Certbot failed to authenticate riptide.monster domain

Hello, I am trying to register my riptide.monster Nextcloud server with Let's Encrypt. I populated my DNS A record, but it is not being accepted by Certbot. I spent a few hours trying to figure out what is causing it but can't seem to find the fault with it. Could someone help me with it please? Thanks, Viktor

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: riptide.monster

I ran this command: sudo certbot --apache

It produced this output: no valid A records found for riptide.monster; no valid AAAA records found for riptide.monster

My web server is (include version): apache2 (2.4.52-1ubuntu4.5)

The operating system my web server runs on is (include version): Ubuntu 22.04.02 LTS (GNU/Linux 5.15.0.73-generic x86_64)

My hosting provider, if applicable, is: Gandi.net

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Certbot 2.6.0

Let's Encrypt can find your A record but it is for a private IP address. The --apache plug-in uses the HTTP Challenge which requires HTTP access to your server across the public internet. See Let's Debug results (link here)

Either change the IP to your public IP or use the DNS Challenge

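The diagnosis above boils down to two preconditions for the HTTP-01 challenge: every A/AAAA record for the name must point at a globally routable address, and TCP port 80 on that address must be reachable from the public internet. The following pre-flight check is an added example written for this thread, not code from Certbot or Let's Encrypt; it uses only the Python standard library, and the `resolver` and `connector` parameters are hypothetical hooks so the logic can be exercised offline with constructed data.

```python
import ipaddress
import socket
from typing import Callable, Dict, List


def classify_address(addr: str) -> str:
    """Label an IP literal the way an ACME HTTP-01 validator would see it.

    Only 'global' addresses can be reached by the CA; private (RFC 1918 /
    ULA), loopback, link-local and reserved ranges cannot.
    """
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        return "private"
    if not ip.is_global:
        return "reserved"
    return "global"


def default_resolver(domain: str) -> List[str]:
    """Return the distinct A and AAAA addresses published for the domain."""
    infos = socket.getaddrinfo(domain, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def probe_port(host: str, port: int, timeout: float = 5.0,
               connector: Callable = socket.create_connection) -> str:
    """Attempt a TCP connect and translate the outcome into a short verdict.

    A timeout matches the 'Timeout during connect (likely firewall problem)'
    message the CA reports; a refusal means the host answered but nothing
    is listening on the port.
    """
    try:
        with connector((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout (likely firewall)"
    except ConnectionRefusedError:
        return "refused (nothing listening)"
    except OSError as exc:
        return f"error: {exc}"


def preflight(domain: str,
              resolver: Callable[[str], List[str]] = default_resolver,
              connector: Callable = socket.create_connection) -> Dict:
    """Check the two HTTP-01 preconditions and explain any failure."""
    addresses = resolver(domain)
    verdicts = {addr: classify_address(addr) for addr in addresses}
    non_global = [a for a, v in verdicts.items() if v != "global"]
    report = {"domain": domain, "addresses": verdicts,
              "http01_possible": False, "reason": ""}

    if not addresses:
        report["reason"] = "no A or AAAA records found"
        return report
    if non_global:
        # Certbot's --apache / --webroot plugins cannot work here; only the
        # DNS-01 challenge can succeed until the record is fixed.
        report["reason"] = ("records point at non-global addresses: "
                            + ", ".join(f"{a} ({verdicts[a]})" for a in non_global))
        return report

    # All records are public; now make sure port 80 is actually reachable.
    probes = {addr: probe_port(addr, 80, connector=connector) for addr in addresses}
    report["port80"] = probes
    blocked = [a for a, r in probes.items() if r != "open"]
    if blocked:
        report["reason"] = "port 80 unreachable: " + ", ".join(
            f"{a} -> {probes[a]}" for a in blocked)
        return report

    report["http01_possible"] = True
    report["reason"] = "records are public and port 80 answers"
    return report


if __name__ == "__main__":
    # Constructed sample: a private record like the one in the original post.
    print(preflight("example.invalid", resolver=lambda d: ["192.168.1.10"]))
```

Run it against a real name (for example `preflight("riptide.monster")`) from a machine outside your own network; running it from inside the LAN can report port 80 as open even when the router or firewall still blocks inbound connections from the internet, which is exactly the situation the nmap result later in this thread shows.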

More on Private network - Wikipedia
and using the online tool https://unboundtest.com/ yields these results
https://unboundtest.com/m/A/riptide.monster/4THEKL3L


unboundtest shows no IP because it is configured to ignore private IP addresses


And that is the point of showing it, to aid in demonstrating they are using a private IP address. :slight_smile:


I think showing "nothing" is not as effective as showing a regular dig/nslookup output.

See, the proof is right there!
" "


Right; but either way it shows the OP that any challenge other than the DNS-01 challenge cannot succeed. :beers:


The Let's Debug test I already linked to explains it all nicely


So I guess I should delete my post, correct?


Hi Mike, thanks a lot for your help. I have modified the A record to the public IP address 49.196.221.179. I might have to wait a bit, as when I tried to use Let's Encrypt I received the below error message:
"Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: riptide.monster
Type: connection
Detail: 49.196.221.179: Fetching http://riptide.monster/.well-known/acme-challenge/H_0noPEOb0rxHxI7WnT9bKWR0IyAV1Dz-i3-j95whIk: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet."
Thanks again for your and Bruce's help.


Presently your Ports 80 and 443 are not OPEN (likely a firewall).

$ nmap -Pn -p80,443 riptide.monster
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-05 13:15 PDT
Nmap scan report for riptide.monster (49.196.221.179)
Host is up.
rDNS record for 49.196.221.179: pa49-196-221-179.pa.vic.optusnet.com.au

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 3.86 seconds

Here is a list of issued certificates (1 presently) https://crt.sh/?q=riptide.monster, latest being 2023-06-05.


Hi Bruce, thanks a lot for your help. I will investigate the firewall issue. Cheers
