First certificates via webroot method - need guidance


#1

Hello all,
I dabble in smart home protocols etc., but I'm not that well versed in web servers/networking/encryption etc., so please consider me a newbie. :baby:

My domain is: brandolin1.homepc.it

I ran this command: sudo certbot certonly --webroot -w /var/www/mydomain -d brandolin1.homepc.it

It produced this output:

Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for brandolin1.homepc.it
Using the webroot path /var/www/mydomain for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. brandolin1.homepc.it (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://brandolin1.homepc.it/.well-known/acme-challenge/H5A34cxBdBwqmU73iQ94LKHLfhgLe-7GpCzjsYUhEhY: Connection refused
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: brandolin1.homepc.it
   Type:   connection
   Detail: Fetching
   http://brandolin1.homepc.it/.well-known/acme-challenge/H5A34cxBdBwqmU73iQ94LKHLfhgLe-7GpCzjsYUhEhY:
   Connection refused

It also produced this debug log:

2018-11-25 18:08:27,405:DEBUG:certbot.main:certbot version: 0.28.0
2018-11-25 18:08:27,411:DEBUG:certbot.main:Arguments: ['--webroot', '-w', '/var$
2018-11-25 18:08:27,416:DEBUG:certbot.main:Discovered plugins: PluginsRegistry($
2018-11-25 18:08:27,473:DEBUG:certbot.log:Root logging level set at 20
2018-11-25 18:08:27,480:INFO:certbot.log:Saving debug log to /var/log/letsencry$
2018-11-25 18:08:27,484:DEBUG:certbot.plugins.selection:Requested authenticator$
2018-11-25 18:08:27,485:DEBUG:certbot.plugins.selection:Single candidate plugin$
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x75a129b0>
Prep: True
2018-11-25 18:08:27,492:DEBUG:certbot.plugins.selection:Selected authenticator $
2018-11-25 18:08:27,492:INFO:certbot.plugins.selection:Plugins selected: Authen$
2018-11-25 18:08:48,195:DEBUG:acme.client:Sending GET request to https://acme-v$
2018-11-25 18:08:48,235:DEBUG:requests.packages.urllib3.connectionpool:Starting$
2018-11-25 18:08:48,647:DEBUG:requests.packages.urllib3.connectionpool:https://$
2018-11-25 18:08:48,650:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 658
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Sun, 25 Nov 2018 18:08:48 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 25 Nov 2018 18:08:48 GMT
Connection: keep-alive

{
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15$
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "q6wlZGS9HJI": "https://community.letsencrypt.org/t/adding-random-entries-to-$
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2018-11-25 18:09:02,180:DEBUG:acme.client:Requesting fresh nonce
2018-11-25 18:09:02,181:DEBUG:acme.client:Sending HEAD request to https://acme-$
2018-11-25 18:09:02,372:DEBUG:requests.packages.urllib3.connectionpool:https://$
2018-11-25 18:09:02,376:DEBUG:acme.client:Received response:
HTTP 204

My web server is (include version): nginx 1.10.3

The operating system my web server runs on is (include version): Raspbian 9 stretch; the dyndns is handled by the router, with port forwarding 80>80 to the rpi

My hosting provider, if applicable, is: dynDNS.it

I can login to a root shell on my machine: YES

I’m using a control panel to manage my site: NO

I found this, i.e. https://github.com/Neilpang/acme.sh
and this https://ietf-wg-acme.github.io/acme/draft-ietf-acme-acme.html#rfc.section.6.5.1
and a number of posts with similar issues to mine…
I NEED some direction :crazy_face:

My intent is to use nginx as a reverse proxy to be able to access a smart home system remotely over SSL with Let's Encrypt…

thank you:pray:


#2

When a webroot is used:

then this external access

would need to map to this internal folder
/var/www/mydomain/.well-known/acme-challenge/

Are you using anything to specifically handle the acme-challenge requests?
What is the document root for that vhost?


#3

Are you sure that this works for the general public from outside of your network? For example, the dynamic DNS is updated regularly, and your ISP doesn’t have a firewall blocking incoming port 80 requests from the world or anything?


#4

Connections to http://brandolin1.homepc.it/ immediately return Connection refused.
The IP seen is: 151.49.220.132.
Please confirm the IP and inbound port 80 access.


#5

Thank you both for your replies!! :slight_smile:

I am afraid I might not be knowledgeable enough to answer either of these 2 questions to the best of my current knowledge, and most likely that is where my issue lies.
I would reply "certbot" and "/var/www/mydomain", but you've seen these and I guess these aren't the correct answers.
What should I look into?

In regards to "mapping" /var/www/mydomain/.well-known/acme-challenge/ - how do I do that? I'm patching together fragments of guides over guides to work my way through - just knowing where to look for the right info would help.

The IP is correct indeed, the router shows that the port forwarding is up and running…
I've tried pinging myself to no avail, though I ascribed that to the "lovely" custom firmware of the VDSL router supplied by the ISP, which doesn't allow me to enable ping response. Would that be an issue? I haven't spotted any ping in the logs above though.

I have googled around this morning - there shouldn't be any ISP port filtering at work. Is there any way I can test this instead of relying on random info on the web? (I'm sure the ISP's call center isn't the answer.)

:face_with_monocle:


#6

Hi @lagging

tested it with my own tool: https://check-your-website.server-daten.de/?q=brandolin1.homepc.it

http://brandolin1.homepc.it/ -2 1.357 V
ConnectFailure - Unable to connect to the remote server
http://www.brandolin1.homepc.it/ -1 0.010 U
NameResolutionFailure - The remote name could not be resolved: ‘www.brandolin1.homepc.it’
https://brandolin1.homepc.it/ -14 10.100 T
Timeout - The operation has timed out
http://brandolin1.homepc.it/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de -2 1.237 V
ConnectFailure - Unable to connect to the remote server

The http connect has an error after 1.3 or 1.2 seconds. Checking your https -> timeout after 10 seconds.

So the http connections are blocked - actively. Your https is passive - no answer after 10 seconds.

So:

  • it’s your own firewall / router configuration
  • it’s your ISP -> send them a mail.

But it’s an active block, not only “Timeout”.


#7

i’ve fiddled with the router and restarted it few times.

now using your tool ( :star_struck: ) i get this

the comments underneath have changed but still everything timed out :neutral_face::tired_face:


#8

But this is good, you have removed the “ConnectFailure” - error port 80.

Now you may have a wrong port forwarding

Your Router port -> your webserver port.


#9

i’ve rerun

sudo certbot certonly --webroot -w /var/www/mydomain -d brandolin1.homepc.it

i now got this output

Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for brandolin1.homepc.it
Using the webroot path /var/www/mydomain for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. brandolin1.homepc.it (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://brandolin1.homepc.it/.well-known/acme-challenge/lmP-P85wiAupdG7ot4oaJQnXqf2xKesN9m3PEK5JkME: Error getting validation data

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: brandolin1.homepc.it
   Type:   connection
   Detail: Fetching
   http://brandolin1.homepc.it/.well-known/acme-challenge/lmP-P85wiAupdG7ot4oaJQnXqf2xKesN9m3PEK5JkME:
   Error getting validation data

and this log

2018-11-26 11:59:07,766:DEBUG:certbot.main:certbot version: 0.28.0
2018-11-26 11:59:07,773:DEBUG:certbot.main:Arguments: ['--webroot', '-w', '/var/www/$
2018-11-26 11:59:07,778:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(Plugi$
2018-11-26 11:59:07,835:DEBUG:certbot.log:Root logging level set at 20
2018-11-26 11:59:07,841:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/le$
2018-11-26 11:59:07,845:DEBUG:certbot.plugins.selection:Requested authenticator webr$
2018-11-26 11:59:07,846:DEBUG:certbot.plugins.selection:Single candidate plugin: * w$
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x75a0c990>
Prep: True
2018-11-26 11:59:07,853:DEBUG:certbot.plugins.selection:Selected authenticator <cert$
2018-11-26 11:59:07,853:INFO:certbot.plugins.selection:Plugins selected: Authenticat$
2018-11-26 11:59:07,874:DEBUG:certbot.main:Picked account: <Account(RegistrationReso$
2018-11-26 11:59:07,883:DEBUG:acme.client:Sending GET request to https://acme-v02.ap$
2018-11-26 11:59:07,910:DEBUG:requests.packages.urllib3.connectionpool:Starting new $
2018-11-26 11:59:08,259:DEBUG:requests.packages.urllib3.connectionpool:https://acme-$
2018-11-26 11:59:08,262:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 658
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 26 Nov 2018 11:59:08 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 26 Nov 2018 11:59:08 GMT
Connection: keep-alive

{
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017$
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert",
  "zNs0zDm675c": "https://community.letsencrypt.org/t/adding-random-entries-to-the-d$
}
2018-11-26 11:59:08,265:INFO:certbot.main:Obtaining a new certificate
2018-11-26 11:59:14,177:DEBUG:certbot.crypto_util:Generating key (2048 bits): /etc/l$
2018-11-26 11:59:14,212:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr$
2018-11-26 11:59:14,216:DEBUG:acme.client:Requesting fresh nonce
2018-11-26 11:59:14,217:DEBUG:acme.client:Sending HEAD request to https://acme-v02.a$
2018-11-26 11:59:14,407:DEBUG:requests.packages.urllib3.connectionpool:https://acme-$
2018-11-26 11:59:14,410:DEBUG:acme.client:Received response:
HTTP 204
Server: nginx
Replay-Nonce: u2clhIWbj17_5lWOR_ks-Y3nK9LVwlRVQyGcm7OdjyE
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 26 Nov 2018 11:59:14 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 26 Nov 2018 11:59:14 GMT
Connection: keep-alive


2018-11-26 11:59:14,410:DEBUG:acme.client:Storing nonce: u2clhIWbj17_5lWOR_ks-Y3nK9L$
2018-11-26 11:59:14,412:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "value": "brandolin1.homepc.it",\n      "type"$
2018-11-26 11:59:14,450:DEBUG:acme.client:Sending POST request to https://acme-v02.a$
{
  "signature": "bM4AU2iQk5Qke2JVx0CWb5M3hzLZdeQmgmYk5DoewJl_5SspwPSKpKpe8UYpLtGVivBi$
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInZhbHVlIjogImJyYW5kb2xpbj$
  "protected": "eyJhbGciOiAiUlMyNTYiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNl$
}
2018-11-26 11:59:14,689:DEBUG:requests.packages.urllib3.connectionpool:https://acme-$
2018-11-26 11:59:14,692:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 379
Boulder-Requester: 46476295
Location: https://acme-v02.api.letsencrypt.org/acme/order/46476295/192740227
Replay-Nonce: bdt_AnVMZKY2kkjUSr_tBEOu3Ic_D1DKvl-YvRvLGtQ
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 26 Nov 2018 11:59:14 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 26 Nov 2018 11:59:14 GMT
Connection: keep-alive

{
  "status": "pending",
  "expires": "2018-12-03T11:59:14.597785905Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "brandolin1.homepc.it"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz/7u5ViBrCGVsqAfTfDjV72uMyTsd1oBs$
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/46476295/192740227"
}
2018-11-26 11:59:14,693:DEBUG:acme.client:Storing nonce: bdt_AnVMZKY2kkjUSr_tBEOu3Ic$
2018-11-26 11:59:14,694:DEBUG:acme.client:Sending GET request to https://acme-v02.ap$
2018-11-26 11:59:14,886:DEBUG:requests.packages.urllib3.connectionpool:https://acme-$
2018-11-26 11:59:14,889:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 912
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 26 Nov 2018 11:59:14 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 26 Nov 2018 11:59:14 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "brandolin1.homepc.it"
  },
  "status": "pending",
  "expires": "2018-12-03T11:59:14Z",
  "challenges": [
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/7u5ViBrCGVsqAfTfDj$
      "token": "r9uBgqJ9eevxnrH1SP7dMiVNB4Pp4PDM6J9ZIC91XAk"
    },
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/7u5ViBrCGVsqAfTfDj$
      "token": "lmP-P85wiAupdG7ot4oaJQnXqf2xKesN9m3PEK5JkME"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/7u5ViBrCGVsqAfTfDj$
      "token": "MLm0x6nRRVD3rNkEEt6V6hFVbU1NWU6RdOxSLq8H0jk"
    }
  ]
}
2018-11-26 11:59:14,892:INFO:certbot.auth_handler:Performing the following challenge$
2018-11-26 11:59:14,893:INFO:certbot.auth_handler:http-01 challenge for brandolin1.h$
2018-11-26 11:59:14,894:INFO:certbot.plugins.webroot:Using the webroot path /var/www$
2018-11-26 11:59:14,895:DEBUG:certbot.plugins.webroot:Creating root challenges valid$
2018-11-26 11:59:14,916:DEBUG:certbot.plugins.webroot:Attempting to save validation $
2018-11-26 11:59:14,918:INFO:certbot.auth_handler:Waiting for verification...
2018-11-26 11:59:14,919:DEBUG:acme.client:JWS payload:
b'{\n  "resource": "challenge",\n  "type": "http-01",\n  "keyAuthorization": "lmP-P8$
2018-11-26 11:59:14,951:DEBUG:acme.client:Sending POST request to https://acme-v02.a$
{
  "signature": "OoyvqlRqaSwLYlRtUfm6pdAMwGLCW37qYDt2WGlo_CU4pzntIaPDwWaiQpFDG59x_s8y$
  "payload": "ewogICJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiLAogICJ0eXBlIjogImh0dHAtMDEiLAogIC$
  "protected": "eyJhbGciOiAiUlMyNTYiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNl$
}
2018-11-26 11:59:15,163:DEBUG:requests.packages.urllib3.connectionpool:https://acme-$
2018-11-26 11:59:15,165:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 223
Boulder-Requester: 46476295
Link: <https://acme-v02.api.letsencrypt.org/acme/authz/7u5ViBrCGVsqAfTfDjV72uMyTsd1o$
Location: https://acme-v02.api.letsencrypt.org/acme/challenge/7u5ViBrCGVsqAfTfDjV72u$
Replay-Nonce: 96CdQcxeeeRuH5rSRiQImkbuFgeTjpqZiA5v49hal2s
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 26 Nov 2018 11:59:15 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 26 Nov 2018 11:59:15 GMT
Connection: keep-alive

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/7u5ViBrCGVsqAfTfDjV72u$
  "token": "lmP-P85wiAupdG7ot4oaJQnXqf2xKesN9m3PEK5JkME"
}
2018-11-26 11:59:15,166:DEBUG:acme.client:Storing nonce: 96CdQcxeeeRuH5rSRiQImkbuFge$
2018-11-26 11:59:18,172:DEBUG:acme.client:Sending GET request to https://acme-v02.ap$
2018-11-26 11:59:18,372:DEBUG:requests.packages.urllib3.connectionpool:https://acme-$
2018-11-26 11:59:18,377:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1540
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 26 Nov 2018 11:59:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 26 Nov 2018 11:59:18 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "brandolin1.homepc.it"
  },
  "status": "invalid",
  "expires": "2018-12-03T11:59:14Z",
  "challenges": [
    {
      "type": "tls-alpn-01",
      "status": "invalid",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/7u5ViBrCGVsqAfTfDj$
      "token": "r9uBgqJ9eevxnrH1SP7dMiVNB4Pp4PDM6J9ZIC91XAk"
    },
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "Fetching http://brandolin1.homepc.it/.well-known/acme-challenge/l$
        "status": 400
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/7u5ViBrCGVsqAfTfDj$
      "token": "lmP-P85wiAupdG7ot4oaJQnXqf2xKesN9m3PEK5JkME",
      "validationRecord": [
        {
          "url": "http://brandolin1.homepc.it/.well-known/acme-challenge/lmP-P85wiAu$
          "hostname": "brandolin1.homepc.it",
          "port": "80",
          "addressesResolved": [
            "151.49.220.132"
          ],
          "addressUsed": "151.49.220.132"
        }
      ]
    },
    {
      "type": "dns-01",
      "status": "invalid",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/7u5ViBrCGVsqAfTfDj$
      "token": "MLm0x6nRRVD3rNkEEt6V6hFVbU1NWU6RdOxSLq8H0jk"
    }
  ]
}
2018-11-26 11:59:18,384:DEBUG:certbot.reporter:Reporting to user: The following erro$

Domain: brandolin1.homepc.it
Type:   connection
Detail: Fetching http://brandolin1.homepc.it/.well-known/acme-challenge/lmP-P85wiAup$

To fix these errors, please make sure that your domain name was entered correctly an$
2018-11-26 11:59:18,389:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_$
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 161, in _respo$
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 232, in _poll_$
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. brandolin1.homepc.i$

2018-11-26 11:59:18,390:DEBUG:certbot.error_handler:Calling registered functions
2018-11-26 11:59:18,391:INFO:certbot.auth_handler:Cleaning up challenges
2018-11-26 11:59:18,392:DEBUG:certbot.plugins.webroot:Removing /var/www/mydomain/.we$
2018-11-26 11:59:18,394:DEBUG:certbot.plugins.webroot:All challenges cleaned up
2018-11-26 11:59:18,396:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.28.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1340, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1225, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 121, in _get_and_save_$
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 392, in obtain_and_e$
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 335, in obtain_certi$
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_o$
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 371, in _get_order_a$
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_$
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 161, in _respo$
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 232, in _poll_$
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. brandolin1.homepc.i$

I see a number of HTTP 200s, 204s and 205s which make me think the connection went through to the rpi, but I'm missing some data in the folders. Is that a correct assessment?

edit
Just now I was getting a weird error from nginx when accessing it internally.
I've checked the relevant sites-enabled file, and realised I was missing a " } ". Now internally the reverse proxying works.
However, now the test by Juergen responds with

Restarting the router. I can't find anything further to edit in its interface. -.-


#10

Hi,

Could you please check if the port forwarding is correctly configured?

e.g. Port 80/443 on your router are forwarded onto rpi port, and nginx is listening on that port too?
Because currently, the port is “not listening” instead of filtered, which means the port might be forwarded to the rpi but rpi is not listening to the port.

Thank you


#11

So… nginx on the rpi isn't listening on 443, only 80. Do I need to change that in order for the certificate to be issued?

In my NGINX configuration I have (filtering only the relevant location)

server {
    listen      80;
    server_name mydomain_or_myip;

    # serve certbot's http-01 token files from the webroot given with -w
    location /.well-known/acme-challenge/ {
        root /var/www/mydomain;    # the 'root' directive was missing on this line
    }
}

That should direct /.well-known/acme-challenge/ to the /var/www/mydomain/ subfolder when a request comes in on 80.

The other location I have in the same file correctly listens on 80 from the LAN, performs user authentication and works as a reverse proxy pointing to my smarthome system, so I'd say the rpi is listening on 80.

However, if I try to access it from outside my LAN (say on LTE) - nothing. So my guess is that something in the router doesn't work as described… also the fact that the behaviour changed without changing any setting doesn't comfort me.


#12

If you have such a result with

ConnectFailure - Unable to connect to the remote server

Certbot can’t work. The normal answer fetching the /.well-known/acme-challenge - directory is a http status 404 - not found.

You have a router and a rpi. Does your rpi have its own firewall, iptables or something else?

PS: What’s that?

Why do you want to redirect /.well-known/acme-challenge?


#15

I have not explicitly installed or configured iptables on the rpi.
I don't think it comes preinstalled.

The best I can do to explain what I am doing is point you to what I've followed so far. I am hoping it's not against forum rules to post any of the following; if so, just say it and I'll remove it, or mods can do it with no ill feelings.
This is what I am trying to accomplish:

for certbot I followed

and

https://backports.debian.org/Instructions/

And thats where i am at.


#16

Hi @rg305

the bookza-thread is there:


#17

…so was the bookiza thing a mistake or something I have to study?

I read yesterday about someone having issues with IPv6 in the issuing of certificates; IPv6 just happens to be a completely unknown field to me…

//no need to answer. i see you have copypasted them over.
Thank you for your efforts so far peeps :slight_smile:


#18

Disregard. I posted it in the wrong thread.


#19

Ipv6 isn’t your problem, you don’t have an ipv6 - address.

You have two things:

  • Your server answers with a ConnectFailure - Unable to connect to the remote server, so Letsencrypt can’t check your file
  • webroot is normally very simple: The webroot is defined in the configuration file (sample /var/www/domain), so Certbot creates the two subdirectories /var/www/domain/.well-known/acme-challenge and creates the validation file there.

But if you have such a location definition, it may be more complicated.

But first you have to find a solution to the ConnectFailure - problem.
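The mapping described in #2 and #19 can be checked by hand before running certbot: put a file where certbot would put it, then fetch it the way Let's Encrypt would. The following is an added Python example, not certbot's, nginx's or the forum's own code; it writes a constructed token file under the webroot, fetches it over plain http without following redirects, and also confirms that a missing token gives the 404 mentioned in #12 rather than a redirect or a proxied page. The domain and webroot defaults are the ones from this thread; `base_url` is this example's own parameter for pointing the check at a LAN address or a test server instead of public DNS.

```python
"""Self-test for the certbot --webroot mapping explained in posts #2 and #19:
certbot writes a token file under <webroot>/.well-known/acme-challenge/ and
Let's Encrypt fetches http://<domain>/.well-known/acme-challenge/<token> on port 80.
Added example (not certbot's, nginx's or the forum's code): it places its own
constructed token file the same way and fetches it, so a wrong nginx `root`, a -w
path that does not match the vhost, a redirect, or a dead port forward shows up
before certbot is run."""
import secrets
import urllib.error
import urllib.request
from pathlib import Path

CHALLENGE_DIR = ".well-known/acme-challenge"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """The validator must get the file at the plain http URL; a 301 to https or
    to a login page is a failure here, so redirects are reported, not followed."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def place_token(webroot):
    """Mimic the certbot webroot plugin: create the two subdirectories and a
    random file whose content is the token plus a constructed marker."""
    token = secrets.token_urlsafe(32)
    d = Path(webroot) / CHALLENGE_DIR
    d.mkdir(parents=True, exist_ok=True)
    (d / token).write_text(f"{token}.self-test\n")
    return token


def fetch(url, timeout=10):
    """Return (status, body) for a GET without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as r:
            return r.status, r.read().decode(errors="replace")
    except urllib.error.HTTPError as e:     # 3xx/4xx/5xx still carry a status
        return e.code, e.read().decode(errors="replace")


def check_webroot(domain, webroot, base_url=None):
    """Return a list of findings; an empty list means the mapping works as certbot needs.
    base_url (assumed parameter) lets you test a LAN address or a local test server."""
    base = base_url or f"http://{domain}"
    findings = []
    token = place_token(webroot)
    try:
        status, body = fetch(f"{base}/{CHALLENGE_DIR}/{token}")
        if status != 200:
            findings.append(f"expected 200 for the placed token, got {status}: "
                            f"check that the location block has 'root {webroot};'")
        elif token not in body:
            findings.append("got 200 but not the token file: another vhost or the proxy answered")
        status, _ = fetch(f"{base}/{CHALLENGE_DIR}/missing-{token}")
        if status != 404:
            findings.append(f"expected 404 for a missing token, got {status}: "
                            "the path is redirected or caught by another location")
    except OSError as e:                     # URLError, refused, timeout
        findings.append(f"cannot reach {base}: {getattr(e, 'reason', e)} "
                        "(port forward, firewall or DNS, see the ConnectFailure posts)")
    finally:
        (Path(webroot) / CHALLENGE_DIR / token).unlink(missing_ok=True)
    return findings


if __name__ == "__main__":
    problems = check_webroot("brandolin1.homepc.it", "/var/www/mydomain")
    print("OK: webroot mapping works" if not problems else "\n".join(problems))
```

Run it as the user that owns the webroot (or with sudo) on the rpi, but from a host outside the LAN when you want to test the router path as well; inside the LAN, pass `base_url="http://<rpi-lan-ip>"` to check only the nginx side.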


#20

actual finding:
My router does not update the IP at the dyndns service on reboot. In fact I have no way to schedule its refreshes. What a brilliant firmware! :no_good_man:

Hence the behaviour change without a change in settings.
I'll install the client on my rpi to solve this and gain control over refresh timing.

AND
I can finally access my smarthome’s dashboard (after authentication, tho still in http, no ssl) from outside my lan

so…

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/brandolin1.homepc.it/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/brandolin1.homepc.it/privkey.pem

The issue was the router indeed: first it wasn't applying the changes to firewall ports and NAT forwarding and I had to reboot it a few times to get it to work, only to then not have the DNS record refreshed…
So many hours for something so simple.

Thank you guys :smiley:


#21

Happy to read that.

Yep, if your server sends a 404 checking

http://brandolin1.homepc.it/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de

the ConnectFailure - problem is solved.

If the site is private, you can ignore the 401 - error (root).