Having trouble getting LetsEncrypt certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: bentopdf.duckdns.org

I ran this command (in the container): certbot certonly --config /etc/letsencrypt.ini --work-dir /tmp/letsencrypt-lib --logs-dir /data/logs --cert-name npm-5 --agree-tos --authenticator webroot -m jrdurham9@gmail.com --preferred-challenges http --domains bentopdf.duckdns.org

It produced this output: Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:

Identifier: bentopdf.duckdns.org

Type: connection

Detail: 172.127.133.86: Fetching http://bentopdf.duckdns.org/.well-known/acme-challenge/5nzcNujS0wkzq14FdQv2jNUn2S-yoQwTtFPVqwRx8to: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /data/logs/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): QNAP TS-464

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 5.3.1

I use an Asus RT-AC86U router. I've installed Pi-hole on a Raspberry Pi 3 and I'm also using Tailscale. I have disabled both Pi-hole and Tailscale and still get the same output. I've opened up ports 80 & 443 on the router and can see the ports are open via the global IP address, but they are still closed on the local network. I've been trying to get Nginx Proxy Manager up and running for the last week with no success and don't know what to do going forward. Any help would be much appreciated.

That error's pretty self-explanatory, isn't it? Let's Encrypt needs to be able to connect to your server from the public Internet on port 80. It isn't able to do so. Neither am I. Neither is letsdebug.net. The most likely reason for this, as the message tells you, is some kind of firewall is blocking access to port 80 from the outside.

This isn't your problem, but I'd really recommend using just about anything else as your reverse proxy (I personally favor Caddy).
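A self-check for the HTTP-01 webroot flow, added here as an example; it is not code from this thread, from certbot or from Caddy. It reproduces what certbot's webroot authenticator does (write a token file under the webroot) and what the CA does (fetch that file over plain HTTP, no TLS, on port 80), and it classifies the failure the way the error above does: timeout, connection refused, or a 404 because the wrong server or wrong --webroot-path answered. To run offline it stands up a throwaway HTTP server on an ephemeral loopback port in place of port 80 on the NAS; the webroot directories, the key-authorization body and the port numbers are constructed for the demo, and only the token string is taken from the certbot output above.

```python
import functools
import http.server
import socket
import tempfile
import threading
import urllib.error
import urllib.request
from pathlib import Path

ACME_DIR = ".well-known/acme-challenge"


def write_challenge(webroot, token, key_authorization):
    """What certbot's webroot authenticator does: create
    <webroot>/.well-known/acme-challenge/<token> holding the key authorization."""
    target = Path(webroot) / ACME_DIR
    target.mkdir(parents=True, exist_ok=True)
    path = target / token
    path.write_text(key_authorization)
    return path


def fetch_challenge(host, token, port=80, timeout=5.0):
    """Fetch the token the way the CA's validation does: plain HTTP (no TLS) on
    the port the public hostname is forwarded to. The 'detail' strings mirror
    the classes of 'Type: connection' errors certbot reports."""
    url = f"http://{host}:{port}/{ACME_DIR}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return {"ok": True, "status": resp.status, "url": url,
                    "body": resp.read().decode()}
    except urllib.error.HTTPError as err:
        return {"ok": False, "status": err.code, "url": url,
                "detail": f"HTTP {err.code}: port reachable, but the answering "
                          f"server does not serve this --webroot-path"}
    except (urllib.error.URLError, OSError) as err:
        reason = getattr(err, "reason", err)
        if isinstance(reason, (TimeoutError, socket.timeout)):
            detail = "Timeout during connect (likely firewall problem)"
        elif isinstance(reason, ConnectionRefusedError):
            detail = "Connection refused: forwarded to a port nothing listens on"
        else:
            detail = f"Connection error: {reason}"
        return {"ok": False, "status": None, "url": url, "detail": detail}


class QuietHandler(http.server.SimpleHTTPRequestHandler):
    """Static file server standing in for the web server behind port 80."""

    def log_message(self, *args):
        pass  # keep the demo output clean


def serve_webroot(webroot, host="127.0.0.1"):
    """Start a throwaway server on an ephemeral loopback port serving `webroot`."""
    handler = functools.partial(QuietHandler, directory=str(webroot))
    server = http.server.ThreadingHTTPServer((host, 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def free_port(host="127.0.0.1"):
    """A port with no listener, to reproduce a forward that lands nowhere."""
    with socket.socket() as sock:
        sock.bind((host, 0))
        return sock.getsockname()[1]


def self_test():
    """Constructed run: correct webroot, wrong webroot, and no listener at all."""
    webroot = tempfile.mkdtemp(prefix="webroot-")
    other_root = tempfile.mkdtemp(prefix="wrong-root-")
    token = "5nzcNujS0wkzq14FdQv2jNUn2S-yoQwTtFPVqwRx8to"  # token from the thread's certbot output
    write_challenge(webroot, token, token + ".constructed-key-authorization")
    good_srv, good_port = serve_webroot(webroot)
    wrong_srv, wrong_port = serve_webroot(other_root)
    try:
        return {
            "good": fetch_challenge("127.0.0.1", token, port=good_port, timeout=3),
            "wrong_root": fetch_challenge("127.0.0.1", token, port=wrong_port, timeout=3),
            "refused": fetch_challenge("127.0.0.1", token, port=free_port(), timeout=3),
        }
    finally:
        for srv in (good_srv, wrong_srv):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    for case, result in self_test().items():
        print(f"{case:>10}: ok={result['ok']} {result.get('status')} {result.get('detail', '')}")
```

To use it for real, call fetch_challenge with the public hostname and port 80 from a machine outside your LAN (or let letsdebug.net do the same thing): a successful fetch from inside the LAN says nothing about the router's forward, which is why "open via the global IP but closed on the local network" does not settle the question. A 404 means the port is reachable but the wrong server or the wrong --webroot-path answered; "refused" means the forward lands on a port nothing listens on; a timeout is what Let's Encrypt reported above and points at a firewall or a missing forward.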

OK, I'm trying to get Caddy installed. I've gotten ports 80 & 443 open and letsdebug.net sees them as open as well. Port 80 is already in use by Apache, so I've changed to port 86 (86:80). Port 80 is being used inside the container. I can see Caddy is running, but I'm not able to access it using my domain name (bentopdf.duckdns.org). What am I doing wrong?

You might have mixed up the local and external port, as I can access Caddy using http://bentopdf.duckdns.org:86/

I somehow did something so that I now can't access Caddy anymore... any ideas why?

Will Caddy work with the external ports not being 80 & 443? My main purpose in using a reverse proxy is TLS, HTTP to HTTPS.

It will work, but it won't be able to get certificates the way it would ordinarily try to do.

As that's from DDNS: your router may get hold of port 80/443. Can you move out of it?

You've lost me! I'm not sure what you're saying.

The question is: Over which port(s) do you manage the router?
[if it is using 80/443, then it may conflict with the required forwarding]

The statement implies that perhaps the router is the one doing the DDNS registration and that is why its use of ports 80/443 is presumed.

I believe my router uses the default ports. I haven't changed them. When I try to use ports 80 & 443 for Caddy I get a message indicating port 80 is already in use, and I've determined that Apache uses port 80. What are the options for making port 80 available for Caddy?

Someone suggested I kill Apache, but when I did it restarted. I can't be the only one having this issue, but I can't seem to find a way to resolve it. When the instructions for Caddy indicate ports 80 & 443 are necessary, is that internal or external ports, or both?
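The first step before moving anything is to see exactly which process holds port 80 and on which address each listener is bound. The helper below parses `ss -ltnp` output for that; it is example code written for this thread, not from certbot, Caddy or QNAP, and it assumes iproute2's ss is available on the NAS. The sample output, process names and PIDs are constructed for the demo and are not from the poster's machine.

```python
import re
import subprocess

# Constructed sample of `ss -ltnp` output (iproute2 column layout). The
# process names, PIDs and ports are made up for the demo.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128           0.0.0.0:80          0.0.0.0:*      users:(("httpd",pid=4321,fd=4),("httpd",pid=4320,fd=4))
LISTEN  0       4096          0.0.0.0:86          0.0.0.0:*      users:(("docker-proxy",pid=5120,fd=4))
LISTEN  0       128              [::]:22             [::]:*      users:(("sshd",pid=900,fd=3))
LISTEN  0       4096        127.0.0.1:8080        0.0.0.0:*      users:(("caddy",pid=6001,fd=8))
"""

PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def parse_ss(output):
    """Parse `ss -ltnp` lines into {addr, port, procs: [(name, pid), ...]}.
    Lines without a Process column (ss run without root) yield procs=[]."""
    listeners = []
    for line in output.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        addr, _, port = cols[3].rpartition(":")   # rpartition copes with [::]:22
        procs = [(name, int(pid)) for name, pid in PROC_RE.findall(line)]
        listeners.append({"addr": addr, "port": int(port), "procs": procs})
    return listeners


def who_holds(output, port):
    """Processes listening on `port` on any address; [] means the port is free."""
    return [p for entry in parse_ss(output) if entry["port"] == port
            for p in entry["procs"]]


def loopback_only(output, port):
    """True if every listener on `port` is bound to loopback only, i.e. it can
    be reached from the NAS itself but not by a forward coming from the router."""
    entries = [e for e in parse_ss(output) if e["port"] == port]
    return bool(entries) and all(e["addr"] in ("127.0.0.1", "[::1]") for e in entries)


def live_listeners():
    """Same parse against the real host (assumes `ss` is installed; run as root
    so the Process column is populated)."""
    out = subprocess.run(["ss", "-ltnp"], capture_output=True, text=True,
                         check=True).stdout
    return parse_ss(out)


if __name__ == "__main__":
    for port in (80, 86, 443, 8080):
        print(port, who_holds(SAMPLE_SS, port) or "free",
              "(loopback only)" if loopback_only(SAMPLE_SS, port) else "")
```

On the question of internal versus external ports: for Caddy's automatic HTTPS the CA has to reach the host on the public side on 80 (HTTP-01) and 443 (TLS-ALPN-01), so the router's external ports must be 80 and 443. Which host port they forward to is up to you: a router rule that forwards external 80 to the NAS on 86 together with the `86:80` container mapping from earlier in the thread would let Apache keep host port 80, provided the router supports different external and internal ports. A process that comes back after being killed is being restarted by the NAS's service manager, so the alternative is to reconfigure that service rather than kill it.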