Failed HTTP-01 challenge for SSL certificate

Hi All,
I'm running the certbot challenge to get a certificate for SSL.
I have followed the following link: certbot for apache server.
After following the steps, we are getting an error saying the HTTP-01 challenge failed for the domain.
To test the domain for errors I used letsdebug.net; all details including errors are given below:

My domain is: itam-blr.cdot.in

I ran this command: sudo certbot --apache -v

It produced this output:

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.


1: itam-blr.cdot.in


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for itam-blr.cdot.in
Performing the following challenges:
http-01 challenge for itam-blr.cdot.in
Waiting for verification...
Challenge failed for domain itam-blr.cdot.in
http-01 challenge for itam-blr.cdot.in

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: itam-blr.cdot.in
Type: connection
Detail: 49.128.109.87: Fetching http://itam-blr.cdot.in/.well-known/acme-challenge/EVXYbQhI75gI2SRzKxyWTyzNofuqdq8qC6CV1acogec: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Further errors are attached.

My web server is (include version): Apache 2.4.41

The operating system my web server runs on is (include version): Ubuntu 20.02

I can login to a root shell on my machine: Yes

The version of my client is : 0.40.0

Hi @simran, and welcome to the LE community forum :slight_smile:

That means LE wasn't able to reach your site via HTTP.
You must ensure that the Internet can reach your site via HTTP.

You must NOT have followed that link entirely.
You should have removed the apt version of certbot and then installed the snap version.
Go back and do that part over.

3 Likes

I see Port 80 & 443 are filtered

$ nmap -Pn -p80,443 itam-blr.cdot.in
Starting Nmap 7.80 ( https://nmap.org ) at 2024-03-01 17:56 UTC
Nmap scan report for itam-blr.cdot.in (49.128.109.87)
Host is up.

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 4.15 seconds
1 Like
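The nmap result above ("filtered" on 80 and 443) and the CA's "Timeout during connect (likely firewall problem)" are the same symptom seen from two sides: the SYN to port 80 is silently dropped before it reaches Apache. The script below is an added example (not part of this thread, certbot, or Let's Debug) that fetches a challenge URL the way a validation server would and classifies the outcome: a connect timeout points at an upstream firewall/NAT, a refused connection at a missing listener, a 404 at the wrong vhost or webroot. The domain and the token are the ones quoted in the thread; the local HTTP server and the `.example-thumbprint` body are constructed stand-ins so the probe can be run offline against a known-good target.

```python
"""Probe an ACME HTTP-01 challenge URL and classify the failure mode.

Added example for the thread above; not code from certbot or Let's Debug.
"""
import http.server
import socket
import threading
import urllib.error
import urllib.request

ACME_PATH = "/.well-known/acme-challenge/"

# One-line interpretation per outcome, written for the person fixing the host.
HINTS = {
    "reachable": "Challenge path is served correctly from this vantage point.",
    "timeout": ("SYN never answered: a firewall, NAT or ISP hop upstream of the host "
                "drops port 80 (this is what nmap reports as 'filtered'); a permissive "
                "ufw on the VM itself cannot fix that."),
    "refused": ("TCP reset: the host is reachable but nothing listens on the port; "
                "check Apache's Listen directives and 'ss -ltnp'."),
    "http-404": ("Apache answers, but not from the VirtualHost/webroot certbot wrote "
                 "the token to; check which vhost serves this ServerName."),
    "wrong-body": "Another server answered (proxy, captive portal, a different VM behind the NAT).",
    "dns-failure": "Name does not resolve from this vantage point; check the public A record.",
}


def challenge_url(domain, token, port=80):
    """Build the URL an ACME server fetches for HTTP-01 (always plain HTTP)."""
    host = domain if port == 80 else f"{domain}:{port}"
    return f"http://{host}{ACME_PATH}{token}"


def classify_http01(url, timeout=10.0, expected_body=None):
    """Fetch url with a short timeout and return one of the HINTS keys."""
    req = urllib.request.Request(url, headers={"User-Agent": "http01-probe-example/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace").strip()
            if expected_body is not None and body != expected_body:
                return "wrong-body"
            return "reachable"
    except urllib.error.HTTPError as err:          # subclass of URLError: catch first
        return f"http-{err.code}"
    except urllib.error.URLError as err:           # connect-phase errors are wrapped here
        reason = err.reason
        if isinstance(reason, (socket.timeout, TimeoutError)):
            return "timeout"
        if isinstance(reason, ConnectionRefusedError):
            return "refused"
        if isinstance(reason, socket.gaierror):
            return "dns-failure"
        return f"error: {reason}"
    except (socket.timeout, TimeoutError):         # read-phase timeout is not wrapped
        return "timeout"


def explain(result):
    return HINTS.get(result, "Unclassified error; inspect the raw reason.")


class _TokenHandler(http.server.BaseHTTPRequestHandler):
    """Minimal stand-in for the Apache vhost: serves the token files, 404 otherwise."""
    token_files = {}

    def do_GET(self):
        body = self.token_files.get(self.path)
        if body is None:
            self.send_error(404)
            return
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo output clean
        pass


def serve_tokens_locally(tokens, host="127.0.0.1"):
    """Start a throwaway HTTP server on an ephemeral port; returns (server, port).

    tokens maps token -> body, served at /.well-known/acme-challenge/<token>.
    Constructed for offline testing; a real deployment uses the web server itself.
    """
    files = {ACME_PATH + t: b for t, b in tokens.items()}
    handler = type("Handler", (_TokenHandler,), {"token_files": files})
    server = http.server.HTTPServer((host, 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    token = "EVXYbQhI75gI2SRzKxyWTyzNofuqdq8qC6CV1acogec"  # token quoted in the thread
    body = token + ".example-thumbprint"                    # constructed key-authorization body
    server, port = serve_tokens_locally({token: body})
    good = challenge_url("127.0.0.1", token, port)
    for url, expect in ((good, body), (good + "x", None)):
        result = classify_http01(url, expected_body=expect)
        print(f"{url}\n  -> {result}: {explain(result)}")
    server.shutdown()
    server.server_close()
    result = classify_http01(good)
    print(f"{good}\n  -> {result}: {explain(result)}")
    # Real-world use: classify_http01(challenge_url("itam-blr.cdot.in", token))
    # from a host outside the network; "timeout" there with "reachable" from the
    # VM itself localises the block to the path between the Internet and the VM.
```

Running the probe once from the VM itself (against 127.0.0.1 and against the public name) and once from a host outside the site's network separates the two cases the thread is circling: ufw allowing the port on the VM only matters if the packet gets to the VM at all, and a `timeout` from outside paired with `reachable` from inside means the drop happens on a router, perimeter firewall or NAT before the VM.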

How can I make it open, since in the firewall (ufw) both ports are allowed?

You removed these questions from the "HELP" form:


My hosting provider, if applicable, is:

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):


Maybe if we knew those answers we could provide informed answers to your question:
3 Likes

You need to make sure ALL the routers and firewalls along the way from the Public Internet to your server are OPEN.

2 Likes

My hosting provider: Let's Encrypt free version
I'm using a control panel to manage my site: No

Let's Encrypt does not offer hosting service. Where do you run your servers?

Do connections to your domain allow access from outside your country? Let's Encrypt uses multiple locations to check connections and some will be in the US.

The Let's Debug site you used is good for testing comms and it clearly shows a problem reaching your domain / server.

I also cannot reach your domain from my own test server in the US.

3 Likes

Servers are running on VMs (in vSphere Client) and we are using our own self-hosted public DNS.
