Certbot failed to authenticate some domains

BatedWaif · February 26, 2023, 8:16pm

Hi, I just got my first domain and tried to get a certificate for it but I am getting the following error:

My domain is: liordev.online

I ran this command: sudo certbot --nginx -d liordev.online -d www.liordev.online

It produced this output: Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for liordev.online and www.liordev.online

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: liordev.online
Type: connection
Detail: 83.130.236.22: Fetching http://liordev.online/.well-known/acme-challenge/eNIoBKPZea_t0sCvO0ZHrJ_mxAeoumjIuaBRW6oIcy8: Timeout during connect (likely firewall problem)

Domain: www.liordev.online
Type: connection
Detail: 83.130.236.22: Fetching http://www.liordev.online/.well-known/acme-challenge/nyoJ1_VO2aF9aMpZs4xTCpa4umA2SBKn5ZDPjEgdG88: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx

The operating system my web server runs on is (include version): ubuntu server 22.04.02 LTS

My hosting provider, if applicable, is: Partner Communications

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.3.0

Osiris · February 26, 2023, 8:20pm

Your website at IP address 83.130.236.22 is unreachable from the public internet, using HTTP on port 80 as well as using HTTPS on port 443.

Please make sure your website is reachable when using the http-01 challenge (which is the only challenge the --nginx authenticator plugin can do).

Bruce5051 · February 26, 2023, 8:26pm

Supplemental here are (is) the only accessible (but closed) ports.

$ nmap -Pn liordev.online
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2023-02-26 12:22 PST
Nmap scan report for liordev.online (83.130.236.22)
Host is up (0.23s latency).
rDNS record for 83.130.236.22: IGLD-83-130-236-22.inter.net.il
Not shown: 999 filtered ports
PORT   STATE  SERVICE
22/tcp closed ssh

Nmap done: 1 IP address (1 host up) scanned in 27.58 seconds

As @Osiris said HTTP-01 challenge of the Challenge Types - Let's Encrypt
needs Port 80 open and accessible.
Best Practice - Keep Port 80 Open

And to assist with debugging there is a great place to start is Let's Debug.

BatedWaif · February 26, 2023, 8:38pm

@Bruce5051 @Osiris
Thank you for your help. I opened port 80 and port 443 before opening the server. This is my router configuration for port forwarding. source is my public IP and the destination is the private IP of my server.

I also opened port 80 and 443 in my ubuntu server. Did I miss anything?

Bruce5051 · February 26, 2023, 8:41pm

What about possibly the router's firewall?
Or possibly in a geographic location that has a Great Firewall?

Osiris · February 26, 2023, 8:42pm

Probably, but I don't know why. I just know everything on port 80 and 443 needs to be open, I'm afraid you're the only one who can do that. It might even be that your ISP is blocking access.

Bruce5051 · February 26, 2023, 8:44pm

Here are a couple of online tools to help check from a location(s) on the Internet (i.e. not your local LAN)

Bruce5051 · February 26, 2023, 8:52pm

Can you run one or both of theses and share the output?
curl https://ifconfig.co/
curl https://ifconfig.io/

BatedWaif · February 26, 2023, 8:56pm

@Bruce5051
I checked if my router has a firewall but could not find it so I am not sure about this. In IPVoid the public IP of the server shows that port 80 and 443 is "Filtered"
@Osiris
Well unless I need to put something else in the source IP I don't know if is there anything else I can open. This is my DNS settings in hostinger. Is there anything faulty here?

BatedWaif · February 26, 2023, 8:57pm

both show 83.130.236.22

Bruce5051 · February 26, 2023, 8:57pm

And that is what we've got to get corrected.

Osiris · February 26, 2023, 8:57pm

"Filtered" is the opposite of "open".

And no, unless you've entered the incorrect IP address, your DNS settings aren't the issue.

Bruce5051 · February 26, 2023, 8:58pm

Thank you; so we know we are dealing with the correct IPv4 Address.

BatedWaif · February 26, 2023, 9:00pm

@Bruce5051 @Osiris
So the problem lies in my ISP/router port forwarding settings/firewall?

Osiris · February 26, 2023, 9:01pm

Impossible to tell by us I'm afraid. Could be anywhere in your network or your ISPs.

BatedWaif · February 26, 2023, 9:06pm

Okay I understand I will check with my ISP tomorrow for a solution thanks again both of you for the help! have a good evening @Bruce5051 @Osiris

system · March 28, 2023, 9:06pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.