Certificates are issued strangely

I'm trying to issue a certificate for a site

https://ниац.рф/

Prior to this, the certificate was issued automatically. Now the certificate has expired and I tried to update it manually, but it didn't work.

I used the command - sudo certbot certonly -d ниац.рф

Server replied:

Waiting for verification...
Challenge failed for domain ниац.рф
http-01 challenge for ниац.рф
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: ниац.рф
    Type: connection
    Detail: 95.167.76.200: Fetching
    http://ниац.рф/.well-known/acme-challenge/GsUk4ucyYSAXl31-HNPpZg_HGt8bmdF7795f7uxdSmw:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

I cannot understand what the problem is. Maybe we are blacklisted or on a new sanction list?

1 Like

Your server is not responding. If I try to browse to your site it does not connect, so you'd have to fix that first, or use DNS validation instead.

5 Likes

Good afternoon! Tell me what exactly is shown to you? What mistake? Because we checked both just like that and through VPN, and the only thing that shows is the lack of a fresh certificate. No blocking

1 Like

image

From Australia.

Geopeeker.com also fails: GeoPeeker - A tool for viewing sites from different geographic locations

5 Likes

Curious. I do not have that. Can you tell me what country you are from?

And if it's not difficult for you, can you show your site tests for DNS? Because from my side they show a normal result.

I'm at a total loss

1 Like

Your website doesn't load for me via various VPN apps, but does load fine without them (testing from Russia). There may be some filtering applied to international traffic at your ISP (Rostelecom).

4 Likes

And how can this be checked?

For example, from which addresses you need to wait for a response (to check that it exists at all) when using certbot?

Acquire a vantage point outside of Russia, be it a VPN, a VPS or an acquaintance.

Let's Encrypt doesn't publish the addresses of its validation endpoints, but they use a number of cloud providers, such as AWS.

In general your website should be reachable from anywhere on the internet, if you intend to get your domains verified via HTTP-01 method, which requires a connection to port 80 of your server.

There's also an option to use DNS-01 method.

3 Likes

The fact of the matter is that we used VPN to check from different companies and everything works. This confuses me the most.
Use DNS-01? I have not heard of such a method and have not seen it in the documentation.

1 Like

See the Let's Encrypt page for Challenge Types

and in Certbot docs:

https://eff-certbot.readthedocs.io/en/stable/using.html#dns-plugins

5 Likes

Note that even with DNS-01, the DNS server needs to be accessible worldwide. It's just that with HTTP-01, both the DNS and the web server need to be accessible worldwide.

7 Likes
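As an added example (not code from the thread or from Certbot), a small Python pre-flight check that does what an HTTP-01 validator does: converts the IDN to its ASCII A-label, resolves it, and fetches the challenge path on port 80 with a timeout, mapping the outcome onto the categories certbot reports. The token and the default domain argument are placeholders; run it from vantage points in different countries, as suggested above, since a result that differs by location is the filtering symptom this thread ends with.

```python
# Pre-flight check for HTTP-01 reachability. Constructed example; the
# challenge token below is a placeholder, a real one is issued by the CA.
import socket
import http.client
from typing import Optional

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def to_alabel(name: str) -> str:
    """IDN (U-label) -> ASCII A-label; DNS and the Host header use this form."""
    return name.encode("idna").decode("ascii")


def resolve(alabel: str) -> list:
    """All A/AAAA answers the local resolver returns for the name."""
    infos = socket.getaddrinfo(alabel, 80, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def classify(exc: Optional[BaseException], status: Optional[int]) -> str:
    """Map one probe outcome onto the categories certbot reports."""
    if exc is None:
        return "ok" if status == 200 else f"http {status} (wrong webroot or redirect?)"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout during connect (likely firewall problem)"
    if isinstance(exc, ConnectionRefusedError):
        return "connection refused (nothing listening on port 80)"
    if isinstance(exc, socket.gaierror):
        return "dns resolution failed"
    return f"connection error: {type(exc).__name__}"


def probe(alabel: str, ip: str, token: str, timeout: float = 10.0) -> str:
    """GET the challenge URL against one resolved IP, the way a validator would."""
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", CHALLENGE_PREFIX + token, headers={"Host": alabel})
        return classify(None, conn.getresponse().status)
    except OSError as exc:  # timeout, refused, unreachable, reset ...
        return classify(exc, None)
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    host = to_alabel(sys.argv[1] if len(sys.argv) > 1 else "ниац.рф")
    try:
        ips = resolve(host)
    except socket.gaierror as exc:
        sys.exit(classify(exc, None))
    for ip in ips:  # a 404 here still proves the path is reachable
        print(f"{host} {ip}: {probe(host, ip, 'preflight-token-placeholder')}")
```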

Tell me, does letsencrypt have a blocklist? And if so, how can you see it? And is there an email for official inquiries?

2 Likes

The fact of the matter is that we did not put any restrictions on the availability of DNS.
Tell me, are there any reliable services with which you can check this?

1 Like

There is a blocklist but it is not public. We first evaluate the problem here and refer to next level if that looks like the cause of the problem.

Your problem looks resolved. I see you got a cert today and your server is sending it out.

The earlier examples of not reaching your site were not failures in Let's Encrypt. They were connection failures from regular client apps trying to reach your domain. If no one can reach your domain then Let's Encrypt won't be able to either. But, as noted, your connection and cert problems seem to be fixed.

Let us know if there is something else to help with.

5 Likes

Yes you are right. The reason was in one of the supply nodes. It simply rejected traffic from some countries without notifying us.

The traceroute -I command from different machines in different countries helped a lot in diagnosing the problem.

3 Likes
