How to configure a port as filtered on server

Hi! I'm having trouble installing an SSL certificate with my server. It appears to be a firewall issue. I've looked through other discussions on similar problems, but I don't quite understand them and am unsure how to proceed. I tried running my domain in https://letsdebug.net/ but it fails. This is exactly what I get:

Domain: dev.helpdesk2.dilc.info
Type: connection
Detail: 202.92.129.253: Fetching http://dev.helpdesk2.dilc.info/.well-known/acme-challenge/bcWYQVvp7zxMtwnD8-ryG4OkeWfSA-KtPyjgpin1bJE: Timeout during connect (likely firewall problem)

Domain: www.dev.helpdesk2.dilc.info
Type: dns
Detail: DNS problem: NXDOMAIN looking up A for www.dev.helpdesk2.dilc.info - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for www.dev.helpdesk2.dilc.info - check that a DNS record exists for this domain

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

My domain is: X

I ran this command: certbot --nginx

My web server is (include version): nginx/1.26.2

The operating system my web server runs on is (include version): Ubuntu 22.04.4

My hosting provider, if applicable, is: X

I can login to a root shell on my machine (yes or no, or I don't know): idk

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.21.0

Thank you !

2 Likes

Running a dig for A and AAAA records for www.dev.helpdesk2.dilc.info produces no results.

3 Likes

Sorry, I changed it. dev.helpdesk2.dilc.info is the correct one.

1 Like

What are the exact (sub)domain names for which you are trying to acquire a certificate?

2 Likes

dev.helpdesk2.dilc.info

1 Like

Is that the only one?

Not www.dev.helpdesk2.dilc.info too?

3 Likes

Yes, it is.

1 Like

No, not www.dev.helpdesk.dilc.info. The correct one is dev.helpdesk.dilc.info.

1 Like

What is the output of this command?

sudo certbot certificates

3 Likes

I get this:

The following error was encountered:

[Errno 13] Permission denied: '/var/log/letsencrypt/.certbot.lock'

Either run as root, or set --config-dir, --work-dir, and --logs-dir to writeable paths.

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/tmpgh9lols9/log or re-run Certbot with -v for more details.

1 Like

Sorry, I ran the command without sudo. This is what I get:

2 Likes

I adjusted the command. Try it with sudo.

2 Likes

With commands, please copy and paste the outputs rather than posting screenshots. No worries for the screenshot you've already posted. 🙂

4 Likes

What is the output of this command?

sudo certbot certonly --nginx -d dev.helpdesk2.dilc.info --dry-run

3 Likes

I get the same result:

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: dev.helpdesk2.dilc.info
Type: connection
Detail: 202.92.129.253: Fetching http://dev.helpdesk2.dilc.info/.well-known/acme-challenge/cHqDxuKn0yPMBW5xjGhoafVWcVWzQE-g4yAO0WKUcdA: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

1 Like

That problem report usually indicates exactly what it says: your server is unreachable for that domain name over port 80. Correcting that is usually a matter of adjusting your firewall using the documentation available online for your firewall. Others here might have more specific knowledge given your configuration.

4 Likes

Is your server at the university? If so, can you contact your university network support? They will probably be able to help you.

4 Likes

Yes, it is. However, I'd like to resolve this issue as much as possible without needing to coordinate with them. I've previously installed an SSL certificate on the same server without any problems, so I’m curious as to why it’s not working now haha

Recently? 🙂 And by using an HTTP challenge? (Like you are with the --nginx option.)

Because HTTP requests to your domain using port 80 are being blocked by something. This is usually a firewall and could be anywhere on your premises or on your server. On your server itself it could be something like ufw or fail2ban. In fact, I see all your ports blocked from my own test server in the USA.

The Let's Debug site is very helpful to test communications problems like this. Keep clicking Rerun Test after you make config changes until it says OK. Then try getting a cert again.

You could also try making an HTTP request to that domain from the public internet on your own, such as from a mobile phone with Wi-Fi disabled, so that it uses your carrier's public network. Try opening http://(domain) in a browser (explicitly with http://). If that works but Let's Debug fails, it might be a geography-based firewall.

What was the domain you got a cert for successfully? If that was also with Certbot, what does sudo certbot renew --dry-run say? That is just a test; it will not modify any existing production certs.

4 Likes
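An added example, not written by anyone in this thread: a small Python checker that does what Let's Debug does for the HTTP-01 challenge. It resolves the name, attempts a TCP connect on port 80 and, if that succeeds, fetches the /.well-known/acme-challenge/ path, and it tells "filtered" (connect timeout, SYN silently dropped by a firewall) apart from "closed" (connection refused, nothing listening). The stub listener, the unused-port helper and the token string are constructed for a local demonstration only.

```python
import http.client
import socket
import threading

def classify_tcp(host, port=80, timeout=5.0):
    """One TCP connect; returns (state, detail) in port-scanner terms."""
    try:
        family, _, _, _, addr = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0]
    except socket.gaierror as exc:  # the thread's "NXDOMAIN looking up A/AAAA" case
        return "unresolved", f"DNS lookup failed: {exc}"
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect(addr)
        return "open", f"connected to {addr[0]}"
    except socket.timeout:  # SYN silently dropped: "filtered", certbot's
        return "filtered", "no reply within timeout (likely firewall problem)"
    except ConnectionRefusedError:  # RST came back: host up, nothing listening
        return "closed", "connection refused"
    except OSError as exc:  # e.g. ICMP "No route to host" from a router or REJECT rule
        return "unreachable", str(exc)
    finally:
        sock.close()

def fetch_challenge(host, token, port=80, timeout=5.0):
    """GET the HTTP-01 path certbot publishes; returns the HTTP status code."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.request("GET", f"/.well-known/acme-challenge/{token}")
    status = conn.getresponse().status
    conn.close()
    return status

def unused_local_port():
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        probe.bind(("127.0.0.1", 0))  # nothing listens here after close: "closed"
        return probe.getsockname()[1]

def start_stub_listener():
    """Constructed stand-in for nginx on 127.0.0.1: answers every request with 404."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                if conn.recv(4096):
                    conn.sendall(b"HTTP/1.0 404 Not Found\r\nContent-Length: 0\r\n\r\n")
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Pointed at a public host from outside the campus network, a "filtered" result for port 80 is the same condition Let's Debug reports as "Timeout during connect", while "closed" means the firewall is fine and nginx is simply not listening.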

Unfortunately, the domain for which I successfully obtained the certificate no longer exists. The IP address associated with the domain or my virtual machine was either damaged or destroyed, so I had to switch to a different one. The previous domain was helpdesk.dilc.info. I've encountered a similar issue before and raised it here as well; the problem at that time was that I was using a private address to connect, which prevented the SSL certificate from being obtained. However, it worked after switching to a public address. And the command I ran before, I think, was certbot --nginx?

Anyway, thank you for your help. I'll look into this further and maybe coordinate with our administrator. 🙂

3 Likes