The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.21.0
I want to set up Windows and the Ubuntu machine to be able to request a certificate. It's ultimately for a VPN service on a firewall, so I'm letting Certbot set up the temp port 80 site for the certificate request, but there's obviously still something up with the firewalling.
I've set up port forwarding on my office firewall to send port 80 to my Windows host. And the Windows host in turn is set up to map port 80 traffic to the WSL machine's address using the PowerShell command
netsh interface portproxy add v4tov4 listenport=80 listenaddress=0.0.0.0 connectport=80 connectaddress=(wsl hostname -I)
However, the access to port 80 is still not working.
I attempted to stand up an apache2 test page on WSL, and that was accessible from my Windows host, though via the WSL IP and not the localhost IP address as I would have hoped.
Is it obvious to anyone here what I may be missing?
Should I give up on Certbot and instead use a Windows client instead? If so, which would you recommend?
ANotWorking
ERROR
remde.dnsalias.net has an A (IPv4) record (76.113.138.133) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.
A timeout was experienced while communicating with remde.dnsalias.net/76.113.138.133: Get "http://remde.dnsalias.net/.well-known/acme-challenge/letsdebug-test": context deadline exceeded
Trace:
@0ms: Making a request to http://remde.dnsalias.net/.well-known/acme-challenge/letsdebug-test (using initial IP 76.113.138.133)
@0ms: Dialing 76.113.138.133
@10000ms: Experienced error: context deadline exceeded
IssueFromLetsEncrypt
ERROR
A test authorization for remde.dnsalias.net to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.
76.113.138.133: Fetching http://remde.dnsalias.net/.well-known/acme-challenge/pU34ipCXX7TSpDdgh5sPZLInsaKOnH-mnK7uqHMSgjk: Timeout during connect (likely firewall problem)
Using nmap I see Port 80 filtered.
$ nmap -Pn -p80,443 remde.dnsalias.net
Starting Nmap 7.80 ( https://nmap.org ) at 2024-05-03 22:58 UTC
Nmap scan report for remde.dnsalias.net (76.113.138.133)
Host is up (0.072s latency).
rDNS record for 76.113.138.133: c-76-113-138-133.hsd1.mn.comcast.net
PORT STATE SERVICE
80/tcp filtered http
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 1.91 seconds
So I would focus on getting the server working for HTTP on Port 80 first; and through all the firewalls.
Then see which ACME Client best suit you needs.
Stepping back a little, what's your overall objective? Not getting a cert, but what is your web server for?
You're using WSL to host an Apache website instead of just using IIS on Windows (the "native" choice), or even Apache on Window (a common alternative).
HTTP domain validation works by making an http request to your domain which has to result in the challenge response being served. On "native" windows with IIS that's often done using clients like Certify The Web (which I develop) or win-acme etc, because they can host the http challenge listener themselves (if there is nothing like Apache involved). But from there it depends what webserver you want to use to serve your website as this determines how deployment works.
To get an http challenge to work in WSL the http request needs to resolve to your network IP, be routed to the correct host machine, and be forwarded to the listening process. WSL is definitely an extra complication, it should be achievable but I suppose my question is why are you trying to achieve that?
