Failed to connect to let’s encrypt, confirm domain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

anderville.co.uk (Name servers are afraid.org)

I ran this command:

Using native certificate tool on Synology, anything I try (replace certificate, add new etc has the same result)

It produced this output:

Failed to connect to lets encrypt, please check that ddomain name is valid

My web server is (include version):

Nginx

The operating system my web server runs on is (include version):

DSM 6.2.2-24922 Update 4

System time

GMT

My hosting provider, if applicable, is:

NA

I can login to a root shell on my machine (yes or no, or I don’t know):

Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

Using the certificate centre in Synology Security Settings

Hello,

My updates were working fine and then suddenly stopped about 2 months ago. I currently am using a temporary certificate manually installed from Comodo, but I would like to reinstate my Let's Encrypt certificate.

I use ports 5321 (https) and 5123 (http) on the nas and have port forwarding on my USG Pro as follows:

I have however tried pointing 80 & 443 to all permutations and combinations of 5123/5321/80/443 on the NAS but to no avail.

In addition, I am seeing loads of traffic (circa 1TB) going to Let's Encrypt from the NAS, which I don't quite understand as there are no Let's Encrypt certificates installed on the NAS…

Hi @jjanderson

there are some checks of your domain - https://check-your-website.server-daten.de/?q=anderville.co.uk

The problem is always the same: your external port 80 doesn't work, there is a timeout. So your internal port 5123 isn't reachable.

But your http://anderville.co.uk:5123/ answers. Is there a firewall blocking port 80?

Does your ISP allow port 80? Some ISPs block port 80.

Let's Encrypt must be able to reach your external port 80. If not, you can't use http validation.

If there is no additional firewall: first step - ask your ISP if port 80 is blocked.

Hi,

Thanks for getting back to me so fast!

I work for my ISP; port 80 is not blocked at the ISP. I have just switched the port forwarding back to point external 80 to internal 80 on my internal NAS IP…

Is it possible to get a list of Let's Encrypt IP addresses so I can whitelist them to make sure there are no blocks?

I did run the check you mentioned https://check-your-website.server-daten.de/?q=anderville.co.uk before but could not see/understand where the problem lies…

port 80 is not blocked as you can hit this from your browser: anderville.co.uk:80

That's wrong, I can't open it.

If you use your browser, you see the cached redirect. That's the reason you can't check that with a browser - too much caching.

Use online tools or

curl http://anderville.co.uk:80

Timeout.
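The point made above (a browser hides a dead port 80 behind a cached redirect, so probe with curl or an online tool instead) can also be scripted. The following Python is an added example written for this thread, not code from any of the posters or from Synology; it does what the curl check does but separates the three outcomes that matter for HTTP-01 validation: a connect timeout (packets dropped by a firewall or, as it turned out here, a port grabbed by another device), a refused connection (host reachable, nothing listening), and an actual HTTP response, reported without following redirects so a 301 cannot mask the result. The probe path and the local demo server are constructed for illustration; the ACME challenge path prefix `/.well-known/acme-challenge/` is the real one.

```python
import http.client
import http.server
import socket
import sys
import threading

PROBE_PATH = "/.well-known/acme-challenge/probe"  # constructed token name


def classify_port(host, port=80, timeout=5.0, path=PROBE_PATH):
    """Probe host:port the way an ACME HTTP-01 validator would reach it.

    Returns a (state, detail) tuple:
      ("timeout", None)  - no SYN/ACK within `timeout` s (firewall drop, or the
                           port is owned by something that never answers)
      ("refused", None)  - RST came back: host reachable, nothing listening
      ("error", str)     - DNS failure or another socket/HTTP error
      ("http", status)   - an HTTP response arrived; redirects are NOT followed,
                           so a 301/302 is reported as such rather than hidden
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            pass
    except socket.timeout:
        return ("timeout", None)
    except ConnectionRefusedError:
        return ("refused", None)
    except OSError as exc:
        return ("error", str(exc))

    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"User-Agent": "port80-probe"})
        resp = conn.getresponse()
        return ("http", resp.status)
    except (OSError, http.client.HTTPException) as exc:
        return ("error", str(exc))
    finally:
        conn.close()


class _DemoHandler(http.server.BaseHTTPRequestHandler):
    """Throwaway local listener used only by demo_local(); constructed, not real."""

    def do_GET(self):
        if self.path == PROBE_PATH:
            status, body = 200, b"probe-ok"
        else:
            status, body = 404, b"not found"
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def demo_local():
    """Show what a working port looks like next to a closed one, entirely offline.

    Returns (probe_result, other_path_result, closed_port_result).
    """
    srv = http.server.HTTPServer(("127.0.0.1", 0), _DemoHandler)
    port = srv.server_address[1]
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        probe = classify_port("127.0.0.1", port, timeout=2.0)
        other = classify_port("127.0.0.1", port, timeout=2.0, path="/somewhere-else")
    finally:
        srv.shutdown()
        srv.server_close()
    # Nothing listens on the port any more, so the same probe must now be refused.
    closed = classify_port("127.0.0.1", port, timeout=2.0)
    return probe, other, closed


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "anderville.co.uk"
    print("external check of", host, "port 80:", classify_port(host))
    print("local demo (open path, unknown path, closed port):", demo_local())
```

Run it from a machine outside your own network (or a VPS), since a probe from inside the LAN may hit the NAS directly and never traverse the gateway's port forward. A `("timeout", None)` from outside while `http://host:5123/` answers is exactly the symptom discussed in this thread and points at the gateway or an upstream block, not at the NAS.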

I am so sorry to have wasted your time… you are correct… let me do some more digging and I will revert… thanks for your help…


Hi,

Just to update you, I found the error.

I had a rogue IoT device that had UPnP enabled and was locking up port 80 on my gateway…

All sorted now… thanks again for your help…
