Certbot keeps failing (challenges)

My domain is: cloud.musicmasterward.be

I ran this command: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-8" --agree-tos --authenticator webroot --email "ward.verduyn@icloud.com" --preferred-challenges "dns,http" --domains "cloud.musicmasterward.be"

It produced this output:

```
Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
Requesting a certificate for cloud.musicmasterward.be

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: cloud.musicmasterward.be
Type: connection
Detail: Fetching http://cloud.musicmasterward.be/.well-known/acme-challenge/t-6XS9vabhiFoHQTjBUMnu0tjXx6xddLp4Odm8-yEm0: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.

An unexpected error occurred:
Error creating new order :: too many failed authorizations recently: see Failed Validation Limit - Let's Encrypt
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.
```

My web server is (include version): Raspberry Pi running Nginx (Nextcloud)

The operating system my web server runs on is (include version): Raspberry Pi OS Lite with OpenMediaVault

My hosting provider, if applicable, is: Cloudflare

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Nginx Reversed Proxy and Portainer

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.5.0

Your domain must be reachable from the public internet on port 80 (HTTP) when using the HTTP Challenge. Yours is not. Check firewall, router settings, and similar. This test site is helpful for new sites.


Thanks for the quick response. My port forwarding looks to be set correctly on my router, my firewall on my router looks good as well.

I'm new to this kind of use of Let's Encrypt, so maybe I'm completely wrong. But when I search or curl the domain, it works (only HTTP of course). Do you need to add the folders to those challenges yourself?


Hi @wardverduyn, and welcome to the LE community forum.

That implies HTTP authentication [which is the default].
So, this is completely unnecessary:

But, as mentioned, your first problem is port 80 is not connecting from the Internet:

```
curl -Ii http://cloud.musicmasterward.be
curl: (56) Recv failure: Connection reset by peer
```

Also, avoid this by using the staging environment:


Using the public internet? Try a cell phone without wifi enabled to use your carrier's internet or some other machine outside your local net.

Because we can't see it.
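
With the webroot authenticator, Certbot itself creates the file under `<webroot>/.well-known/acme-challenge/` and the CA then fetches it over port 80. The sketch below is an added example, not code from this thread or from Certbot, and it checks only that a file written into a webroot is served at the challenge URL. The names `probe_webroot`, `serve` and `demo` are hypothetical, and the local test server is a constructed stand-in for Nginx; reachability from the Internet still has to be tested from outside the local network, as the replies say.

```python
import http.server
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from pathlib import Path

CHALLENGE_DIR = ".well-known/acme-challenge"  # path the CA requests over port 80
# Ignore proxy settings so the probe talks to the web server directly.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def probe_webroot(webroot, base_url, timeout=5.0):
    """Return "ok", "mismatch", "http-<status>" or "unreachable" for a probe file."""
    token, body = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    probe = Path(webroot) / CHALLENGE_DIR / token
    probe.parent.mkdir(parents=True, exist_ok=True)
    probe.write_text(body)
    url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{token}"
    try:
        with OPENER.open(url, timeout=timeout) as resp:
            return "ok" if resp.read() == body.encode() else "mismatch"
    except urllib.error.HTTPError as exc:  # server answered, file not found there
        return f"http-{exc.code}"
    except (urllib.error.URLError, OSError):  # refused, reset or timed out
        return "unreachable"
    finally:
        probe.unlink()  # never leave probe files in the webroot


def serve(directory):
    """Constructed stand-in for the real web server: serve `directory` locally."""
    handler = partial(http.server.SimpleHTTPRequestHandler, directory=directory)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def demo():
    """Probe the served directory, then a directory the server does not serve."""
    with tempfile.TemporaryDirectory() as served, tempfile.TemporaryDirectory() as other:
        server, url = serve(served)
        try:
            return probe_webroot(served, url), probe_webroot(other, url)
        finally:
            server.shutdown()
            server.server_close()
```

A result of `http-404` means the web server answered but its document root is not the directory passed as the webroot; `unreachable` corresponds to the connect failure the CA reported.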

