Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: darkshado.ca
I ran this command:
certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d server1.homenet.darkshado.ca
It produced this output:
My web server is (include version):
apache2 -V
[Mon Jul 11 05:37:04.250641 2022] [core:warn] [pid 3868370] AH00111: Config variable ${APACHE_RUN_DIR} is not defined
apache2: Syntax error on line 80 of /etc/apache2/apache2.conf: DefaultRuntimeDir must be a valid directory, absolute or relative to ServerRoot
Server version: Apache/2.4.53 (Debian)
Server built: 2022-03-14T16:28:35
Server's Module Magic Number: 20120211:124
Server loaded: APR 1.7.0, APR-UTIL 1.6.1, PCRE 8.39 2016-06-14
Compiled using: APR 1.7.0, APR-UTIL 1.6.1, PCRE 8.39 2016-06-14
Architecture: 64-bit
Server MPM:
Server compiled with....
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_PROC_PTHREAD_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=256
-D HTTPD_ROOT="/etc/apache2"
-D SUEXEC_BIN="/usr/lib/apache2/suexec"
-D DEFAULT_PIDLOG="/var/run/apache2.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="mime.types"
-D SERVER_CONFIG_FILE="apache2.conf"
The operating system my web server runs on is (include version):
Debian 11
uname -a
Linux server1 5.10.0-14-amd64 #1 SMP Debian 5.10.113-1 (2022-04-29) x86_64 GNU/Linux
My hosting provider, if applicable, is: shaw.ca
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot --version
certbot 1.12.0
OK, I think I know what the issue is: this is a firewall issue. When I run certbot with my
firewall up it just sits there and hangs, but if I flush my iptables using
iptables -F and destroy my ipsets with ipset destroy, then it works.
I think I know what the issue is: I have a pretty aggressive firewall which blocks all traffic
from digitalocean.com due to the widespread abuse that seems to come from their
IPs and their lack of caring about abuse.
I whitelisted the IP block 172.64.0.0/13, which is cloudflare.com, but the server is not hosted
on Cloudflare. I know that, and you are using another hosting provider to host the actual
server that responds to the challenge to get and renew certificates. You are just
using cloudflare.com as an anti-DDoS protection service.
I believe that you may be using a droplet on digitalocean.com, and my server isn't getting
a response from https://acme-v02.api.letsencrypt.org.
So I need to be able to whitelist the IP block for the actual server behind acme-v02.api.letsencrypt.org.
I really don't want to have to drop my firewall every time to renew the certificate.
What I would like to do is be able to whitelist, say, the /24 where your server is.
What is the IP block from which the renewals are done, please? This way I can
just whitelist the IP block where the server is located. I need the actual IP block
where the server is, though, not cloudflare.com.
If you could give me this information for the IP block where https://acme-v02.api.letsencrypt.org
resides, I can whitelist it and fix the issue.
Thank you,
Jamie (she / her)
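As an added example (not the poster's script and not Let's Encrypt's own tooling): the poster has observed that the ACME endpoint answers from Cloudflare address space, so a static /24 allowlist is not a stable target. The script below takes the alternative a firewall maintainer would normally reach for: resolve the hostname at renewal time, load the addresses into an ipset, and let one ACCEPT rule for outbound HTTPS to that set precede the broad DROP rules. The set name acme_allow, the ACME_HOOK_APPLY switch, and the hook file path in the comments are assumptions made for this example; the resolver output in the test is constructed from the documentation range 203.0.113.0/24.

```shell
#!/bin/sh
# Hypothetical certbot --pre-hook (e.g. /etc/letsencrypt/renewal-hooks/pre/acme-allow.sh,
# a path assumed for this example). Refreshes an ipset with the addresses that
# acme-v02.api.letsencrypt.org currently resolves to, so the firewall allows the
# renewal without flushing every rule.
ACME_HOST="acme-v02.api.letsencrypt.org"
SET_NAME="acme_allow"   # assumed set name

# build_ipset_restore SET_NAME
#   Reads resolver output (one address per line) on stdin, keeps only
#   well-formed IPv4 addresses (four octets, each 0-255), deduplicates them,
#   and prints an "ipset restore" script: create the set, flush it, add members.
#   Pure text transformation, so it can be checked without root or network.
build_ipset_restore() {
  set_name="$1"
  echo "create ${set_name} hash:ip family inet -exist"
  echo "flush ${set_name}"
  awk -F. 'NF == 4 {
             ok = 1
             for (i = 1; i <= 4; i++)
               if ($i !~ /^[0-9]+$/ || $i > 255) ok = 0
             if (ok) print
           }' \
    | sort -u \
    | while read -r ip; do
        echo "add ${set_name} ${ip} -exist"
      done
}

# resolve_v4 HOST: current IPv4 addresses of HOST, one per line (needs network).
resolve_v4() {
  getent ahostsv4 "$1" | awk '{ print $1 }'
}

# Only touch the live firewall when explicitly asked (ACME_HOOK_APPLY=1),
# so sourcing this file for inspection or testing has no side effects.
if [ "${ACME_HOOK_APPLY:-0}" = "1" ]; then
  resolve_v4 "$ACME_HOST" | build_ipset_restore "$SET_NAME" | ipset restore
  # Allow outbound TCP/443 only to members of the set. "-C" makes the insert
  # idempotent across repeated renewals; "-I" places it ahead of the DROP rules.
  iptables -C OUTPUT -p tcp --dport 443 -m set --match-set "$SET_NAME" dst -j ACCEPT 2>/dev/null \
    || iptables -I OUTPUT -p tcp --dport 443 -m set --match-set "$SET_NAME" dst -j ACCEPT
fi
```

The ACCEPT rule covers only the outgoing connection; the reply packets still need the usual conntrack rule (`-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`) on the INPUT side, which most rulesets already have. Because the set is rebuilt from DNS on every run, the allowlist tracks whatever addresses the endpoint fronts with at that moment, and an address that stops being returned drops out of the set at the next renewal instead of staying open indefinitely.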