Certbot standalone time out windows

My domain is:
bearinmind.duckdns.org

I ran this command:
certbot certonly --standalone -v

It produced this output:
Saving debug log to C:\Certbot\log\letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): bearinmind.duckdns.org
Requesting a certificate for bearinmind.duckdns.org
Performing the following challenges:
http-01 challenge for bearinmind.duckdns.org
Waiting for verification...
Challenge failed for domain bearinmind.duckdns.org
http-01 challenge for bearinmind.duckdns.org

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: bearinmind.duckdns.org
Type: connection
Detail: 84.215.178.244: Fetching http://bearinmind.duckdns.org/.well-known/acme-challenge/_xN_0Mp1JgSuihg6l6ZlGuMvtO2KpsXFnKUHWSoi_qQ: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Cleaning up challenges
Some challenges have failed.

My web server is (include version):
Apache2.4

The operating system my web server runs on is (include version):
Windows 11 Pro, 22H2

My hosting provider, if applicable, is:
Testing on own machine

I can login to a root shell on my machine (yes or no, or I don't know):
yes (I should, not sure how)

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.6.0

Context: PoC for HTTPS hosting from my Windows machine. I have enabled port forwarding on routing for 80 and 443 and given rules for inbound traffic on firewall (also tried turning off). Result is: If I run a server on localhost and host content, I can reach it by going to bearinmind.duckdns.org.
Still, as the message above hints: If I run certbot (instead of a server), it seems to have issues when attempting its challenges.

Last bit of debug log:
2023-06-01 15:10:51,527:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "runpy.py", line 197, in _run_module_as_main
  File "runpy.py", line 87, in _run_code
  File "C:\Program Files\Certbot\bin\certbot.exe\__main__.py", line 29, in <module>
    sys.exit(main())
  File "C:\Program Files\Certbot\pkgs\certbot\main.py", line 19, in main
    return internal_main.main(cli_args)
  File "C:\Program Files\Certbot\pkgs\certbot\_internal\main.py", line 1864, in main
    return config.func(config, plugins)
  File "C:\Program Files\Certbot\pkgs\certbot\_internal\main.py", line 1597, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "C:\Program Files\Certbot\pkgs\certbot\_internal\main.py", line 141, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "C:\Program Files\Certbot\pkgs\certbot\_internal\client.py", line 517, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "C:\Program Files\Certbot\pkgs\certbot\_internal\client.py", line 428, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "C:\Program Files\Certbot\pkgs\certbot\_internal\client.py", line 496, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "C:\Program Files\Certbot\pkgs\certbot\_internal\auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "C:\Program Files\Certbot\pkgs\certbot\_internal\auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2023-06-01 15:10:51,532:ERROR:certbot._internal.log:Some challenges have failed.

Welcome @Bezthian

First, make sure your ISP allows inbound requests to your server on port 80 (and 443). Some residential ISPs block these ports or use CGNAT so these don't work for inbound to your server.

Double check that the IP in the DNS for that name is your public IP.

If it should work then try:

certbot certonly --standalone --debug-challenges -v -d bearinmind.duckdns.org

This will show you a URL and pause. Leave it paused and use a machine outside your network to try to reach that URL. Use your cell phone with wifi off, for example, to use your carrier's network.

You need to find the reason you won't be able to reach that URL. The Let's Encrypt servers were timing out trying to reach you.

6 Likes
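The address checks from the reply above (DNS record versus public IP, and CGNAT) can be turned into a small triage helper. This is an added example, not part of the original thread or of Certbot; the function name `diagnose`, its three inputs (the hostname's A record, the WAN address shown on the router's status page, and the address an external "what is my IP" service reports) and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# RFC 6598 shared address space, used by ISPs for carrier-grade NAT.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges: a WAN address here means the router sits behind another NAT.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

MESSAGES = {
    "dns-mismatch": "A record does not point at the address the internet sees; update the DNS entry.",
    "cgnat": "Router WAN address is in 100.64.0.0/10; the ISP uses CGNAT, port forwarding cannot work.",
    "double-nat": "Router WAN address is private; another NAT device upstream must forward port 80 too.",
    "wan-differs": "Router WAN address differs from the observed public IP; traffic is translated upstream.",
    "addressing-ok": "Addresses line up; remaining suspects are an ISP port block or the forwarding/firewall rules.",
}

def diagnose(dns_a, router_wan, seen_public):
    """Return finding codes explaining why an inbound HTTP-01 request may time out."""
    dns_ip, wan_ip, pub_ip = (ipaddress.ip_address(a) for a in (dns_a, router_wan, seen_public))
    findings = []
    if dns_ip != pub_ip:
        findings.append("dns-mismatch")
    if wan_ip in CGNAT:
        findings.append("cgnat")
    elif any(wan_ip in net for net in RFC1918):
        findings.append("double-nat")
    elif wan_ip != pub_ip:
        findings.append("wan-differs")
    return findings or ["addressing-ok"]

if __name__ == "__main__":
    # Constructed sample values (documentation address ranges), not taken from the thread.
    samples = [
        ("203.0.113.10", "203.0.113.10", "203.0.113.10"),
        ("203.0.113.10", "100.72.5.9", "203.0.113.10"),
        ("198.51.100.7", "192.168.1.2", "203.0.113.10"),
    ]
    for dns_a, wan, pub in samples:
        for code in diagnose(dns_a, wan, pub):
            print(f"{dns_a} / {wan} / {pub}: {code}: {MESSAGES[code]}")
```

An `addressing-ok` result does not prove reachability; the external test against the paused `--debug-challenges` URL is still the deciding check.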

Thank you for your engagement.
Seems like you are on spot. Even with my port forwarding and firewall setting on the router that should allow connection, I could not reach my IP from the internet, only from within the network.
However, by placing the device in the DMZ on the router it becomes visible. Not recommended of course, but it indicates something is still off with the router settings. I need to troubleshoot that, but that's another topic.
With visibility I could fetch a certificate with Certbot.

2 Likes
