Certbot timeout on Windows

I'm having the same issue and simply can't figure it out.

My domain is:
itapmobile.townofantigonish.ca
I ran this command:
certbot certonly -d itapmobile.townofantigonish.ca --webroot -w D:\OscidV4\Antigonish\Itap\Mobile
It produced this output:
Saving debug log to C:\Certbot\log\letsencrypt.log
Simulating a certificate request for itapmobile.townofantigonish.ca

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: itapmobile.townofantigonish.ca
Type: connection
Detail: 184.171.208.199: Fetching http://itapmobile.townofantigonish.ca/.well-known/acme-challenge/hWjh4bG0XxRumCKu8YWuL5pM8fL2nghyo_v8AeaCOes: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile C:\Certbot\log\letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
Windows IIS
The operating system my web server runs on is (include version):
Windows Server 2019 Standard
My hosting provider, if applicable, is:
self hosted
I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
1.22.0

@steve.rogers I moved your post into its own thread. We like each problem to be its own. Almost always the same symptom is caused by different things.

First, in your case Certbot is no longer supported by the EFF on Windows. You should choose an ACME Client designed for Windows such as Certify the Web or one of the others mentioned in the EFF's post: Certbot Discontinuing Windows Beta Support in 2024

You are still left with the "timeout", which means the HTTP request on port 80 to your domain server fails. Often this is a firewall, but for residential setups this is often caused by wrong port forwarding or NAT in your router or, in some cases, by being blocked by your ISP.

Make sure your server can be reached using HTTP. This is a good test site: Check website performance and response : Check host - online website monitoring

Or https://letsdebug.net

3 Likes
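
The server-side half of the checks suggested in the reply above, as an added example that is not part of any post in this thread. It assumes an elevated Windows PowerShell session on the IIS server and reuses the webroot path and hostname from the first post; the probe file name is made up for the test.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the IIS server.
# Assumption: $Webroot and $HostName are the values from the first post; change them for your site.
$Webroot  = 'D:\OscidV4\Antigonish\Itap\Mobile'
$HostName = 'itapmobile.townofantigonish.ca'

# 1. Is anything listening on TCP 80? (IIS listens through HTTP.sys.)
$listen = Get-NetTCPConnection -LocalPort 80 -State Listen -ErrorAction SilentlyContinue
if ($listen) { "listener : yes, on $(($listen.LocalAddress | Sort-Object -Unique) -join ', ')" }
else         { "listener : NO, check the http binding of the IIS site" }

# 2. Is there an enabled inbound Allow rule in Windows Firewall that names port 80?
#    Rules written as port ranges or 'Any' are not matched by this simple filter.
$allow = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains '80' } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
$ruleNames = ($allow.DisplayName | Select-Object -First 3) -join '; '
if ($allow) { "firewall : inbound TCP 80 allowed by: $ruleNames" }
else        { "firewall : no enabled inbound Allow rule names TCP 80" }

# 3. Put a probe file where the webroot authenticator writes its challenge files.
#    Real challenge files have no extension; this .txt probe tests reachability
#    and path mapping only.
$dir  = Join-Path $Webroot '.well-known\acme-challenge'
$name = "probe-$([guid]::NewGuid().ToString('N')).txt"
New-Item -ItemType Directory -Path $dir -Force | Out-Null
Set-Content -Path (Join-Path $dir $name) -Value 'acme-probe'

# 4. Fetch it by public name. A timeout here matches the CA's error; an HTTP error
#    status means port 80 answers but this path is not served from $Webroot.
$url = "http://$HostName/.well-known/acme-challenge/$name"
$tcp = Test-NetConnection -ComputerName $HostName -Port 80 -WarningAction SilentlyContinue
"tcp/80   : connected=$($tcp.TcpTestSucceeded) address=$($tcp.RemoteAddress)"
try {
    $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
    $bodyOk = "$($r.Content)" -like '*acme-probe*'
    "http     : status=$($r.StatusCode) probe-body-returned=$bodyOk"
} catch {
    "http     : FAILED, $($_.Exception.Message)"
} finally {
    # Remove the probe so nothing is left behind in the webroot.
    Remove-Item (Join-Path $dir $name) -ErrorAction SilentlyContinue
}
```

A pass from inside the network only shows that IIS and the local firewall are fine; the CA connects from the internet, so router port forwarding and ISP blocking still have to be confirmed with an external checker such as https://letsdebug.net.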

Thanks very much. I'm currently without a network administrator so I'm floundering a bit. I'll see what I can do. Thanks for the assistance, very much appreciated.

1 Like

@steve.rogers I would strongly recommend getting an experienced system administrator to help, because running websites and especially getting valid certs can get complicated quickly.

If you wanted to try using https://certifytheweb.com (which I work on) the general process is:

Decide whether to validate your domain using HTTP or DNS.

  • This is the default and most common method. For HTTP to work your server needs to be able to respond to an http request (TCP port 80). Currently your server does not respond to an http request if I check it from here, so I suspect your firewall has blocked port 80.
  • For DNS you need to be able to make automated updates to your domain's DNS provider, or you need a CNAME record pointing to a domain which can be updated. This method is a little more complex but can be useful if HTTP domain validation is not an option for you.

Install Certify Certificate Manager on your webserver:

  • Click New Certificate (the first time you also need to set up a Let's Encrypt account) and select your IIS website to get a cert for. If the hostnames are set up in IIS then they will be auto-populated for the certificate requests; otherwise you need to add them.
  • On the Authorization tab decide if you are using HTTP or DNS validation (http is the default). If http you can leave it all as default.
  • Review the Preview tab to see if the settings and action the app will perform look good to you, in particular that the IIS website you expect to update will be updated with a new/updated https configuration.
  • Click Request Certificate to try a certificate order. If it fails it will probably be because a firewall or security tool is blocking http traffic to TCP port 80 on that machine, and you need to get that resolved by a system administrator. If it succeeds, check that your IIS site https bindings are now updated; thereafter certificate renewal will happen automatically.

2 Likes

OK, very helpful. Thanks very much for taking the time to respond. I'll give Certify Certificate Manager a try.

2 Likes