Certbot HTTP Challenge Not Passing - Web Server Not Listening on Port 80


#1

Please fill out the fields below so we can help you better.

My domain is:
rudy.tech, www.rudy.tech

I ran this command:
letsencrypt certonly --dry-run --webroot -w /var/www/letsencrypt -d www.rudy.tech -d rudy.tech

It produced this output:

Failed authorization procedure. rudy.tech (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to rudy.tech, www.rudy.tech (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to www.rudy.tech

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: rudy.tech
   Type:   connection
   Detail: Could not connect to rudy.tech

   Domain: www.rudy.tech
   Type:   connection
   Detail: Could not connect to www.rudy.tech

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

My operating system is (include version):
Ubuntu 16.04.2 LTS (Raspberry Pi)

My web server is (include version):
nginx version: nginx/1.11.5
built by gcc 5.4.0 20160609 (Ubuntu/Linaro 5.4.0-6ubuntu1~16.04.2)
built with OpenSSL 1.0.2g 1 Mar 2016
TLS SNI support enabled

My hosting provider, if applicable, is:
Self hosted on my pi from home

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

letsencrypt.log copied into pastebin: https://pastebin.com/4np8XD60
(cant upload file, new user)

The setup has been working fine for the last 6 months but it fails to update now, not sure whats wrong, nothing has changed on my end.

Is it possible that letsencrypt cant reach my site? The sire is fully accessible www.rudy.tech

The cert is going to expire in 4 days :frowning:

Thanks in advance


#2

hi @cyberjar09

I think the challenge is with timeouts to your site

I tried rudy.tech and www.rudy.tech and was not able to connect to either

HTTPS versions of your sites seem to work so I am going to narrow it down to a server config not listening on HTTP port (80).

I can confirm only port 443 is listening

Andrei


#3

Thanks for the response @ahaw021
Something in the report does not add up:

  1. Google chrome is able to access the site but Firefox cant
  2. when I ran nmap I can see port 80 is open
nmap -T4 -F rudy.tech

Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-01 10:43 +08
Nmap scan report for rudy.tech (132.147.78.3)
Host is up (0.0033s latency).
rDNS record for 132.147.78.3: fnet3-f78-access.vqbn.com.sg
Not shown: 98 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 1.92 seconds

this is baffling.

edit: apologise for the code block not showing the line breaks correctly, can’t seem to get the breaks so I also uploaded the output to pastebin: https://pastebin.com/Bw9ZYVfK


#4

not really

review your firewalls and anything else that may be blocking connections

Andrei


#5

@ahaw021 thats odd… is it possible my ISP is doing something funky with port 80 traffic?


#6

My router ports are forwarded… not sure what the problem could be.
What would be the next steps of diagnosis?

DNS entry?
Router ?
Nginx config ?
???


edit: Im quite confused. I even validated my DNS entries in namecheap:

Type Host Value TTL
A Record @ 132.147.78.3 Automatic
A Record cloud 132.147.78.3 Automatic
A Record gitlab 132.147.78.3 Automatic
A Record www 132.147.78.3 Automatic

I also installed new version of certbot (I was using letsencrypt 0.4.1 before that) but there was not difference.


edit2: I added a test file in the acme-chalenge dir which I am able to access
http://132.147.78.3/.well-known/acme-challenge/test

but I found a post https://serverfault.com/questions/826572/error-installing-letsencrypt-ssl-http-01-urnacmeerrorconnection-the-se which led me to http://isup.me/ and the findings are in line with what @ahaw021 found in zenmap i.e., the site is apparently not reachable from an external network which leads me to believe that there is some issue WRT my ISP.

spent too much time digging in here not sure if I should invest any more or just move the damn site to something like Digital Ocean… Sigh!


#7

can you update your DNS records?

If so use the DNS Challenge.

looks like someone is blocking things

http://isup.me/rudy.tech

Andrei


#8

@ahaw021 update the DNS records to what? I pasted my existing DNS entries below for reference:
Type Host Value TTL A Record @ 132.147.78.3 Automatic A Record cloud 132.147.78.3 Automatic A Record gitlab 132.147.78.3 Automatic A Record www 132.147.78.3 Automatic


#9

search DNS challenge on this forum and there are plenty of articles on how to pass it.

Youtube or google otherwise :smiley:

Andrei


#10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.