This is the first time I have used Let's Encrypt to apply SSL to my development website.
I ran this command to install the SSL certificate on my subdomain, dev.wispri.com: sudo certbot --apache -d dev.wispri.com
After a while, it shows a connection timeout.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for dev.wispri.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. dev.wispri.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://dev.wispri.com/.well-known/acme-challenge/tI0URZiBb1KWJCelIg4kITWTHKhnCzyfbSg6YhJkegs: Timeout after connect (your server may be slow or overloaded)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: dev.wispri.com
Type: connection
Detail: Fetching
http://dev.wispri.com/.well-known/acme-challenge/tI0URZiBb1KWJCelIg4kITWTHKhnCzyfbSg6YhJkegs:
Timeout after connect (your server may be slow or overloaded)
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
I am using Linux 18.04 and apache2.
This is my UFW status:
To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
3306                       ALLOW       Anywhere
Apache Full                ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)
3306 (v6)                  ALLOW       Anywhere (v6)
Apache Full (v6)           ALLOW       Anywhere (v6)
22/tcp (v6)                ALLOW       Anywhere (v6)
I am not sure what the exact problem is.
Could anyone help me point out the issue?
Your webserver simply doesn't answer. Let's Encrypt and also my telnet client can connect to dev.wispri.com on port 80, but when asked for a resource (simply http://dev.wispri.com/ for example), there's no answer coming back.
Do you see any kind of error in your Apache error logs? Is there some sort of load balancer or reverse proxy in between?
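One way to reproduce the CA's fetch yourself and tell "connection refused" apart from the "Timeout after connect" reported here (TCP handshake succeeds, but no HTTP reply ever comes back). This is an added example, not code from the thread; the stub servers and the token are constructed, and it should be run from a host outside your own network, since that is where Let's Encrypt connects from.

```python
import socket
import threading

def probe_http01(host, token, port=80, connect_timeout=5.0, read_timeout=10.0):
    """Fetch the challenge URL the way the CA does and return a verdict string."""
    try:
        sock = socket.create_connection((host, port), timeout=connect_timeout)
    except ConnectionRefusedError:
        return "connect-refused"        # nothing listening, or the firewall replies RST
    except socket.timeout:
        return "connect-timeout"        # SYN dropped: firewall, or DNS points elsewhere
    except socket.gaierror:
        return "dns-failure"
    with sock:
        sock.settimeout(read_timeout)
        sock.sendall((f"GET /.well-known/acme-challenge/{token} HTTP/1.1\r\n"
                      f"Host: {host}\r\nConnection: close\r\n\r\n").encode())
        try:
            data = sock.recv(4096)
        except socket.timeout:
            return "timeout-after-connect"  # TCP works, the web server never answers
    status = data.split(b"\r\n", 1)[0].split()
    if len(status) < 2 or not status[0].startswith(b"HTTP/"):
        return "not-http"
    return "http-" + status[1].decode()

def start_stub(mode):
    """Constructed local stand-in for Apache; returns the port it listens on.
    mode="silent": accepts TCP but never replies (the symptom in this thread).
    mode="answer": replies 200 with the token taken from the request path."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    held = []                           # keep silent connections open, never answer
    def serve():
        while True:
            conn, _ = srv.accept()
            if mode == "silent":
                held.append(conn)
                continue
            tok = conn.recv(4096).split(b" ")[1].rsplit(b"/", 1)[-1]
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n%s" % (len(tok), tok))
            conn.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def unused_port():  # a port nothing listens on, so connecting to it is refused
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

Against a real host, call probe_http01("dev.wispri.com", "any-token"): a verdict of timeout-after-connect means the firewall is not the problem and the Apache side (vhost, a hung worker, a proxy in front) is where to look.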
The firewall may be allowing “Full” (whatever that means…)
But is the web server listening?
And is your vhost config setup correctly to receive port 80 auth requests?
Please show:
ls -l /etc/apache2/sites-enabled
grep -Eri 'listen|virtualhost|servername|serveralias|sslcert' /etc/apache2/
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:80 dev.wispri.com (/etc/apache2/sites-enabled/wispri.conf:1)
/etc/apache2/mods-available/info.conf: # http://servername/server-info (requires that mod_info.c be loaded).
/etc/apache2/mods-available/status.conf: # with the URL of http://servername/server-status
/etc/apache2/sites-available/wispri.conf:<VirtualHost *:80>
/etc/apache2/sites-available/wispri.conf: ServerName dev.wispri.com
/etc/apache2/sites-available/wispri.conf: ServerAlias dev.wispri.com
/etc/apache2/sites-available/wispri.conf:</VirtualHost>
/etc/apache2/sites-available/000-default.conf:<VirtualHost *:80>
/etc/apache2/sites-available/000-default.conf: # The ServerName directive sets the request scheme, hostname and port that
/etc/apache2/sites-available/000-default.conf: # redirection URLs. In the context of virtual hosts, the ServerName
/etc/apache2/sites-available/000-default.conf: #ServerName www.example.com
/etc/apache2/sites-available/000-default.conf:</VirtualHost>
/etc/apache2/sites-available/default-ssl.conf: <VirtualHost _default_:443>
/etc/apache2/sites-available/default-ssl.conf: # SSLCertificateFile directive is needed.
/etc/apache2/sites-available/default-ssl.conf: SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
/etc/apache2/sites-available/default-ssl.conf: SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
/etc/apache2/sites-available/default-ssl.conf: # Point SSLCertificateChainFile at a file containing the
/etc/apache2/sites-available/default-ssl.conf: # the referenced file can be the same as SSLCertificateFile
/etc/apache2/sites-available/default-ssl.conf: #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
/etc/apache2/sites-available/default-ssl.conf: </VirtualHost>
/etc/apache2/conf-available/localized-error-pages.conf:# even on a per-VirtualHost basis. If you include the Alias in the global server
/etc/apache2/conf-available/other-vhosts-access-log.conf:# Define an access log for VirtualHosts that don't define their own logfile
/etc/apache2/ports.conf:# have to change the VirtualHost statement in
/etc/apache2/ports.conf:Listen 80
/etc/apache2/ports.conf: Listen 443
/etc/apache2/ports.conf: Listen 443
/etc/apache2/apache2.conf:# supposed to determine listening ports for incoming connections which can be
/etc/apache2/apache2.conf:# If you do not specify an ErrorLog directive within a <VirtualHost>
/etc/apache2/apache2.conf:# logged here. If you *do* define an error logfile for a <VirtualHost>
/etc/apache2/apache2.conf:# Include list of ports to listen on