Certbot error on setup

Help
1

My domain is: uruz.gg

I ran this command: sudo certbot --apache

It produced this output:

root@Uruz:~# sudo certbot --apache

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?

We recommend selecting either all domains, or all domains in a VirtualHost/server block.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1: uruz.gg

2: launcher.uruzmu.com

3: test.uruzmu.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Select the appropriate numbers separated by commas and/or spaces, or leave input

blank to select all options shown (Enter 'c' to cancel): 1

Requesting a certificate for uruz.gg

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:

Domain: uruz.gg

Type: connection

Detail: 45.235.99.69: Fetching http://uruz.gg/.well-known/acme-challenge/V5wnKvDb0H30_7eYauv-WzzcMtio98ZWEe1LrDaBczE: Connection reset by peer

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Apache2

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.7.4

2

Tell whatever antiddos/flowproxy is to allow access to

http://uruz.gg/.well-known/acme-challenge/

and every file inside, from every IP address on the internet.

2 Likes
3

Hello, thanks for answering. I'm going to try this, are you sure this is the problem?

1 Like
4

The problem is some kind of firewall that's blocking access to that directory. If it's not this firewall, it's another one.

3 Likes
5

I try to access the URLs mentioned in the log and it does not exist. There is also nothing of the type .well-known in the files. Could this be a mistake?

6

If I try accessing programmatically I get the connection dropped, if I use a "human" browser I get some kind of challenge before actually seeing any content. That needs to go.

You need at the very least to whitelist that directory. It's a very big oversight for this software not to do so by default.

3 Likes
7

Thanks again for responding, I'll do my best to remove this.

1 Like
8

I already did this and I'm still having the same problem.

9

Uhm. It should work now.

~
❯ curl -IL http://uruz.gg/.well-known/acme-challenge/AAA
HTTP/1.1 404 Not Found
Date: Sun, 12 Nov 2023 14:53:22 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Type: text/html; charset=iso-8859-1
2 Likes
10

Maybe not. My first request from a fresh IP got "reset by peer". A second request right after worked.

curl -i http://uruz.gg/.well-known/acme-challenge/Test404
curl: (56) Recv failure: Connection reset by peer

curl -i http://uruz.gg/.well-known/acme-challenge/Test404
HTTP/1.1 404 Not Found
Date: Sun, 12 Nov 2023 14:58:47 GMT
Server: Apache/2.4.52 (Ubuntu)

Let's Debug still fails

3 Likes
11

Hello how are you? How can i solve this?

12

I don't know if it's important to mention, but there is no directory called ".well-known". Attached image

image
image921×38 2.96 KB

13

Certbot will create one as needed and remove it after.

I was expecting to see a 404 Not Found response which is fine. But the "reset by peer" response is wrong and is preventing Let's Encrypt from validating your domain name. I don't have any good suggestions. We have seen similar patterns before but never got a good answer how to fix.

Who is your ISP or hosting service? You may need to ask them why requests are being denied by "reset by peer". This even happens if I use curl for your "home" page so it is not unique to the ACME challenge

# Just now this fails
curl -i http://uruz.gg
curl: (56) Recv failure: Connection reset by peer

# Tried immediately after and it got through
curl -i http://uruz.gg
HTTP/1.1 200 OK
2 Likes
14

Thank you again for responding, I am going to contact my hosting with all this information so they can help me.

My hosting is inetgaming.com.ar

I am using a dedicated server with Apache that I configured myself, I have a contracted machine at that company.

3 Likes
15

Thanks to everyone who helped me, I was able to solve it. I send you a big greeting.

@MikeMcQ @9peppe

3 Likes
16

This makes me think that you aren't asking for a cert that can cover all the names in the vhost found.
What shows?:
sudo apachectl -t -D DUMP_VHOSTS

1 Like
17

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.