Failed to deploy cert standalone

hdoradu · March 24, 2018, 6:41pm

Hi,
I am trying to deploy a certificate standalone like this:

sudo certbot certonly --standalone --preferred-challenges http -d www.mydomain.com

And It keeps failing:
Failed authorization procedure. www.mydomain.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.mydomain.com/.well-known/acme-challenge/Y86KLdlwaXZDdVTOKcYyaScOkUODPbLhSDi1ed7VhW8: Connection refused

This is a AWS Ubuntu instance that has http and https ports opened.
The domain points to the correct IP, if I spin off a http server I can access it, I don’t know what else to try.

sahsanu · March 24, 2018, 6:50pm

Your domain has an AAAA record?

hdoradu · March 24, 2018, 7:07pm

It has an A type record.

sahsanu · March 24, 2018, 8:04pm

@hdoradu, use this command:

sudo certbot certonly --standalone --preferred-challenges http -d www.mydomain.com --debug-challenges

With the --debug-challenges switch certbot will stop and allow you to try to connect to your site to reach the file created for the http challenge, also, you could check whether it is listening on port 80 on all your interfaces, etc. Checking the log /var/log/letsencrypt/letsencrypt.log or posting it here will help to debug the problem too.

Cheers,
sahsanu

hdoradu · March 24, 2018, 8:34pm

Looks like it fails to bind to IPv4 port 80:
2018-03-24 20:21:14,025:DEBUG:acme.standalone:Failed to bind to :80 using IPv4

So it binds using IPv6.

netstat -l
tcp6       0      0 [::]:http               [::]:*                  LISTEN

And I don’t have a public IPv6 address.
How can I fix the bind issue?

sahsanu · March 24, 2018, 10:23pm

I don't think there is any bind issue, the "error" message Failed to bind to :80 using IPv4 is ok if it can bind to IPv6... because it is actually binding for both protocols (IPv4 and IPv6) so I wouldn't be worried about it.

Anyway, just in case, check there isn't any other process listening on port 80:

netstat -ptnl | grep :80

or

ss -ptnl | grep :80

or

lsof -P -n -i :80

Also, I forgot to add -v to the --debug-challenges parameter so you can view the output and be able to check the url with the challenge:

sudo certbot certonly --standalone --preferred-challenges http -d www.mydomain.com --debug-challenges -v

Please try it, you will see a lot of info, but just at the end you will get the url with the challenge:

  [...]
  "type": "http-01",
  "status": "valid",
  "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/6w46B4TIW7fwfom6oo_9ZtgPvvT2jaKT6KnK4akqsl0/3597534182",
  "token": "afuUrgz-3KVvnt2wz1kgSXDFzA1vFjIrvmziDAsP06i",
  "keyAuthorization": "afuUrgz-3KVvnt2wz1kgSXDFzA1vFjIrvmziDAsP06i.69uimIZULxv79Q5YFv30p7-ts2WIHucCFA6c1BowiT3",
  "validationRecord": [
    {
      "url": "http://www.mydomain.com/.well-known/acme-challenge/afuUrgz-3KVvnt2wz1kgSXDFzA1vFjIrvmziDAsP06i",
      "hostname": "www.mydomain.com",
      "port": "80",
      "addressesResolved": [
        "203.0.113.152"
      ],
      "addressUsed": "203.0.113.152"
    }
  ]
}
  ],
  "combinations": [
[
  2
],
[
  1
],
[
  0
]
  ]
}
Storing nonce: rMOso9mRTJ_H2Q-PrtAG8J-LKwKF_3M1Lei_u1b-jeo
Performing the following challenges:
http-01 challenge for www.mydomain.com
Failed to bind to :80 using IPv4
Waiting for verification...

