Certbot failed to authenticate some domains

I get the following error when I try to renew my cert for nitrozeus.site

bs@bookstack:~$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/nitrozeus.site.conf


Simulating renewal of an existing certificate for nitrozeus.site

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: nitrozeus.site
Type: connection
Detail: 94.130.164.204: Fetching http://nitrozeus.site/.well-known/acme-challenge/RFLcuGHgfMGrmYpgnjG48eDxrEsDoiPR1OsZkJxyrwI: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Failed to renew certificate nitrozeus.site with error: Some challenges have failed.


All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/nitrozeus.site/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

I'm running Ubuntu 22.04 Live-server amd64

I'm running a pfSense firewall, where HTTP/HTTPS/SSH is allowed to the server

Best Practice - Keep Port 80 Open

Using https://letsdebug.net/ with HTTP-01 Challenge Type result Let's Debug

2 Likes
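The hint in the Certbot output and the letsdebug link both come down to the same question: can an outside client resolve the name, complete a TCP handshake on port 80 and fetch the challenge URL? The script below is an added example (not from the original thread, and not Certbot's own code) that runs those checks in the order the CA does and classifies the port result the way nmap reports it, so a "filtered" on 80 next to an "open" on 443 points at the firewall or NAT rather than at the web server. The host name, token and port values are assumptions for illustration, and the built-in local server only exists so the script can demonstrate itself offline.

```python
"""Reachability checks for an HTTP-01 renewal failure.

Added example, not from the original thread or from Certbot. It repeats what
the CA does: resolve the name, open TCP 80, and GET
/.well-known/acme-challenge/<token>. Host, token and ports are assumptions.
"""
import http.client
import socket
import sys
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

ACME_PATH = "/.well-known/acme-challenge/"


def tcp_connect(host, port, timeout=5.0):
    """Attempt a TCP handshake and name the outcome the way nmap would."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        # No SYN-ACK and no RST: something upstream drops the packets.
        return "filtered"
    except ConnectionRefusedError:
        # The host answered with RST: reachable, but nothing is listening.
        return "closed"
    except OSError as exc:
        return f"error: {exc}"


def fetch_challenge(host, token, port=80, timeout=5.0):
    """GET the challenge URL and return (status, body); raises OSError on failure."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", ACME_PATH + token, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace")
    finally:
        conn.close()


def diagnose(host, token, http_port=80, https_port=443, timeout=5.0):
    """Run the checks in CA order and stop at the first one that fails."""
    report = {}
    try:
        report["dns"] = sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})
    except socket.gaierror as exc:
        report["dns"] = f"failed: {exc}"
        return report
    report["tcp443"] = tcp_connect(host, https_port, timeout)
    report["tcp80"] = tcp_connect(host, http_port, timeout)
    if report["tcp80"] != "open":
        # 443 open but 80 filtered is a NAT/firewall problem, not a Certbot one.
        report["verdict"] = "port 80 not reachable; check port-forward/firewall before retrying"
        return report
    try:
        status, body = fetch_challenge(host, token, http_port, timeout)
    except OSError as exc:
        report["verdict"] = f"port 80 open but HTTP request failed: {exc}"
        return report
    report["http"] = status
    # A real key authorization is "<token>.<account thumbprint>", so only the prefix is checked.
    report["verdict"] = ("challenge served" if status == 200 and body.startswith(token)
                         else f"unexpected response {status}; check vhost/redirects")
    return report


class _TokenHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the real web server: serves exactly one token."""
    token = "constructed-token"

    def do_GET(self):
        if self.path == ACME_PATH + self.token:
            body = (self.token + ".thumbprint-placeholder").encode()
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_error(404)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_local_server(token):
    """Start a throwaway HTTP server on 127.0.0.1; returns (server, port)."""
    _TokenHandler.token = token
    srv = HTTPServer(("127.0.0.1", 0), _TokenHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: python check_http01.py <hostname> <token>  (assumed file name)
        print(diagnose(sys.argv[1], sys.argv[2]))
    else:
        srv, port = start_local_server("constructed-token")
        print(diagnose("127.0.0.1", "constructed-token", http_port=port, https_port=port))
        srv.shutdown()
        srv.server_close()
```

Run it from a machine outside the network in question (the thread's suggestion of a phone with Wi-Fi off is the same idea) with the host name and the token from the Certbot log; run it with no arguments and it exercises itself against the local stand-in server. A "filtered" result on 80 with "open" on 443 reproduces the nmap picture later in the thread and means the fix is in the port-forward or firewall rule, not in Certbot or Apache.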

Well that makes sense, but the port is open, it makes no sense. I just tried simulating my other domain which is running something else, and I get the same error, so I don't know what happened :open_mouth:


You can see my rule here from pfSense; Bookstack is an alias for the internal IP address, which is correct.

You can try connecting directly with your Cellphone with Wi-Fi off, so as to not be on your local network, and see if you can connect.

2 Likes

And here is a view from around the world Check website performance and response: Check host - online website monitoring

1 Like

Not sure what you mean; the physical server is located off site (not in my home). The physical server runs ESXi with virtual machines: first pfSense, the firewall, and then Bookstack under it, where the HTTP port is forwarded to Bookstack.

OK; thanks! :slight_smile:

1 Like

Can you see that with a web browser from your home?

1 Like


this is a picture from the home network

So you cannot access Port 80 also.

3 Likes

I assume yeah :sweat:
Do you have anything I can check? I assume it's a firewall issue, I just cannot see where the error is. I have not made any changes since I made the certificate 3 months ago.

Is the web server service running? (I assume likely YES!, but got to check)

2 Likes

Ofc xD you can try and access nitrozeus.site it is online

I cannot

$ nmap nitrozeus.site
Starting Nmap 7.80 ( https://nmap.org ) at 2022-11-15 20:30 UTC
Nmap scan report for nitrozeus.site (94.130.164.204)
Host is up (0.17s latency).
rDNS record for 94.130.164.204: static.204.164.130.94.clients.your-server.de
Not shown: 999 filtered ports
PORT    STATE SERVICE
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 12.84 seconds

$ curl -I http://nitrozeus.site/.well-known/acme-challenge/RFLcuGHgfMGrmYpgnjG48eDxrEsDoiPR1OsZkJxyrwI
^C
$

Nor can Check website performance and response: Check host - online website monitoring

2 Likes

Did your ISP start blocking HTTP?
Do you have any other software running that might be able to block services or geo-location block?

5 Likes

From my perspective Port 80 is NOT open:

PORT    STATE SERVICE
443/tcp open  https

Simple scan.. Need to fix this.

5 Likes

You guys have any idea where to start? I have pfSense as firewall, where port 80 is open and forwarded to Bookstack, where I need the certificate; it's a VM running Ubuntu v. 22 which I have updated.
DNS is set up correctly, and the CFS firewall is disabled on the system; I have checked that.

Have you checked whether the Hetzner firewall is enabled?

How do you SSH into the instance? Port 22 doesn't seem open either.

4 Likes

I concur with _AZ and others who have pointed to inaccessible important ports.

IMHO this leads me to suspect a misconfiguration in your pfSense firewall. (Out of scope for this forum, BTW.)

Are you using port forwarding per se, or 1:1 NAT?

PORT     STATE    SERVICE
22/tcp   filtered ssh
80/tcp   filtered http
443/tcp  open     https

If you are using Port Forwarding you MUST use an "alias" for the destination ports that includes the desired ports:
Configuration Info can be found in Netgate Docs:
https://docs.netgate.com/pfsense/en/latest/nat/port-forwards.html

If you are using 1:1 Mapping:

NAT 1:1 Mappings

Interface   External IP       Internal IP    Destination IP   Description
WAN         123.456.789.112   10.10.10.110   *                MAIL - MAIL

Configuration Info can be found in Netgate Docs:
https://docs.netgate.com/pfsense/en/latest/nat/1-1.html

Hope this helps!

5 Likes

Presently

$ nmap nitrozeus.site
Starting Nmap 7.80 ( https://nmap.org ) at 2022-11-19 17:23 UTC
Nmap scan report for nitrozeus.site (94.130.164.204)
Host is up (0.17s latency).
rDNS record for 94.130.164.204: static.204.164.130.94.clients.your-server.de
Not shown: 999 filtered ports
PORT    STATE SERVICE
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 12.81 seconds
2 Likes