CertBot issues with Asus Router

I've been struggling to get SSL working on my NextCloud setup. It's running on docker, so it has Apache on an image. The issue appears to be that my Asus router is locking port 80, even when I have the Asus admin panel set to a custom HTTPS port. I can't seem to get Port 80 to go through to the machine, so CertBot keeps failing. I can get Port 81 routed, but that doesn't help CertBot. Any suggestions on how to get it working? Once I have the SSL it will still be a challenge because I'll have to figure out how to get it installed on the Apache server running in Docker.

My domain is: roguesquadron.duckdns.org

I ran this command: certbot certonly --standalone

It produced this output: Certbot failed to authenticate some domains (authenticator: standalone). Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

My web server is (include version): apache

The operating system my web server runs on is (include version): Apache in Docker, Windows 10 host

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine: not sure

The version of my client is 1.24.0


Have you confirmed that you can get traffic going to port 80 from the outside? Especially if this is on a residential connection, it's likely that the ISP is blocking the traffic.


If you cannot use port 80, you cannot use challenge http-01.

This leaves challenges tls-alpn-01 and dns-01.

Certbot does not support challenge tls-alpn-01, but other acme clients do.

Challenge dns-01 can be hard to automate, depending on who hosts the authoritative nameservers for your domain. (On duckdns, it's easy enough)


Hi @R0gue_One Welcome to the community!

From where I sit your domain and/or IP address are in a "black hole", so to speak.
My first guess is that:

@petercooperjr is probably correct. And you would at least need to speak with your uplink provider for verification.


I didn't consider the ISP, and now I feel silly. I assumed that since I couldn't get port 80 going it was consumed by my router, since it was using its built-in port. But yes, I have a residential connection, so I hadn't thought that the ISP is blocking it. It probably is, and I'll have to see what other methods I can pursue. Thanks for jogging me in that direction!


The IP that domain name currently points to is in a block owned by Cox Communications, and their web site specifically says that they block port 80 inbound on residential connections.

So, you need to use a different challenge type, which may involve changing which client your server uses. It looks (from that documentation page) that 443 isn't blocked (for now), meaning that a client supporting TLS-ALPN-01 could work for you, though certbot doesn't use that challenge type. Your best bet, though, is probably using DNS-01, though I don't know offhand if certbot has a plugin for automating the DNS updates with duckdns that you'd need to use.


There must be. The duckdns TXT API is literally a curl command not unlike the one to update the IP address. You might even write it entirely inside the certbot command line options.

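The reply above says the DuckDNS TXT API is just a curl call and that it could be wired straight into certbot. Here is that wiring written out as an added example (not code from the thread, from certbot, or from DuckDNS): a single POSIX shell script that acts as both the `--manual-auth-hook` and the `--manual-cleanup-hook` of a certbot DNS-01 run. It assumes the DuckDNS account token is passed in an environment variable named `DUCKDNS_TOKEN` (a name chosen here) rather than on the command line, so the token does not end up in process listings or shell history; the 30-second wait before the CA is told to look the record up is an assumed safety margin, not a documented DuckDNS figure. The original poster is on Windows, where the same two URLs would be issued from a .bat or PowerShell hook instead.

```shell
#!/bin/sh
# Added example, not code from the thread or from DuckDNS/certbot: one POSIX
# shell script that serves as both the --manual-auth-hook and the
# --manual-cleanup-hook for a certbot DNS-01 run against DuckDNS. It assumes
# the DuckDNS account token arrives in the environment variable DUCKDNS_TOKEN
# (a name chosen here) so that it never appears on the command line.
#
# Invocation (certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to hooks):
#   DUCKDNS_TOKEN=... certbot certonly --manual --preferred-challenges dns \
#     --manual-auth-hook    /path/duckdns-hook.sh \
#     --manual-cleanup-hook "/path/duckdns-hook.sh clear" \
#     -d roguesquadron.duckdns.org

set -u

DUCKDNS_API="https://www.duckdns.org/update"

# Map an ACME identifier to the DuckDNS subdomain that owns it:
#   roguesquadron.duckdns.org      -> roguesquadron
#   www.roguesquadron.duckdns.org  -> roguesquadron
# DuckDNS holds one TXT record per subdomain and serves it for
# _acme-challenge.<sub>.duckdns.org as well, so only the label directly
# under duckdns.org matters. Anything outside duckdns.org is refused, so a
# mistyped -d cannot make the hook touch a record it should not.
duckdns_subdomain() {
  name=${1%.duckdns.org}
  if [ "$name" = "$1" ] || [ -z "$name" ]; then
    echo "not a duckdns.org name: $1" >&2
    return 1
  fi
  echo "${name##*.}"
}

# Build the update URL. $1 = subdomain, $2 = token, $3 = TXT value; an empty
# value produces the clear=true form that deletes the record. certbot's
# validation strings are base64url (A-Z a-z 0-9 - _), so no URL-encoding is
# needed; anything outside that set is rejected rather than sent.
duckdns_update_url() {
  case "$3" in
    *[!A-Za-z0-9_-]*)
      echo "unexpected characters in TXT value" >&2
      return 1 ;;
  esac
  if [ -n "$3" ]; then
    echo "${DUCKDNS_API}?domains=$1&token=$2&txt=$3"
  else
    echo "${DUCKDNS_API}?domains=$1&token=$2&txt=&clear=true"
  fi
}

# Hook body: set or clear the record, then insist on DuckDNS's literal "OK"
# reply so a rejected token or name fails the certbot run instead of
# silently leaving the CA to query a record that was never written.
duckdns_hook() {
  : "${DUCKDNS_TOKEN:?set DUCKDNS_TOKEN in the environment}"
  sub=$(duckdns_subdomain "$CERTBOT_DOMAIN") || return 1
  if [ "${1:-}" = "clear" ]; then
    url=$(duckdns_update_url "$sub" "$DUCKDNS_TOKEN" "") || return 1
  else
    url=$(duckdns_update_url "$sub" "$DUCKDNS_TOKEN" "$CERTBOT_VALIDATION") || return 1
  fi
  resp=$(curl -fsS "$url") || return 1
  if [ "$resp" != "OK" ]; then
    echo "DuckDNS rejected the update: $resp" >&2
    return 1
  fi
  # Assumed safety margin before the CA looks the record up.
  [ "${1:-}" = "clear" ] || sleep 30
}

# Run only when certbot invoked us; otherwise just define the functions.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
  duckdns_hook "$@"
fi
```

The script refuses to run without the token, refuses names that are not under duckdns.org, and only ever sends the character set certbot actually produces; all three are the checks that turn a one-line curl into something safe to leave in a renewal cron job.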

Certbot itself does not have a DuckDNS plugin in their repository, but there is a third party plugin available. See the list of third party plugins here: User Guide — Certbot 1.24.0 documentation

That said, when using Windows, using those third party plugins can be a little bit of a hassle. I have written how I managed to install a different third party plugin on Windows here: How to install custom authenticator plugin on windows · Issue #9222 · certbot/certbot · GitHub But the DuckDNS plugin is probably different than that plugin, so that "how-to" might not work for you.


I've been trying to go through the Infomaniak / DuckDNS options but I admit I'm finding it confusing. I believe I have the plugin installed/available but I am now trying to understand how to get CertBot to use it.

I think I got the CertBot commands working, but it fails to find it. Anyone familiar with why?

Encountered exception during recovery: certbot.errors.PluginError: Domain not found
Domain not found

Could you post the entire log file/output?


2022-03-03 11:17:20,246:DEBUG:certbot._internal.error_handler:Calling registered functions
2022-03-03 11:17:20,246:INFO:certbot._internal.auth_handler:Cleaning up challenges
2022-03-03 11:17:20,246:DEBUG:certbot_dns_infomaniak.dns_infomaniak:del_txt_record roguesquadron.duckdns.org _acme-challenge.roguesquadron.duckdns.org soA1E7nAg4fe813_LERcTwbsm7dl34oMizOvMt04BYw
2022-03-03 11:17:20,246:DEBUG:certbot_dns_infomaniak.dns_infomaniak:GET https://api.infomaniak.com/1/product?service_name=domain&customer_name=roguesquadron.duckdns.org
2022-03-03 11:17:20,246:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.infomaniak.com:443
2022-03-03 11:17:21,002:DEBUG:urllib3.connectionpool:https://api.infomaniak.com:443 "GET /1/product?service_name=domain&customer_name=roguesquadron.duckdns.org HTTP/1.1" 200 30
2022-03-03 11:17:21,002:DEBUG:certbot_dns_infomaniak.dns_infomaniak:GET https://api.infomaniak.com/1/product?service_name=domain&customer_name=duckdns.org
2022-03-03 11:17:21,492:DEBUG:urllib3.connectionpool:https://api.infomaniak.com:443 "GET /1/product?service_name=domain&customer_name=duckdns.org HTTP/1.1" 200 30
2022-03-03 11:17:21,492:ERROR:certbot._internal.error_handler:Encountered exception during recovery: certbot.errors.PluginError: Domain not found
2022-03-03 11:17:21,492:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "runpy.py", line 197, in _run_module_as_main
  File "runpy.py", line 87, in _run_code
  File "C:\Program Files (x86)\Certbot\bin\certbot.exe\__main__.py", line 29, in <module>
    sys.exit(main())
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\main.py", line 19, in main
    return internal_main.main(cli_args)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\main.py", line 1679, in main
    return config.func(config, plugins)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\main.py", line 1538, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\main.py", line 139, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\client.py", line 513, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\client.py", line 441, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\client.py", line 493, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\auth_handler.py", line 86, in handle_authorizations
    resps = self.auth.perform(achalls)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\plugins\dns_common.py", line 76, in perform
    self._perform(domain, validation_domain_name, validation)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot_dns_infomaniak\dns_infomaniak.py", line 64, in _perform
    self._api_client().add_txt_record(decoded_domain, validation_name, validation)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot_dns_infomaniak\dns_infomaniak.py", line 213, in add_txt_record
    (domain_id, domain_name) = self._find_zone(domain)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot_dns_infomaniak\dns_infomaniak.py", line 202, in _find_zone
    raise errors.PluginError("Domain not found")
certbot.errors.PluginError: Domain not found
2022-03-03 11:17:21,492:ERROR:certbot._internal.log:Domain not found

I have no idea what infomaniak is. The duckdns API is documented here: Duck DNS - spec

And there are a couple plugins specifically for duckdns.


The developer of the plugin... Never mind that, that's infinityofspace. I also have no idea what that infomaniak thingy is.

Ah, I understand. @R0gue_One You've used my "how-to" on the GitHub issue literally, where I said that "how-to" was for a different plugin. You're now using a DNS plugin for the "infomaniak" DNS provider and not DuckDNS. When using the "how-to" I linked to, you should replace any reference to the infomaniak plugin with the DuckDNS plugin. And even then it might not work. This is pretty much uncharted territory.


Yeah, I'm thinking it won't work. Obviously this is all new territory for me. At this juncture, I'm really starting to speculate that I can't use CertBot in any form, and I'm not sure what my other options are. Sorry to have taken up people's time.

Have you tried it?

There are other ACME clients available for Windows.


I have been trying to get it working for hours. The DuckDNS information I found seemed to be how to update your IP to DuckDNS. I already have that going with their Windows utility on a different box. The other SSL options I found were to verify by email, TXT record or CNAME, which I can't use, because I can't upload a TXT file to the duckdns site, and I don't have a webserver available, plus my ISP is blocking port 80, and since I technically don't own the domain with duckdns, I can't update any CNAME information.

My situation is complicated in the sense that I am using Docker (which I have no prior experience with) to run an image of NextCloud (again, no prior experience) so I have an apache environment running the site, but it's all behind docker. So my Windows machine, which I'm running the CertBot from, isn't running IIS locally or anything like that.

Have you also tried installing the DuckDNS plugin from certbot-dns-duckdns · PyPI using the instructions I mentioned on github, linked above?


Read the page I linked, starting from the bottom


I tried, yes. But neither CMD prompt nor PowerShell allows me to do it:
[image]