Creating SSL certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: stg-olac.berkeley.edu

I ran this command: certbot certonly --webroot

It produced this output:
Saving debug log to C:\Certbot\log\letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): stg-olac.berkeley.edu
Requesting a certificate for stg-olac.berkeley.edu
Input the webroot for stg-olac.berkeley.edu: (Enter 'c' to cancel): C:\wamp64\www\olac

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: stg-olac.berkeley.edu
Type: connection
Detail: 169.229.250.13: Fetching http://stg-olac.berkeley.edu/.well-known/acme-challenge/N8akWIWnqWS4Yif_G9WsA0lN3ZxzMhq7G11XYXyL1SA: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile C:\Certbot\log\letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Drupal 10.1.6 Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.10

The operating system my web server runs on is (include version): Windows Server 2022

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.7.4

The --webroot uses an HTTP Challenge so needs port 80 open. Yours is closed. You have port 443 open so you might consider using Apache mod_md and the TLS_ALPN challenge.

If that works you would not even need Certbot and just rely on the required Apache config settings for mod_md

Apache has its own docs but I like the ones here better. It is where mod_md got started

5 Likes

Hi and thank you so much for the quick response.
I opened port 80 and retried again but I still got the same error.
I am not familiar with the other solution you suggested. Please could you point me in the direction where I can get information about it?
Thank you very much

1 Like

@MikeMcQ already provided a link to where you can learn more about mod_md at the end of the message to which you replied.

4 Likes

Oh, thank you very much.

2 Likes

I see a different error. You were getting a Timeout but now get a "Reset By Peer" error. It looks like you have a Palo Alto Networks brand firewall blocking ACME Challenge requests. You should show the below requests to your network team and have them allow the "acme-protocol" in the Applications section in that firewall. We have seen this problem often.

Notice the request with a default curl request works. But, a user-agent for Let's Encrypt fails with "reset by peer"

curl -I stg-olac.berkeley.edu/.well-known/acme-challenge/Test404
HTTP/1.1 404 Not Found
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.10 mod_fcgid/2.3.10-dev

curl -I stg-olac.berkeley.edu/.well-known/acme-challenge/Test404 -A "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
curl: (56) Recv failure: Connection reset by peer
5 Likes

Yes, we have Palo Alto Network firewall. I will take this up with the Network team.
Thank you very much

2 Likes

See also:

Also note that Certbot is phasing out support for Windows. As already said I also, with the phasing out of Windows support of Certbot, encourage you to look into other clients like mod_md. Or if mod_md is not something you like, other Windows based ACME clients.

3 Likes

Yes, I am reading about mod_md now and I might be implementing it.
Thank you so much

4 Likes

Hi all,
I got the keys and certificates for the stg-olac site after acme-protocol was allowed through the firewall.
However, the stg-olac is just the staging site but when I tried to do the same on the PROD, I got a different error.
The error says UNAUTHORIZED:

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: olac.berkeley.edu
Type: unauthorized
Detail: 169.229.250.12: Invalid response from http://olac.berkeley.edu/.well-known/acme-challenge/bpnU0Ro20B5Mm5u09-TX8M28dR8JqBZPwQ9mXDGkSwQ: 404

Domain: www.olac.berkeley.edu
Type: unauthorized
Detail: 169.229.250.12: Invalid response from http://www.olac.berkeley.edu/.well-known/acme-challenge/gcuIoLy0sM40_zTgLA5CpgLpJqpXM1jqPJfQTmTLUxY: 403

The first site returned 404 via HTTP:

I get 301:

curl -Ii olac.berkeley.edu/.well-known/acme-challenge/Test_File-1234
HTTP/1.1 301 Moved Permanently     <<<<<<<<<<<<<<<<<<<<<<<<<
Date: Wed, 22 Nov 2023 03:00:35 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.10 mod_fcgid/2.3.10-dev
X-Powered-By: PHP/8.2.10
Location: https://olac.berkeley.edu/.well-known/acme-challenge/Test_File-1234
X-Drupal-Dynamic-Cache: UNCACHEABLE
Content-language: en
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Generator: Drupal 10 (https://www.drupal.org)
X-Drupal-Cache: MISS
Content-Type: text/html; charset=UTF-8

The www site does require authentication:

curl -Ii www.olac.berkeley.edu/.well-known/acme-challenge/Test_File-1234
HTTP/1.1 403 Forbidden     <<<<<<<<<<<<<<<<<<<<<<<<<
Date: Wed, 22 Nov 2023 03:02:21 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.10 mod_fcgid/2.3.10-dev
Content-Type: text/html; charset=iso-8859-1
2 Likes
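The two manual checks in this thread (the user-agent comparison a few posts up and the 301/403 responses in this post) can be scripted. The POSIX shell helper below is an added example, not code from the thread, from Certbot or from Let's Encrypt. It requests a deliberately nonexistent token from /.well-known/acme-challenge/ over plain HTTP, once with curl's default User-Agent and once with the Let's Encrypt validation User-Agent quoted above, and maps each outcome (timeout, reset by peer, 200, redirect, 403, 404) to the failure modes seen in this thread. The host name is read from the ACME_PROBE_HOST environment variable, an assumption of this script; nothing is contacted unless it is set.

```shell
#!/bin/sh
# Added diagnostic helper (not from the thread or from Certbot). Reproduces the
# curl probes shown in the thread and classifies what comes back.
# The "Test404" token is intentionally missing, as in the thread's own probes,
# so a 404 from a correctly configured server is the expected "reachable" answer.

LE_UA="Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

# classify_probe CURL_EXIT STATUS_LINE [LOCATION_HEADER]
# Prints "<code>: <explanation>"; the code before the colon is stable for scripting.
classify_probe() {
    exit_code="$1"
    status_line="$2"
    location="${3:-}"
    case "$exit_code" in
        28) echo "timeout: port 80 not reachable from the internet (firewall or no listener)"; return 0 ;;
        56) echo "reset-by-peer: connection accepted then reset, typical of an inspecting firewall dropping ACME traffic"; return 0 ;;
        0) ;;
        *) echo "curl-error-$exit_code: curl failed before an HTTP status was received"; return 0 ;;
    esac
    # Second word of the status line is the HTTP status for both HTTP/1.1 and HTTP/2.
    status=$(printf '%s\n' "$status_line" | awk '{print $2}')
    case "$status" in
        200) echo "ok: the challenge path is served over plain HTTP" ;;
        301|302|307|308)
            # Let's Encrypt follows redirects, so the redirect target must serve the token.
            echo "redirect: target ${location:-<none>} must serve the token for validation to pass" ;;
        403) echo "forbidden: access control or directory permissions block the challenge path" ;;
        404) echo "not-found: path reachable; the token must be written to the webroot Certbot is given" ;;
        *) echo "unexpected-status-$status" ;;
    esac
}

# probe_acme_path HOST [USER_AGENT]
# Sends one HEAD request (curl -I, as in the thread) and classifies the result.
probe_acme_path() {
    host="$1"
    ua="${2:-}"
    url="http://$host/.well-known/acme-challenge/Test404"
    rc=0
    if [ -z "$ua" ]; then
        headers=$(curl -s -I --max-time 15 "$url" 2>/dev/null) || rc=$?
    else
        headers=$(curl -s -I --max-time 15 -A "$ua" "$url" 2>/dev/null) || rc=$?
    fi
    headers=$(printf '%s' "$headers" | tr -d '\r')
    status_line=$(printf '%s\n' "$headers" | sed -n '1p')
    location=$(printf '%s\n' "$headers" | awk 'tolower($1) == "location:" {print $2}' | sed -n '1p')
    classify_probe "$rc" "$status_line" "$location"
}

# compare_user_agents HOST
# A differing verdict between the two lines points at user-agent based filtering.
compare_user_agents() {
    host="$1"
    printf 'default UA      : %s\n' "$(probe_acme_path "$host")"
    printf "Let's Encrypt UA: %s\\n" "$(probe_acme_path "$host" "$LE_UA")"
}

# Only contact the network when a host was supplied, e.g.
#   ACME_PROBE_HOST=example.com sh probe.sh
if [ -n "${ACME_PROBE_HOST:-}" ]; then
    compare_user_agents "$ACME_PROBE_HOST"
fi
```

A 404 from both probes, as on the staging host after the firewall change, means the path is reachable and the remaining work is on the webroot; a verdict that differs only when the Let's Encrypt User-Agent is used is the pattern that pointed at the firewall in this thread.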

Thank you for looking into this.
As someone suggested on the forum, Palo Alto network firewall is in use and was blocking ACME protocol
Then I tried the standalone command and I was able to generate the certificate successfully.
Again, I am very grateful for your help and help from all the good people in the forum

3 Likes
