 80 reaches your server?

Intraweb has its own Let's Encrypt certificate manager, you should probably just use that: IntraWeb Certificate Manager | Atozed Software

The key thing with http validation is you must have something listening on port 80 that can handle the incoming validation request (and know what file to serve). If running certbot you'd need to ensure it's running as administrator in order to be able to allocate a listener on port 80 (that's a restriction on Windows) and you can only do so if nothing else is using the port (IIS, Intraweb etc).

You could also just contact IntraWeb support, since you're paying for that.

1 Like

It was able to bind (and unbind):

2021-09-15 12:46:53,279:DEBUG:acme.standalone:Successfully bound to :80 using IPv6
2021-09-15 12:46:53,294:DEBUG:acme.standalone:Successfully bound to :80 using IPv4

2021-09-15 12:47:03,969:DEBUG:certbot._internal.plugins.standalone:Stopping server at :::80...
2021-09-15 12:47:03,969:DEBUG:certbot._internal.plugins.standalone:Stopping server at 0.0.0.0:80...

Your account is in the Administrators group or a specific ACL has been set for your account, or you're a leet hacker.

Actually @rhowitt I've just tried the IntraWeb Certificate Manager myself and it appears to be a manual renewal, so stick with certbot or any other Windows ACME tool (there are several).

1 Like

Btw, I can confirm your TCP port 80 is not open or has no listener, but 443 is OK. Test http access to your site from outside your own network and don't use any geographic IP filtering.

1 Like

It turns out that even though I had defined a rule in the VM's firewall to open port 80, it was not working. I deleted the port 80 rule and recreated it and that solved the problem.

Thanks for the quick replies to my issue.

2 Likes

Yeah, sometimes you need a reboot with Windows Firewall as well, it's not always reliable after changes.

1 Like
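
The diagnosis reached in this thread (certbot's standalone listener bound to port 80, yet the CA timed out connecting) can be read straight out of the debug log. The following is an added example, not part of the original posts or of certbot; the function names, verdict labels and sample log (documentation domain and IP, placeholder token) are constructed for illustration.

```python
import json
import re

# Constructed excerpt in the format of the certbot debug log posted in this
# thread (documentation domain/IP and a placeholder token, not real values).
SAMPLE_LOG = '''\
2021-09-15 12:46:53,279:DEBUG:acme.standalone:Successfully bound to :80 using IPv6
2021-09-15 12:46:53,294:DEBUG:acme.standalone:Successfully bound to :80 using IPv4
2021-09-15 12:47:03,953:DEBUG:acme.client:Received response:
HTTP 200
Content-Type: application/json

{
  "identifier": {"type": "dns", "value": "www.example.com"},
  "status": "invalid",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "Fetching http://www.example.com/.well-known/acme-challenge/TOKEN: Timeout during connect (likely firewall problem)",
        "status": 400
      },
      "validationRecord": [
        {"hostname": "www.example.com", "port": "80",
         "addressesResolved": ["203.0.113.10"], "addressUsed": "203.0.113.10"}
      ]
    }
  ]
}
2021-09-15 12:47:03,969:DEBUG:certbot._internal.plugins.standalone:Stopping server at 0.0.0.0:80...
'''

BIND_RE = re.compile(r"acme\.standalone:Successfully bound to \S*:(\d+) using IPv[46]")
OBJ_START_RE = re.compile(r"^\{", re.M)


def iter_json_objects(text):
    """Yield each JSON document that starts with '{' at the beginning of a line."""
    decoder = json.JSONDecoder()
    pos = 0
    while True:
        match = OBJ_START_RE.search(text, pos)
        if match is None:
            return
        try:
            obj, pos = decoder.raw_decode(text, match.start())
        except json.JSONDecodeError:
            pos = match.end()  # a brace that is not JSON; keep scanning
            continue
        yield obj


def classify(error_type, detail, listener_bound):
    """Map the CA's error plus local bind evidence to a triage verdict."""
    if error_type.endswith(":connection") and "Timeout" in detail:
        # Listener up locally but the CA never connected: traffic is dropped
        # on the path (cloud rule, host firewall rule) or DNS points elsewhere.
        return "filtered-before-listener" if listener_bound else "no-listener-or-filtered"
    return "not-a-connect-timeout"


def triage(log_text):
    """Return one finding per failed challenge in invalid authorizations."""
    bound_ports = {int(p) for p in BIND_RE.findall(log_text)}
    findings = []
    for obj in iter_json_objects(log_text):
        if not isinstance(obj, dict) or obj.get("status") != "invalid":
            continue
        for challenge in obj.get("challenges", []):
            error = challenge.get("error")
            if not error:
                continue
            records = challenge.get("validationRecord") or [{}]
            last = records[-1]  # final hop the CA tried to reach
            port = int(last.get("port") or 80)
            findings.append({
                "domain": obj.get("identifier", {}).get("value"),
                "challenge": challenge.get("type"),
                "address": last.get("addressUsed"),
                "port": port,
                "listener_bound": port in bound_ports,
                "verdict": classify(error.get("type", ""), error.get("detail", ""),
                                    port in bound_ports),
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The `address` field is the IP the CA actually connected to, so it is the address to test from outside your own network, as suggested in the replies.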