Failing to issue certificates

Help
1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: etherealplayground.com

I ran this command: sudo certbot --apache --agree-tos --preferred-challenges http -d etherealplayground.com

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for etherealplayground.com
Waiting for verification...
Challenge failed for domain etherealplayground.com
http-01 challenge for etherealplayground.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: etherealplayground.com
    Type: connection
    Detail: 2601:701:c200:c9b0:1195:7743:3b67:f432: Fetching
    http://etherealplayground.com/.well-known/acme-challenge/mAMnYnklJVoYRG5zgmJQklx7sxK4hOGOOMadCCoD6iI:
    Network unreachable

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version): ehcp (newest version)

The operating system my web server runs on is (include version): ubuntu 20.4'ish

My hosting provider, if applicable, is: comcast

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): ehcp

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.40.0

I did some searches and seen that the best way to use openssl for ehcp was to do some kind of all in one domain ssl certificates for all at once. So I decided to try to do it myself with lets encrypt not finding much data and went for doing them individually myself. I'm looking for some guidance on this topic directly or for ehcp with openssl.

2

Hi @layz1307,

It looks like your Comcast IP address can't receive incoming connection from the rest of the Internet. The ability to receive connections from the outside world is a requirement for the method that you're using to try to get the certificate.

It could be blocked by a firewall run by Comcast, or a firewall policy on your own router, or maybe Comcast requires customers to opt-in to receiving connections from the public Internet, or maybe it was a dynamic IP address that you were allocated in the past but that doesn't match your current IP address?

These are all just guesses, but the problem you're encountering relates to the ability of others to connect to your service on your IPv6 address.

5 Likes
3 
Name:      etherealplayground.com
Addresses: 2601:701:c200:c9b0:1195:7743:3b67:f432
           10.0.0.228

You should ensure you provide only Internet routable IPs.
The 10 dot network is not routable over the Internet.

3 Likes
4

do you have a way to test the first reply?
I have etherealplayground.com running, and it should be able to be hit by the outside world all that is there now is a text telling you its ran by ehcp and gives ips.

5

I'm not familiar with "ehcp".
Does it support IPv6?

2 Likes
6

That was a mistake im using apache

EHCP is the control panel im using.

7

This is not likely to be a problem with the server software. We get an ICMPv6 message back from a Comcast router indicating that the IPv6 address is unroutable.

17:38:23.897869 IP6 2001:558:2d2:ffff::2 > demorgan: ICMP6, destination unreachable, unreachable route 2601:701:c200:c9b0:1195:7743:3b67:f432, length 88

8

OK, since you are using Apache.
I would start with the output of:
sudo apachectl -t -D DUMP_VHOSTS

3 Likes
9

There are strong indications here it's a network problem, not an Apache configuration problem.

5 Likes
10

OR
Both - LOL

4 Likes
11

@layz1307, from the server, please also show the outputs of:
curl -4 ifconfig.io
curl -6 ifconfig.io

3 Likes
12

root@73:~# sudo apachectl -t -D DUMP_VHOSTS
AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/ports.conf:10
VirtualHost configuration:
: is a NameVirtualHost
default server default (/etc/apache2/sites-enabled/default:3)
port * namevhost default (/etc/apache2/sites-enabled/default:3)
port * namevhost webmail.etherealplayground.com (/var/www/new/ehcp/webserver_ehcp.conf:7)
alias mail.etherealplayground.com
alias email.etherealplayground.com
port * namevhost webmail2.etherealplayground.com (/var/www/new/ehcp/webserver_ehcp.conf:25)
alias mail2.etherealplayground.com
alias email2.etherealplayground.com
port * namevhost cpanel.etherealplayground.com (/var/www/new/ehcp/webserver_ehcp.conf:40)
alias panel.etherealplayground.com
alias ehcp.etherealplayground.com
alias cp.etherealplayground.com
port * namevhost etherealplayground.com (/var/www/new/ehcp/webserver_ehcp.conf:55)
alias www.etherealplayground.com
port * namevhost webmail.thronesoftime.net (/var/www/new/ehcp/webserver_ehcp.conf:93)
alias mail.thronesoftime.net
alias email.thronesoftime.net
port * namevhost webmail2.thronesoftime.net (/var/www/new/ehcp/webserver_ehcp.conf:111)
alias mail2.thronesoftime.net
alias email2.thronesoftime.net
port * namevhost cpanel.thronesoftime.net (/var/www/new/ehcp/webserver_ehcp.conf:126)
alias panel.thronesoftime.net
alias ehcp.thronesoftime.net
alias cp.thronesoftime.net
port * namevhost thronesoftime.net (/var/www/new/ehcp/webserver_ehcp.conf:141)
alias www.thronesoftime.net

root@73:~# curl -4 ifconfig.io
73.27.126.62
root@73:~# curl -6 ifconfig.io
2601:701:c200:d680::9c56

13

i did not have my ipv6 set on ehcp and im going to test it while set with the outside ip that i just got from apache

14

This is different from your address in DNS:

2601:701:c200:c9b0:1195:7743:3b67:f432

They're only the same as far as 2601:701:c200 which is, I guess, Comcast in Florida.

It might be that your Comcast account, or your home router, currently does not allow incoming IPv6 connections. (Also, where did you get the address 2601:701:c200:c9b0:1195:7743:3b67:f432 that you have listed in DNS?)

In theory with IPv6 you can have multiple devices on a home connection accept connections directly from the Internet, but your router or ISP might not allow this by default because many people are no longer accustomed to actually being reachable by the whole public Internet.

2 Likes
15

im having some other problems after rebooting atm, im going to have to sort through before i can continue

17

I'm unfamiliar with the use of "*" there.
Are there any listen statements within the file?:

3 Likes
18

I have reinstalled my ehcp (cpanel equivalent) and this is what im getting now after redoing some of the ip configurations.

I stopped the firewall this way before running it a second time.

root@micromedia:~/ehcp# sudo ufw disable
Firewall stopped and disabled on system startup

root@micromedia:~/ehcp# sudo certbot --apache --agree-tos --preferred-challenges http -d etherealplayground.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for etherealplayground.com
Waiting for verification...
Challenge failed for domain etherealplayground.com
http-01 challenge for etherealplayground.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: etherealplayground.com
    Type: connection
    Detail: 73.27.126.62: Fetching
    http://etherealplayground.com/.well-known/acme-challenge/OVO7Nt88gdlHmDQQUKyK-jFNUl7d5tIJJjxcBVu7cEA:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.
    root@micromedia:~/ehcp#

19

what's that servers ip?
curl ifconfig.me
ip addr

4 Likes
20

root@micromedia:~# curl ifconfig.me
73.27.126.62

21

Previously you didn't have your IPv4 address in DNS (only IPv6); now you have both.

They give different errors when trying to connect to them from outside. The IPv6 address still has Comcast (apparently) actively giving an error and not agreeing to route to it, while the IPv4 address has a timeout which is indeed suggestive of a firewall.

Have you ever been able to connect to either of these addresses successfully from a device that wasn't on your home network?

4 Likes