Failed to generate certbot certificates

My domain is: lilaum.com
I ran this command: #certbot --apache
It produced this output: Domain: www.lilaum.com
Type: connection
Detail: Fetching
http://www.lilaum.com/.well-known/acme-challenge/KrCC3ZHpQK4QvvMsWtjpd_sf5_d_Eu-Iw0lAIUhByXI:
Timeout during connect (likely firewall problem)

My web server is (include version): ubuntu server 20.04 apache Server version: Apache/2.4.41 (Ubuntu)
Server built: 2020-04-13T17:19:17

The operating system my web server runs on is (include version): Linux ubuntu server 20.04
My hosting provider, if applicable, is: my home server
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot --version
certbot 0.40.0
Do I need to add Listen 80, 443 to every /etc/apache/sites…/*.conf file? Or could it be just a problem in this. Most unlikely, but?


Hello @leskgr
Port 80 should be listening globally in most cases. It allows Certbot to convince the CA that you are requesting a certificate for a domain under your control…
Hope this Helps.
Rip


I believe I have port 80 and 443 open all times (clean install ubuntu server 20.04).

netstat -tulpn | grep --color :80

tcp6 0 0 :::80 :::* LISTEN 1368/apache2
root@lilaum-server:/etc/apache2/sites-available# netstat -tulpn | grep --color :443
tcp6 0 0 :::443 :::* LISTEN 1368/apache2
What must I do to make certbot succeed?
Is this an apache error? Please guide me through this issue. I will be very thankful.

Please help me, thanks in advance, sincerely, Grega

Hello @leskgr…

You have a certificate that is valid until September 13, 2020. And a configuration test at ssllabs is giving your site a good rating! Congrats to you.

There are still a few issues that can be tweaked to make your configuration more secure. “Headers and redirects”, for example.

I’m pinging @JuergenAuer as his testing site is showing a redirect from https => http that I did not notice.

And your server doesn’t appear to be sending headers that prevent XSS (cross site scripting) attacks, etc.

https://securityheaders.com/?q=lilaum.com&followRedirects=on

IMHO “Strict-Transport-Security” and “Content-Security-Policy” headers, among others, could be added to your configuration to complement the security of your certificate and website.

You’re off to a good start!
Hope this helps!

Rip


@leskgr

I almost forgot!
Another great site to analyze your configuration is https://www.hardenize.com.
It confirms @JuergenAuer’s finding of the redirect issue that should be corrected.

HTTPS server redirects to plaintext HTTP
This HTTPS server redirects to plaintext HTTP, defeating encryption and exposing its users to content sniffing and active network attacks.

From: https://www.lilaum.com/
To: http://lilaum.com

Rip


Hi @leskgr

there are some critical errors.

http://www.lilaum.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de

is redirected to https, that's redirected to http - but with an error:

http://lilaum.com.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de

So the / after the domain name is missing, result: The unknown domain

http://lilaum.com.well-known

So if you have fixed your firewall problem, you have to fix these things.

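An added illustration (not the poster's actual configuration, whose contents are not shown in the thread): an Apache virtual host that reproduces the missing-slash redirect described above, followed by a corrected pair that keeps HTTP redirecting to HTTPS only, never back down, and adds the headers suggested earlier in the thread. The document root and the /etc/letsencrypt/live/... paths are assumed, not taken from the thread.

```apache
# BROKEN (assumed shape of the original setup): the Redirect target has no
# trailing slash, so mod_alias appends the remaining request path directly
# to it: /.well-known/acme-challenge/TOKEN -> http://lilaum.com.well-known/acme-challenge/TOKEN
# It also sends HTTPS visitors back to plaintext HTTP.
<VirtualHost *:443>
    ServerName www.lilaum.com
    Redirect permanent / http://lilaum.com
</VirtualHost>

# CORRECTED: requires mod_ssl and mod_headers (a2enmod ssl headers),
# then check with "apachectl configtest" before reloading.
<VirtualHost *:80>
    ServerName lilaum.com
    ServerAlias www.lilaum.com
    # Trailing slash matters: /.well-known/acme-challenge/TOKEN now becomes
    # https://lilaum.com/.well-known/acme-challenge/TOKEN, which the CA can follow.
    Redirect permanent / https://lilaum.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName lilaum.com
    ServerAlias www.lilaum.com
    DocumentRoot /var/www/html            # assumed path
    SSLEngine on
    # Assumed certbot paths; substitute whatever "certbot certificates" reports.
    SSLCertificateFile /etc/letsencrypt/live/lilaum.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/lilaum.com/privkey.pem
    # No Redirect here: the HTTPS host serves content instead of downgrading.
    # Start HSTS with a short max-age and raise it once the redirect chain is verified.
    Header always set Strict-Transport-Security "max-age=300"
    # Minimal CSP as a starting point; widen it per resource type the site actually loads.
    Header always set Content-Security-Policy "default-src 'self'"
</VirtualHost>
```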
