This is an AWS Ubuntu instance that has the HTTP and HTTPS ports open.
The domain points to the correct IP; if I spin up an HTTP server I can access it. I don't know what else to try.
With the --debug-challenges switch, certbot will stop and allow you to try to connect to your site and reach the file created for the HTTP challenge. You could also check whether it is listening on port 80 on all your interfaces, etc. Checking the log /var/log/letsencrypt/letsencrypt.log, or posting it here, will help to debug the problem too.
I don't think there is any bind issue. The "error" message Failed to bind to :80 using IPv4 is OK if it can bind to IPv6, because it is actually binding for both protocols (IPv4 and IPv6), so I wouldn't be worried about it.
Anyway, just in case, check there isn't any other process listening on port 80:
netstat -ptnl | grep :80
or
ss -ptnl | grep :80
or
lsof -P -n -i :80
Also, I forgot to add -v to the --debug-challenges parameter so that you can view the output and be able to check the URL with the challenge:
Please try it. You will see a lot of info, but right at the end you will get the URL with the challenge:
[...]
"type": "http-01",
"status": "valid",
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/6w46B4TIW7fwfom6oo_9ZtgPvvT2jaKT6KnK4akqsl0/3597534182",
"token": "afuUrgz-3KVvnt2wz1kgSXDFzA1vFjIrvmziDAsP06i",
"keyAuthorization": "afuUrgz-3KVvnt2wz1kgSXDFzA1vFjIrvmziDAsP06i.69uimIZULxv79Q5YFv30p7-ts2WIHucCFA6c1BowiT3",
"validationRecord": [
{
"url": "http://www.mydomain.com/.well-known/acme-challenge/afuUrgz-3KVvnt2wz1kgSXDFzA1vFjIrvmziDAsP06i",
"hostname": "www.mydomain.com",
"port": "80",
"addressesResolved": [
"203.0.113.152"
],
"addressUsed": "203.0.113.152"
}
]
}
],
"combinations": [
[
2
],
[
1
],
[
0
]
]
}
Storing nonce: rMOso9mRTJ_H2Q-PrtAG8J-LKwKF_3M1Lei_u1b-jeo
Performing the following challenges:
http-01 challenge for www.mydomain.com
Failed to bind to :80 using IPv4
Waiting for verification...
-------------------------------------------------------------------------------
Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about
challenges.
-------------------------------------------------------------------------------
In the above example, the challenge URL is http://www.mydomain.com/.well-known/acme-challenge/afuUrgz-3KVvnt2wz1kgSXDFzA1vFjIrvmziDAsP06i, so while the certbot command is paused you can try to reach it with your browser. If you can't reach the URL, then you should re-check the Ubuntu firewall, allowing TCP and TCP6 connections to port 80.
I checked, nothing is bound to port 80 and I can bind my own server and access it from outside (POST and GET).
I also tried with netcat (nc -l 80); for some reason I could not receive data from outside, but it could bind OK.
Regarding the -v debug option, I do not get the verification URL. This is how it looks for me:
What address(es) does your Node.js server bind to, when it is running?
ss -tlnp
Are you definitely stopping your Node.js server before you run Certbot in --standalone?
You can also try passing --http-01-address 0.0.0.0 to Certbot to force the bind to occur on all IPv4 interfaces, or on whatever address your Node server binds to when it is working.
The Node.js server was not running. I was just bringing it up as needed, to test whether it manages to bind to 80, as I said above.
And I left it running after the last test, but I was stopping it when I was using certbot.
I also tried listening with netcat, and it managed to bind to port 80.
I also checked with netstat with and without certbot in debug mode (when it's waiting); only when certbot is up can I see the HTTP port on IPv6 being used, otherwise nothing:
netstat -lt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:ssh *:* LISTEN
tcp6 0 0 [::]:ssh [::]:* LISTEN
Something else is wrong.
The domain is www.woliem.com if it helps.
P.S.
What about that verification URL, which for me is not being printed/generated in debug mode?
Any idea?
I do get it eventually, but as part of the error message after I let it complete, so I am not able to test it:
The following errors were reported by the server:
Domain: www.woliem.com
Type: connection
Detail: Fetching
http://www.woliem.com/.well-known/acme-challenge/peR_JbTWPmYnhQyhXboVgFGyWJGoMQfOleQxVtkSIgQ:
Connection refused
Then I have run out of ideas :( On your Ubuntu, certbot listening on IPv6 should listen on all interfaces (IPv6 & IPv4), so maybe one of the community's buddies has another tip or clue to solve the issue, or maybe @bmw (certbot developer) could take a look to help you debug the issue.
Thank you very much for all your help.
I found the problem.
I added an iptables rule some time ago to forward port 80 to 8080 so I could start my server without sudo, and I had completely forgotten about it.
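As an added example (not code from the thread or from certbot), the following POSIX shell script turns the two diagnostics discussed above into a pre-flight check you can run before `certbot --standalone`: the "is anything already listening on port 80?" check suggested earlier with `ss`/`netstat`, plus the check that would have caught the actual cause, a NAT rule rewriting port 80 to another port, which `netstat -lt` never shows because no socket is involved. The parsing is split into functions that read command output from stdin so they can be exercised on constructed samples; the live `preflight` function assumes `ss` and `iptables-save` are installed and that it is run as root for complete output. The sample data in the comments is constructed, not taken from the poster's machine.

```shell
#!/bin/sh
# Pre-flight checks before `certbot --standalone` (added example, not certbot's code).
# Assumes: POSIX sh, ss(8) and iptables-save(8) available, root for full output.

# Print sockets listening on TCP port 80 from `ss -tlnp`-style text on stdin.
# Column 4 is "Local Address:Port", e.g. "0.0.0.0:80", "*:80" or "[::]:80".
# Exit status 0 if at least one listener was found, 1 otherwise.
port80_listeners() {
    awk 'NR > 1 && $4 ~ /:80$/ { found = 1; print } END { exit found ? 0 : 1 }'
}

# Print nat-table rules from `iptables-save` text on stdin that REDIRECT or DNAT
# traffic arriving on TCP port 80 (a constructed example of such a rule would be
# "-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080").
# The "( |$)" keeps "--dport 8080" from matching. Exit 0 if found, 1 otherwise.
port80_redirects() {
    grep -E '^-A (PREROUTING|OUTPUT) .*--dport 80( |$).*-j (REDIRECT|DNAT)'
}

# Live check: gather the real system state and report anything that would stop
# the validator's request from reaching certbot. Returns 1 if a blocker is found.
preflight() {
    rc=0
    if listeners=$(ss -tlnp 2>/dev/null | port80_listeners); then
        printf 'Port 80 already in use (stop this before certbot --standalone):\n%s\n' "$listeners"
        rc=1
    fi
    if rules=$(iptables-save -t nat 2>/dev/null | port80_redirects); then
        printf 'NAT rules rewriting port 80 (validator will not reach certbot):\n%s\n' "$rules"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo 'Port 80 is free and not redirected; safe to run certbot --standalone.'
    return "$rc"
}

# Run the live check only when invoked as `sh preflight.sh --run`, so the
# functions can also be sourced and tested on sample input.
if [ "${1:-}" = "--run" ]; then
    preflight
fi
```

Run it as `sudo sh preflight.sh --run` right before `certbot certonly --standalone`. Anything it prints is something the Let's Encrypt validator will hit instead of certbot; in the poster's case the second check would have listed the forgotten REDIRECT to 8080, which explains both the "Connection refused" in the final error and why `netstat -lt` looked clean.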