Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: shammas.firmsoft.tech
I ran this command: sudo certbot certonly --nginx
It produced this output:
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Detail: 22.214.171.124: Fetching http://shammas.firmsoft.tech/.well-known/acme-challenge/36tUZKzX9wyt8S9SIfsax8oYrrVl0kncM1Q68Fg3bmg: Timeout during connect (likely firewall problem)
Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
My web server is (include version): nginx/1.18.0 (Ubuntu)
The operating system my web server runs on is (include version): Ubuntu 22.4
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.6.0
Yes, my router has a port forwarding to this server--I am forwarding all ports in the range 12 to 20000 !!
Accessing http://shammas.firmsoft.tech using my cell phone when I am not on wifi works fine for me, so port forwarding must be working.
Please note that I am geographically located in Bahrain (a country in the Middle East). Could it be just an issue of timing out? The site is reachable for me because I am close by but not for you because I assume you are physically far away? Does that make sense? I am on at a decent internet speed however (more than 100mbps for both upload and download). Is there away to increase the timeout period for certbot to test this hypothesis?
Your site is not accessible to the Internet. Maybe the firewall blocking it is only allowing connections from within your country, but it needs to be globally accessible in order for Let's Encrypt to be able to validate that you own that name.
Thank you guys for your kind replies but blocking at the country level does not apply in Bahrain. I just tried VPN to a server in the US so that I have a US IP address on my cell phone. Trying multiple times under this setting, the site was reachable at the rate of like once every 3 to 5 trials. It takes time to successfully connect, but times out frequently. So it is the slow connection as far as I can see it. Now my question is whether there is a way to extend the timeout period of certbot---just making it a bit more patient.
I also think you have a fundamental problem with ports 80 and 443. I even tried a testing tool with a server in Manama and it could not see you either.
No, there is no way to tell the Let's Encrypt servers to increase their timeout values.
I think you need to find out why Let's Debug and Let's Encrypt can't see you using HTTP as that points to a general problem of anyone being able to connect.
But, just to get a cert you could use a DNS Challenge instead. I don't see support for your DNS Provider (Wild West?) so you would do this manually and repeat it every 60 days or so to renew your cert.
Or, you could try another (free) ACME CA. I think that will fail too but maybe that will convince you that you have a problem and that it is not with Let's Encrypt.
Using: traceroute -T -p 80 shammas.firmsoft.tech
We can see that the blocks are very close to the endpoint.
10 be2331.ccr31.bio02.atlas.cogentco.com (126.96.36.199) 109.282 ms 109.212 ms 108.624 ms
11 be3078.ccr32.mrs02.atlas.cogentco.com (188.8.131.52) 122.192 ms 121.609 ms 119.847 ms
12 be2066.agr21.mrs02.atlas.cogentco.com (184.108.40.206) 120.595 ms be2753.agr21.mrs02.atlas.cogentco.com (220.127.116.11) 120.393 ms 121.857 ms
13 18.104.22.168 (22.214.171.124) 216.497 ms 217.217 ms 217.100 ms
14 * * *
15 dynamic.ip.126.96.36.199.batelco.com.bh (188.8.131.52) 214.892 ms 213.395 ms 213.925 ms
16 dynamic.ip.184.108.40.206.batelco.com.bh (220.127.116.11) 225.630 ms 225.219 ms 224.030 ms
17 dynamic.ip.18.104.22.168.batelco.com.bh (22.214.171.124) 225.992 ms 219.300 ms 212.528 ms
10 126.96.36.199 (188.8.131.52) 208.022 ms 208.052 ms 184.108.40.206 (220.127.116.11) 214.304 ms
11 * 18.104.22.168 (22.214.171.124) 198.329 ms 126.96.36.199 (188.8.131.52) 201.075 ms
12 184.108.40.206 (220.127.116.11) 211.013 ms * *
13 18.104.22.168 (22.214.171.124) 216.067 ms dynamic.ip.126.96.36.199.batelco.com.bh (188.8.131.52) 196.861 ms 193.104 ms
14 184.108.40.206 (220.127.116.11) 195.520 ms 190.950 ms *
15 * * *
16 dynamic.ip.18.104.22.168.batelco.com.bh (22.214.171.124) 199.311 ms 196.076 ms 197.138 ms
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *