Error using DDNS by noip

Hi,

I’m trying to get my own private cloud, working fine with access on port 80. However I need SSL authentication but any tutorial I found online didn’t work.
Please help…

My domain name (DDNS): asds.noip.me
I set up a VPS with apache on ubuntu 16.04, nextcloud as cloud server.
Port 80 and 443 open on my router firewall.

I tried several commands including:
1)sudo letsencrypt --apache --agree-tos --email struzzoang@gmail.com -d asds.noip.me
2)sudo certbot --apache -d asds.noip.me
3)sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-apache sudo certbot --apache

What I get is always: "Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for asds.noip.me
Enabled Apache ssl module
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. asds.noip.me (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Error getting validation data

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: asds.noip.me
    Type: connection
    Detail: Error getting validation data

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

The TLS-sni-01 challenge requires port 443.
Ensure your firewall is allowing port 80 and 443 inbound.
And place a test.txt file (with minimal content) in the challenge folder for testing:
asds.noip.me/.well-known/acme-challenge/test.txt

That won’t affect or predict the success of --apache because --apache only uses TLS-SNI-01, not HTTP-01 challenges.

1 Like

True, but it could verify the path to the file is correct (at least via HTTP)

This is still a less relevant test because there is no file, nor /.well-known directory, nor use of a webroot, nor even a completed HTTP request, in TLS-SNI-01. It only creates a self-signed certificate and does not perform a full web request.

I have much to learn, sensei

Many thanks for your reply!
I checked using https://www.yougetsignal.com/tools/open-ports/: ports 443
and 80 are open

I couldn’t find a “acme-challenge” folder on my root partition or /var/www
folder. So I made one new folder (asds.noip.me/.well-known/acme-challenge/)
and put a simple test.txt on it; then chowned using www-data:www-data. I
tried to point it from outside: "The requested URL
/.well-known/acme-challenge/test.txt was not found on this server."
http://asds.noip.me/.well-known/acme-challenge/test.txt

Sorry, I’m an absolute beginner, I may have misanderstood your suggestion!
We need this to share mediacal research stuff (mainly using nextcloud) and
set up a stata software server - but we are stuck with SSL authentication.

Hi @angelodl,

The thing I was discussing above is that the acme-challenge directory is only relevant if you use --webroot, not if you use --apache. The --webroot method is less automated than the --apache method; for example, it doesn’t install your certificate for you.

The experiment you tried shows that --webroot won’t work either (without figuring out and fixing whatever went wrong), but it doesn’t explain the error that you saw with --apache. I think that error is most likely explained by a firewall (either a network-based firewall or a host-based firewall) dropping the inbound connections to port 443.

Weird, this is beyond my possibilities, actually I’m a newbie.

I can ssh using port 443 from outside, and my lamp-stack is “standard”.
I tried to stop my router firewall, no luck. I’m using the main ISP in
Italy (Tim), so that shouldn’t be an issue.
I may try to reinstall the system, but this would be a panic!

Thank you
A

That's the issue. Port 443 is OpenSSH. Port 443 needs to be Apache.

You need to move OpenSSH to a different port, or use a multiplexing program like sslh so that OpenSSH and Apache can share the port. (Apache and Certbot would have to be configured carefully, though.)

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.