I port forwarded 80 and 443 to the IP of my server behind my router. To my knowledge my internet provider does not block 80 or 443; in fact, I switched from my old provider because they did block 80 and 443. However, I’m still getting this failed challenge error. I have a feeling it might be due to the Ubuntu-level firewall, which is UFW at the moment, but I’m not sure what rule exactly I would need to add in there. Any tips?
To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
64738                      ALLOW IN    Anywhere
137,138/udp (Samba)        ALLOW IN    Anywhere
139,445/tcp (Samba)        ALLOW IN    Anywhere
2999:3001/tcp              ALLOW IN    Anywhere
22 (v6)                    ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
64738 (v6)                 ALLOW IN    Anywhere (v6)
137,138/udp (Samba (v6))   ALLOW IN    Anywhere (v6)
139,445/tcp (Samba (v6))   ALLOW IN    Anywhere (v6)
2999:3001/tcp (v6)         ALLOW IN    Anywhere (v6)
P.S. That is if you are using TLS-SNI verification. For HTTP verification you would only need port 80 open, and for DNS verification you would not need open ports at all (but you would have to be able to add a TXT record in your DNS).
Hrm, I’m still getting the same error message. Do I need to enable SSL and such in my .conf file? Maybe I am mistaken in believing that letsencrypt would do that for me?
Nope, that's correct. The apache plugin should enable SSL in your configuration.
I would recommend verifying basic connectivity to port 443 anyway; you can listen on port 443 with something like nc -k -l localhost 443 and then try to telnet to your WAN IP from a VPS or some other external host.
To rule out issues with the apache plugin, you could try using letsencrypt certonly --standalone -d example.com, which would spawn a temporary web server on port 443. If that succeeds, it's likely an issue with your apache configuration or a bug in the apache plugin. If it doesn't work, a network issue is more likely.
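As an added check that is not part of the thread, the script below applies the port requirements from the P.S. above (HTTP needs 80/tcp, TLS-SNI needs 443/tcp, DNS needs no inbound port) to the poster's own ufw status listing and prints the ufw rule still missing; it also handles the comma lists and port ranges ufw prints, which the poster's listing contains. It assumes the ACME challenge names http-01, tls-sni-01 and dns-01 and an awk in PATH; the helper names are mine.

```shell
# Added example, not from the thread: read a `ufw status` listing and report the
# inbound rules each Let's Encrypt challenge type still needs. UFW_STATUS is the
# IPv4 half of the poster's listing above, re-typed as a constant (v6 rows mirror it).
UFW_STATUS='To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
64738                      ALLOW IN    Anywhere
137,138/udp (Samba)        ALLOW IN    Anywhere
139,445/tcp (Samba)        ALLOW IN    Anywhere
2999:3001/tcp              ALLOW IN    Anywhere'

# ports_for_challenge CHALLENGE -> the port/proto the ACME validator must reach
ports_for_challenge() {
    case "$1" in
        http-01)    echo "80/tcp" ;;   # HTTP validation
        tls-sni-01) echo "443/tcp" ;;  # TLS-SNI validation
        dns-01)     echo "" ;;         # TXT record only, no inbound port
        *)          echo "unknown challenge: $1" >&2; return 1 ;;
    esac
}

# ufw_allows STATUS PORT PROTO -> exit 0 if an "ALLOW IN" rule covers PORT/PROTO.
# A bare port ("22") covers any protocol; "a,b" lists and "a:b" ranges are expanded.
ufw_allows() {
    printf '%s\n' "$1" | awk -v port="$2" -v proto="$3" '
        function covers(spec,   n, i, parts, r) {
            n = split(spec, parts, ",")
            for (i = 1; i <= n; i++) {
                if (split(parts[i], r, ":") == 2) {
                    if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) return 1
                } else if (parts[i] == port) return 1
            }
            return 0
        }
        /ALLOW IN/ {
            to = $0; sub(/[ \t]*ALLOW IN.*/, "", to); sub(/ *\(.*\)/, "", to)  # "137,138/udp (Samba)" -> "137,138/udp"
            n = split(to, spec, "/")                                        # "80/tcp" -> 80, tcp
            if ((n == 1 || spec[2] == proto) && covers(spec[1])) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# missing_rules CHALLENGE -> prints the `ufw allow` command for each port still closed
missing_rules() {
    for pp in $(ports_for_challenge "$1"); do
        ufw_allows "$UFW_STATUS" "${pp%/*}" "${pp#*/}" || echo "ufw allow $pp"
    done
}
missing_rules tls-sni-01   # prints: ufw allow 443/tcp
```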