Help! Challenge failed for domain oleum.net

My domain is:
oleum.net
I ran this command:
sudo certbot certonly --webroot
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter ‘c’
to cancel): oleum.net
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for oleum.net
Input the webroot for oleum.net: (Enter ‘c’ to cancel): /var/www/oleum.net/
Waiting for verification…
Challenge failed for domain oleum.net
http-01 challenge for oleum.net
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: oleum.net
    Type: connection
    Detail: Fetching
    http://oleum.net/.well-known/acme-challenge/9uvWJo0yrZRBhA9mNGnxLMSsFJDxW-keXHvTnF21wZQ:
    Connection refused

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

Note: A record updated at 1and1 this afternoon, several hours ago. I can ssh in with a key from a machine on a different fixed IP using ssh username@oleum.net, so it looks like the domain name is resolving to the IP address.

My web server is (include version):
apache2
The operating system my web server runs on is (include version):
ubuntu 20.0.4 LTS
My hosting provider, if applicable, is:
hosted on fixed ip on network behind a linksys router
DMZ enabled and running ufw (enabled, but disabled when tested)
I can login to a root shell on my machine (yes or no, or I don’t know):
user elevated (sudo)
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 1.7.0

Also … https://letsdebug.net/oleum.net/267437
which is green!
oleum.net in my browser (firefox) is fine.
Any ideas?

2 Likes

GeoLocation blocking.

curl -Iki http://oleum.net/
curl: (7) Failed to connect to oleum.net port 80: Connection refused
2 Likes

Well, looks like not listening to me.

3 Likes

Must be something else.

A few minutes earlier - I could fetch a result:

D:\temp>download http://oleum.net/.well-known/acme-challenge/9uvWJo0yrZRBhA9mNGnxLMSsFJDxW-keXHvTnF21wZQ -h
SystemDefault
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Length: 271
Content-Type: text/html; charset=iso-8859-1
Date: Sun, 23 Aug 2020 18:36:26 GMT
Server: Apache/2.4.41 (Ubuntu)

Status: 404 NotFound

133,14 milliseconds
0,13 seconds

Now:

D:\temp>download http://oleum.net/.well-known/acme-challenge/9uvWJo0yrZRBhA9mNGnxLMSsFJDxW-keXHvTnF21wZQ -h
SystemDefault
ConnectFailure
3
Es konnte keine Verbindung hergestellt werden, da der Zielcomputer die Verbindung verweigerte 78.143.193.253:80

2324,57 milliseconds
2,32 seconds

Looks like a spam filter.

3 Likes

Yes, something has definitely changed.
I got a green on the lets debug page initially. I took the firewall down for a while. Previously I'd only opened apache and ssh on a different port with key login only; now I get a bunch of red.

2 Likes

Let's go see if I have something set at ionos.
brb

3 Likes

I had a spam filter set up on an email username@oleum.net in my ionos control panel. The server is not with ionos btw.

1 Like

So are you running any kind of IPS or WebFilter (or such)?

2 Likes

Well, I took down the firewall and STARTED apache. Connected and…
Plugins selected: Authenticator webroot, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter ‘c’
to cancel): oleum.net
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for oleum.net
Input the webroot for oleum.net: (Enter ‘c’ to cancel): /var/www/oleum.net/html
Waiting for verification…
Cleaning up challenges
Subscribe to the EFF mailing list (email: oleum@oleum.net).

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/oleum.net/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/oleum.net/privkey.pem
    Your cert will expire on 2020-11-21. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    “certbot renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

So it looks solved?
I guess I'd better test that it works now.

3 Likes

Not if you have to bring down the firewall every time you need to renew your cert.
[well at least not in my book]

That’s called a “work-around” - which merely sidesteps the problem.

2 Likes

The firewall made no difference; it was because I had apache2 down, I think.
UFW is up now, and I get a green on the lets debug page.
I'll be back in a few months if it won't renew 🙂
Now how do I test if it works?

2 Likes

Much better now… but there are still some issue(s):

curl -Iki http://www.oleum.net/
HTTP/1.1 403 Forbidden
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'self'
Content-Type: text/html; charset="utf-8"
Content-Length: 2931
Connection: Close

curl -Iki http://oleum.net/.well-known/acme-challenge/9uvWJo0yrZRBhA9mNGnxLMSsFJDxW-keXHvTnF21wZQ:
HTTP/1.1 403 Forbidden
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'self'
Content-Type: text/html; charset="utf-8"
Content-Length: 2998
Connection: Close
2 Likes

If your Apache is down, a timeout is expected. There is no need to think about firewalls or something else.

Using webroot -> the webserver has to run.

3 Likes

@JuergenAuer runs a very nice public tool that can tell you much about your site.

You can also simulate a renewal with the --dry-run option.

3 Likes
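A pre-flight check for the two points made above (with the webroot plugin the web server must be listening on port 80, and a renewal can be rehearsed before the real one), as an added example that is not from the thread or from certbot. It assumes curl is installed and that Apache serves DOMAIN from WEBROOT; the domain and webroot defaults are the thread's values, everything else is constructed.

```shell
#!/bin/sh
# Pre-flight check for an http-01 webroot challenge. Added example, not code
# from the thread or from certbot. Assumes Apache serves DOMAIN from WEBROOT
# on port 80 and that curl is installed; DOMAIN/WEBROOT are the thread's values.
DOMAIN="${DOMAIN:-oleum.net}"
WEBROOT="${WEBROOT:-/var/www/oleum.net/html}"

# Turn one fetch result (curl exit code, HTTP status, whether the body matched)
# into a one-line diagnosis. Each outcome below appears in the thread:
# curl exit 7 is the "Connection refused" certbot reported, 404 is the earlier
# Apache response, 403 is what the later curl -I showed for /.well-known.
diagnose() {
  curl_rc="$1"; http_status="$2"; body_ok="$3"
  if [ "$curl_rc" -eq 7 ]; then
    echo "refused: nothing listens on port 80 (web server down, or router/ufw not passing the port)"
  elif [ "$curl_rc" -eq 28 ]; then
    echo "timeout: port 80 is filtered, the validator would time out too"
  elif [ "$curl_rc" -ne 0 ]; then
    echo "error: curl exit $curl_rc (DNS or network problem before any HTTP)"
  elif [ "$http_status" = 403 ]; then
    echo "forbidden: Apache denies /.well-known/acme-challenge under $WEBROOT"
  elif [ "$http_status" = 404 ]; then
    echo "notfound: $WEBROOT is not the DocumentRoot Apache serves for $DOMAIN"
  elif [ "$http_status" = 200 ] && [ "$body_ok" = yes ]; then
    echo "ok: challenge files under $WEBROOT are reachable at http://$DOMAIN/"
  elif [ "$http_status" = 200 ]; then
    echo "mismatch: 200 but a different body, another site or host answered for $DOMAIN"
  else
    echo "unexpected: HTTP $http_status"
  fi
}

# Drop a throwaway token into the webroot, fetch it through the public name
# the way the Let's Encrypt validator would, then clean up.
probe() {
  dir="$WEBROOT/.well-known/acme-challenge"
  token="preflight-$(date +%s)-$$"
  mkdir -p "$dir" && printf '%s' "$token" > "$dir/$token" || {
    echo "error: cannot write to $dir"; return 1; }
  tmp=$(mktemp)
  status=$(curl -s -m 10 -o "$tmp" -w '%{http_code}' \
    "http://$DOMAIN/.well-known/acme-challenge/$token")
  rc=$?
  body_ok=no; [ "$(cat "$tmp")" = "$token" ] && body_ok=yes
  rm -f "$tmp" "$dir/$token"
  diagnose "$rc" "$status" "$body_ok"
}

# Run the live probe only when asked, so the functions can be sourced safely.
if [ "${1:-}" = "--run" ]; then probe; fi
```

Run it with `--run` on the server before `certbot renew --dry-run`; an "ok" line means the validator can reach the challenge directory, anything else names what to fix first.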

So all is good, I believe, except I'm not sure where these files have to go and what I need in my /etc/apache2/sites-available/my.site.conf file to enable them to be discovered.
I've looked around a while, thought someone might know and save me a lot of time.
TIA

2 Likes

I am not exactly sure of all of the idiosyncrasies of your configuration. Am I correct in assuming that you used certonly because you didn’t want certbot to try to enable https and install your cert for you? If not, you could use certbot install.

1 Like

Have a look at the a2ensite and a2dissite commands; they come with an Apache install and enable/disable sites.
The idea is that you can have multiple sites in conf/sites-available and enable them by symlinking to conf/sites-enabled.
I tend to use this quite often nowadays, even after thinking that I am a one-site-per-person type of guy 🙂

The certificates+keys go in the letsencrypt-installed directories and your Apache conf (my-site.conf or whatever you call it) references them.

I also find it a bit annoying that letsencrypt needs http (for cert-renewal) in order to enable https (someone correct me if I am wrong) - I use a cronjob to remap 80 to my apache for cert-renewal and to another server during daytime.
Anyway, my ionos firewall has port 80 open all the time.

1 Like
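Following the sites-available/a2ensite advice above, an added example (not the poster's own configuration) that writes and enables such a site file. It references the fullchain.pem and privkey.pem paths certbot printed earlier in the thread, keeps the acme-challenge directory reachable over plain HTTP so renewals still work after everything else redirects to HTTPS, and refuses to enable the site if those files are missing; the site file name and the use of mod_rewrite are assumptions.

```shell
#!/bin/sh
# Generate and enable an Apache site that serves the http-01 challenge
# directory over plain HTTP and everything else over HTTPS. Added example,
# not the thread's config; DOMAIN, WEBROOT and the /etc/letsencrypt/live
# paths are the thread's values, the site file name is an assumption.
DOMAIN="${DOMAIN:-oleum.net}"
WEBROOT="${WEBROOT:-/var/www/oleum.net/html}"
LIVE="/etc/letsencrypt/live/$DOMAIN"

# Print the vhost pair. Port 80 stays reachable for /.well-known/acme-challenge
# (explicitly granted, so it cannot return the 403 seen earlier in the thread).
render_vhost() {
  cat <<EOF
<VirtualHost *:80>
    ServerName $DOMAIN
    DocumentRoot $WEBROOT
    <Directory "$WEBROOT/.well-known/acme-challenge">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</VirtualHost>
<VirtualHost *:443>
    ServerName $DOMAIN
    DocumentRoot $WEBROOT
    SSLEngine on
    SSLCertificateFile $LIVE/fullchain.pem
    SSLCertificateKeyFile $LIVE/privkey.pem
</VirtualHost>
EOF
}

# Refuse to enable the site if the certbot output files are missing, so Apache
# does not fail to start on a dangling SSLCertificateFile.
certs_present() {
  [ -r "$LIVE/fullchain.pem" ] && [ -r "$LIVE/privkey.pem" ]
}

# Write the site file, enable the needed modules and site, validate, reload.
apply_vhost() {
  certs_present || { echo "missing $LIVE/fullchain.pem or privkey.pem"; return 1; }
  render_vhost > "/etc/apache2/sites-available/$DOMAIN.conf"
  a2enmod ssl rewrite && a2ensite "$DOMAIN.conf" && apachectl configtest \
    && systemctl reload apache2
}
if [ "${1:-}" = "--apply" ]; then apply_vhost; fi
```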

Thanks, I finally gave up before, restarting on a fresh install. I do have port 80 open right now anyway.

1 Like