Creating a Certificate for our Website

My domain is: sybestreaming.ch

I ran this command: certbot certonly --standalone -v

It produced this output:

root@sybevm01:/home/sybeuser01# certbot certonly --standalone -v
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): sybestreaming.ch
Requesting a certificate for sybestreaming.ch
Performing the following challenges:
http-01 challenge for sybestreaming.ch
Waiting for verification...
Challenge failed for domain sybestreaming.ch
http-01 challenge for sybestreaming.ch

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: sybestreaming.ch
  Type:   connection
  Detail: During secondary validation: 170.17.155.156: Fetching http://sybestreaming.ch/.well-known/acme-challenge/21FoItCKiaxyMVIWz-etRoyOsbj9DfUNXc7TSV42i3c: Error getting validation data

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Jellyfin mediaserver, running on port 8096

The operating system my web server runs on is (include version): JellyFin

My hosting provider, if applicable, is: hostpoint.ch

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.32.2

Additional Info: I have adjusted the firewall to allow inbound connections on port 80

What country are you located in (ok, Switzerland) and are you blocking connections from either Germany or the US?

3 Likes

At least not actively, no. Is there a way to test this?

Did you only try once? Same result each time?

It could just be a disturbance in the for... in the internet routing.

3 Likes

Yes, I tried multiple times.

Always "during secondary validation"?

Are you opening your firewall manually? If so, don't close it after the first request. You should get at least four.

If you're not doing this, it's some other firewall that's veeeery trigger happy -- you have to find out which: OS? ISP?

3 Likes

I can't reach your site from my US test server. And, neither can the Let's Debug test site (link here)

A different test site which checks from various points around the world also cannot connect from any location (link here).

I am not sure why it says secondary failure (implying the primary succeeded), but your system isn't reachable by most points on the internet.

Fix your firewall or connectivity and use the Let's Debug test site until it shows OK

4 Likes

Hello Mike

That is strange... I opened up port 80 for incoming connections. Can you please try sybestreaming.ch:8096? That is our login page for Jellyfin. There isn't any service running on port 80 currently.

Yes, sorry. Forgot you were using --standalone. I can see your port 8096 Kestrel.

Can you add --debug-challenges -v to your certbot standalone command? This will pause the standalone so connectivity can be checked. Let us know when that's available

4 Likes

Here it is... looks pretty similar unfortunately:


root@sybevm01:/home/sybeuser01# certbot certonly --standalone --debug-challenges -v
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): sybestreaming.ch
Requesting a certificate for sybestreaming.ch
Performing the following challenges:
http-01 challenge for sybestreaming.ch

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Challenges loaded. Press continue to submit to CA.

The following URLs should be accessible from the internet and return the value
mentioned:

URL:
http://sybestreaming.ch/.well-known/acme-challenge/NxkA-UKt0ZmVTI5L6fXyMHXe6DbE8DJ0ZbYt0p5whVI
Expected value:
NxkA-UKt0ZmVTI5L6fXyMHXe6DbE8DJ0ZbYt0p5whVI.5RcDH33MJkwhe1JtsIayc00RMKKkixcy8C6EFED8RQA
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Challenge failed for domain sybestreaming.ch
http-01 challenge for sybestreaming.ch

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: sybestreaming.ch
  Type:   connection
  Detail: 170.17.155.156: Fetching http://sybestreaming.ch/.well-known/acme-challenge/NxkA-UKt0ZmVTI5L6fXyMHXe6DbE8DJ0ZbYt0p5whVI: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

When it shows this just leave it sit. Do not press Enter.

Then, either we can look at it from the public internet. Or, you could try accessing that URL from a machine on the public internet and see if you can connect.

You likely have a firewall or something else wrong in your comms config.

3 Likes
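A small checker for the paused --debug-challenges step described above, added here as an example and not part of this thread or of Certbot itself: paste Certbot's "URL / Expected value" block into it and run it from a host on the public internet while Certbot waits at "Press Enter to Continue". The result names ("refused", "timeout", "mismatch") are my own labels, chosen to line up with the CA's error wording; only the standard library is used.

```python
import re
import socket
import sys
import urllib.error
import urllib.request

# Matches the URL / Expected value pairs certbot prints under --debug-challenges.
_PAIR = re.compile(r"URL:\s*(\S+)\s*Expected value:\s*(\S+)")


def parse_debug_challenges(text):
    """Return [(url, expected_key_authorization), ...] from certbot's paused output."""
    return _PAIR.findall(text)


def token_matches(url, expected):
    """A valid http-01 key authorization is '<token>.<thumbprint>', where
    <token> is the last path segment of the challenge URL."""
    token = url.rsplit("/", 1)[-1]
    return expected.startswith(token + ".")


def fetch_http(url, timeout=10):
    """Plain HTTP GET (http-01 is always served on port 80, never over TLS)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def _classify(err):
    if isinstance(err, ConnectionRefusedError):
        return "refused"      # port 80 reachable but nothing listening (certbot not paused?)
    if isinstance(err, (socket.timeout, TimeoutError)):
        return "timeout"      # packets silently dropped: a firewall in the path
    return "unreachable"      # DNS failure, no route, etc.


def check_challenge(url, expected, fetch=fetch_http):
    """Fetch the challenge URL and say why validation would fail, if it would."""
    if not token_matches(url, expected):
        return "bad-pair"     # URL and expected value were not copied together
    try:
        body = fetch(url)
    except urllib.error.HTTPError as e:   # a server answered, but not with 200
        return f"http-{e.code}"
    except urllib.error.URLError as e:    # urllib wraps socket errors here
        return _classify(e.reason)
    except OSError as e:                  # raw socket errors
        return _classify(e)
    return "ok" if body.strip() == expected else "mismatch"


if __name__ == "__main__":
    for url, expected in parse_debug_challenges(sys.stdin.read()):
        print(check_challenge(url, expected), url)
```

Run it as `python3 check_http01.py < pasted_output.txt` from a machine outside your network; "refused" points at the host not listening, "timeout" at a firewall dropping the connection.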

Yes... I'm at this point again. I am also not able to access it over port 80. I am not quite sure why... does it need any other ports than 80?

Okay, I'm able to access it locally at least:
[screenshot]

But not externally...which is strange, since I opened port 80.

Edit 2: Okay, so I opened it for UDP as well and now I'm able to see it externally as well and it worked! Thank you for your help guys.

3 Likes

I do not see Port 80 open

$ curl -Ii http://sybestreaming.ch/.well-known/acme-challenge/sometestfile
curl: (7) Failed to connect to sybestreaming.ch port 80 after 339 ms: Connection refused
$ nmap -Pn sybestreaming.ch
Starting Nmap 7.80 ( https://nmap.org ) at 2023-01-30 15:14 UTC
Nmap scan report for sybestreaming.ch (170.17.155.156)
Host is up (0.17s latency).
rDNS record for 170.17.155.156: 156.155.17.170.static.wline.lns.sme.cust.swisscom.ch
Not shown: 998 filtered ports
PORT     STATE  SERVICE
80/tcp   closed http
3389/tcp open   ms-wbt-server

Nmap done: 1 IP address (1 host up) scanned in 12.94 seconds
$ sudo traceroute --port=80 sybestreaming.ch
traceroute to sybestreaming.ch (170.17.155.156), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  0.214 ms  0.220 ms  0.285 ms
 2  96.120.60.137 (96.120.60.137)  8.844 ms  8.825 ms  8.807 ms
 3  162.151.125.157 (162.151.125.157)  11.970 ms  11.951 ms  11.932 ms
 4  68.85.243.154 (68.85.243.154)  8.885 ms  15.199 ms  15.181 ms
 5  96.216.60.245 (96.216.60.245)  8.677 ms  14.156 ms  8.640 ms
 6  24.124.129.61 (24.124.129.61)  8.621 ms  13.594 ms  13.809 ms
 7  ae-69-ar01.beaverton.or.bverton.comcast.net (96.216.60.157)  13.930 ms  10.127 ms  20.487 ms
 8  be-36221-cs02.portland.or.ibone.comcast.net (68.86.94.197)  7.658 ms be-36211-cs01.portland.or.ibone.comcast.net (68.86.94.193)  11.809 ms be-36241-cs04.portland.or.ibone.comcast.net (68.86.94.205)  11.909 ms
 9  be-1311-cr11.portland.or.ibone.comcast.net (96.110.46.242)  11.678 ms be-1111-cr11.portland.or.ibone.comcast.net (96.110.46.210)  11.801 ms  9.563 ms
10  be-303-cr13.sunnyvale.ca.ibone.comcast.net (96.110.39.41)  23.139 ms be-301-cr13.sunnyvale.ca.ibone.comcast.net (96.110.36.121)  23.102 ms be-302-cr13.sunnyvale.ca.ibone.comcast.net (96.110.36.125)  23.067 ms
11  be-1313-cs03.sunnyvale.ca.ibone.comcast.net (96.110.46.33)  23.412 ms be-1113-cs01.sunnyvale.ca.ibone.comcast.net (96.110.46.9)  23.379 ms be-1313-cs03.sunnyvale.ca.ibone.comcast.net (96.110.46.33)  23.344 ms
12  be-3202-pe02.529bryant.ca.ibone.comcast.net (96.110.41.214)  23.323 ms be-3102-pe02.529bryant.ca.ibone.comcast.net (96.110.41.210)  23.559 ms be-3202-pe02.529bryant.ca.ibone.comcast.net (96.110.41.214)  22.955 ms
13  80.156.163.153 (80.156.163.153)  22.900 ms  27.394 ms  27.359 ms
14  nyc-sb5-i.NYC.US.NET.DTAG.DE (62.154.5.241)  85.805 ms  85.784 ms  85.765 ms
15  80.156.162.162 (80.156.162.162)  160.707 ms  160.646 ms  160.608 ms
16  i62bsw-015-ae16.bb.ip-plus.net (138.187.129.52)  160.572 ms  160.538 ms  160.517 ms
17  i73olt-005-ae8.bb.ip-plus.net (138.187.129.27)  164.182 ms  164.163 ms  164.144 ms
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

HTTP port 80 does not seem open from around the world (Check host - online website monitoring).

However, here is a list of issued certificates (only 1) on crt.sh for sybestreaming.ch, the latest being 2023-01-30.

1 Like

It will only be open when they have certbot standalone running.

4 Likes