-------------------------------------------------------------------------------
Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about
challenges.
-------------------------------------------------------------------------------

In the above example, the challenge url is http://www.mydomain.com/.well-known/acme-challenge/afuUrgz-3KVvnt2wz1kgSXDFzA1vFjIrvmziDAsP06i so as the certbot command is paused you can try to reach it with your browser. If you can't reach the url then you should re-check the ubuntu firewall, allowing TCP and TCP6 connections to port 80.

Cheers,
sahsanu

hdoradu · March 25, 2018, 9:05am

I checked, nothing is bound to port 80 and I can bind my own server and access it from outside (POST and GET).
I also tried with netcat (nc -l 80), but for some reason I could not receive data from outside, but it could bind ok.

Regarding the -v debug option, I do not get the verification url. This is how it looks for me:

b'{\n  "identifier": {
    \n    "type": "dns",
    \n    "value": "www.mydomain.com"
    \n  },
    \n  "status": "pending",
    \n  "expires": "2018-04-01T08:41:39.88867382Z",
    \n  "challenges": [
        \n    
{\n      "type": "http-01",
\n      "status": "pending",
\n      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/7s6WTRRgcKBxiLgQErnm0pCcEqMC5OoYXHIMsXH_8KY/3954380104",
\n      "token": "clH5pRH6u1CpCyNmeG5U2iTAbgfN50vN0lVM27FqdWc"
\n    },
\n    {
    \n      "type": "dns-01",
    \n      "status": "pending",
    \n      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/7s6WTRRgcKBxiLgQErnm0pCcEqMC5OoYXHIMsXH_8KY/3954380105",
    \n      "token": "Ml4JBy7uMg7n9DNarg1LB7oWmPT2yw__ruw9JpVqPTs"
    \n    }
    \n  ],
    \n  "combinations": [\n    [\n      1\n    ],\n    [\n      0\n    ]\n  ]
\n}'
Storing nonce: AdWsCfoP1Q8hWny6UqdBe3L-0nPYR16gWlfJggJ3hhA
Performing the following challenges:
http-01 challenge for www.mydomain.com
Failed to bind to :80 using IPv4
Waiting for verification...

_az · March 25, 2018, 9:14am

What address(es) does your Node.js server bind to, when it is running?

ss -tlnp

Are you definitely stopping your Node.js server before you run Certbot in --standalone ?

You can also try pass --http-01-address 0.0.0.0 to Certbot to force the bind to occur for all IPv4 interfaces, or to whatever address your Node server binds to when it is working.

sahsanu · March 25, 2018, 10:07am

Hi @hdoradu,

As @_az has said you have a node.js server listening on port 80 and it is redirecting requests to https but of course it fails to connect.

$ curl -IkL -m10  www.mydomain.com
HTTP/1.1 302 Found
X-Powered-By: Express
Location: https://www.mydomain.com/
Vary: Accept
Content-Type: text/plain; charset=utf-8
Content-Length: 45
Date: Sun, 25 Mar 2018 10:04:26 GMT
Connection: keep-alive

curl: (28) Connection timed out after 10748 milliseconds

And that is the right reason to provide real domain names, it is easier to debug a problem.

Cheers,
sahsanu

hdoradu · March 25, 2018, 4:38pm

Hi,

The nodejs server was not running. I was just bringing it up as I needed, to test if it manages to bind to 80 as I said above.
And I left it running after the last test, but I was stopping it when I was using certbot.
Also tried with netcat to listen and it managed to bind to port 80.
Also checked with netstat with and without certbot in debug mode (when it’s waiting) and only if certbot is up I can see http port on IPv6 being used, otherwise nothing

netstat -lt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 *:ssh                   *:*                     LISTEN     
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN

Something else is wrong.
The domain is www.woliem.com if it helps.

P.S.
What about that verification url that for me it’s not being printed/generated in debug mode.
Any idea?
I do get it eventually, but as part of the error message after I leave it complete, so I am not able to test it.

The following errors were reported by the server:

   Domain: www.woliem.com
   Type:   connection
   Detail: Fetching
   http://www.woliem.com/.well-known/acme-challenge/peR_JbTWPmYnhQyhXboVgFGyWJGoMQfOleQxVtkSIgQ:
   Connection refused

sahsanu · March 25, 2018, 5:09pm

Hi @hdoradu,

Really strange.

