Duckdns and Letsencrypt failed challenge - likely a firewall problem

My domain is: gilliards.duckdns.org

I ran this command: sudo certbot -v --apache -d gilliards.duckdns.org

It produced this output:

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: gilliards.duckdns.org
Type: connection
Detail: 68.132.55.4: Fetching http://gilliards.duckdns.org/.well-known/acme-challenge/Kd1mchCHMDejr5iCTk7ZfZTmEqIs2ZlDr2U608E_HXo: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):

Server version: Apache/2.4.57 (Ubuntu)
Server built: 2023-04-08T12:56:02

The operating system my web server runs on is (include version):

Ubuntu 22.04.2 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

No, I have sudo access

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

2.6.0

I've set up my firewall as:

80,443/tcp ALLOW Anywhere
443,8080/tcp ALLOW Anywhere
80/tcp ALLOW Anywhere
80,443/tcp (v6) ALLOW Anywhere (v6)
443,8080/tcp (v6) ALLOW Anywhere (v6)
80/tcp (v6) ALLOW Anywhere (v6)

Is there anything I'm missing?

Thank you in advance for any help you can provide.

Steve


Are you hosting at home?

Did you forward ports 80 and 443 from your router to your webserver?


Looks like they might have got that wrong. Port 80 is not answering (blocked maybe) and port 443 is responding to plain HTTP requests.

@sgilliar37 Port 443 should only handle HTTPS, not plain HTTP, which is done on port 80. Did you route port 443 to port 80 on your Apache machine? Or did you set up a VirtualHost for port 443 but only handle HTTP there?

curl -i -m7 gilliards.duckdns.org
curl: (28) Connection timed out after 7001 milliseconds

curl -i -m7 https://gilliards.duckdns.org
curl: (35) error:0A00010B:SSL routines::wrong version number

This should not work but does.
curl -i -m7 http://gilliards.duckdns.org:443
HTTP/1.1 200 OK
Date: Mon, 14 Aug 2023 20:02:27 GMT
Server: Apache/2.4.57 (Ubuntu)
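The three curl checks above, scripted as an added example (not code from the thread or from Certbot): a plain HTTP GET on port 80, a real TLS handshake on port 443, and a plain HTTP GET on port 443. The listener in start_fake_server is a constructed stand-in for the misconfigured host so the script runs offline; diagnose("your.host") runs the same probes against a real server.

```python
import socket
import ssl
import threading

def tls_check(host, port, timeout=7):
    # Real handshake. "plain-http" is curl's "wrong version number": the port answered without TLS.
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # only ask whether TLS is spoken
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw, \
                ctx.wrap_socket(raw, server_hostname=host):
            return "tls"
    except ssl.SSLError as e:
        return "plain-http" if e.reason == "WRONG_VERSION_NUMBER" else f"error:{e.reason}"
    except (socket.timeout, ConnectionRefusedError) as e:
        return "timeout" if isinstance(e, socket.timeout) else "refused"

def http_check(host, port, timeout=7):
    # Plain HTTP GET for an acme-challenge path; returns the status line.
    req = f"GET /.well-known/acme-challenge/probe HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(req.encode())
            return s.recv(256).split(b"\r\n", 1)[0].decode(errors="replace")
    except (socket.timeout, ConnectionRefusedError) as e:
        return "timeout" if isinstance(e, socket.timeout) else "refused"

def diagnose(host, http_port=80, https_port=443):
    # HTTP-01 needs port 80 answering plain HTTP; port 443 should answer TLS only.
    return {"port80": http_check(host, http_port),
            "port443_tls": tls_check(host, https_port),
            "port443_plain": http_check(host, https_port)}

def start_fake_server(connections=3):
    # Constructed stand-in for the misconfigured host: answers anything, even a TLS ClientHello, with HTTP 200.
    srv = socket.create_server(("127.0.0.1", 0))
    def loop():
        for _ in range(connections):
            conn, _addr = srv.accept()
            with conn:
                conn.recv(4096)
                conn.sendall(b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.57 (Ubuntu)\r\nConnection: close\r\n\r\n")
        srv.close()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def demo():
    # One ephemeral port on the fake server stands in for both 80 and 443.
    port = start_fake_server()
    return diagnose("127.0.0.1", http_port=port, https_port=port)
```

Against the fake host, port443_tls comes back as "plain-http" while port443_plain returns "HTTP/1.1 200 OK", which is exactly the symptom the curl output shows.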

Yes, I am hosting at home and have forwarded ports 80 and 443 on the router. I've also forwarded 8080 for Nextcloud. This is the error in the letsencrypt.log file:

certbot.errors.CertStorageError: No certificate found with name gilliards.duckdns.org (expected /etc/letsencrypt/renewal/gilliards.duckdns.org.conf).
2023-08-14 16:04:19,283:ERROR:certbot._internal.log:No certificate found with name gilliards.duckdns.org (expected /etc/letsencrypt/renewal/gilliards.duckdns.org.conf).

This looks messy.

Please tell us what you've done :smiley:

