Domain name from dyndns.org

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: chidlow.dyndns.org
The web server is chidlow.dyndns.org:1031

I ran this command:
sudo certbot --apache -v
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): chidlow.dyndns.org:1031
Requesting a certificate for chidlow.dyndns.org:1031
Performing the following challenges:
http-01 challenge for chidlow.dyndns.org
Enabled Apache rewrite module
Waiting for verification...
Challenge failed for domain chidlow.dyndns.org
http-01 challenge for chidlow.dyndns.org

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: chidlow.dyndns.org
Type: connection
Detail: 99.73.230.14: Fetching http://chidlow.dyndns.org/.well-known/acme-challenge/5oeiI5WMeUcrZrkmUpAsPAi187pFHfRxLZpKL-whmH8: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.

My web server is (include version): Apache/2.4.52 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 22.04.4 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
Assume Y as I am sole user.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.11.0

I installed Linux and a LAMP stack on an unused box to learn how it works. I have managed to create a basic working web page accessible from the Internet. My ISP does not assign static IPs so I use dyndns.org for external access (this web server + IP cameras etc). I assigned a static local IP to the Linux box and used 1031 as the port on my router. (I also have a Mac and a Windows PC on my network but they are not used for any kind of development.)
My next step was to try to acquire an SSL certificate for my website which is where I have run into the above problem. I'm not sure how my domain name from dyndns relates to the actual web server for SSL purposes.

Hi @ziggy,

The port number isn't part of the certificate (the certificate just covers a domain name, regardless of which port is used) and Let's Encrypt requires—following certificate industry standards—that your proof of control has to be performed using some specific port numbers, not any port number that you choose.

Do you have a way that you can receive incoming connections on port 80?

6 Likes

Hello @ziggy,

Presently Ports 80 & 443 are being filtered, the port 1031 you mentioned is open.

$ nmap -Pn -p80,443,1031 chidlow.dyndns.org
Starting Nmap 7.80 ( https://nmap.org ) at 2024-06-08 20:36 UTC
Nmap scan report for chidlow.dyndns.org (99.73.230.14)
Host is up (0.071s latency).
rDNS record for 99.73.230.14: 99-73-230-14.lightspeed.austtx.sbcglobal.net

PORT     STATE    SERVICE
80/tcp   filtered http
443/tcp  filtered https
1031/tcp open     iad2

Nmap done: 1 IP address (1 host up) scanned in 1.80 seconds

And from around the world, a result of "Connection timed out" (permanent link to this check report).

Also here is a list of issued certificates crt.sh | chidlow.dyndns.org, the latest being 2024-06-08.

You are using the HTTP-01 challenge of the Challenge Types - Let's Encrypt and it states:
"The HTTP-01 challenge can only be done on port 80."

Best Practice - Keep Port 80 Open

2 Likes

This is all a "learning experience" for me so I'm not sure even what questions to ask! I understand that the cert is for a domain. My confusion comes from the fact that my web server setup is on a separate box in my network (which is where I ran certbot). I thought that the cert needed to be stored on the web server itself but I'm not sure how to do that as obviously my domain is also connected with other devices - Mac, PC etc. Connecting to just "chidlow.dyndns.com" does not get me to my website.
I've tried looking through numerous web sites/discussions but haven't quite found anything that explains this.
Is there a way I could receive incoming on port 80 and direct to my Linux/Apache internal ip?

Hi @ziggy,

Here, details on Apache can be found in documentation and forums. Might be useful to you, or not.

What does your router provide for port forwarding or DMZ?

Edit:

@ziggy it does seem that you forward port 1031 from the Internet to your server with the HTTP (not HTTPS) protocol.

$ curl -i http://chidlow.dyndns.org:1031
HTTP/1.1 301 Moved Permanently
Date: Sat, 08 Jun 2024 23:01:52 GMT
Server: Apache/2.4.52 (Ubuntu)
Location: https://chidlow.dyndns.org/
Content-Length: 321
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://chidlow.dyndns.org/">here</a>.</p>
<hr>
<address>Apache/2.4.52 (Ubuntu) Server at chidlow.dyndns.org Port 1031</address>
</body></html>

Do note that you are redirecting HTTP to HTTPS (which is fine, some might even say good), by this line: Location: https://chidlow.dyndns.org/

And the same is true for the HTTP-01 ACME Challenge

$ curl -i http://chidlow.dyndns.org:1031/.well-known/acme-challenge/sometestfile
HTTP/1.1 301 Moved Permanently
Date: Sat, 08 Jun 2024 23:05:14 GMT
Server: Apache/2.4.52 (Ubuntu)
Location: https://chidlow.dyndns.org/.well-known/acme-challenge/sometestfile
Content-Length: 360
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://chidlow.dyndns.org/.well-known/acme-challenge/sometestfile">here</a>.</p>
<hr>
<address>Apache/2.4.52 (Ubuntu) Server at chidlow.dyndns.org Port 1031</address>
</body></html>
2 Likes

Hi @ziggy,

Presently Port 443 is serving HTTP, not HTTPS.

Failing to serve HTTPS on port 443

$ curl -ki https://chidlow.dyndns.org/.well-known/acme-challenge/sometestfile
curl: (35) error:0A00010B:SSL routines::wrong version number

Successfully serving HTTP on port 443

$ curl -i http://chidlow.dyndns.org:443/.well-known/acme-challenge/sometestfile
HTTP/1.1 301 Moved Permanently
Date: Sat, 08 Jun 2024 23:07:58 GMT
Server: Apache/2.4.52 (Ubuntu)
Location: https://chidlow.dyndns.org/.well-known/acme-challenge/sometestfile
Content-Length: 359
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://chidlow.dyndns.org/.well-known/acme-challenge/sometestfile">here</a>.</p>
<hr>
<address>Apache/2.4.52 (Ubuntu) Server at chidlow.dyndns.org Port 443</address>
3 Likes
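A pre-flight check that automates the three probes the volunteers ran above (port state as nmap reports it, a plain-HTTP GET of the challenge path without following redirects, and a TLS handshake on 443). This is an added example written for this page, not tooling from the thread or from Certbot; the host is passed in by the caller and the challenge file name is a constructed test value.

```python
import http.client
import socket
import ssl

CHALLENGE_PATH = "/.well-known/acme-challenge/"

def tcp_state(host, port, timeout=5.0):
    """'open', 'closed' or 'filtered' (connect timeout), mirroring nmap's summary."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "closed"

def http_probe(host, port, path, timeout=5.0):
    """Plain-HTTP GET without following redirects; returns (status, Location or None)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def tls_state(host, port=443, timeout=5.0):
    """'tls' if a handshake completes (cert deliberately not verified, so a self-signed
    one still counts), 'plaintext' if the peer answers without TLS (curl's
    'wrong version number' above), 'unreachable' otherwise."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "tls"
    except ssl.SSLError:
        return "plaintext"
    except OSError:
        return "unreachable"

def diagnose(port80, status=None, location=None, port443_tls=None):
    """Turn the probe results into the verdict an HTTP-01 validator would reach."""
    if port80 != "open":
        return "port 80 is %s: the CA cannot reach the challenge (check firewall / port forwarding)" % port80
    if status in (301, 302, 303, 307, 308) and location and location.startswith("https://"):
        if port443_tls == "tls":
            return "ok: challenge redirected to HTTPS and port 443 speaks TLS"
        return "redirect to HTTPS but port 443 is %s: forward external 443 to the TLS vhost, not to port 80" % port443_tls
    if status in (200, 404):  # 404 for an unknown test file means the path is served directly
        return "ok: port 80 answers the challenge path directly (%d)" % status
    return "unexpected response %s from port 80" % status

def run(host):
    """Probe a live host and return the diagnosis string."""
    p80 = tcp_state(host, 80)
    status = location = tls = None
    if p80 == "open":
        status, location = http_probe(host, 80, CHALLENGE_PATH + "preflight-test")
        tls = tls_state(host, 443)
    return diagnose(p80, status, location, tls)
```

`run("chidlow.dyndns.org")` would have reported the filtered port 80 at the start of this thread and the plaintext-on-443 state after the first router change.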

Router is port forwarding. After thinking about your responses I added port 80, 443 to the existing 1031 router rule. I could access web page ok so I re-ran certbot. This gave me a clean install with no errors and "You have successfully enabled HTTPS on https://chidlow.dyndns.org".
So some progress!
However now I cannot access the web site externally (but localhost works) - with message "...Safari cannot establish a secure connection...".
I guess I now have a different problem. Unless you have any advice should I close this thread and start a new one if I can't figure it out? I am trying to brush up on my 20 year old Linux, learn mysql, do a bit of php/html all at the same time! When did things get so complicated? :frowning: Thanks for help.

2 Likes

One step at a time, many many steps ago.

3 Likes

You should be forwarding incoming port 80 to port 80 at your Apache server. And port 443 to port 443 at your Apache. Looks like you might be sending all incoming requests to port 80 at Apache.

4 Likes

What is it about this? Not "Best Practice" not conventional ... NOT GOOD
Maybe I don't understand the reason for this but... Does Anyone?
sorry

443 = 443
80 = 80
2 Likes

Per your request.

$ sudo apachectl -t -D DUMP_VHOSTS
[sudo] password for :
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443 chidlow.dyndns.org (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)

1 Like

I have not used Apache in at least a decade.
Kindly wait to see if there are more knowledgeable Let's Encrypt community volunteers willing to assist.

2 Likes

I am up and running. After I got my ancient brain working I realised that I was missing some basic understanding of how things worked. I am now a bit smarter thanks to all who replied!

4 Likes

Ok so I see that there is a site and a cert. Are you done with this or do you want to configure your site correctly?

These references to localhost and the ServerName have to be a concern.
If you would, please share the output from

apache2ctl -S

And the output from

ls -la /etc/apache2/sites-enabled/000-default-le-ssl.conf

And the output from

ls -la /etc/apache2/sites-enabled/000-default.conf

Please remember you came to us for help. It is a two way street.

3 Likes