The info I posted was just an example, to get the url, in your case you got this:

{\n      "type": "http-01",
\n      "status": "pending",
\n      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/7s6WTRRgcKBxiLgQErnm0pCcEqMC5OoYXHIMsXH_8KY/3954380104",
\n      "token": "clH5pRH6u1CpCyNmeG5U2iTAbgfN50vN0lVM27FqdWc"

Then you need to use the token to test the url, with the above token, the url to try to connect to your server would be:

http://www.woliem.com/.well-known/acme-challenge/clH5pRH6u1CpCyNmeG5U2iTAbgfN50vN0lVM27FqdWc

hdoradu · March 25, 2018, 5:40pm

Ok, I tries to access it manually and I get also connection refused.
By the way, this is how it looks while certbot is running:

sudo netstat -ltp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:ssh                   *:*                     LISTEN      1164/sshd       
tcp6       0      0 [::]:http               [::]:*                  LISTEN      14592/python3   
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      1164/sshd

sahsanu · March 25, 2018, 5:41pm

Do you have the url so I can test it?

hdoradu · March 25, 2018, 5:43pm

Here

b'{\n  "identifier": {\n    "type": "dns",\n    "value": "www.woliem.com"\n  },\n  "status": "pending",\n  "expires": "2018-04-01T17:42:22.734980147Z",\n  "challenges": [\n    {\n      "type": "http-01",\n      "status": "pending",\n      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/CEhknTzC4wfiyPxX9icCJI1GbnfUcEv1mlas0uJloO0/3958915966",\n      "token": "7QYZXGwKhzvhFdAPmX4_Sor2eoPK9VkYBrFGcRm7f3w"\n    },\n    {\n      "type": "dns-01",\n      "status": "pending",\n      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/CEhknTzC4wfiyPxX9icCJI1GbnfUcEv1mlas0uJloO0/3958915967",\n      "token": "WIuX-d-yzPLjPCxJrMrQbKpOSIFJhG_0vgRZXayFU-Y"\n    }\n  ],\n  "combinations": [\n    [\n      1\n    ],\n    [\n      0\n    ]\n  ]\n}'
Storing nonce: 5XUa6AzPbufcUC4XwfuDaWACX5sqSbuJT9UGts2P78A
Performing the following challenges:
http-01 challenge for www.woliem.com
Failed to bind to :80 using IPv4
Waiting for verification...

I will leave certbot running.

sahsanu · March 25, 2018, 5:48pm

Hi @hdoradu,

I tested it and get the same error, connection refused, could you please show your iptables rules?.

iptables --list-rules
ip6tables --list-rules

sahsanu · March 25, 2018, 5:50pm

Also, just to test it, could you please disable the firewall?

sudo ufw disable

After the test you can enable it again:

sudo ufw enable

hdoradu · March 25, 2018, 5:59pm

The firewall is disabled

$ sudo ufw status                                                                                                                                       1 ↵
Status: inactive

sahsanu · March 25, 2018, 6:08pm

Then I run out of ideas :(, on your Ubuntu, certbot listening on IPv6 should listen on all interfaces (IPv6 & IPv4) so maybe one of the community’s buddies has another tip or clue to solve the issue or maybe @bmw (certbot developer) could take a look to help you to debug the issue.

hdoradu · March 25, 2018, 6:58pm

Thank you very much for all your help.
I found the problem.
I added an iptables rule some time ago to forward port 80 to 8080 so I can start my server without sudo and I have completely forgotten about it.

sudo iptables --table nat --list                                                                                                                      3 ↵
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:http redir ports 8080

I kept the forwarding rule, and I just specified a different port to certbot with --http-01-port and it worked.

sahsanu · March 25, 2018, 8:09pm

Great, I’m glad you solved the issue.