Certbot failed to authenticate some domains

Here Check report was removed: Check host - online website monitoring

However current Let's Debug shows
itflow.omahatechnology.net has an A (IPv4) record (129.146.55.75) but a request to this address over port 80 did not succeed.

@eskos Can you show this command result? (hopefully works on your system)

sudo  netstat -pant | grep ':80' | grep -i listen

If not, what about this:

sudo systemctl status apache

(might not need sudo; might be apache2 or httpd)

Unit apache.service could not be found.

That's more important :slight_smile: Maybe still propagating but the authoritative DNS servers show the right IP and google dig tool also (not surprising in this case). (could use unboundtest)

Yeah, it looks from the netstat that yours is apache2

From netstat we see apache is listening but we can't see it from the public internet. Something must be wrong in the outer comms routings. Or possibly a firewall blocking port 80 and 443

https://unboundtest.com/m/A/itflow.omahatechnology.net/J5PFN5FB shows
;; ANSWER SECTION:
itflow.omahatechnology.net. 0 IN A 129.146.55.75

Locally I see:

$ ping itflow.omahatechnology.net
PING itflow.omahatechnology.net (129.146.55.75): 56 data bytes
^C
--- itflow.omahatechnology.net ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
$ curl -Ii http://itflow.omahatechnology.net

curl: (7) Failed to connect to itflow.omahatechnology.net port 80 after 75057 ms: No route to host
$

To                   Action   From
OpenSSH              ALLOW    Anywhere
Apache Full          ALLOW    Anywhere
80                   ALLOW    Anywhere
443                  ALLOW    Anywhere
OpenSSH (v6)         ALLOW    Anywhere (v6)
Apache Full (v6)     ALLOW    Anywhere (v6)
80 (v6)              ALLOW    Anywhere (v6)
443 (v6)             ALLOW    Anywhere (v6)

That's your ufw on Ubuntu. Is there any firewall or port management in Oracle Cloud setup? I don't know that system well so can't be specific. But often cloud setups do have these options

We can reach you on port 22, just not port 80. Well, no one can reach you on port 80. From my own test server:

curl -i http://itflow.omahatechnology.net
curl: (7) Failed to connect to itflow.omahatechnology.net port 80 after 55 ms: No route to host

(using port 22 - not allowed as expected but at least got to you)
curl -i http://itflow.omahatechnology.net:22
curl: (1) Received HTTP/0.9 when not allowed

A port map test is another way to show it (filtered means blocked often by firewall)

nmap -p22,80,443 -Pn itflow.omahatechnology.net
Nmap scan report for itflow.omahatechnology.net (129.146.55.75)
PORT    STATE    SERVICE
22/tcp  open     ssh
80/tcp  filtered http
443/tcp filtered https
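
The open / filtered distinction used in the replies above (port 22 answers, ports 80 and 443 do not), as an added example that is not part of the original thread: a small Python check that maps TCP connect results to nmap-style states and interprets them for an HTTP-01 challenge. The function names, the errno grouping and the diagnosis wording are assumptions made for illustration; run it from a machine outside the server's network.

```python
import errno
import socket
import sys

# Constructed mapping: connect() errors grouped into nmap-style port states.
FILTERED = {errno.EHOSTUNREACH, errno.ENETUNREACH, errno.ETIMEDOUT}

def classify(err):
    """Translate a connect() errno into open / closed / filtered."""
    if err == 0:
        return "open"
    if err == errno.ECONNREFUSED:      # RST came back: host reachable, no listener
        return "closed"
    if err in FILTERED:                # ICMP unreachable or silence: blocked on the path
        return "filtered"
    return "error:" + errno.errorcode.get(err, str(err))

def probe(host, port, timeout=3.0):
    """Try one TCP connect and return the port state."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return classify(0)
    except socket.timeout:             # no answer at all within the timeout
        return classify(errno.ETIMEDOUT)
    except OSError as exc:             # includes "No route to host" (EHOSTUNREACH)
        return classify(exc.errno)

def diagnose(states):
    """Interpret {port: state} the way the thread does for an HTTP-01 challenge."""
    http = states.get(80)
    if http == "open":
        return "port 80 reachable: HTTP-01 validation can connect"
    if http == "closed":
        return "host reachable but nothing listens on port 80: check the web server"
    others_open = any(s == "open" for p, s in states.items() if p != 80)
    if http == "filtered" and others_open:
        return "host reachable but port 80 is blocked: check firewall or cloud ingress rules"
    return "port 80 unreachable and no other port answered: check routing, DNS or host state"

if __name__ == "__main__":
    # Usage: python3 portcheck.py your.domain.example
    host = sys.argv[1]
    states = {p: probe(host, p) for p in (22, 80, 443)}
    for p, s in states.items():
        print(f"{p}/tcp {s}")
    print(diagnose(states))
```

A "closed" result on port 80 points at the web server itself, while "filtered" with port 22 open points at something between the internet and the host, which is the case shown in this thread.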

I have it on the network as well

I get the same results as Mike.

$ nmap -p22,80,443 -Pn itflow.omahatechnology.net
Starting Nmap 7.80 ( https://nmap.org ) at 2022-11-05 17:52 UTC
Nmap scan report for itflow.omahatechnology.net (129.146.55.75)
Host is up (0.044s latency).

PORT    STATE    SERVICE
22/tcp  open     ssh
80/tcp  filtered http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 0.36 seconds

I don't know what else to say. You need a working HTTP server to be able to process an HTTP Challenge. What happens when you try to reach your domain in a browser from a machine not on that network? Like, even use a phone with wifi off so you are on provider network

Once that works then try this again

It keeps saying can't connect to site

Good. At least you can reproduce your connection problem. Now you just have to figure that out. Maybe a forum for your cloud service might help

Here are a couple of possible links to Google domain forums

  1. Google Workspace Admin Community
  2. Google Search Central Community

Do you think it would change any if I went back to using Cloudflare?

No. Mind, you can use Cloudflare just as DNS which will not help this at all. Or, you can use it for "proxy" which uses their CDN. The CDN Edge sits in between the client (like a browser) and your origin server. Setting up certs behind a CDN takes more care.

But, even using their CDN it needs to reach your server on port 80 or 443 (or both) and won't be able to either. You need to resolve your basic connectivity problem.

traceroute -n -T -p 22 129.146.55.75

 9  12.122.5.189  51.146 ms  52.591 ms  51.544 ms
10  12.122.28.114  52.015 ms  57.695 ms  57.601 ms
11  12.122.28.65  51.466 ms  67.737 ms  57.383 ms
12  12.123.206.249  52.222 ms  52.840 ms  52.858 ms
13  140.91.195.4  53.703 ms 140.91.195.7  52.654 ms 140.91.195.13  50.643 ms
14  * * *
15  * * *
16  * * *

What is 140.91.195.4?
