Certbot failing and claiming a firewall issue

bdoss · October 11, 2023, 11:10pm

I update Ubuntu a couple of days ago and started getting invalid certificate error when tying to get to my site. I cannot figure out what the issue. My firewall is configured correctly, Apache config test return ok, I am at a loss.

Please fill out the fields below, so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.dosstroop.com

I ran this command: sudo certbot

It produced this output:

HTTP 200
Server: nginx
Date: Wed, 11 Oct 2023 23:00:21 GMT
Content-Type: application/json
Content-Length: 1069
Connection: keep-alive
Boulder-Requester: 1230318826
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: IAvmRRVVoaPpbVpxmUK_rbNiSn_dy88c6WSn_oRgDD5Ta8CajuY
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "www.dosstroop.com"
  },
  "status": "invalid",
  "expires": "2023-10-18T23:00:07Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "205.201.88.159: Fetching http://www.dosstroop.com/.well-known/acme-challenge/-hifhMx1fEUGy7yfDehpHoX5xTc0ybEgow0S262crJU: Timeout during connect (likely firewall problem)",
        "status": 400
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/272968741546/BfmeCA",
      "token": "-hifhMx1fEUGy7yfDehpHoX5xTc0ybEgow0S262crJU",
      "validationRecord": [
        {
          "url": "http://www.dosstroop.com/.well-known/acme-challenge/-hifhMx1fEUGy7yfDehpHoX5xTc0ybEgow0S262crJU",
          "hostname": "www.dosstroop.com",
          "port": "80",
          "addressesResolved": [
            "205.201.88.159"
          ],
          "addressUsed": "205.201.88.159"
        }
      ],
      "validated": "2023-10-11T23:00:10Z"
    }
  ]
}
2023-10-11 18:00:21,409:DEBUG:acme.client:Storing nonce: IAvmRRVVoaPpbVpxmUK_rbNiSn_dy88c6WSn_oRgDD5Ta8CajuY
2023-10-11 18:00:21,409:INFO:certbot._internal.auth_handler:Challenge failed for domain dosstroop.com
2023-10-11 18:00:21,409:INFO:certbot._internal.auth_handler:Challenge failed for domain www.dosstroop.com
2023-10-11 18:00:21,409:INFO:certbot._internal.auth_handler:http-01 challenge for dosstroop.com
2023-10-11 18:00:21,409:INFO:certbot._internal.auth_handler:http-01 challenge for www.dosstroop.com
2023-10-11 18:00:21,409:DEBUG:certbot._internal.display.obj:Notifying user: 
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: dosstroop.com
  Type:   connection
  Detail: 205.201.88.159: Fetching http://dosstroop.com/.well-known/acme-challenge/wyCqPBtDe-PmNpEfSxxYzbJnQGEIvEganh7E9cUlpMs: Timeout during connect (likely firewall problem)

  Domain: www.dosstroop.com
  Type:   connection
  Detail: 205.201.88.159: Fetching http://www.dosstroop.com/.well-known/acme-challenge/-hifhMx1fEUGy7yfDehpHoX5xTc0ybEgow0S262crJU: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

My web server is (include version): Apache 2.4

The operating system my web server runs on is (include version):
Ubuntu 22.04
My hosting provider, if applicable, is:
Virtual Box
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.21.0

MikeMcQ · October 11, 2023, 11:35pm

Welcome @bdoss

Something is blocking port 80 so the HTTP challenge cannot reach your server. I don't see port 443 open either. Did you have HTTPS working on that port before?

I see port 22 open but no others.

Did you try connecting from outside your own network? Like a mobile phone with wifi disabled? Because it doesn't look like it would work.

The Let's Debug test site is helpful to test changes as you make them. I couldn't reach you from my own test server either.

https://letsdebug.net

bdoss · October 12, 2023, 12:41am

Thank you so much. You are correct. I am looking into this. When I figure it out, I will post the resolution. I may ask more questions in a few minutes!

bdoss · October 12, 2023, 3:13am

Still hammering at this

Here is my firewall config

To                         Action      From
--                         ------      ----
Apache Full                ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443                        ALLOW       Anywhere
OpenSSH                    ALLOW       Anywhere
80                         ALLOW       Anywhere
Apache                     ALLOW       Anywhere
Apache Full (v6)           ALLOW       Anywhere (v6)
22/tcp (v6)                ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)
OpenSSH (v6)               ALLOW       Anywhere (v6)
80 (v6)                    ALLOW       Anywhere (v6)
Apache (v6)                ALLOW       Anywhere (v6)

When I use curl I get this response

*   Trying 205.201.88.159:80...
* Connected to www.dosstroop.com (205.201.88.159) port 80 (#0)
> GET / HTTP/1.1
> Host: www.dosstroop.com
> User-Agent: curl/7.81.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< Server: micro_httpd
< Cache-Control: no-cache; max-age=0; no-store
< Expires: Thu Jan  1 00:00:00 1970 GMT
< Date: Thu, 12 Oct 2023 03:11:27 GMT
< Content-Type: text/html; charset=utf-8
< Set-Cookie: SESSIONID=7b96dd391f3fa64e44c604abae397e8d; Path=/; Max-Age=600; HttpOnly
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: deny
< Connection: close

Does this mean the apache is not answering this request or that it is declining the request for whatever reason?

rg305 · October 12, 2023, 3:21am

Where did you do that curl request from?

bdoss · October 12, 2023, 3:22am

ssh terminal

rg305 · October 12, 2023, 3:23am

On that same server?

bdoss · October 12, 2023, 3:24am

correct

rg305 · October 12, 2023, 3:24am

That is a bad test.
You need to test it as we all would - from the Internet.

bdoss · October 12, 2023, 3:30am

Is it possible my isp started blocking port 80. Checking this angle now.

bdoss · October 12, 2023, 3:40am

That exactly what was wrong. It seems ok because port 443, and 22 were still open. Thank you for your help guys!

MikeMcQ · October 12, 2023, 3:47am

Glad at least 443 is working now. It was not open earlier when I only saw port 22.

Yes, your local network test was not reaching your Apache and was being rejected by whatever micro_httpd is. Maybe something like a router admin interface?

Without port 80 you have either DNS Challenge or TLS-ALPN which uses port 443 only.

Apache supports TLS-ALPN with the mod_md feature. It's quite easy to use. See more details below and then of course the Apache docs. I did one as a test a few months back and had it working inside like 10 minutes and that included reading mod_md docs.

I don't have time anymore tonite to post more but it is worth a look. Probably easier than automating a DNS Challenge.

system · November 11, 2023, 3:48am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.