Challenges failed

I've tried a lot of potential solutions, but none of them have worked. I have been told port 80 has been allowed to my server on the college's perimeter firewall. I appreciate any help you can provide!

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: hopper.ws.edu

I ran this command: sudo certbot --apache

It produced this output:
Requesting a certificate for hopper.ws.edu
Performing the following challenges:
http-01 challenge for hopper.ws.edu
Waiting for verification...
Challenge failed for domain hopper.ws.edu
http-01 challenge for hopper.ws.edu

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: hopper.ws.edu
Type: connection
Detail: During secondary validation: 198.161.167.31: Fetching http://hopper.ws.edu/.well-known/acme-challenge/W21Q1BYR1mK2uhPKL0EjwNcyS_UKexx-aoquNLoCcEc: Connection refused

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Apache/2.4.62 (AlmaLinux)

The operating system my web server runs on is (include version): AlmaLinux 9

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.11.0

Here's the latest error log:
letsencrypt.txt (268.0 KB)

In order for the way you're trying to get a certificate to work, the site needs to be accessible. The "During secondary validation" in the error indicates that some of Let's Encrypt's validation systems were able to connect to your site to validate that you control it, but some of them could not. And in my testing I couldn't connect to it from anywhere.

Is the site intended to be publicly accessible? If so, you need to fix that before trying to get a certificate.

On the other hand, if the site needs to be blocked from most of the Internet, then you might need to switch to using DNS validation, assuming that your DNS server doesn't need to be blocked.

You may also find this FAQ helpful about how Let's Encrypt checks from multiple places around the world:


Since port 80 is open, I have to power off the server when I'm not trying for the certificate.

For security, my server is geolocked to the United States. Is it possible those servers are trying to connect outside the USA?

I'm not quite understanding you. Your command uses --apache, which would configure apache on port 80 to respond to the challenge. Is Apache not what's normally running? Is the server itself not normally running?

Definitely. Let's Encrypt needs to make sure that you control the domain name worldwide, since the certificates are valid worldwide. So, they need to make sure that an attacker in other countries isn't trying to get a certificate for your domain, which means that in those other countries you still need to prove that you control the domain name. See that FAQ I linked.


Instead of jumping through hoops to implement HTTP domain validation, consider switching to DNS-based domain validation.

If you don't have API control over the domain's DNS, you could consider using acme-dns, either self-hosted or the free public service: GitHub - joohoi/acme-dns (a limited DNS server with a RESTful HTTP API to handle ACME DNS challenges easily and securely).

Once you create the initial CNAME record pointing to that service, DNS challenges can be completed without updating your own DNS zone.

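An added example (not from this thread, certbot or acme-dns) of what the two challenge types in this discussion actually ask the CA to check: for the token in the certbot output above, http-01 requires one fixed URL on port 80 to be reachable from every validation perspective, while dns-01 only requires the CA's resolver to find a TXT value, and a CNAME at `_acme-challenge.<domain>` delegates that lookup to an acme-dns name. The account key coordinates and the acme-dns hostname are constructed placeholders.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME (RFC 8555) uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the ACME account key: SHA-256 over the canonical
    JSON (sorted keys, no whitespace) of the required public members only."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())

def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: the string both challenge types prove possession of."""
    return f"{token}.{jwk_thumbprint(jwk)}"

def http01_expectation(domain: str, token: str, jwk: dict):
    """URL every validation perspective fetches over port 80, and the exact body expected."""
    return f"http://{domain}/.well-known/acme-challenge/{token}", key_authorization(token, jwk)

def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.4: TXT value the CA looks for at _acme-challenge.<domain>."""
    return b64url(hashlib.sha256(key_authorization(token, jwk).encode()).digest())

def resolve_txt(zone: dict, name: str, max_hops: int = 8):
    """Follow CNAMEs as the CA's resolver would, then return (final name, TXT set).
    A CNAME from _acme-challenge.<domain> to an acme-dns name is what lets later
    challenges be answered without touching the main zone again."""
    for _ in range(max_hops):
        rrset = zone.get(name.rstrip(".").lower(), {})
        if "CNAME" in rrset:
            name = rrset["CNAME"]
            continue
        return name, rrset.get("TXT", [])
    raise RuntimeError("CNAME chain too long")

# Constructed sample data: the token is the one from the certbot output in this thread;
# the EC coordinates and the acme-dns hostname are placeholders, not a real key or host.
DOMAIN = "hopper.ws.edu"
TOKEN = "W21Q1BYR1mK2uhPKL0EjwNcyS_UKexx-aoquNLoCcEc"
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "kid": "ignored-by-thumbprint",
               "x": b64url(b"\x11" * 32), "y": b64url(b"\x22" * 32)}
ZONE = {
    "_acme-challenge.hopper.ws.edu": {"CNAME": "0c9e7a12-placeholder.auth.example.invalid"},
    "0c9e7a12-placeholder.auth.example.invalid": {"TXT": [dns01_txt_value(TOKEN, ACCOUNT_JWK)]},
}
```

Calling `http01_expectation(DOMAIN, TOKEN, ACCOUNT_JWK)` gives the URL that appeared in the "Connection refused" error; `resolve_txt(ZONE, "_acme-challenge." + DOMAIN)` shows the lookup landing on the acme-dns name instead.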