Debian 11 - nginx - Let's Encrypt setup not working

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | apsago.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: apsago.com

I ran this command: certbot --nginx -d apsago.com -d www.apsago.com

It produced this output:
Challenge failed for domain apsago.com
Challenge failed for domain www.apsago.com
http-01 challenge for apsago.com
http-01 challenge for www.apsago.com
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: apsago.com
Type: connection
Detail: 113.172.5.194: Fetching http://apsago.com/.well-known/acme-challenge/U3TZgbByMQYK0DZmEUjYC3cqydbUWJTOS52fpeZUCqc: Timeout during connect (likely firewall problem)
Domain: www.apsago.com
Type: connection
Detail: 113.172.5.194: Fetching http://www.apsago.com/.well-known/acme-challenge/5_YbSY6G6yD7eWUCj7V_WsAcDnNV3BNXV0_3zOJBjps: Timeout during connect (likely firewall problem)
To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.

My web server is (include version): nginx 1.18.0

The operating system my web server runs on is (include version): Debian 11 Raspberry Pi 4 Model B 4 GB

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.12.0

When I check on Let's Debug, it has output:
ANotWorking

ERROR

www.apsago.com has an A (IPv4) record (113.172.5.194) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.

A timeout was experienced while communicating with www.apsago.com/113.172.5.194: Get "http://www.apsago.com/.well-known/acme-challenge/letsdebug-test": context deadline exceeded

Trace:
@0ms: Making a request to http://www.apsago.com/.well-known/acme-challenge/letsdebug-test (using initial IP 113.172.5.194)
@0ms: Dialing 113.172.5.194
@10001ms: Experienced error: context deadline exceeded

IssueFromLetsEncrypt

ERROR

A test authorization for www.apsago.com to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.

113.172.5.194: Fetching http://www.apsago.com/.well-known/acme-challenge/aGjLkCBiNS2068SXZgYn1CKfqLjH3_01Je11sJTHofs: Timeout during connect (likely firewall problem)

Please help, thank you so much

It looks like a firewall problem indeed. Tell us about your firewalls.


I use ufw; I have opened ports 80 and 443, Full NGINX, and NAT from freeDNS.org to my domain.

Something is blocking port 80. Port 443 looks clearer but nothing is listening. Do you recognize port 2022 from your config?

Check your port forwarding and any router firewall (I guess):

PORT     STATE    SERVICE
80/tcp   filtered http
443/tcp  closed   https
2022/tcp open     down

Yes, 2022 is my SSH port.

Good. I see port 80 open now too. You should be able to make progress.
Oops. Still getting a timeout. Check your port forwarding and nginx listen.


Could you please explain how to check port forwarding and nginx listen? I have set NAT on ports 80/443 already.

Are you connected to a router? If so it's in there.

You should have a working HTTP site before trying to get a cert. I cannot reach your site with this from my own test server. Which has nothing to do with Let's Encrypt:

curl -i -m10 http://apsago.com
curl: (28) Connection timed out after 10001 milliseconds

Oddly, I did get a response once and saw a "Welcome to APSAGO.com" page. But, subsequent attempts time out as shown

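The replies above boil down to three checks: what an external port scan reports for 80/tcp (and what "filtered" versus "closed" means), whether nginx is actually bound to port 80 on an address other than loopback, and whether the ACME challenge path answers from outside. The script below is an added example written for this thread, not code posted by anyone in it. It assumes nmap's normal output format, the column layout of `ss -Hltn` (State, Recv-Q, Send-Q, Local Address:Port, ...), and a curl that supports `-w '%{http_code}'`. The sample scan and socket listings are constructed, not captured from apsago.com.

```shell
#!/bin/sh
# Added example for the thread above, not code from the original posts.
# Helpers for the three checks the replies ask for. Sample data below is
# constructed, not captured from apsago.com.

# Echo the nmap STATE (open|closed|filtered) for port $2 from nmap's normal output in $1.
port_state() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 == (p "/tcp") { print $2; exit }'
}

# Turn the state into the next troubleshooting step.
explain_state() {
    case "$1" in
        open)     echo "reachable: TCP connect succeeded, look at the nginx config next" ;;
        closed)   echo "host reached but nothing listening: check the forwarded port and nginx 'listen'" ;;
        filtered) echo "no reply: a firewall, NAT rule or the ISP drops the packets before nginx sees them" ;;
        *)        echo "unknown" ;;
    esac
}

# Return 0 if `ss -Hltn` output in $1 shows a listener on port $2 that is not bound
# only to loopback. A hand-edited 'listen 127.0.0.1:80' in nginx is a classic way
# to get "closed" from outside while curl on the Pi itself works fine.
listens_publicly() {
    printf '%s\n' "$1" | awk -v p="$2" '
        {
            n = split($4, a, ":"); port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (port == p && addr != "127.0.0.1" && addr != "[::1]") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Probe the challenge path from outside over plain HTTP, as Let's Encrypt does.
# Needs network, so the test does not call it. A 404 from nginx is a good sign:
# the request reached the web server. curl exit status 28 is the same
# "Timeout during connect" the validation server reports in the thread.
probe_challenge() {
    curl -4 -sS -m 10 -o /dev/null -w '%{http_code}\n' \
        "http://$1/.well-known/acme-challenge/probe-$$"
}

# Constructed sample: an external scan like the one posted in the thread.
SAMPLE_NMAP='PORT     STATE    SERVICE
80/tcp   filtered http
443/tcp  closed   https
2022/tcp open     ssh'

# Constructed samples of `ss -Hltn` on the Pi: a healthy nginx, and one bound to loopback.
SAMPLE_SS_OK='LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 [::]:80 [::]:*
LISTEN 0 128 0.0.0.0:2022 0.0.0.0:*'

SAMPLE_SS_LOOPBACK='LISTEN 0 511 127.0.0.1:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:2022 0.0.0.0:*'

# Walk the constructed scan and say what each state means.
for p in 80 443 2022; do
    s=$(port_state "$SAMPLE_NMAP" "$p")
    echo "$p/tcp $s: $(explain_state "$s")"
done
listens_publicly "$SAMPLE_SS_OK" 80 && echo "sample A: nginx is bound to port 80 on all addresses"
listens_publicly "$SAMPLE_SS_LOOPBACK" 80 || echo "sample B: port 80 is bound to loopback only"
```

On the Pi itself, run `listens_publicly "$(ss -Hltn)" 80` and `sudo ufw status`; from a machine outside the home network, run `probe_challenge www.apsago.com`. "filtered" on 80/tcp together with a healthy listener on the Pi points at the router's forwarding rule or something upstream of it, which is where this thread ended up.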

To have port forwarding working consistently you should also make your router assign the Raspberry Pi the same local IPv4 address every time, so you can configure the forwarding. You can do that via static assignment or a DHCP reservation.


I've set NAT already, but it's not working?!? I checked, and http://apsago.com is OK.

Yeah, your apex works but www doesn't... show us the nginx config you're using.


I was just able to connect to your www subdomain.

Do you have stuff like fail2ban, or maybe just an overburdened CPU?


I have just reinstalled my RPi following this tutorial: How To Secure Nginx with Let's Encrypt on Debian 10 | DigitalOcean
Nothing else.

That tutorial looks mostly fine, and that's something -- we've seen some horrible ones. But you should install certbot following the instructions on certbot.eff.org instead.


I followed this up to step 7, but it's not working.

Make sure that the internal IP of your Raspberry Pi is still 192.168.1.244.


Yes, it's 192.168.1.244; I've set a static IP for my RPi already.

I can see your website. You can probably try again.

At this point if it doesn't work it's probably some firewall you cannot control.


It worked when I moved my RPi to another router.
Thank you for your help.
