Failed domain authentification

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: fsnews.vpgsensors.com

I ran this command: sudo certbot --apache

It produced this output:
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: fsnews.vpgsensors.com
Type: connection
Detail: 207.59.14.167: Fetching http://fsnews.vpgsensors.com/.well-known/acme-challenge/W6OjuMkBlUKeStidNqWWk87sFqkq2-Diezv8OJQUpkw: Timeout during connect (likely firewall problem)
Domain: www.fsnews.vpgsensors.com
Type: connection
Detail: 207.59.14.167: Fetching http://www.fsnews.vpgsensors.com/.well-known/acme-challenge/BBjM3_qYy7kizxXecszEoZga2MM-ehXvDFbGumNGBjM: Timeout during connect (likely firewall problem)
Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

My web server is (include version): Apache/2.4.59 (Amazon Linux)

The operating system my web server runs on is (include version): Amazon Linux 2023.5.20240708

My hosting provider, if applicable, is:AWS

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.6.0

I don't think you have set your DNS A record for that. It currently points to a "windstream" IP. No server is replying to HTTP requests which is why you see "timeout" error.

4 Likes

The A-record points to the corporate IP, and the internal DNS sends corporate users to AWS. External users can't see it.
It's correct; it works, but how can I get the certificate for this configuration?

Are you trying to get a cert to be used by that Apache system on AWS? And if I understand correctly that Apache is not accessible on the public internet. Is that right?

You can only get a Let's Encrypt cert for a domain name in the public DNS. An HTTP Challenge requires the IP in the public DNS to reply to the HTTP challenge from the Let's Encrypt server. A DNS Challenge has the ACME Client (like Certbot) placing a TXT record in the public DNS which is then verified by the LE Server.

I am guessing a DNS Challenge will be needed but I am not certain I understand your overall setup. Specifically, why HTTP requests to the "corporate IP" timeout.

4 Likes

Are you trying to get a cert to be used by that Apache system on AWS?
Yes
And if I understand correctly that Apache is not accessible on the public internet. Is that right?
Yes
A-record exists for the *.vpgsensors.com. I've got the wildcard certificate.

Thank you for the answers, the issue is solved.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.