Certificate authority failed to download files generated by Certbot - npm and Cloudflare

My domain is:
verynas.aydmblaze.com

My hosting provider, if applicable, is:
Cloudflare

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
yes, nginx-proxy-manager in docker

I'm using the jc21/nginx-proxy-manager docker control panel to request a certificate. It fails and the letsencrypt log shows:

2021-12-23 20:32:41,998:INFO:certbot._internal.auth_handler:Challenge failed for domain verynas.aydmblaze.com
2021-12-23 20:32:41,998:INFO:certbot._internal.auth_handler:http-01 challenge for verynas.aydmblaze.com
2021-12-23 20:32:41,998:DEBUG:certbot._internal.display.obj:Notifying user: 
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: verynas.aydmblaze.com
  Type:   connection
  Detail: Fetching http://verynas.aydmblaze.com/.well-known/acme-challenge/b7mvRw0jV4SfwfvdME4LpRlwYbe8WgGLUGqG26Zhuxc: Connection refused

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

I have my router forwarding ports 80 and 443 to my npm server. The Cloudflare DNS is set to "gray-cloud" (non-proxied).

I'm new to letsencrypt and have tried to solve this issue by searching, but unfortunately I'm a bit over my head. Any help much appreciated! :slight_smile:

Hi @zapp7 and welcome to the LE community forum :slight_smile:

You will need a working HTTP site before it can be secured (via HTTP authentication).

curl -Ii http://verynas.aydmblaze.com/
curl: (56) Recv failure: Connection reset by peer

I just discovered that my ISP blocks ports 80 and 443. So frustrating... not sure if I have any alternative with npm :frowning: .

If they allow other ports, then you can still try to obtain a cert via DNS-01 authentication.
Once obtained, you can then use the cert to secure a connection to your NAS via any such other port.
Like (as example):
https://verynas.aydmblaze.com:8765/

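To make concrete why the DNS-01 route suggested above sidesteps the blocked ports while the HTTP-01 check from the first reply cannot, here is an added Python example. It is not code from this thread, from certbot or from nginx-proxy-manager; it computes what the CA checks in each challenge type per RFC 8555 and RFC 7638: for HTTP-01 the URL it must fetch over plain port 80 (the same URL as in the log) and the body it expects there, and for DNS-01 the TXT record name and value it looks up instead, with no inbound connection to the NAS at all. The token and domain are taken from the log; the account JWK is a constructed sample (the coordinates are not a real Let's Encrypt account key), so the thumbprint and record values are illustrative only.

```python
from __future__ import annotations

import base64
import hashlib
import json

# Taken from the failing challenge URL in the certbot log above.
TOKEN = "b7mvRw0jV4SfwfvdME4LpRlwYbe8WgGLUGqG26Zhuxc"
DOMAIN = "verynas.aydmblaze.com"

# Constructed sample account key (public part of an EC P-256 JWK).
# Not a real account; "use" is an optional member that RFC 7638
# says must be left out of the thumbprint.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "use": "sig",
}

# Required public members per key type (RFC 7638 section 3.2).
_REQUIRED = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME and JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_sha256(data: bytes) -> str:
    return b64url(hashlib.sha256(data).digest())


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, keys sorted, no whitespace."""
    members = {k: jwk[k] for k in _REQUIRED[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url_sha256(canonical.encode("utf-8"))


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' base64url(thumbprint(account key))."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_challenge(token: str, jwk: dict, domain: str) -> tuple[str, str]:
    """HTTP-01: the URL the CA fetches over port 80 and the body it expects."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    return url, key_authorization(token, jwk)


def dns01_challenge(token: str, jwk: dict, domain: str) -> tuple[str, str]:
    """DNS-01: the TXT name and value the CA resolves; nothing is fetched from the host."""
    digest = b64url_sha256(key_authorization(token, jwk).encode("ascii"))
    return f"_acme-challenge.{domain}", digest


def ca_validates_http01(fetched_body: str | None, token: str, jwk: dict) -> bool:
    """Emulates the CA side. None models 'Connection refused' from the log."""
    if fetched_body is None:
        return False
    # RFC 8555 section 8.3: trailing whitespace is stripped before comparing.
    return fetched_body.rstrip() == key_authorization(token, jwk)


def ca_validates_dns01(txt_records: list[str], token: str, jwk: dict) -> bool:
    """Emulates the CA side: any TXT record at _acme-challenge may match."""
    expected = b64url_sha256(key_authorization(token, jwk).encode("ascii"))
    return expected in txt_records


if __name__ == "__main__":
    url, body = http01_challenge(TOKEN, ACCOUNT_JWK, DOMAIN)
    print("HTTP-01: CA connects to port 80 and fetches", url)
    print("         expecting body:", body)
    print("         with the port blocked:", ca_validates_http01(None, TOKEN, ACCOUNT_JWK))
    name, value = dns01_challenge(TOKEN, ACCOUNT_JWK, DOMAIN)
    print("DNS-01:  CA queries TXT", name)
    print("         expecting value:", value)
    print("         record published:", ca_validates_dns01([value], TOKEN, ACCOUNT_JWK))
```

With DNS-01 the only party the CA contacts is the zone's authoritative DNS (Cloudflare here), so the ISP's inbound block does not matter. certbot's dns-cloudflare plugin (`--dns-cloudflare --dns-cloudflare-credentials <ini file>`, with a `dns_cloudflare_api_token = ...` line in the file) creates and removes that TXT record automatically, and nginx-proxy-manager offers a DNS challenge option with a Cloudflare provider that does the same from its UI. Scope the API token to DNS edit on that one zone and keep the credentials file readable only by root; the token can rewrite your DNS, which is a much bigger lever than the certificate it obtains.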

Well that defeats the "S" in "ISP"
An "Internet Service Provider" that only provides outbound services - LOL

