Couldn't renew cert, and now can't install a new one. Any help appreciated!

Help
1

Hello

I’ve messed things up on the server I use for my school classes. Hoping someone can help me. I’ve read through a lot of similar posts on this forum, but no fixes / advice seems to directly apply to my problem.

My server is used for web development by lots of classes, so is setup to serve pages from user home folders, as well as the main web root. It also hosts some other services such as a Moodle install, a Jobe code server, etc.

Everything was working beautifully until I broke things this morning…

What I did… Previous cert had expired yesterday (I’d not set up an auto-renew) and I tried to renew today. This failed (challenge failed), so I thought I’d be ‘smart’ and remove all traces of previous certs and obtain a new one. This failed, so I removed certbot and all traces of it, and reinstalled. Also disabled the Apache SSL site. Tried to obtain a new cert. This failed.

So I’m stuck with a working server on port 80 (I’ve temporarily removed the redirect rule for HTTP->HTTPS) but I can’t get a cert setup to allow me to switch back to HTTPS. Nothing seems to work, and I’m stuck.

Any help/advice appreciated

Steve

P.S. The Apache site conf is not just simple one. I can post it if it’ll help. Also the conf for the SSL site that’s presently disabled.

My domain is: dt.waimea.school.nz

I ran this command:

sudo certbot --apache -d dt.waimea.school.nz

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for dt.waimea.school.nz
Waiting for verification...
Challenge failed for domain dt.waimea.school.nz
http-01 challenge for dt.waimea.school.nz
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: dt.waimea.school.nz
   Type:   connection
   Detail: Fetching
   http://dt.waimea.school.nz/.well-known/acme-challenge/8-74qKVH_C2NQLBemXWGewmo7JZ2UX6YYztC4uDPzFY:
   Timeout during connect (likely firewall problem)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

My web server is (include version): Apache/2.4.41 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 20.04 LTS

My hosting provider, if applicable, is: Self-hosted

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.40.0

1 Like
2

Your IP (122.56.184.10) is unreachable via port 80 (HTTP).
[HTTP access is required for validation]

As the error message states, it is most likely a firewall problem.
curl: (7) Failed to connect to dt.waimea.school.nz port 80: Connection timed out

See: https://letsdebug.net/dt.waimea.school.nz/189661

1 Like
3

Hi.

Well, that’s strange. If I access that IP via my phone’s 4G (i.e. outside of my school domain) I can see the server just fine…

dtserver
dtserver1080×2280 370 KB

1 Like
4

Even stranger… seems to be a geographical issue… Only accessible from NZ and Australia!

See: https://www.host-tracker.com/v3/check/1/3185dc81-2f3e-4036-bc91-adc0d5daad6b

Having a chat with my sysadmins…

1 Like
5

Yep… Seems our education network in NZ, N4L, geo-fences all school IPs by default. This must not have been the case when I first installed the LetsEncrypt cert last year…

Will look at getting an exception to the geofence for this server. Hopefully everything will then go smoothly.

Thanks for pointing me in the right direction!

2 Likes
6

If you can’t get an exception, you can also consider using the DNS authentication method, although that’s much harder to automate unless you have an API that can be used to update DNS records from software.

2 Likes
7

Thanks.

Bypassing the geo-fence ended up being too much of a hassle, so I’ve ended up manually authenticating via DNS using the steps at https://gethttpsforfree.com/ (our DNS has no API for TXT records).

Didn’t take long… 20mins of hassle every 90 days! (I’ll see how many repeats of that I cope with before I give in a buy a cert!)

1 Like
8

Or maybe switch to a DNS provider that does offer an API! :slight_smile:

1 Like
9

(it’s possible to delegate just the _acme-challenge record to another zone via a CNAME record, which the validator will follow, so you can use a different provider for your ACME challenge than for your other DNS entries, if necessary!)

1 Like
10

I don’t have those sorts of powers here… I’m just a lowly teacher!

2 Likes
11

Or maybe you can convince the network "powers that be" to handle such certificate issuances for the entire school. [Presuming you are not the only one that is trying to use LE.]
Maybe giving them the entire "problem" and allowing them to come to their own acceptable "solution" will, in the end, provide you with what you need.
:crossed_fingers:

Best of luck and cheers from Miami :beers:

12

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.