Certbot For Windows Bind To Port 80 Winerror (10013)

These are the actual error messages. Everything else derives from them.

Yes, you have discovered that there is no good reason to be using certbot on Windows. Windows is a second class citizen, kinda.

@9peppe

That's why I use Windows: because it is the dominant OS being used worldwide. It's just that web servers seem to be geared for Unix-type systems, but otherwise most computers in the world are running Windows, or at least they were the last time I looked up statistics on it. The email server I use is a Windows platform server. A good number of email servers are Unix/Linux based, but this email server is Windows based, which makes it very useful for many users, and it has a very user-friendly user interface. Unlike most email servers, which are broken up into separate IMAP, POP3 and SMTP servers, this email server combines them all into one server, which makes it much simpler to use and maintain.

But I tend to agree with you that Certbot for Windows leaves something to be desired. And I have appreciated your input about this issue.

I thought I might have found the problem when you stated that DNS-01 used Port 53 because I didn't have that Port open or Forwarded but that didn't fix the problem.

Port 53 -- on your authoritative nameservers.

And you always choose the challenge type! It's one or the other, not all at once.

Servers go to Linux because it's easier, it has more performance and it's a lot less expensive. Windows... It's for office and gaming, infrastructure not so much.

Those are confusing/conflicting statements.

Is there a website at that IP or not?

@rg305

There are no websites for the IP Address of those Domains.

Then what is listening on port 80?
[ I see openresty on both IPs ]

curl -Ii http://jbstech[.]com/              <<<<<<<<<< TYPO - MY BAD
HTTP/1.1 200 OK
Server: openresty
Date: Wed, 25 Jan 2023 19:00:17 GMT
Content-Type: text/html
Content-Length: 2826
Last-Modified: Mon, 23 Jan 2023 23:54:30 GMT
ETag: "63cf1e36-b0a"
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJRmzcpTevQqkWn6dJuX/N/Hxl7YxbOwy8+73ijqYSQEN+WGxrruAKtZtliWC86+ewQ0msW1W8psOFL/b00zWqsCAwEAAQ_Qp8MtBJC4xv8LNR9J9mXrfntdsjsow9e+zCtOkXEIFuv4BtbY7YbBiIOyCZ9e5Mr5qLhTyozlRBolnG5Pi2+FA
Cache-Control: no-cache
X-Content-Type-Options: nosniff
Set-Cookie: caf_ipaddr=MYIP;Path=/;Max-Age=86400;
Set-Cookie: country=US;Path=/;Max-Age=86400;
Set-Cookie: city="Hollywood";Path=/;Max-Age=86400;
Set-Cookie: expiry_partner=;Path=/;Max-Age=86400;
Accept-Ranges: bytes
Via: 1.1 google
curl -Ii http://mail.jbstech[.]com/              <<<<<<<<<< TYPO - MY BAD
HTTP/1.1 200 OK
Server: openresty
Date: Wed, 25 Jan 2023 19:00:21 GMT
Content-Type: text/html
Content-Length: 2826
Last-Modified: Mon, 23 Jan 2023 23:54:26 GMT
ETag: "63cf1e32-b0a"
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJRmzcpTevQqkWn6dJuX/N/Hxl7YxbOwy8+73ijqYSQEN+WGxrruAKtZtliWC86+ewQ0msW1W8psOFL/b00zWqsCAwEAAQ_cd3ieHOBurONA2G74ra174uvLVqOZdcz2+ev1b4peoG1ZWfc6/5ycOzboeqisxAVEPbl3/Mcxw2bilR+IPsa5A
Cache-Control: no-cache
X-Content-Type-Options: nosniff
Set-Cookie: caf_ipaddr=MYIP;Path=/;Max-Age=86400;
Set-Cookie: country=US;Path=/;Max-Age=86400;
Set-Cookie: city="Hollywood";Path=/;Max-Age=86400;
Set-Cookie: expiry_partner=;Path=/;Max-Age=86400;
Accept-Ranges: bytes
Via: 1.1 google

And why are you trying to get a cert for names that resolve to different IPs [different locations]?

Name:    mail.jbsbtech.com
Address: 99.47.170.145

Name:    jbsbtech.com
Address: 34.102.136.180

Which IP are you running certbot at?

Here is what the online tool https://dnsspy.io/ is showing

https://dnsspy.io/scan/jbsbtech.com

And this is what I get from my location with nmap

$ nmap jbsbtech.com
Starting Nmap 7.91 ( https://nmap.org ) at 2023-01-25 11:09 PST
Nmap scan report for jbsbtech.com (34.102.136.180)
Host is up (0.013s latency).
rDNS record for 34.102.136.180: 180.136.102.34.bc.googleusercontent.com
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 5.16 seconds
$ nmap mail.jbsbtech.com
Starting Nmap 7.91 ( https://nmap.org ) at 2023-01-25 11:10 PST
Nmap scan report for mail.jbsbtech.com (99.47.170.145)
Host is up (0.12s latency).
Not shown: 998 filtered ports
PORT     STATE SERVICE
995/tcp  open  pop3s
1443/tcp open  ies-lm

Nmap done: 1 IP address (1 host up) scanned in 23.26 seconds
And I am presently seeing this with curl

$ curl -Ii http://jbsbtech.com/
HTTP/1.1 200 OK
Server: openresty
Date: Wed, 25 Jan 2023 19:22:23 GMT
Content-Type: text/html
Content-Length: 2826
Last-Modified: Mon, 23 Jan 2023 23:54:50 GMT
ETag: "63cf1e4a-b0a"
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJRmzcpTevQqkWn6dJuX/N/Hxl7YxbOwy8+73ijqYSQEN+WGxrruAKtZtliWC86+ewQ0msW1W8psOFL/b00zWqsCAwEAAQ_b+r+JuczS426Vs+ruU42hPbWTuceBcrYEJ+vHV+BdFCRo+C0SzkS0qGWKa7VRIYeo5lFSfvDA+LgN/u7Eo/HRg
Cache-Control: no-cache
X-Content-Type-Options: nosniff
Set-Cookie: system=PW;Path=/;Max-Age=86400;
Set-Cookie: country=US;Path=/;Max-Age=86400;
Set-Cookie: traffic_target=gd;Path=/;Max-Age=86400;
Accept-Ranges: bytes
Via: 1.1 google
$ curl -Ii http://mail.jbsbtech.com/
HTTP/1.1 404 Not Found
Content-Length: 315
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Wed, 25 Jan 2023 19:22:51 GMT
Connection: close

I am assuming that mail.jbsbtech.com is the Windows machine where Certbot is being run.

Who manages the OpenResty service?

@rg305

I added jbsbtech.com for possible website usage at future date.

Name:    mail.jbsbtech.com
Address: 99.47.170.145

The above is the IP Address of the Local Network which is running my Email Server.

As far as what may be listening on Port 80, the process of Certbot for Windows with --standalone Plugin is to 'spin up a temporary webserver' for Certbot to use to process the CSR request. I believe this temporary webserver listens on Port 80.

In addition I have run Certbot just requesting a Certificate for mail.jbsbtech.com domain only and I get the same error results with just this mail.jbsbtech.com domain only.

Something is on Port 80

$ curl -Ii http://mail.jbsbtech.com/
HTTP/1.1 404 Not Found
Content-Length: 315
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Wed, 25 Jan 2023 20:20:08 GMT
Connection: close
$ nmap -Pn mail.jbsbtech.com
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2023-01-25 12:19 PST
Nmap scan report for mail.jbsbtech.com (99.47.170.145)
Host is up (0.13s latency).
Not shown: 995 filtered ports
PORT     STATE SERVICE
80/tcp   open  http
110/tcp  open  pop3
995/tcp  open  pop3s
1443/tcp open  ies-lm
5555/tcp open  freeciv

Nmap done: 1 IP address (1 host up) scanned in 72.64 seconds
@Bruce5051

I have predefined A Records for all my Static IP Addresses should I make use of these additional Static IP Addresses. At the moment, I am concentrating on just getting one of my subdomains working for the Email Server. As I've indicated earlier, I had Let's Encrypt Certificates which were produced by my Linux OS Synology NAS Server DSM Certificate Request Utility before the NAS hardware failure, which caused me to resort to Certbot.

Also see my prior reply to RG305 which explains what may be listening on Port 80.

And yes certbot is running on machine for mail.jbsbtech.com.

Please follow the packet.
From the Internet...
What device [router] has the IP 99.47.170.145?
Does it NAT/port forward?
[to where?]

I have done further attempts at Certbot for Windows for wildcard domains and I'm seeing indications in the logs that indicate it cannot handle this type of request, yet the web page for Certbot for Windows indicates it now has this capability. Given that Certbot for Windows appears to still be identified as a Beta version utility, I believe this further demonstrates my belief that Certbot for Windows is not really ready for production release and is really not in a state I would expect Beta versions to be in. It is looking like from the Log entries that Certbot for Windows doesn't handle challenges over DNS, and a challenge for DNS-01 is a part of Certbot for Windows as shown in the Log Entries.

Hi Jim,

If certbot can't bind to port 80 when running as administrator from an elevated command prompt then something else is using that port, whether it's something you installed or not. Note that "Microsoft-HTTPAPI/2.0" is the default server header for http.sys, which is the built-in Windows kernel HTTP request handler; this narrows down the type of service that's listening.

The good news (for one of your domains) is that http.sys supports HTTP pipeline sharing, so tools specifically built for Windows such as win-acme or Certify The Web can still register their challenge response handlers without interrupting whatever service is using that port. Certbot does not support http.sys pipeline sharing because it uses its own socket-based listener instead of registering an http.sys listener. As an aside, you are using the new 64-bit version of Certbot and the instructions are generally referring to the older 32-bit edition.

As already mentioned though, it's difficult to use http validation when your two domains point to different IP addresses, in which case if you really want to combine the two domains into one cert then I would suggest using DNS validation instead or get each certificate on each machine (corresponding to the IPs). Certify the Web (which I develop) has built in support for GoDaddy as a DNS provider, if that's who is hosting your DNS.

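An added diagnostic for the situation described in the reply above (not code from the thread, from Certbot or from Certify The Web): it lists which process owns TCP port 80 and whether http.sys has URL reservations on that port, which is what a "Server: Microsoft-HTTPAPI/2.0" response together with WinError 10013 on a plain socket bind points to. The function name and the $Port parameter are my own; run it from an elevated PowerShell prompt on the machine where certbot fails.

```powershell
# Added example: find what owns a TCP port on Windows and whether http.sys holds it.
# Not part of the original thread or of any tool it mentions.
function Get-PortOwner {
    param([int]$Port = 80)   # assumed parameter; 80 is the HTTP-01 port certbot needs

    # 1. Sockets in LISTEN state on the port, mapped to the owning process.
    #    A listener owned by PID 4 ("System") is the kernel, i.e. http.sys.
    $listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    if (-not $listeners) {
        Write-Host "No socket is listening on TCP $Port."
    }
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        Write-Host ("{0,-24} pid={1,-6} {2}" -f "$($l.LocalAddress):$($l.LocalPort)",
                    $l.OwningProcess, $proc.ProcessName)
    }

    # 2. http.sys URL reservations that include this port. Any entry here means a
    #    user-mode HTTP API service can receive requests on the port even though no
    #    ordinary process shows a socket of its own, and a plain bind() gets WSAEACCES.
    Write-Host "`nhttp.sys URL reservations on port ${Port}:"
    netsh http show urlacl | Select-String -Pattern ":$Port/" -Context 0,2

    # 3. Active http.sys request queues: shows which services are actually registered
    #    right now (not just reserved), with the URL groups they serve.
    Write-Host "`nActive http.sys request queues:"
    netsh http show servicestate view=requestq verbose=no
}

Get-PortOwner -Port 80
```

If step 1 shows PID 4 or step 2 shows a reservation, stopping or reconfiguring that Windows service (or using a tool that registers with http.sys instead of binding a raw socket) is the fix; changing router port forwards will not help, because the conflict is local to the host.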
@webprofusion

First let me say I am much of a novice when it comes to setting up Certificate Requests and websites. In this case I am not trying to set up a website but rather just get the Certificate to use in my Email Server. My failed Synology NAS DSM application had a Certificate Utility which would get these Certificates for use on the NAS which I could also export for use in my Email Server.

Thanks for your response, but I already determined Certbot for Windows documentation was not matching reality as shown in the Log Entries. The installer is 64-bit and installs Certbot in C:\Program Files where it belongs, but Documentation indicates it goes in C:\Program Files (x86), which is for 32-bit applications. Logs show seemingly that it uses challenges for http-01, dns-01, and tls-alpn-01.

As I stated earlier, I have uninstalled IIS so that is not a webserver which is running. I have also run Certbot for Windows with the 'standalone' option. I ran Certbot for Windows for only the domain mail.jbsbtech.com so there is only one Domain IP Address to set up with a Certificate.

Certbot for Windows seems to fail right after the Challenges. See the Log Entries:
2023-01-25 11:49:26,444:DEBUG:acme.client:Storing nonce: 1DFAfCpnyGp0KXao41ZHaIeBrmP28D12wsfGFn7LBLSdpRs
2023-01-25 11:49:26,446:INFO:certbot._internal.auth_handler:Performing the following challenges:
2023-01-25 11:49:26,447:INFO:certbot._internal.auth_handler:http-01 challenge for mail.jbsbtech.com
2023-01-25 11:49:26,448:DEBUG:acme.standalone:Failed to bind to :80 using IPv6
2023-01-25 11:49:26,449:DEBUG:acme.standalone:Failed to bind to :80 using IPv4
2023-01-25 11:49:26,458:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File "C:\Program Files\Certbot\pkgs\certbot_internal\plugins\standalone.py", line 79, in run
servers = acme_standalone.HTTP01DualNetworkedServers(
File "C:\Program Files\Certbot\pkgs\acme\standalone.py", line 219, in init
super().init(HTTP01Server, *args, **kwargs)
File "C:\Program Files\Certbot\pkgs\acme\standalone.py", line 122, in init
raise last_socket_err
File "C:\Program Files\Certbot\pkgs\acme\standalone.py", line 97, in init
server = ServerClass(*new_args, **kwargs)
File "C:\Program Files\Certbot\pkgs\acme\standalone.py", line 209, in init
super().init(
File "C:\Program Files\Certbot\pkgs\acme\standalone.py", line 201, in init
super().init(*args, **kwargs)
File "socketserver.py", line 452, in init
File "http\server.py", line 136, in server_bind
File "socketserver.py", line 466, in server_bind
OSError: [WinError 10013] An attempt was made to access a socket in a way forbidden by its access permissions

I have tried using WIN-ACME Simple and it isn't simple to use, at least on a Windows machine. The instructions for use with it to get the desired end result are not performable, such as entering command line options. To possibly enter the necessary parameters to end up with at least a .PEM file and ideally an Elliptic Curve Key file requires me to know Java, meaning how to set up the .JSON settings file, for which I don't exactly have any example, as the .JSON file the utility used was all default so I couldn't get a sense of the format to use for the necessary values. So while I successfully created a Let's Encrypt Certificate with Win-ACME Simple (WACS.exe), it was a useless Certificate because I needed a .PEM Certificate, which it is capable of producing if I knew how to enter the settings correctly in the .JSON file. Certbot for Windows does look like it would produce the .PEM file at least, as I could see what looked like it was in the process of doing so in the Log Entries. I'm now going to have to Revoke the Win-ACME Certificate so I can create a .PEM Certificate when I'm able to get a successful creation of one.

@rg305

The Device (Router) is the device that IP 99.47.170.145 points to. This Router does have NAT, but I Port Forward ports 80 and 443 to the Fixed LAN IP of the computer which runs my Email Server and also is running Certbot for Windows to create the Certificate. I Port Forward Port 443 also to this Windows computer because Certbot for Windows will use Port 443, I believe, to deliver the Certificate to the Windows Computer for manual installation. Certbot for Windows does not install the Certificate but delivers it to a Folder on the Windows computer where I would have to manually install the Certificate where I wanted to, which is what I had to do with my Synology NAS that failed as well, for installing in my Email Server on the Windows Computer running the Email Server.

Please don't do that [for such a reason].

You really should look at Certify the Web. It is a popular gui and well-suited for novices as you describe yourself.
See the link in the Let's Encrypt list below
