Hello,
I am using a SSH tunneling service like ngrok to expose my sites to the internet rather than directly opening up ports 80 and 443 from my server’s internet gateway router.
However, cerbot now fails to complete the re-certification.
sudo certbot renew --dry-run
Attempting to renew cert (algominier.com) from /etc/letsencrypt/renewal/algominier.com.conf produced an unexpected error: Failed authorization procedure. algominier.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://algominier.com/.well-known/acme-challenge/U_6JbPkihWAEkXnqJCRjxuuZzSscqWlEW7TV61j76xs: Timeout during connect (likely firewall problem). Skipping.
What is the solution for this?
Thank you!
Hi @AlgoSignals
AlgoSignals:
urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://algominier.com/.well-known/acme-challenge/U_6JbPkihWAEkXnqJCRjxuuZzSscqWlEW7TV61j76xs: Timeout during connect (likely firewall problem). Skipping.
What is the solution for this?
You have two options:
Open your port 80 (or)
switch to DNS validation.
But (2) may be manual.
Read
When you get a certificate from Let’s Encrypt, our servers validate that you control the domain names in that certificate using “challenges,” as defined by the ACME standard. Most of the time, this validation is handled automatically by your ACME...
PS: What's that? There is a check of your domain, 30 minutes old - https://check-your-website.server-daten.de/?q=algominier.com
That's a different problem. You have different IP addresses for non-www / www. Non-www doesn't work; www has IPv4 and IPv6, both are ok.
So you should change your non-www IP address. Or create a certificate only with the www domain name.
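To make the difference between the two options concrete, here is an added example (not code from the thread or from Let's Encrypt) that derives, for one ACME authorization, what the CA looks for under http-01 and what it looks for under dns-01. The token is the one visible in the error message above; the RSA JWK is a constructed placeholder, not a real account key, so the thumbprint and TXT value are only illustrative. The derivation follows RFC 8555 (key authorization) and RFC 7638 (JWK thumbprint).

```python
"""
Added example: derive the http-01 and dns-01 challenge responses for one
ACME authorization and show where each has to be reachable from the CA.

Assumptions (not from the thread): SAMPLE_JWK is a constructed placeholder,
not a real account key. TOKEN is the token from the error in the thread.
"""
import base64
import hashlib
import hmac
import json

DOMAIN = "algominier.com"
TOKEN = "U_6JbPkihWAEkXnqJCRjxuuZzSscqWlEW7TV61j76xs"  # from the certbot error above

# Constructed account key (public part only). Values are placeholders.
SAMPLE_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86z",
}


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as ACME (RFC 8555 / JWS) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required members only, sorted, no whitespace, SHA-256."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint of the account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(domain: str, token: str, jwk: dict) -> tuple[str, str]:
    """Return (URL the CA fetches over plain HTTP on port 80, exact body it expects).

    This is why a tunnel that only forwards 443, or a firewall on 80, fails:
    the CA connects to whatever IP the A/CNAME resolves to, on port 80.
    """
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    return url, key_authorization(token, jwk)


def dns01_response(domain: str, token: str, jwk: dict) -> tuple[str, str]:
    """Return (TXT record name, TXT value) for dns-01.

    Only the DNS zone is consulted; no inbound connection to the host is made.
    The value is base64url(SHA-256(key authorization)).
    """
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


def serve_http01(request_path: str, token: str, jwk: dict):
    """Minimal responder logic for the web server behind the domain.

    Returns the key authorization for the exact challenge path and None
    (i.e. 404) for anything else. Comparison is constant-time on principle.
    """
    expected = f"/.well-known/acme-challenge/{token}"
    if hmac.compare_digest(request_path.encode(), expected.encode()):
        return key_authorization(token, jwk)
    return None


if __name__ == "__main__":
    url, body = http01_response(DOMAIN, TOKEN, SAMPLE_JWK)
    name, value = dns01_response(DOMAIN, TOKEN, SAMPLE_JWK)
    print("http-01: CA fetches", url, "and expects body", body)
    print("dns-01 : CA queries TXT", name, "and expects", value)
```

Running it prints the port-80 URL and body a web server must return for http-01, and the `_acme-challenge` TXT name and value a DNS zone must carry for dns-01. With certbot the equivalent manual path is `certbot certonly --manual --preferred-challenges dns -d <domain>`, which prints the same TXT value for you to publish; it avoids the inbound-port-80 requirement at the cost of a manual (or DNS-API-driven) step at every renewal.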
Hello,
Thank you, would you kindly point me to the instructions / method for the DNS validation route?
Thank you!
_az
May 22, 2020, 11:27am
If you are using ngrok (I’m a fan as well), shouldn’t your domain point to the ngrok CNAME, rather than your home IP address?
(Or whatever the equivalent is for the reverse tunneling solution you use, if not ngrok).
Hello, yes, the CNAME does point to the ngrok servers, which is why I am wondering how to do this.
I also added an A record with the server’s IP address in addition to the CNAME (which points to ngrok), to see if that will work …
_az
May 22, 2020, 11:38am
Right now, your domain only points to your Verizon address. There is no CNAME.
You can’t have an A record and a CNAME at the same time.
There you can't install the certificate.
9peppe
May 22, 2020, 11:52am
They don’t need to, they’re probably just forwarding port 443 entirely.
So you’re telling me if I use a service like ngrok, then I can’t install let’s encrypt SSL?
See your configuration - https://check-your-website.server-daten.de/?q=algominier.com
If you have a CNAME yourdomain -> another domain, you have to install the certificate on the destination machine.
So you must install the certificate there - X.X.X.X. Is that possible?
That's how certificates work. It's not ngrok-specific.
So typically: If customers of a service use CNAME to point domain names to that service, that service creates the required certificates.
JuergenAuer:
X.X.X.X
Hello, thank you for your response. May I request that you kindly remove your last post listing the IP address of my domain? I don't want it published. I'll be removing the A record as well and just keep the ngrok CNAME.
Hello, requesting that you please remove this post … thank you.
Hi @AlgoSignals , I’ve edited @JuergenAuer post and yours to remove IPs.
system
Closed
June 22, 2020, 1:36pm
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.