Error generating certificate

Hello-

I haven't had any issues generating certificates since I first started using Let's Encrypt last August or September. Trying to renew now I am getting the message below.

I haven't changed ANYTHING in my setup. I know the port forwarding is working because I tested with PLEX and it connects just fine from outside the network.

I am running on a MacMini using macOS Monterey. I'm using it ONLY as a mail server.

I have ports 80 and 443 being forwarded to the MacMini.

All help is greatly appreciated!!


Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for ellegard.net and widenett.com

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: ellegard.net
Type: connection
Detail: 98.159.90.90: Fetching http://ellegard.net/.well-known/acme-challenge/R37Bk8-ml-m2H6_fOjKPmjwX6B6yWO67ejfOe3Bah5o: Timeout during connect (likely firewall problem)

Domain: widenett.com
Type: connection
Detail: 98.159.90.90: Fetching http://widenett.com/.well-known/acme-challenge/uRo3RONJlh4BWc3Ng0YWNTt8TanwFElGhvkevkdB2i0: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.


Are you sure your port forwarding actually works, the IP address is the right one (both public and private you're forwarding to)?

3 Likes

I’m not understanding your question…

The public IP is what is showing in the error in my post. I then forward the different requests to an internal machine that has a 192.168.1.xxx address.

I have tested using PLEX that is running on a MacStudio and it works fine so I know the forwarding rules in the router are working.

Hi, get your website working over http first, then try your certificate order again.

Plex may be working but http over port 80 is not.

Sometimes ISPs remove support for port 80 (and possibly even port 443), in which case you'd probably need to switch to DNS validation instead of http validation. You need to confirm port 443 is still working as well; otherwise you'd need to run all your services on higher ports.

4 Likes

The Let's Debug test site is helpful to test changes to get port 80 (http) working:
https://letsdebug.net/

It uses its own connection tests from the public internet and also uses the Let's Encrypt Staging system to test connections. Both of these currently fail.

Many other ports have connectivity (25, 110, 143, 993, 995). So, something unique to port 80 is causing the problem for the HTTP challenge.

4 Likes
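As an added example (not posted by anyone in this thread, and not Certbot's or Let's Debug's own code), a small Python script that parses the Certbot failure block quoted above into per-domain findings, classifies each one, and offers the same plain TCP reachability probe the last reply relies on. The regex layout and the category names are my own assumptions; the sample text is the output from the first post.

```python
import re
import socket
from dataclasses import dataclass

# Constructed sample: the two failures Certbot reported in the post above.
CERTBOT_OUTPUT = """\
Domain: ellegard.net
Type: connection
Detail: 98.159.90.90: Fetching http://ellegard.net/.well-known/acme-challenge/R37Bk8-ml-m2H6_fOjKPmjwX6B6yWO67ejfOe3Bah5o: Timeout during connect (likely firewall problem)

Domain: widenett.com
Type: connection
Detail: 98.159.90.90: Fetching http://widenett.com/.well-known/acme-challenge/uRo3RONJlh4BWc3Ng0YWNTt8TanwFElGhvkevkdB2i0: Timeout during connect (likely firewall problem)
"""

@dataclass
class Failure:
    domain: str
    kind: str    # Certbot's "Type:" line, e.g. connection, dns, unauthorized
    ip: str      # address the CA tried, taken from the "Detail:" line
    detail: str

# Assumed layout of one failure block in Certbot's standalone-authenticator error text.
FAILURE_RE = re.compile(
    r"Domain:\s*(?P<domain>\S+)\s*\nType:\s*(?P<kind>\S+)\s*\n"
    r"Detail:\s*(?P<ip>[0-9a-fA-F.:]+):\s*(?P<detail>[^\n]+)"
)

def parse_failures(text: str) -> list[Failure]:
    return [Failure(m["domain"], m["kind"], m["ip"], m["detail"].strip())
            for m in FAILURE_RE.finditer(text)]

def classify(f: Failure) -> str:
    """Map a failure to the remediation a mail-only host usually needs (assumed categories)."""
    if f.kind == "connection" and "Timeout during connect" in f.detail:
        return "port80-unreachable"   # forward/firewall/ISP block: fix it, or switch to dns-01
    if f.kind == "dns":
        return "dns-problem"          # name does not point at this machine
    return "other"

def tcp_reachable(host: str, port: int, timeout: float = 5.0) -> bool:
    """Plain TCP connect, the first thing Let's Debug tries. Run it from OUTSIDE the LAN:
    many routers do not hairpin their own public IP, so an inside test can fail spuriously."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    for f in parse_failures(CERTBOT_OUTPUT):
        print(f"{f.domain}: {classify(f)} (CA probed {f.ip})")
    # From an outside network: compare port 80 with the mail ports the last reply lists.
    # print({p: tcp_reachable("98.159.90.90", p) for p in (25, 80, 443, 110, 143, 993, 995)})
```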

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.