Error requesting certificate

My domain is: unifi.rozenbergmol.be

I ran this command:

 certbot certonly --standalone -d unifi.rozenbergmol.be

Following these instructions for a Unifi controller on Ubuntu (https://lazyadmin.nl/home-network/unifi-controller-ssl-certificate/)

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for unifi.rozenbergmol.be

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: unifi.rozenbergmol.be
  Type:   connection
  Detail: 144.178.225.222: Fetching http://unifi.rozenbergmol.be/.well-known/acme-challenge/l_8bVhqECSIv7CI76yiYd9xQQKo9E1Iu9DMODCLVmdk: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): unifi.service

The operating system my web server runs on is (include version): Ubuntu 22.04.3 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.21.0

Your server doesn't seem to have TCP port 80 open (or traffic is not reaching it), which is required for HTTP validation to work.

3 Likes

I see this

$ nmap -Pn -p80,443 unifi.rozenbergmol.be
Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-07 16:56 UTC
Nmap scan report for unifi.rozenbergmol.be (144.178.225.222)
Host is up.

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 3.88 seconds
4 Likes

Doesn't certbot create a temporary webserver for the validation? The current webserver only operates on port 8443. Is it possible to use this port?

The standalone mode does create a temporary web server, but to reach it HTTP traffic has to get through your router and firewall. Externally, Let's Encrypt is connecting to your public IP over HTTP on TCP port 80, but with network configuration tricks you can make that connect to any machine and port you want internally via your router's NAT settings.

If you're not running a port 80 server, that's OK: the certbot standalone will start up fine and port 80 will be free for it to use, but your router and firewall (and ISP) still have to allow the incoming TCP port 80 traffic. For instance, if your ISP doesn't let you use port 80 for anything, then you would be unable to use HTTP validation and would perhaps have to use DNS validation.

4 Likes
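To make the path described in the answer above concrete, here is an added example (not code from the thread, certbot or Let's Encrypt) that emulates both halves of an HTTP-01 check: a minimal stand-in for certbot's temporary standalone webserver that serves a single token under /.well-known/acme-challenge/, and a client-side probe that fetches it the way the CA does and classifies the outcome into the same buckets the poster hit ("Timeout during connect", connection refused, wrong token, success). The token and account thumbprint are constructed placeholders; the real ones are issued per challenge by the CA. Running the probe against your public hostname on port 80 from a machine outside your network shows whether the forwarding rule actually delivers traffic before you spend another attempt with certbot.

```python
import http.server
import socket
import threading
import urllib.error
import urllib.request

# Constructed placeholders: the CA issues a fresh token per challenge, and the
# key authorization is token + "." + the ACME account key thumbprint.
TOKEN = "constructed-example-token"
KEY_AUTH = TOKEN + ".constructed-account-thumbprint"
CHALLENGE_PATH = f"/.well-known/acme-challenge/{TOKEN}"


class ChallengeHandler(http.server.BaseHTTPRequestHandler):
    """Stand-in for certbot's temporary standalone webserver: serves one token."""

    def do_GET(self):
        if self.path == CHALLENGE_PATH:
            body = KEY_AUTH.encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            # Anything else is not a challenge we know about.
            self.send_error(404)

    def log_message(self, *args):
        # Keep the example quiet; a real server would log each fetch.
        pass


def start_standalone(host="127.0.0.1", port=0):
    """Start the challenge server on a background thread; port 0 picks a free port."""
    server = http.server.HTTPServer((host, port), ChallengeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server  # server.server_address[1] is the bound port


def check_http01(host, token, port=80, timeout=5.0):
    """Fetch the challenge URL like the CA does and classify the result.

    Returns (status, detail) where status is one of:
    "ok", "http_error", "timeout", "refused", "error".
    """
    url = f"http://{host}:{port}/.well-known/acme-challenge/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return ("ok", resp.read().decode())
    except urllib.error.HTTPError as e:
        # Port is reachable and a web server answered, but not with the token
        # (wrong token, wrong vhost, or a different server on port 80).
        return ("http_error", f"status {e.code}")
    except urllib.error.URLError as e:
        reason = e.reason
        if isinstance(reason, (socket.timeout, TimeoutError)):
            # SYN never answered: the classic router/firewall/ISP block.
            return ("timeout", "Timeout during connect (likely firewall problem)")
        if isinstance(reason, ConnectionRefusedError):
            # Traffic reaches the host but nothing listens on that port.
            return ("refused", "connection refused (nothing listening on port)")
        return ("error", str(reason))
    except (socket.timeout, TimeoutError):
        return ("timeout", "Timeout during connect (likely firewall problem)")


def free_closed_port():
    """Reserve and release a local port so a connect to it is refused."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Run the three local scenarios and return their classifications."""
    server = start_standalone()
    port = server.server_address[1]
    results = {
        "served_token": check_http01("127.0.0.1", TOKEN, port=port),
        "wrong_token": check_http01("127.0.0.1", "not-the-token", port=port),
        "closed_port": check_http01("127.0.0.1", TOKEN, port=free_closed_port()),
    }
    server.shutdown()
    return results


if __name__ == "__main__":
    for name, (status, detail) in demo().items():
        print(f"{name}: {status} ({detail})")
```

The "timeout" branch is the one the poster's log shows; you can only reproduce it from outside your own network, because a probe run on the LAN never crosses the router's port-forwarding rule. A "refused" result from outside means the forward works and certbot simply is not running at that moment, which is the state you want to see before retrying.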

Thanks for the clarification. I've checked online that the domain refers to the correct IP with tools like "domain to ip" and "myip". On the firewall, I've duplicated a working rule and adapted it to allow incoming traffic on port 80 and direct it to my server. The ISP replied that they don't block any port.

But I can't check the server from my phone via mobile data. So I'll have to reevaluate every step then.

I've found an error in the firewall rules. It's solved.

2 Likes
