Error getting new cert behind home WAN

I've always used VPS's previously and not had an issue with certbot til now and the difference is my host is now on my home network with port forwarding enabled
usually i access the public facing IP from a VPN but have turned this off to obtain a cert and allowed traffic in and out on ports 443 and 80 but seeing the following ?
I have updated mydomain A record to my ISP WAN address which works for my app

Help - thanks

My domain is: mydomain.com

I ran this command:
certbot certonly --standalone
certbot certonly --www

It produced this output:

certbot certonly --standalone

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): mydomain
Requesting a certificate for mydomain

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: mydomain
Type: connection
Detail: 1.2.3.4: Fetching http:/mydomain/.well-known/acme-challenge/rAm9j3v_ZNTH6p8qAaO9e2yTrC3W8qojJnpMQUec-rs: Timeout during connect (likely firewall problem)

Domain: mydomain
Type: connection
Detail: 1.2.3.4: Fetching mydomain/.well-known/acme-challenge/Ms18oRTNJhVoF8glZNh22R2OMKsoAGpqLH8eJQk8nr4: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
an app

The operating system my web server runs on is (include version):
centos 7

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.9.0

Make sure your system is accessible from the internet.

There's a couple things to check:

  1. Does your ISP allow inbound port 80? Not all do.
  2. Is your port forward set up properly?
  3. Do you have any firewall on your system?

It's probably easier to test with a plain HTTP server than with certbot --standalone.

3 Likes

Make sure your system is accessible from the internet. : yes

There's a couple things to check:

  1. Does your ISP allow inbound port 80? Not all do : yes - tested port 80 works
  2. Is your port forward set up properly? no - i had port 80 forwarding to the wrong address
  3. Do you have any firewall on your system? disabled temporarily

It's probably easier to test with a plain HTTP server than with certbot --standalone. :

Thanks - all good

The --standalone method is difficult to debug because you need to keep it running to test connection from the public internet.

A way to test this easier is to use these command options

certbot certonly --standalone --dry-run --debug-challenges -v -d (domain)

This command will show you the challenge URL to try from the public internet and the proper response. After showing you this it will say "Press Enter to Continue". DO NOT PRESS ENTER.

Leave it paused like that and use a different device to test connection. You can use a mobile phone with wifi disabled so use your carrier's network.

You do not have to use the full URL. Just try http://(yourdomain)

If the connection works this shorter URL should see a response like below. I am pretty sure you will get a timeout error instead just like Let's Encrypt did. But, use this technique to modify your comms setup until it works.

ACME client standalone challenge solver
4 Likes

confirmed in previous post - working now - thanks

2 Likes

Sure, but now you know a better way to test should it ever fail again :slight_smile:

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.