How to use --manual-auth-hook with Google DNS?

Ok, so we need to ensure the ISP is allowing port 80 to reach your VPN.

4 Likes

You hit the nail on the head. My ISP is blocking port 80. Mystery solved. Now, how the heck do I get certbot working with auto-renewal and without any port 80 permissions?

Well... there are only three challenge types:

  • HTTP-01
  • DNS-01
  • TLS-ALPN-01

HTTP is the simplest but it's being blocked by your ISP :frowning:
That leaves DNS and ALPN.
Automating DNS authentication is not simple and might not even be possible with your current DSP.
So...
That points us at TLS-ALPN-01 as our next choice.
Since you don't have a web server on the VPN [don't need one - don't get one], we will have to use an ACME client that supports TLS-ALPN-01 challenge type in a --standalone setting.

4 Likes

The first ACME client that comes to my mind [that fits that bill] is:
GitHub - acmesh-official/acme.sh: A pure Unix shell script implementing ACME client protocol

The idea is the same as:
certbot certonly --standalone -d your.domain
It will just be set to use TLS-ALPN-01 instead of HTTP-01 authentication.
[which uses port 443 instead of port 80]
acme.sh --issue --alpn -d your.domain

4 Likes

@rg305, thank you very much for the help. Getting past bedtime, so I will pick this up tomorrow and let you know how it goes.

As a side note, I connected the server to nordvpn and then was able to get a certificate without any problems. However, I tested cert renewal and that failed. Any idea why I might be able to get a cert but a dry run of renewal fails?

Thanks again.

1 Like

What command did you run to get a cert?

4 Likes

sudo certbot certonly --standalone

You must have obtained a static IP through the VPN.
And you must have also modified the IP address in DNS to match.
OR
Something very unexpected has occurred.

4 Likes

You seem to have Cox as ISP. Perhaps Internet Ports Blocked or Restricted by Cox can shed some light on the situation. Unfortunately, Cox is blocking my request to that page, so I can't read it myself... :roll_eyes:

4 Likes

I just tried the acme.sh script and received the output below. Any thoughts on why it failed?

scotth@FW6E: ./acme.sh --issue --alpn -d vpn.blackknightgroup.dev
[Tue Dec 27 12:16:24 AM MST 2022] Using CA: https://acme.zerossl.com/v2/DV90
[Tue Dec 27 12:16:24 AM MST 2022] Standalone alpn mode.
[Tue Dec 27 12:16:25 AM MST 2022] Create account key ok.
[Tue Dec 27 12:16:25 AM MST 2022] No EAB credentials found for ZeroSSL, let's get one
[Tue Dec 27 12:16:34 AM MST 2022] Registering account: https://acme.zerossl.com/v2/DV90
[Tue Dec 27 12:16:50 AM MST 2022] Registered
[Tue Dec 27 12:16:51 AM MST 2022] ACCOUNT_THUMBPRINT='6zaD4agG2PDaNMybI7AYTU_upnURJFreK96kR6NsbQw'
[Tue Dec 27 12:16:51 AM MST 2022] Creating domain key
[Tue Dec 27 12:16:51 AM MST 2022] The domain key is here: /home/scotth/.acme.sh/vpn.blackknightgroup.dev/vpn.blackknightgroup.dev.key
[Tue Dec 27 12:16:51 AM MST 2022] Single domain='vpn.blackknightgroup.dev'
[Tue Dec 27 12:16:51 AM MST 2022] Getting domain auth token for each domain
[Tue Dec 27 12:17:07 AM MST 2022] Getting webroot for domain='vpn.blackknightgroup.dev'
[Tue Dec 27 12:17:07 AM MST 2022] Error, can not get domain token entry vpn.blackknightgroup.dev for tls-alpn-01
[Tue Dec 27 12:17:07 AM MST 2022] The supported validation types are: http-01 dns-01 , but you specified: tls-alpn-01
[Tue Dec 27 12:17:07 AM MST 2022] Please add '--debug' or '--log' to check more details.
[Tue Dec 27 12:17:07 AM MST 2022] See: How to debug acme.sh · acmesh-official/acme.sh Wiki · GitHub

Please do as suggested above. Currently there's too little info to say anything useful about it. Although:

I find this message very curious... No idea why it would say that.

5 Likes

Maybe ZeroSSL does not support ALPN?

@scotharr Try adding --server letsencrypt to the acme.sh command

6 Likes

MkeMcQ & Company,

I followed your advice to use letsencrypt and it ALMOST COMPLETED! Looks like the script almost completed with the error shown below.

Any ideas on why my server rejected it? My iptables output is shown below, but I think 443 is being allowed and has a few hits on the permit 443 line.

Thanks in advance.

./acme.sh --issue --server letsencrypt --alpn -d vpn.blackknightgroup.dev --debug

[Tue Dec 27 07:51:17 AM MST 2022] ok, let's start to verify
[Tue Dec 27 07:51:17 AM MST 2022] Verifying: vpn.blackknightgroup.dev
[Tue Dec 27 07:51:17 AM MST 2022] d='vpn.blackknightgroup.dev'
[Tue Dec 27 07:51:17 AM MST 2022] keyauthorization='3KHdLm1Vf47uXVON1BnvWj93vP1tYbrKPU3CzuM8gsY.j5EIiUb_-Y5TRJXeei7bxIkqU7D5G8uuItA-xLQMCI0'
[Tue Dec 27 07:51:17 AM MST 2022] uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/190385605687/pVeABA'
[Tue Dec 27 07:51:17 AM MST 2022] _currentRoot='alpn'
[Tue Dec 27 07:51:17 AM MST 2022] acmevalidationv1='eb5861167e32dcd5ee942c4ae18adff752a268199c6cd5580fa7c91daa2bff9b'
[Tue Dec 27 07:51:17 AM MST 2022] Starting tls server.
[Tue Dec 27 07:51:17 AM MST 2022] san_a='vpn.blackknightgroup.dev'
[Tue Dec 27 07:51:17 AM MST 2022] san_b
[Tue Dec 27 07:51:17 AM MST 2022] port='443'
[Tue Dec 27 07:51:17 AM MST 2022] acmeValidationv1='eb5861167e32dcd5ee942c4ae18adff752a268199c6cd5580fa7c91daa2bff9b'
[Tue Dec 27 07:51:17 AM MST 2022] Use length 2048
[Tue Dec 27 07:51:17 AM MST 2022] Using RSA: 2048
[Tue Dec 27 07:51:17 AM MST 2022] _createcsr
[Tue Dec 27 07:51:17 AM MST 2022] _signcsr
[Tue Dec 27 07:51:17 AM MST 2022] Certificate request self-signature ok
subject=CN = tls.acme.sh
[Tue Dec 27 07:51:17 AM MST 2022] Le_Listen_V4
[Tue Dec 27 07:51:17 AM MST 2022] Le_Listen_V6
[Tue Dec 27 07:51:17 AM MST 2022] openssl s_server -www -cert /home/scotth/.acme.sh/vpn.blackknightgroup.dev/tls.validation.cert -key /home/scotth/.acme.sh/vpn.blackknightgroup.dev/tls.validation.key -accept 443 -alpn acme-tls/1
[Tue Dec 27 07:51:18 AM MST 2022] serverproc='3058316'
[Tue Dec 27 07:51:18 AM MST 2022] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/190385605687/pVeABA'
[Tue Dec 27 07:51:18 AM MST 2022] payload='{}'
[Tue Dec 27 07:51:18 AM MST 2022] POST
[Tue Dec 27 07:51:18 AM MST 2022] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/190385605687/pVeABA'
[Tue Dec 27 07:51:18 AM MST 2022] _CURL='curl --silent --dump-header /home/scotth/.acme.sh/http.header -L '
[Tue Dec 27 07:51:18 AM MST 2022] _ret='0'
[Tue Dec 27 07:51:18 AM MST 2022] code='200'
[Tue Dec 27 07:51:18 AM MST 2022] trigger validation code: 200
[Tue Dec 27 07:51:18 AM MST 2022] Pending, The CA is processing your order, please just wait. (1/30)
[Tue Dec 27 07:51:18 AM MST 2022] sleep 2 secs to verify again
[Tue Dec 27 07:51:21 AM MST 2022] checking
[Tue Dec 27 07:51:21 AM MST 2022] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/190385605687/pVeABA'
[Tue Dec 27 07:51:21 AM MST 2022] payload
[Tue Dec 27 07:51:21 AM MST 2022] POST
[Tue Dec 27 07:51:21 AM MST 2022] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/190385605687/pVeABA'
[Tue Dec 27 07:51:21 AM MST 2022] _CURL='curl --silent --dump-header /home/scotth/.acme.sh/http.header -L '
[Tue Dec 27 07:51:21 AM MST 2022] _ret='0'
[Tue Dec 27 07:51:21 AM MST 2022] code='200'
[Tue Dec 27 07:51:22 AM MST 2022] vpn.blackknightgroup.dev:Verify error:72.210.45.143: Connection refused
[Tue Dec 27 07:51:22 AM MST 2022] Skip for removelevel:
[Tue Dec 27 07:51:22 AM MST 2022] pid='3058316'
./acme.sh: line 2476: kill: (3058316) - No such process
[Tue Dec 27 07:51:22 AM MST 2022] No need to restore nginx, skip.
[Tue Dec 27 07:51:22 AM MST 2022] _clearupdns
[Tue Dec 27 07:51:22 AM MST 2022] dns_entries
[Tue Dec 27 07:51:22 AM MST 2022] skip dns.
[Tue Dec 27 07:51:22 AM MST 2022] _on_issue_err
[Tue Dec 27 07:51:22 AM MST 2022] Please add '--debug' or '--log' to check more details.
[Tue Dec 27 07:51:22 AM MST 2022] See: How to debug acme.sh · acmesh-official/acme.sh Wiki · GitHub
[Tue Dec 27 07:51:22 AM MST 2022] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/190385605687/pVeABA'
[Tue Dec 27 07:51:22 AM MST 2022] payload='{}'
[Tue Dec 27 07:51:22 AM MST 2022] POST
[Tue Dec 27 07:51:22 AM MST 2022] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/190385605687/pVeABA'
[Tue Dec 27 07:51:22 AM MST 2022] _CURL='curl --silent --dump-header /home/scotth/.acme.sh/http.header -L '
[Tue Dec 27 07:51:22 AM MST 2022] _ret='0'
[Tue Dec 27 07:51:22 AM MST 2022] code='400'
[Tue Dec 27 07:51:22 AM MST 2022] Diagnosis versions:
openssl:openssl
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
apache:
apache doesn't exist.
nginx:
nginx doesn't exist.
socat:
socat by Gerhard Rieger and contributors - see www.dest-unreach.org
socat version 1.7.4.1 on Mar 25 2022 09:51:32
running on Linux version #62-Ubuntu SMP Tue Nov 22 19:54:14 UTC 2022, release 5.15.0-56-generic, machine x86_64

IPTABLES OUTPUT
Chain INPUT (policy DROP 4106 packets, 237K bytes)
num pkts bytes target prot opt in out source destination
1 8483 12M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 15 1606 ACCEPT all -- OPT1 * 0.0.0.0/0 0.0.0.0/0 /* allow incoming from OPT1/DMZ */
3 12 800 ACCEPT all -- LAN * 0.0.0.0/0 0.0.0.0/0 /* allow incoming from LAN */
4 7 511 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 /* allow loopback traffic */
5 0 0 ACCEPT icmp -- LAN * 0.0.0.0/0 0.0.0.0/0 icmptype 8 /* allow ICMP in LAN */
6 5 280 ACCEPT tcp -- WAN * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 /* allow certbot/acme.sh traffic */
7 0 0 ACCEPT tcp -- WAN * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 /* allow certbot/acme.sh traffic */
8 0 0 LOG tcp -- WAN * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 LOG flags 0 level 4
9 0 0 LOG tcp -- WAN * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 LOG flags 0 level 4

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 5013K 3127M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 19270 7804K ACCEPT all -- LAN * 0.0.0.0/0 0.0.0.0/0 /* forward traffic from LAN */
3 20833 1258K ACCEPT all -- OPT1 * 0.0.0.0/0 0.0.0.0/0 /* forward traffic from OPT1/DMZ */

Chain OUTPUT (policy DROP 476 packets, 28768 bytes)
num pkts bytes target prot opt in out source destination
1 5130 615K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 7 511 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0 /* allow loopback traffic */
3 697 68731 ACCEPT all -- * WAN 0.0.0.0/0 0.0.0.0/0 /* allow outbound to WAN */
4 0 0 ACCEPT all -- * nordlynx 0.0.0.0/0 0.0.0.0/0 /* allow outbound to nordlynx */

It seems that something is also blocking port 443.
OR
It's an outbound check on that IP.
[I don't know `acme.sh` well enough to say]

I'd set up another packet capture and check that port 443 can reach your VPN.

4 Likes
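As an added example (not acme.sh's own code and not posted by anyone in this thread), a small Python triage script for acme.sh --debug output of the kind quoted above: it spots the "supported validation types" mismatch from the ZeroSSL attempt, the "Verify error ... Connection refused" from the Let's Encrypt attempt, and recomputes the TLS-ALPN-01 acmeValidation value (SHA-256 of the key authorization, per RFC 8737) to confirm the listener's certificate carries the value for the current token. The domain, IP and token values in the sample log are constructed, as is the mismatch case.

```python
import hashlib
import re

# acme.sh --debug prints "[date] key='value'" lines plus free-text messages.
KV_RE = re.compile(r"^\[[^\]]+\] (\w+)='([^']*)'$")
TYPES_RE = re.compile(r"supported validation types are: (.*?) ?, but you specified: (\S+)")
ERR_RE = re.compile(r"\] (\S+?):Verify error:([0-9a-fA-F.:]+): (.+)$")


def alpn_value(keyauth: str) -> str:
    """RFC 8737: the acmeValidation extension holds SHA-256(key authorization)."""
    return hashlib.sha256(keyauth.encode()).hexdigest()


def parse_debug(text: str) -> dict:
    """Extract the fields that matter for TLS-ALPN-01 troubleshooting."""
    f = {}
    for line in text.splitlines():
        if m := KV_RE.match(line):
            f[m.group(1)] = m.group(2)
        elif m := TYPES_RE.search(line):
            f["offered"], f["requested"] = m.group(1).split(), m.group(2)
        elif m := ERR_RE.search(line):
            f["err_host"], f["err_ip"], f["err_reason"] = m.groups()
    return f


def diagnose(f: dict) -> list:
    """Turn parsed fields into the findings a practitioner would act on."""
    out = []
    if "requested" in f and f["requested"] not in f.get("offered", []):
        out.append("CA_LACKS_REQUESTED_CHALLENGE")  # this CA will not do tls-alpn-01
    if f.get("err_reason", "").startswith("Connection refused"):
        # The CA reached err_ip but nothing answered on the port: DNS must point at
        # the host running the listener, and that port must be forwarded to it.
        out.append("LISTENER_UNREACHABLE")
    if "keyauthorization" in f and "acmevalidationv1" in f:
        ok = alpn_value(f["keyauthorization"]) == f["acmevalidationv1"]
        out.append("ALPN_VALUE_OK" if ok else "ALPN_VALUE_MISMATCH")
    return out


KEYAUTH = "tokenXYZ.thumbprintABC"  # constructed token.thumbprint pair
SAMPLE_LOG = f"""\
[Tue Dec 27 12:17:07 AM MST 2022] The supported validation types are: http-01 dns-01 , but you specified: tls-alpn-01
[Tue Dec 27 07:51:17 AM MST 2022] keyauthorization='{KEYAUTH}'
[Tue Dec 27 07:51:17 AM MST 2022] acmevalidationv1='{alpn_value(KEYAUTH)}'
[Tue Dec 27 07:51:22 AM MST 2022] vpn.example.test:Verify error:192.0.2.10: Connection refused
"""

if __name__ == "__main__":
    print(diagnose(parse_debug(SAMPLE_LOG)))
```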

I guess OP has fixed the issue earlier, as there's currently a Let's Encrypt certificate served on port 443 which was issued on Dec 27th at 15:31:31 UTC, which is fairly recent.

5 Likes

Not really. I got a certificate manually, but have no way to update the certificate automatically. I made sure port 443 is open, but I'm still having issues.

How exactly?

4 Likes

Why are you using the production environment for a third certificate using a method that didn't work to begin with?

6 Likes

Because they have a short memory...
Who needs more than 640K of RAM?

[30 posts ago was too long to remember]

4 Likes

Gents, thank you very much for the help, but this was a bit too hard for me. After two days of trying certbot and acme.sh, I decided to purchase SSL certs from namecheap. $97 for three certs for 5 years. Just installed them and good to go.

Best regards and out here,
Scott Harris

1 Like