Certbot Fails to fetch endpoints to verify the temporary nginx configuration changes made by certbot

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: monosodium.net / l.monosodium.net / m.monosodium.net

I ran this command: sudo certbot --nginx

It produced this output:

Renewing an existing certificate for monosodium.net and 2 more domains
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:

Domain: l.monosodium.net Type: connection Detail: 93.209.199.69: Fetching http://l.monosodium.net/.well-known/acme-challenge/Ik4pkbzsZFN5pAZq9typ8gXmObUwe6IAkEb18TdjVQ0: Timeout during connect (likely firewall problem)

Domain: monosodium.net Type: connection Detail: 93.209.205.220: Fetching http://monosodium.net/.well-known/acme-challenge/PrMTm_jyyt_eq745X0yOIviFWkztgKuROv7NnAdiF5I: Timeout during connect (likely firewall problem)

Domain: m.monosodium.net Type: connection Detail: 93.209.199.69: Fetching http://m.monosodium.net/.well-known/acme-challenge/FlnOfaN1Bh3DQUJVscI1bOThEu4pUZaqptsWMkJXjSA: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet. Some challenges have failed.

My web server is (include version): NodeJS 20.12.1 / nginx/1.22.1

The operating system my web server runs on is (include version): Debian GNU/Linux 12 (bookworm) aarch64

My hosting provider, if applicable, is: Telekom DE

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.10.0

I followed this tutorial here: Configure Node.js to Use Port 80 / 443 | by Adarsh Dayanand | Medium
to point the 3 domains to my Node server. This has worked in the past, but for some reason it no longer does...

The HTTP Challenge that you are using needs the Let's Encrypt Server to reach your domain using HTTP on port 80. That query is failing (timing out).

I cannot reach your domain using HTTP or HTTPS. It seems entirely offline.

SSL Labs cannot reach it (HTTPS). And the Let's Debug test site fails too (HTTP). You need to resolve your connectivity to the public internet. You could try reaching your domain using a mobile phone with wifi disabled, so you use your carrier's network. I think you will time out the same.

https://www.ssllabs.com/ssltest/analyze.html?d=monosodium.net&hideResults=on

4 Likes

I see, I resolved the issue: I disabled my DNS to see if that helped but forgot to turn it back on ._.
It should be re-enabled!

Can you access your domain from outside your local network? (like mobile phone with wifi disabled)

Because I still cannot and neither can the Let's Debug website. You should review your settings especially for port 80 and run Let's Debug yourself. Once that works you could try getting a cert again.

I see you got a new IP address. I'm guessing you have a dynamic DNS service which is what you meant by turning it back on. That alone hasn't been enough to provide connection to the public internet.

6 Likes

Hi @Furo,

It looks like Port 80 is filtered (i.e. blocked) and not accessible from the public Internet.
As @MikeMcQ pointed out, Port 80 needs to be reachable. Best Practice - Keep Port 80 Open

The HTTP-01 challenge of the Challenge Types - Let's Encrypt states:
"The HTTP-01 challenge can only be done on port 80."

Also Port 443 is closed.

$ nmap -Pn -p80,443 monosodium.net
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-26 11:40 PDT
Nmap scan report for monosodium.net (93.209.199.69)
Host is up (0.18s latency).
rDNS record for 93.209.199.69: p5dd1c745.dip0.t-ipconnect.de

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp closed   https

Nmap done: 1 IP address (1 host up) scanned in 3.39 seconds
$ nmap -Pn -p80,443 l.monosodium.net
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-26 11:40 PDT
Nmap scan report for l.monosodium.net (93.209.199.69)
Host is up (0.18s latency).
rDNS record for 93.209.199.69: p5dd1c745.dip0.t-ipconnect.de

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp closed   https

Nmap done: 1 IP address (1 host up) scanned in 2.83 seconds
$ nmap -Pn -p80,443 m.monosodium.net
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-26 11:40 PDT
Nmap scan report for m.monosodium.net (93.209.199.69)
Host is up (0.18s latency).
rDNS record for 93.209.199.69: p5dd1c745.dip0.t-ipconnect.de

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp closed   https

Nmap done: 1 IP address (1 host up) scanned in 2.90 seconds
1 Like
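The nmap output above distinguishes "filtered" (TCP 80 dropped, no answer at all, which is what certbot reported as "Timeout during connect") from "closed" (TCP 443 answered with a reset, so the host is reachable but nothing is listening). The following pre-flight checker, an added example and not part of certbot or this thread, makes the same distinction per domain before `certbot --nginx` is run; the `simulated_connect` stand-in, the `*.example` names and the `HINTS` wording are constructed so the script runs offline.

```python
"""Pre-flight check for the HTTP-01 challenge: can port 80 be reached at all?
The CA connects to each domain on TCP 80 and fetches /.well-known/acme-challenge/<token>;
certbot's "Timeout during connect" means no SYN-ACK ever came back from that address."""
import socket
from contextlib import nullcontext
from dataclasses import dataclass

@dataclass
class PortResult:
    host: str
    state: str   # nmap-style: "open", "closed", "filtered", "unresolved" or "error"
    detail: str

def classify_connect_error(exc: OSError) -> str:
    """Map a failed TCP connect to the port state nmap would print."""
    if isinstance(exc, socket.timeout):          # no SYN-ACK and no RST: packets dropped
        return "filtered"                        # -> firewall or missing router port forward
    if isinstance(exc, ConnectionRefusedError):  # RST came back: host up, nothing listening
        return "closed"
    if isinstance(exc, socket.gaierror):         # name did not resolve (e.g. stale dynamic DNS)
        return "unresolved"
    return "error"

def check_port80(host, timeout=5.0, connect=socket.create_connection) -> PortResult:
    """TCP-connect to host:80; `connect` is injectable so the check can run offline."""
    try:
        with connect((host, 80), timeout=timeout):
            return PortResult(host, "open", "TCP handshake completed")
    except OSError as exc:
        return PortResult(host, classify_connect_error(exc), str(exc))

HINTS = {"filtered": "timeout during connect: forward/allow TCP 80 on the router or firewall",
         "closed": "connection refused: nothing is listening on port 80 on the host",
         "unresolved": "DNS lookup failed: check the (dynamic) DNS record",
         "error": "unexpected socket error, see detail"}

def http01_blockers(domains, connect=socket.create_connection) -> dict:
    """Return {domain: explanation} for every domain whose port 80 is not open."""
    results = [check_port80(d, connect=connect) for d in domains]
    return {r.host: f"{r.state}: {HINTS[r.state]}" for r in results if r.state != "open"}

# Constructed stand-in for socket.create_connection so the example runs offline:
# one name is dropped by a router (filtered), one refuses (closed), the rest connect.
_SIMULATED = {"filtered.example": socket.timeout("timed out"),
              "closed.example": ConnectionRefusedError(111, "Connection refused")}

def simulated_connect(address, timeout=None):
    if address[0] in _SIMULATED:
        raise _SIMULATED[address[0]]
    return nullcontext()
```

Against real domains, call `http01_blockers(["monosodium.net", "l.monosodium.net", "m.monosodium.net"])` with the default connector from a host outside the local network, since a check from inside the router would not exercise the port forward.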

@Bruce5051 and @MikeMcQ

You two are correct, I just reviewed my router configuration and as it turns out, only port 443 is forwarded. I have updated the setting to also forward 80 now.

2 Likes

Good. I see Let's Debug comms test works.

I don't see your nginx server responding to HTTPS requests on port 443 yet. Did you get a cert?

Do you need help with anything else?

4 Likes

I have yet to get a cert, I'll update you when I do!

@MikeMcQ Certificated and works flawlessly as before! Thank you very much for your support!
You too @Bruce5051! Appreciate it lots! :+1:

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.