Certbot failing and claiming a firewall issue

Help
1

I update Ubuntu a couple of days ago and started getting invalid certificate error when tying to get to my site. I cannot figure out what the issue. My firewall is configured correctly, Apache config test return ok, I am at a loss.

Please fill out the fields below, so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.dosstroop.com

I ran this command: sudo certbot

It produced this output:

HTTP 200
Server: nginx
Date: Wed, 11 Oct 2023 23:00:21 GMT
Content-Type: application/json
Content-Length: 1069
Connection: keep-alive
Boulder-Requester: 1230318826
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: IAvmRRVVoaPpbVpxmUK_rbNiSn_dy88c6WSn_oRgDD5Ta8CajuY
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "www.dosstroop.com"
  },
  "status": "invalid",
  "expires": "2023-10-18T23:00:07Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "205.201.88.159: Fetching http://www.dosstroop.com/.well-known/acme-challenge/-hifhMx1fEUGy7yfDehpHoX5xTc0ybEgow0S262crJU: Timeout during connect (likely firewall problem)",
        "status": 400
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/272968741546/BfmeCA",
      "token": "-hifhMx1fEUGy7yfDehpHoX5xTc0ybEgow0S262crJU",
      "validationRecord": [
        {
          "url": "http://www.dosstroop.com/.well-known/acme-challenge/-hifhMx1fEUGy7yfDehpHoX5xTc0ybEgow0S262crJU",
          "hostname": "www.dosstroop.com",
          "port": "80",
          "addressesResolved": [
            "205.201.88.159"
          ],
          "addressUsed": "205.201.88.159"
        }
      ],
      "validated": "2023-10-11T23:00:10Z"
    }
  ]
}
2023-10-11 18:00:21,409:DEBUG:acme.client:Storing nonce: IAvmRRVVoaPpbVpxmUK_rbNiSn_dy88c6WSn_oRgDD5Ta8CajuY
2023-10-11 18:00:21,409:INFO:certbot._internal.auth_handler:Challenge failed for domain dosstroop.com
2023-10-11 18:00:21,409:INFO:certbot._internal.auth_handler:Challenge failed for domain www.dosstroop.com
2023-10-11 18:00:21,409:INFO:certbot._internal.auth_handler:http-01 challenge for dosstroop.com
2023-10-11 18:00:21,409:INFO:certbot._internal.auth_handler:http-01 challenge for www.dosstroop.com
2023-10-11 18:00:21,409:DEBUG:certbot._internal.display.obj:Notifying user: 
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: dosstroop.com
  Type:   connection
  Detail: 205.201.88.159: Fetching http://dosstroop.com/.well-known/acme-challenge/wyCqPBtDe-PmNpEfSxxYzbJnQGEIvEganh7E9cUlpMs: Timeout during connect (likely firewall problem)

  Domain: www.dosstroop.com
  Type:   connection
  Detail: 205.201.88.159: Fetching http://www.dosstroop.com/.well-known/acme-challenge/-hifhMx1fEUGy7yfDehpHoX5xTc0ybEgow0S262crJU: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

My web server is (include version): Apache 2.4

The operating system my web server runs on is (include version):
Ubuntu 22.04
My hosting provider, if applicable, is:
Virtual Box
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.21.0

2

Welcome @bdoss

Something is blocking port 80 so the HTTP challenge cannot reach your server. I don't see port 443 open either. Did you have HTTPS working on that port before?

I see port 22 open but no others.

Did you try connecting from outside your own network? Like a mobile phone with wifi disabled? Because it doesn't look like it would work.

The Let's Debug test site is helpful to test changes as you make them. I couldn't reach you from my own test server either.

https://letsdebug.net

2 Likes
3

Thank you so much. You are correct. I am looking into this. When I figure it out, I will post the resolution. I may ask more questions in a few minutes!

2 Likes
4

Still hammering at this

Here is my firewall config

To                         Action      From
--                         ------      ----
Apache Full                ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443                        ALLOW       Anywhere
OpenSSH                    ALLOW       Anywhere
80                         ALLOW       Anywhere
Apache                     ALLOW       Anywhere
Apache Full (v6)           ALLOW       Anywhere (v6)
22/tcp (v6)                ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)
OpenSSH (v6)               ALLOW       Anywhere (v6)
80 (v6)                    ALLOW       Anywhere (v6)
Apache (v6)                ALLOW       Anywhere (v6)

When I use curl I get this response

*   Trying 205.201.88.159:80...
* Connected to www.dosstroop.com (205.201.88.159) port 80 (#0)
> GET / HTTP/1.1
> Host: www.dosstroop.com
> User-Agent: curl/7.81.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< Server: micro_httpd
< Cache-Control: no-cache; max-age=0; no-store
< Expires: Thu Jan  1 00:00:00 1970 GMT
< Date: Thu, 12 Oct 2023 03:11:27 GMT
< Content-Type: text/html; charset=utf-8
< Set-Cookie: SESSIONID=7b96dd391f3fa64e44c604abae397e8d; Path=/; Max-Age=600; HttpOnly
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: deny
< Connection: close

Does this mean the apache is not answering this request or that it is declining the request for whatever reason?

2 Likes
5

Where did you do that curl request from?

2 Likes
6

ssh terminal

7

On that same server?

2 Likes
8

correct

9

That is a bad test.
You need to test it as we all would - from the Internet.

3 Likes
10

Is it possible my isp started blocking port 80. Checking this angle now.

1 Like
11

That exactly what was wrong. It seems ok because port 443, and 22 were still open. Thank you for your help guys!

2 Likes
12

Glad at least 443 is working now. It was not open earlier when I only saw port 22.

Yes, your local network test was not reaching your Apache and was being rejected by whatever micro_httpd is. Maybe something like a router admin interface?

Without port 80 you have either DNS Challenge or TLS-ALPN which uses port 443 only.

Apache supports TLS-ALPN with the mod_md feature. It's quite easy to use. See more details below and then of course the Apache docs. I did one as a test a few months back and had it working inside like 10 minutes and that included reading mod_md docs.

I don't have time anymore tonite to post more but it is worth a look. Probably easier than automating a DNS Challenge.

2 Likes
13

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.