CERTBOT install - domain url no longer resolves, but ip addrees works (no cert)

My domain is:
gogolf.online AND registered with OpenSRS

I ran these commands to install CERTBOT:
All commands for a certbot install shown on:

It produced this output:
url for domain gogolf.online no longer resolves
static ip address: 35.84.158.243 resolves from any browser
Note:
IPv6: 2600:1f13:2d9:eb00:bf8b:3a9:ef56:4e41

My web server is (include version):
AWS Lightsail virtual server

The operating system my web server runs on is (include version):
Debian 10
Debian GNU/Linux 10 \n \l

My hosting provider, if applicable, is:
Hosted by AWS Lightsail

I can login to a root shell on my machine (yes or no, or I don't know):
YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
I installed from Lightsail and execute linux commands in an ssh connection from Lightsail. (Not a control panel as such)

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.21.0

sudo certbot renew --dry-run
all simulated renewals succeeded: :slight_smile:
But url golf.online no longer resloves
It resolved fine before my attempt to install CERTBOT
Note ip address 35.84.158.243 from browser fine (no ssl cert)

Thanks for your help :slight_smile: Ger

2 Likes

Please provide a screenshot that better describes and explains that problem.

3 Likes

"resolving" suggests a problem with the DNS, as the term "to resolve" is usually used in the context of "resolving a hostname using DNS".

However, there's nothing wrong with your DNS, so it's not a resolving issue.

The issue is that port 443 is blocked (used for HTTPS). Port 80 is working fine and is redirecting from HTTP to HTTPS. Please open up port 443 in your firewall and/or portmap port 443 correctly in any router present.

4 Likes

I assume this command will work:
sudo ufw allow 443

1 Like

If ufw actually is the problem: probably.

3 Likes

Thanks very much, I will give it go
I just did this:
https://www.sslshopper.com/ssl-checker.html#hostname=gogolf.online

I believe you are on the right track here

Ger

1 Like

ufw not found

1 Like

I now have ufw set up:

To Action From


443 ALLOW IN Anywhere
22/tcp ALLOW IN Anywhere
80 ALLOW IN Anywhere
443 (v6) ALLOW IN Anywhere (v6)
22/tcp (v6) ALLOW IN Anywhere (v6)
80 (v6) ALLOW IN Anywhere (v6)

$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/gogolf.online.conf


Simulating renewal of an existing certificate for gogolf.online


Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/gogolf.online/fullchain.pem (success)


BUT
I am not seeing a padlock on the url????

2 Likes

ssl checker gives me this:
|### No SSL certificates were found on gogolf.online. Make sure that the name resolves to the correct server and that the SSL port (default is 443) is open on your server's firewall.|

SHOULD I reinstall CERTBOT?

1 Like

No, certbot is not the issue here. Your certificate was issued fine. Your server is probably serving your site through HTTPS (port 443) fine, but the world wide web can't reach it.

You could try to see if HTTPS is working by running the following CURL command on your webserver:

curl -LI4 --resolve gogolf.online:443:127.0.0.1 https://gogolf.online

That command will always connect to localhost (127.0.0.1) so any firewall between your server and the internet shouldn't block it.

Also make sure AWS doesn't have a firewall set up. If I remember correctly, AWS Lightsail also has a firewall up by default.

4 Likes

As recommended, this is what I tried:
$ curl -LI4 --resolve gogolf.online:443:127.0.0.1 https://gogolf.onl
ine
HTTP/1.1 200 OK
Date: Mon, 06 Dec 2021 19:53:57 GMT
Server: Apache/2.4.38 (Debian)
Last-Modified: Sun, 05 Dec 2021 06:58:18 GMT
ETag: "29cd-5d260aa4238d5"
Accept-Ranges: bytes
Content-Length: 10701
Vary: Accept-Encoding
Content-Type: text/html

2 Likes

So that confirms your webserver is working fine on port 443/HTTPS. It's not a problem with your webserver or certbot or the certificate.

You should try to identify where requests on port 443 are being blocked from the world wide web and lift that block. Firewalls (all of them!), routers, that sort of things.

Note that this Community probably isn't the best place to ask help for generic networking issues such as blocking firewalls. We might be able to help, but it's rather out of the scope of this Community if you'd ask me.

5 Likes

I am thinking its time to file a case with Amazon Lightsail.
Thank you so much for all your help.!!!!!!
I appreciate it

Ger

2 Likes

Have you checked the AWS Lightsail firewall as I recommended earlier? See Instance firewalls in Amazon Lightsail | Lightsail Documentation for more info.

5 Likes

I have not yet looked at that.
I will take a look before I file a case
Thanks

3 Likes

Fixed!!!!!
I simply went into LightSail and added a rule for HTTPS for ipv6
HTTP was there but HTTPS was not

Wow!!!
It was so easy with your direction

2 Likes

Nice! I can see a perfectly secure Apache test page now :grinning_face_with_smiling_eyes:

5 Likes

Now I wonder if I will need to add a cron .... for renewals?
I need to Read the CERTBOT docs to confirm and test over time

2 Likes

I assume you've used snap as the method of installation, looking at the recent version of certbot you're using. Snap should automatically install a systemd timer.

You can check the logs at /var/log/letsencrypt/: it should add a log file twice a day, as certbot is intended to check if renewal is necessary twice a day. Most of the time it just checks, does nothing and exits. Only if renewal is actually necessary, it tries to renew (60 days in of the 90 days cert lifetime, or in other words: 30 days before expiry).

Also try renewal manually (to see if everything works, when the time comes) by running:

sudo certbot renew --dry-run

5 Likes

Yes, I did Snap.
It did say automatic.
Snap is new to me

Thanks very much for your help.
I'd be happy to give you a recommendation

Im now ready to write some code, thanks to you :slight_smile:

4 Likes