Certbot failes to authentication

Help
21

What do you mean and how would I explain it to you guys?
"If you really want help, start by drawing out the entire system and then test as much of it as possible."

22

I've messed around too much... Do I need to forward 443 as well? I did but then removed it..

23

I don't know your specific system, but usually one might have:

  • a server [maybe within a docker container]
  • a switch
  • a router

[other potential obstacles]

And one should test connectivity through each piece of that path (wherever possible).

7 Likes
24

443 seems to be forwarded - it responds (but speaks HTTP not HTTPS)
Check that external 443 goes to your server 443 [not also to 80]

If 443 goes to 443, then we simply need to enable TLS (SSL) on port 443.

7 Likes
25

That should read:
Server: Apache/2.2.15 (CentOS)

That said, do you know how to execute commands within a docker image?
If not, you need to go learn that first.
If so, then execute this and show the output:
certbot certificates
apachectl -t -D DUMP_VHOSTS

6 Likes
26

Thank you so much. I will try this after work. :slight_smile:

1 Like
27

Used the console in portainer:

root@55293ab1bc54:/# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

No certificates found.

root@55293ab1bc54:/# apachectl -t -D DUMP_VHOSTS
bash: apachectl: command not found

28

I am using the linuxserver/swag container. Seems that curl reaches some other server??
SWAG - Secure Web Application Gateway (formerly known as letsencrypt, no relation to Let's Encrypt™) sets up an Nginx webserver and reverse proxy with php support and a built-in certbot client that automates free SSL server certificate generation and renewal processes (Let's Encrypt and ZeroSSL). It also contains fail2ban for intrusion prevention.

29

This is from the nginx.conf in the cointainer..

Enables the specified protocols. Default is TLSv1 TLSv1.1 TLSv1.2.
# TIP: If you're not obligated to support ancient clients, remove TLSv1.1.
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;

...but that shouldn't(?) matter since:

"The validation is performed when the container is started for the first time.
Nginx won't be up until ssl certs are successfully generated."
https://docs.linuxserver.io/general/swag
30

You might consider turning off fail2ban until you get your issue sorted out.

9 Likes
31

Don't know how but can look into it...

The more i think about it, I think that this could be something with my isp...
iotserver.st point to 94.254.0.48 and not 178.174.175.127 which is my actual ip... I still somehow end up on my webserver when I enter iotserver.st..
Can someone explain that? Does it have something to do with different kinds(?) of dns records?

32

There's definitely something to discuss with your ISP.

Analysis:

  1. You have inconsistent SOA records.

  2. DNS zone nameservers are not consistent because they're returning differing SOA records.

  3. Nameserver addresses should have reverse names

  4. According to RFC 1912, having reverse DNS configuration in place for every nameserver is a best practice that maximizes the chances of correct DNS operation.

  5. Further, some anti-spam techniques use reverse name resolution to allow traffic.

  6. Nameserver A and AAAA records should have matching reverse records

  7. According to RFC 1912, nameserver's PTR records must match their A and AAAA records to ensure maximum interoperability.

11 Likes
33 
systemctl stop fail2ban
9 Likes
34

I sent an email asking why the tcptrace ip dont match my ip but i can still reach my web server...
I guess ill provide your list if there's more questions..
Sadly, their support wont answer until Monday (since this is a commercial domain included with my internet).

35

It's included in a docker container. I googled and found that i have to exclude it from the container to get rid of it... Duno' if your wiser?

36

I'll try my best...
Docker (container: swag) on Ubuntu 20.04
Unmanaged switches
Router: Unifi Security Gateway with Unifi Controller on the same server.
Domain name from my isp.

Could there be anything else? :wink:

Edit: I forgot to acknowledge the phone joke... I chuckled :stuck_out_tongue_winking_eye:

1 Like
37

I just received a reply. Guess I will go with duckdns or buy another domain instead.

"Your domain is a free domain, so you do not get full access to everything. Your domain is currently pointing to a web space(?), so that's why you may have some problems, but you can still access the domain."

Thank you so much guys for helping out!

2 Likes
38

Bought a cheap domain. Set it up with cloudflare. Got everything working with swag and letsencrypt now. Tomorrow I will continue with fail2ban. :slight_smile:

Can I donate a symoblic sum to @rg305 and @rip for the help?

2 Likes
39

Yes, if you open my "avatar" you can see what I prefer.
Hint: It start with :beer: and ends with :beer: - LOL

Actually you have to click it twice then the expand button - to see the whole entry

9 Likes
40

Thanks for the :beer:
I will drink it in your honor.
Cheers :slight_smile:

10 Likes