Error starting Certbot (Likely firewall problem)

My domain is: pinkhas.hopto.org (DDNS)

I ran this command: certbot -d pinkhas.hopto.org certonly --standalone

It produced this output:
Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: pinkhas.hopto.org
Type: connection
Detail: Fetching http://pinkhas.hopto.org/.well-known/acme-challenge/LVnPZugERvDh4Z03gBfcFnqQnL1AMLHOrDWCjZ3SeJY: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

My web server is (include version): creating one myself, clicked on "Other" in the certbot installation

The operating system my web server runs on is (include version): Win11 (My PC)

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.24.0

Soooooo
I've disabled the firewall on my pc (Win11 - the webserver host) and forwarded ports 80 and 443 (Also tried DMZ on/off - same result either way).
When I ran the command with the --manual option, it did create, and deleted almost immediately after, a .well-known directory containing a few files.

Any ideas?
Thanks!

Same for me.

Are you sure your IP address is 46.117.123.105 and you have allowed inbound connections on your firewalls (pc, router, isp) and port forwarding on your router?

1 Like

When I run my web app, I can connect via my external ip as well as the domain name using a browser (port 80 - indicating that my firewalls aren't blocking the connection).
I've also set up a windows firewall "Inbound Rule" and configured a port forwarding rule that leads to my PC to allow all connection using port 80 as TCP.

@pinkhas Welcome to the community

You could add --debug-challenge -v to your command

That will pause before doing the challenge so you (or we) could try it.
The standalone mode is harder to debug otherwise since port 80 is only connected while the standalone server is running.

2 Likes

Ran the command with the suggested args.
As the cmd described, I created a file in C:.well-known\acme-challenge\ with the proper name and value and pressed a key in order to let the program run.

Output:
C:\WINDOWS\system32>certbot -d pinkhas.hopto.org certonly --standalone --debug-challenge -v
Saving debug log to C:\Certbot\log\letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Requesting a certificate for pinkhas.hopto.org
Performing the following challenges:
http-01 challenge for pinkhas.hopto.org


Challenges loaded. Press continue to submit to CA.

The following URLs should be accessible from the internet and return the value
mentioned:

URL:
http://pinkhas.hopto.org/.well-known/acme-challenge/-HyRonz0BP-nCdlCvBbl-AWuyPaJb_YyK2Pncxm5Ka8
Expected value:
-HyRonz0BP-nCdlCvBbl-AWuyPaJb_YyK2Pncxm5Ka8.sy6COMqEWsXkSUoZr-PnXJUvioeTCAQ1DOh0I2vvBDI


Press Enter to Continue
Waiting for verification...
Challenge failed for domain pinkhas.hopto.org
http-01 challenge for pinkhas.hopto.org

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: pinkhas.hopto.org
Type: connection
Detail: Fetching http://pinkhas.hopto.org/.well-known/acme-challenge/-HyRonz0BP-nCdlCvBbl-AWuyPaJb_YyK2Pncxm5Ka8: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile C:\Certbot\log\letsencrypt.log or re-run Certbot with -v for more details.

You should not create any challenge files certbot does that for you.

Do you have any geo blocking in your firewall?

Try running the command again, but when it says "Press Enter to Continue" don't do anything and let us know the URL it is looking for. We can evaluate it better in that condition.

2 Likes

Does the Windows firewall allow certbot to listen on port 80 and serve clients? Or just your webapp?

I seem to remember you need to allow each app by itself, on Windows.

2 Likes

Just an observation...

Nmap scan report for pinkhas.hopto.org (46.117.123.105)
Host is up (0.23s latency).
rDNS record for 46.117.123.105: 46-117-123-105.bb.netvision.net.il

PORT    STATE    SERVICE
22/tcp  filtered ssh
53/tcp  filtered domain
80/tcp  filtered http
443/tcp filtered https

4 Likes

Defined it as "Any App" - port 80 is open.
I'll try to make an outbound rule as well.

Ran, Output:

C:\WINDOWS\system32>certbot -d pinkhas.hopto.org certonly --standalone --debug-challenge -v
Saving debug log to C:\Certbot\log\letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Requesting a certificate for pinkhas.hopto.org
Performing the following challenges:
http-01 challenge for pinkhas.hopto.org


Challenges loaded. Press continue to submit to CA.

The following URLs should be accessible from the internet and return the value
mentioned:

URL:
http://pinkhas.hopto.org/.well-known/acme-challenge/alzUuQrksKqVp9rkKVe0wpkFod1C1HwSsnpmmHl9aQ0
Expected value:
alzUuQrksKqVp9rkKVe0wpkFod1C1HwSsnpmmHl9aQ0.sy6COMqEWsXkSUoZr-PnXJUvioeTCAQ1DOh0I2vvBDI


Press Enter to Continue

Waiting :slight_smile:

That nmap scan is a lot better than the one I did earlier. There was not a single port answering.

Still timeout, @Pinkhas

3 Likes

Great. I can see the correct value using an AWS region in US East Coast (one Let's Encrypt server also in that AWS region).

But Let's Debug also still cannot see it. It uses a similar method to Let's Encrypt. Could you have a geo block on Germany or other US areas? Let's Encrypt needs to challenge from several points around the globe (currently usually Germany and up to 3 US sites).

Sure seems like a GEO-based firewall - maybe in your ISP or router?

Here are my detailed results:

curl -i  http://pinkhas.hopto.org/.well-known/acme-challenge/alzUuQrksKqVp9rkKVe0wpkFod1C1HwSsnpmmHl9aQ0

HTTP/1.0 200 OK
Server: BaseHTTP/0.6 Python/3.9.7
Date: Wed, 02 Mar 2022 20:31:34 GMT

alzUuQrksKqVp9rkKVe0wpkFod1C1HwSsnpmmHl9aQ0.sy6COMqEWsXkSUoZr-PnXJUvioeTCAQ1DOh0I2vvBDI
2 Likes

How can I check GEO blocking?
Also, what can I do with your "detailed result"?

You cannot do anything with my 'detailed result'. Just providing more info to other volunteers to confirm what is happening. It just proves the standalone certbot server can be reached from someone.

Check your router for any geographic based firewall (that's what I meant by geo). I think @9peppe is in Italy so he is failing, and also Let's Debug and Let's Encrypt both try from Europe, so that might be the key pattern.

3 Likes

On it - brb!
Thanks for the tip!

3 Likes

I tried a global reachability website test and it's completely random. Sometimes it works sometimes it doesn't. It doesn't look like it's geographical.

1 Like

Used @9peppe's tool, doesn't seem too odd - works with everything but Amsterdam.
Should I use a VPN to manipulate geoblocking?

Also, should I terminate the last Certbot request? It is still waiting
@MikeMcQ

It is a bit of a mess, I mean:

2 Likes

No, it's fine to leave it while debugging; it is helpful.

curl to that URL works for me every time from AWS EC2 East Coast. Yet another location at another provider on US East coast times out.

Maybe not geo but could your firewall be blocking requests with certain user-agents?

I don't know the site 9peppe used well enough to evaluate its results. My user-agent was curl from AWS, but I will try some others.

2 Likes
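The two checks the volunteers are doing by hand in this thread (fetching the URL certbot prints while paused on `--debug-challenge`, comparing the body to the "Expected value", and then repeating the fetch with different User-Agent headers to rule out UA filtering) can be scripted against your own host. The following is an added example and not part of the thread or of Certbot; the sample debug output, the `example.test` hostname and the `EXAMPLETOKEN123.EXAMPLETHUMBPRINT456` value are constructed placeholders, and `probe()` takes an injectable `fetch` callable so the logic can be exercised offline.

```python
"""Check an ACME http-01 challenge URL the way certbot --debug-challenge lets you.

Added example (not Certbot's code). Parses the URL / Expected value block that
certbot prints while paused, then fetches the URL with several User-Agent
strings and reports, per agent, whether the key authorization came back intact.
"""
import re
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Constructed sample of the block certbot prints before "Press Enter to Continue".
# Hostname, token and thumbprint are placeholders, not values from a real run.
SAMPLE_DEBUG_OUTPUT = """\
Challenges loaded. Press continue to submit to CA.

The following URLs should be accessible from the internet and return the value
mentioned:

URL:
http://example.test/.well-known/acme-challenge/EXAMPLETOKEN123
Expected value:
EXAMPLETOKEN123.EXAMPLETHUMBPRINT456

Press Enter to Continue
"""

# A few agents that differ from curl; CA validators use their own UA, so a
# firewall that filters on UA can pass curl and still fail the real challenge.
DEFAULT_USER_AGENTS = [
    "curl/7.79.1",
    "Mozilla/5.0 (compatible; reachability-check)",
    "Go-http-client/1.1",
]

Fetcher = Callable[[str, str], Tuple[int, str]]


def parse_debug_challenge(output: str) -> List[Tuple[str, str]]:
    """Return (url, expected_value) pairs from certbot's --debug-challenge text."""
    return re.findall(r"URL:\s+(\S+)\s+Expected value:\s+(\S+)", output)


def check_key_authorization(url: str, expected: str, body: str) -> bool:
    """True if the served body is exactly the expected key authorization.

    The key authorization is "<token>.<account key thumbprint>", and the token
    is the last path segment of the challenge URL, so both halves are checked.
    The thumbprint itself can only be verified against the account key, which
    this script does not have, so equality with certbot's stated value is used.
    """
    token = url.rsplit("/", 1)[-1]
    body = body.strip()
    return body == expected and body.split(".", 1)[0] == token


def http_fetch(url: str, user_agent: str, timeout: float = 10.0) -> Tuple[int, str]:
    """Fetch url with the given User-Agent; (0, reason) on connect failure/timeout."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (urllib.error.URLError, OSError) as err:
        return 0, str(err)


def probe(url: str, expected: str, user_agents: List[str],
          fetch: Fetcher = http_fetch) -> Dict[str, str]:
    """Fetch the challenge URL once per User-Agent and classify each outcome."""
    results: Dict[str, str] = {}
    for agent in user_agents:
        status, body = fetch(url, agent)
        if status == 0:
            results[agent] = "timeout/refused: " + body
        elif status != 200:
            results[agent] = f"HTTP {status}"
        elif check_key_authorization(url, expected, body):
            results[agent] = "ok"
        else:
            results[agent] = "wrong body"
    return results


if __name__ == "__main__":
    # Usage: paste certbot's paused output on stdin while it waits for Enter.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DEBUG_OUTPUT
    for challenge_url, value in parse_debug_challenge(text):
        for ua, verdict in probe(challenge_url, value, DEFAULT_USER_AGENTS).items():
            print(f"{verdict:<24} {ua}")
```

Run it from a machine outside your own network while certbot is paused; a mix of `ok` for one agent and `timeout/refused` for another points at UA-based filtering on the path in, while `timeout/refused` for every agent from one vantage point and `ok` from another is the geographic or per-route pattern the thread describes.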