Challenge failed when trying to activate HTTPS

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: davidt.me

I ran this command: certbot --apache

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?


1: davidt.me
2: www.davidt.me


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for davidt.me
http-01 challenge for www.davidt.me
Waiting for verification...
Challenge failed for domain davidt.me
Challenge failed for domain www.davidt.me
http-01 challenge for davidt.me
http-01 challenge for www.davidt.me
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

My web server is (include version): Unknown

The operating system my web server runs on is (include version): Ubuntu 20.

My hosting provider, if applicable, is: None.

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Wordpress Admin Dashboard

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.40.0

1 Like

Welcome to the Let's Encrypt Community :slightly_smiling_face:

In order to use http-01 challenges (files) via apache to prove your control over davidt.me, port 80 must be open. Right now davidt.me is completely unresponsive over HTTP (port 80) and HTTPS (port 443).

1 Like

This is what I have for my firewall on Ubuntu.

[screenshot: Ubuntu firewall (ufw) rule listing]

1 Like

Please show:
netstat -pant | grep -i listen

And does your ISP block port 80?

[&2* readers: Get involved; Be heard. It starts with: if you read something you like, then like it :heart:]

1 Like

I don't believe my ISP blocks port 80.

2 Likes

None of those ports are externally reachable, so I would be looking at the port forwarding configuration on the modem/router.

2 Likes

I see Apache2 on port 80 :slight_smile:
But I can't reach it from the Internet:

Name:    davidt.me
Address:  209.237.104.251

curl -Iki 209.237.104.251
curl: (7) Failed to connect to 209.237.104.251 port 80: Connection timed out

So...
Let's verify your current external IP with:
curl ifconfig.co

1 Like

[screenshot: output of curl ifconfig.co]

2 Likes

The IP is a match; so that's good.

OK, then it may be what @_az thought:

Can you show the port forwarding page of the modem/router?

1 Like

OK that step was missed...

You will need to add entries to forward port 80 (and whichever other ports you might need) to the real internal IP of your server.
ifconfig | grep -Ei 'add|inet'

1 Like

Would the "Source Net" be my router gateway? Or my public IP?

1 Like

Source net should be:
0.0.0.0/0
[the Internet]

1 Like

Make sure your server is using either a reserved IP or a statically assigned IP.
[you don't want that IP to change on any reboots]

1 Like

Okay, yeah, my IP is static as well. Thanks for the information, this worked!

2 Likes

Well... Sort of.

The pieces are starting to line up though.

This redirection will not work - it needs some care:

curl -Iki {your.external.IP}
HTTP/1.1 301 Moved Permanently
Date: Wed, 21 Oct 2020 23:57:34 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Redirect-By: WordPress
Location: http://{your.internal.IP}/
Content-Type: text/html; charset=UTF-8

1 Like
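The two failure modes diagnosed in this thread (port 80 not reachable from the Internet, and a WordPress 301 that sends the validation server to an internal address) can be checked before running certbot. The script below is an added example, not something posted in the thread or shipped by Certbot; the header blocks it tests against are constructed samples, and the private address 192.168.1.10 in them is a placeholder standing in for the redacted `{your.internal.IP}` above.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): pre-flight checks for an http-01 challenge.
# The classify_* functions work on header text only and need no network;
# check_live uses curl, which is assumed to be installed.

# Print the value of the Location header from a block of HTTP response headers.
redirect_target() {
    printf '%s\n' "$1" | tr -d '\r' | awk 'tolower($1)=="location:" {print $2; exit}'
}

# Reduce a URL (scheme://host[:port]/path) to its host part.
url_host() {
    local u="$1"
    u="${u#*://}"      # drop scheme
    u="${u%%/*}"       # drop path
    u="${u%%:*}"       # drop port
    printf '%s\n' "$u"
}

# Return 0 if the argument is a loopback or RFC 1918 private IPv4 address.
is_private_ipv4() {
    case "$1" in
        10.*|127.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[0-1].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify a response: "private" when Location points at a non-routable host
# (the WordPress siteurl problem from the thread, which the validation server
# cannot follow), "none" when there is no redirect, otherwise "ok".
classify_redirect() {
    local loc host
    loc=$(redirect_target "$1")
    [ -n "$loc" ] || { echo none; return; }
    host=$(url_host "$loc")
    if is_private_ipv4 "$host" || [ "$host" = localhost ]; then
        echo private
    else
        echo ok
    fi
}

# Live check (needs network): fetch headers over plain HTTP and classify them.
# "unreachable" corresponds to the curl "Connection timed out" seen in the thread,
# i.e. port 80 is not forwarded or is filtered before it reaches Apache.
check_live() {
    local hdrs
    hdrs=$(curl -sI --max-time 10 "http://$1/") || { echo unreachable; return; }
    classify_redirect "$hdrs"
}

# Constructed sample responses (not captured from davidt.me).
BAD_HEADERS=$'HTTP/1.1 301 Moved Permanently\r
Server: Apache/2.4.41 (Ubuntu)\r
X-Redirect-By: WordPress\r
Location: http://192.168.1.10/\r
Content-Type: text/html; charset=UTF-8\r'

GOOD_HEADERS=$'HTTP/1.1 301 Moved Permanently\r
Server: Apache/2.4.41 (Ubuntu)\r
Location: https://www.example.com/\r
Content-Type: text/html; charset=iso-8859-1\r'

NO_REDIRECT=$'HTTP/1.1 200 OK\r
Server: Apache/2.4.41 (Ubuntu)\r
Content-Type: text/html; charset=UTF-8\r'

# Usage: ./precheck.sh example.com   (prints ok | private | none | unreachable)
if [ "$#" -gt 0 ]; then
    check_live "$1"
fi
```

A result of `private` means fixing the WordPress Site Address (siteurl/home) to the public hostname before retrying; `unreachable` points at the router's port-forwarding or firewall rules rather than at Apache or Certbot.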

These do look good:

curl -Iki davidt.me
HTTP/1.1 301 Moved Permanently
Date: Wed, 21 Oct 2020 23:59:29 GMT
Server: Apache/2.4.41 (Ubuntu)
Location: https://davidt.me/
Content-Type: text/html; charset=iso-8859-1

curl -Iki www.davidt.me
HTTP/1.1 301 Moved Permanently
Date: Wed, 21 Oct 2020 23:59:41 GMT
Server: Apache/2.4.41 (Ubuntu)
Location: https://www.davidt.me/
Content-Type: text/html; charset=iso-8859-1

1 Like

Okay is there anything else I need to do?

1 Like

I would do a test run cert request, with:
certbot certonly --dry-run

1 Like