Failed authorization procedure. Let's Encrypt Installation

Help
1

my ports are open internally but not externally.but whenever i run a command
sudo certbot --apache
i am getting bellow error. Is it possible to install lets encrypt on subdomain and any idea about below error.

Which names would you like to activate HTTPS for?

1: zabbix.xyz.com
2: www.zabbix.xyz.com

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for zabbix.xyz.com
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. zabbix.xyz.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://zabbix.xyz.com/.well-known/acme-challenge/OcpJ1Nf2z8LitDgCIDDHPN70mNsxVchNTU3JtDaBO8U: Timeout during connect (likely firewall problem)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: zabbix.xyz.com
    Type: connection
    Detail: Fetching
    http://zabbix.xyz.com/.well-known/acme-challenge/OcpJ1Nf2z8LitDgCIDDHPN70mNsxVchNTU3JtDaBO8U:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

2

Let's Encrypt needs to be able to connect to your server, so port 80 needs to be open externally.

2 Likes
3

@Osiris so what would say about the error? port 80 is the cause? which is externally closed and posted error is just because of port 80?

4

@Osiris Failed authorization procedure. zabbix.xyz.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://zabbix.xyz.com/.well-known/acme-challenge/PGdxe-2qVwusoF9gIwOxhpZpTXUsVIIPeQ8jVkFXhlI: Timeout during connect (likely firewall problem)

5

Yes. When using the http-01 challenge, port 80 needs to be open. The time out in the error message is expected when port 80 is closed.

2 Likes
6

After you have fixed the port 80 access problem, you should use: "1,2"
[to get both names on the cert]

1 Like
7

@rg305 ok i will check it .more over option 2 www.xyz..com not added in dns server .

8

Then why have it in the vhost config?

1 Like
9

@rg305 removed now.

10

Here's some documentation pages that might help explain why you need port 80 open to the world to get a certificate using the HTTP-01 challenge:

But the short of it is that in order to prove to the world that you own a name, you need a system that responds to that name that's available everywhere in the world. Now, if the intention is that this server is internal-use-only and shouldn't be available to anybody on the outside, then the only way to get a certificate is to use the DNS-01 challenge instead, which involves automating adding a record to your DNS to prove you own the name instead of automating adding a response from the web server. Some DNS servers make this relatively straightforward, others don't and you need to use something like acme-dns to delegate the challenge record to a place where you can automate it.

2 Likes
11

Maybe it is not explicitly added, but there seems to be a wildcard DNS entry.
So that:
{everything-not-defined}.zabbix.xyz.com = 52.8.203.224
which means, that:

Name:    www.zabbix.xyz.com
Address: 52.8.203.224

So, indirectly, "www" is in DNS (because "everything" is in your zone).

2 Likes
12

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.