Certbot - Windows 2012 R2 - Tableau

I am attempting to generate a TLS cert for reporting.healthcollab.org; it will be used on a Tableau server. I initially tried generating it via certbot but ran into the errors outlined below. I do not believe it is a firewall issue, as I have a rule that allows all TCP port 80 traffic inbound. We do not block outbound traffic. I was able to navigate to the web browser and get the response when running it with --debug-challenge -v. I also tried using the win-acme option as it was discussed on the Tableau forums here. But that also ran into issues. I opened up a separate GitHub issue here to see if anyone else might be able to assist.

Any thoughts on why the LetsEncrypt server cannot reach the temp files being hosted? I'd be happy to post the logs if need be.

My domain is:
reporting.healthcollab.org

I ran this command:

certbot certonly --standalone -d reporting.healthcollab.org -d www.reporting.healthcollab.org

It produced this output:

C:\Windows\system32>certbot certonly --standalone -d reporting.healthcollab.org --debug-challenge -v
Saving debug log to C:\Certbot\log\letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Requesting a certificate for reporting.healthcollab.org
Performing the following challenges:
http-01 challenge for reporting.healthcollab.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Challenges loaded. Press continue to submit to CA.

The following URLs should be accessible from the internet and return the value mentioned:

URL:
http://reporting.healthcollab.org/.well-known/acme-challenge/***REDACTED***
Expected value:
***REDACTED***
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Challenge failed for domain reporting.healthcollab.org
http-01 challenge for reporting.healthcollab.org

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: reporting.healthcollab.org
  Type:   connection
  Detail: 216.68.69.70: Fetching http://reporting.healthcollab.org/.well-known/acme-challenge/***REDACTED***: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile C:\Certbot\log\letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
Tableau or standalone, not entirely sure. It might be Apache, but the application owner is not sure.

The operating system my web server runs on is (include version):
Windows Server 2012 R2

My hosting provider, if applicable, is:
N/A

I can login to a root shell on my machine (yes or no, or I don't know):
Not technically root, but admin on the machine.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
N/A

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.24.0

Hi @b-fraley, and welcome to the LE community forum :slight_smile:

HTTP (TCP port 80) is required when authenticating via certbot --standalone.

That said, it is difficult to troubleshoot, as certbot will only spin up the web server while it runs.
That said, it is expected that HTTP requests would go unanswered otherwise.
But I'm getting "connection reset by peer":

curl -Ii reporting.healthcollab.org
curl: (56) Recv failure: Connection reset by peer

which indicates that something is listening (and rejecting connections) on TCP port 80.

1 Like

Also, this FQDN doesn't exist (doesn't resolve to any IP):

*** 8.8.8.8 can't find www.reporting.healthcollab.org: Non-existent domain

1 Like

Thanks! Happy to be here :slight_smile: and trying to migrate away from other CAs. So thanks for all you do.

As for the RST response: right now I have re-enabled the Tableau server since our customers need it, but while I was running certbot I disabled Tableau so certbot was the only thing running on port 80, and I still ran into the issue.

As for the other FQDN (www.reporting.healthcollab.org), you can ignore that. I checked our NS and it was not added, and we don't plan on adding it, so I won't be using it. I just included it in my initial LE request.

1 Like

hmm...
So, the Tableau is now listening on port 80...
Does it NOT speak HTTP?

1 Like

For me there is nothing listening on port 80 for reporting.healthcollab.org (216.68.69.70). Only timeouts. Nmap too says the host is down.

2 Likes

I think Tableau server is using Apache.

@b-fraley so chances are port 80 is not available for certbot (or win-acme) to work in standalone mode because Apache is using it, so you need to use the webroot method instead (write the challenge response to the filesystem of your web app), or stop Apache, then run whichever tool to do the cert renewal, and restart Apache. If you can't use HTTP validation (via TCP port 80 to your server) you'd likely need to use DNS validation.

1 Like

Then it isn't doing a very good job of that:

1 Like

Apologies for the radio silence all, I had a slight breakthrough yesterday and wanted to run with it.

To address why port 80 wasn't responding: I checked our NAT rules and it looks like the NAT rule was only allowing HTTPS via port 443 to hit the server. So I changed the NAT rule to allow port 80 and HTTP, stopped Tableau, fired up certbot, and boom. I was able to request a TLS cert.

However after generating the cert I ran into a lot of issues with getting Tableau to accept it. But that's an issue for the Tableau forums and not the LE forums.

So the solution, should anyone find themselves in a similar situation, is to check your NAT rules to ensure they're allowing HTTP traffic to the server. In this case, mine weren't.

Thanks to everyone who helped. It was nice to be able to bounce ideas off of everyone.

2 Likes
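The thread's diagnosis hinges on telling three port-80 outcomes apart: a listener answers (as when Tableau/Apache holds the port), the connection is refused or reset (the curl "Connection reset by peer" above), or nothing comes back at all (the timeout the CA reported, which turned out to be a NAT rule forwarding only 443). The following added example, which is not code from the thread or from Certbot, does that triage in two parts: it parses the "Domain/Type/Detail" block that Certbot prints and maps it onto a likely cause, and it performs a TCP connect against the name and classifies the result the same way. The sample Certbot text is constructed from the output quoted earlier in the thread; the host names used in the demo are loopback only, so it runs offline.

```python
"""Triage helper for a failed HTTP-01 (port 80) challenge.

Added example, not part of the original thread or of Certbot. Only the
Python standard library is used. SAMPLE_CERTBOT_OUTPUT is a constructed
sample modelled on the output quoted earlier in the thread.
"""
import re
import socket
from dataclasses import dataclass

SAMPLE_CERTBOT_OUTPUT = """\
Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: reporting.healthcollab.org
  Type:   connection
  Detail: 216.68.69.70: Fetching http://reporting.healthcollab.org/.well-known/acme-challenge/***REDACTED***: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80.
"""

# One "Domain / Type / Detail" block as printed by Certbot 1.x; Detail runs to the next blank line.
_PROBLEM = re.compile(
    r"Domain:\s*(?P<domain>\S+)\s*\n\s*Type:\s*(?P<type>\S+)\s*\n\s*Detail:\s*(?P<detail>.*?)"
    r"(?=\n\s*\n|\n\s*Domain:|\Z)",
    re.S,
)

HINTS = {
    "timeout": "No response at all: check firewall and NAT/port-forward rules for TCP 80.",
    "rejected": "Packets arrive but are refused/reset: something on the host or path rejects port 80.",
    "wrong-content": "A web server answered but not with the token: use --webroot against that server's document root.",
    "dns": "The name does not resolve as the CA sees it: fix DNS before retrying.",
    "other": "Read the Detail line and the log file.",
}


def categorize(problem_type, detail):
    """Map a CA-reported problem (Type + Detail text) onto one of the HINTS keys."""
    d = detail.lower()
    if problem_type == "connection":
        if "timeout" in d:
            return "timeout"
        if "refused" in d or "reset" in d:
            return "rejected"
        return "other"
    if problem_type == "unauthorized":
        return "wrong-content"
    if problem_type == "dns":
        return "dns"
    return "other"


def parse_certbot_failure(output):
    """Extract every Domain/Type/Detail block and attach a category, hint and target IP."""
    problems = []
    for m in _PROBLEM.finditer(output):
        detail = " ".join(m.group("detail").split())  # undo any console wrapping
        ip = re.match(r"(\d{1,3}(?:\.\d{1,3}){3}):", detail)  # Detail starts with the IP the CA used
        category = categorize(m.group("type"), detail)
        problems.append({
            "domain": m.group("domain"), "type": m.group("type"), "detail": detail,
            "ip": ip.group(1) if ip else None, "category": category, "hint": HINTS[category],
        })
    return problems


@dataclass
class ReachResult:
    host: str
    port: int
    outcome: str  # reachable | rejected | timeout | unresolvable | error
    hint: str


def check_tcp(host, port=80, timeout=5.0):
    """Open a TCP connection and classify the result: a clean connect means a
    listener answered; refused/reset means packets arrive but nothing accepts
    them; a timeout means the SYN is silently dropped (firewall or NAT)."""
    try:
        socket.getaddrinfo(host, port)
    except socket.gaierror:
        return ReachResult(host, port, "unresolvable", HINTS["dns"])
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return ReachResult(host, port, "reachable",
                               "A listener answered; if validation still fails, check which process owns the port.")
    except (ConnectionRefusedError, ConnectionResetError):
        return ReachResult(host, port, "rejected", HINTS["rejected"])
    except (socket.timeout, TimeoutError):
        return ReachResult(host, port, "timeout", HINTS["timeout"])
    except OSError as exc:
        return ReachResult(host, port, "error", str(exc))


def demo_local_roundtrip():
    """Exercise check_tcp offline: a loopback listener, then the same port once it is closed."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = check_tcp("127.0.0.1", port, timeout=2.0).outcome
    listener.close()
    after_close = check_tcp("127.0.0.1", port, timeout=2.0).outcome
    return while_open, after_close


if __name__ == "__main__":
    for p in parse_certbot_failure(SAMPLE_CERTBOT_OUTPUT):
        print(f"{p['domain']}: {p['category']} (target IP {p['ip']}) -> {p['hint']}")
    print(demo_local_roundtrip())
```

Run `check_tcp("your.host.example")` from a machine outside the NAT boundary, not from the server itself: a loopback or LAN connect will succeed even when the public path drops port 80, which is exactly the gap the thread's NAT rule created.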

Try the fullchain.pem file instead of just the cert.pem. Fullchain includes all the necessary intermediates.

3 Likes

Thanks! But the issue is that I cannot change the Tableau TLS settings :slight_smile: so I am not super worried about the cert right now.

1 Like

Find out if Tableau can be placed behind a proxy.
[that might simplify this whole "Tableau TLS problem"]

2 Likes

@b-fraley I assume you are using this guide: Configure SSL for External HTTP Traffic to and from Tableau Server - Tableau
The instructions want you to supply the cert file, the chain file and the private key file.

I also see that if you are trying to automate the cert update you probably need to use the tsm security external-ssl enable command, as Tableau will decide where to store the cert for you.

According to Tableau Community Forums (which will be roughly equivalent for windows) you can upload the cert to the service using:

tsm security external-ssl enable --cert-file <path to the fullchain.pem> --key-file <path to the privkey.pem>

Then apply the changes with:

tsm pending-changes apply

2 Likes

Yes. This is the guide I was using, and yes, it has been helpful, but for some odd reason when I try to do it via the WebGUI the "Enable SSL for external communication" option is disabled. I opened a ticket with Tableau to try and figure out why. But I had not yet tried the CLI option as, again, I am not the app owner, just trying to get the cert working. This seems pretty straightforward so I think I will give it a shot. Thanks :slight_smile:

I also should point out I am not really trying to automate this via certbot; our current TLS cert expires in a few days and the application is set to be decommissioned in the next 60ish days, so LE is mostly a stop-gap option, rather than spending some cash to get another DigiCert cert.

1 Like

Not to bump this old thread but I was able to figure it out. I just needed to hit the "Reset" button on the Tableau configuration page and select the new cert. Sounds obvious but I would also like to point out that it was not stated anywhere in the documentation nor any of the support threads I found. Hopefully this saves someone some time.

3 Likes