HTTPD - Certbot fails to obtain a certificate

My domain is: admin.comunicazioneperpersonaltrainer.it

I ran this command: /usr/local/bin/certbot-auto --apache

It produced this output:

  • The following errors were reported by the server:

    Domain: admin.comunicazioneperpersonaltrainer.it
    Type: connection
    Detail: During secondary validation: Fetching
    http://admin.comunicazioneperpersonaltrainer.it/.well-known/acme-challenge/3Rwv8dkK4Eq01w5wn_QFgMoFhlslcot1_Vpr3uax5hM:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version): Httpd

The operating system my web server runs on is (include version): Centos 7

My hosting provider, if applicable, is: register.it

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 1.4.0

I also attach my config files:

<VirtualHost *:80>
    ServerAdmin developers@comunicazioneperpersonaltrainer.it
    ServerName admin.comunicazioneperpersonaltrainer.it

    RewriteEngine on
    RewriteCond %{SERVER_NAME} =admin.comunicazioneperpersonaltrainer.it
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

    ProxyPreserveHost On
    ProxyRequests On

    ProxyPass /.well-known/acme-challenge !
    ProxyPass / http://localhost:5002/
    ProxyPassReverse / http://localhost:5002/

    Alias "/.well-known/acme-challenge/" "/var/www/html/letsencrypt/.well-known/acme-challenge/"

    ErrorLog /var/log/httpd/apache/admin.error.log
    LogLevel warn
    CustomLog /var/log/httpd/apache/admin.access.log combined
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin developers@comunicazioneperpersonaltrainer.it
    ServerName admin.comunicazioneperpersonaltrainer.it

    ProxyPreserveHost On
    ProxyRequests On

    ProxyPass /.well-known/acme-challenge !
    ProxyPass / http://localhost:5002/
    ProxyPassReverse / http://localhost:5002/

    Alias "/.well-known/acme-challenge/" "/var/www/html/letsencrypt/.well-known/acme-challenge/"

    DocumentRoot /var/www/html

    ErrorLog /var/log/httpd/apache/admin-ssl.error.log
    LogLevel warn
    CustomLog /var/log/httpd/apache/admin-ssl.access.log combined

    SSLCertificateFile /etc/letsencrypt/live/admin.comunicazioneperpersonaltrainer.it/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/admin.comunicazioneperpersonaltrainer.it/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateChainFile /etc/letsencrypt/live/admin.comunicazioneperpersonaltrainer.it/chain.pem
</VirtualHost>

Hi @lory1990

If you have that "During secondary validation" error, read:

The Letsencrypt servers can check your domain. The secondary servers can't.

Looks like a regional blocking firewall.

It seems strange: I have two other domains (app.comunicazioneperpersonaltrainer.it and api.comunicazioneperpersonaltrainer.it) that work well.

Checking your first domain via https://check-your-website.server-daten.de/?q=admin.comunicazioneperpersonaltrainer.it - from Berlin, that doesn't work.

Domainname                                                    IP            Http-Status  Sec.    G
http://admin.comunicazioneperpersonaltrainer.it/              37.187.16.11  -14          10.026  T
    Timeout - The operation has timed out
https://admin.comunicazioneperpersonaltrainer.it/             37.187.16.11  200          4.000   N
    No GZip used - 1454 / 2482 - 58,58 % possible
    Inline-JavaScript (∑/total): 3/1449, Inline-CSS (∑/total): 0/0
    Html is minified: 244,29 %
    Certificate error: RemoteCertificateChainErrors
    small visible content (num chars: 46): "You need to enable JavaScript to run this app."
http://admin.comunicazioneperpersonaltrainer.it/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
                                                              37.187.16.11  -14          10.030  T
    Timeout - The operation has timed out

https works, http not.

So the result is expected.

A working port 80 is required if you want to use http validation.

It’s really strange since I added <VirtualHost *:80> … what could it be?

Firewall, wrong http configuration, wrong .htaccess - a lot of blocking options.

I am doing some tests

[root@server ~]# netstat -tulpn | grep LISTEN
tcp        0      0 0.0.0.0:1597            0.0.0.0:*               LISTEN      1011/sshd
tcp        0      0 127.0.0.1:9100          0.0.0.0:*               LISTEN      1025/noderig
tcp6       0      0 :::443                  :::*                    LISTEN      26512/httpd
tcp6     129      0 :::80                   :::*                    LISTEN      26512/httpd

[root@server ~]# grep -w '80/tcp' /etc/services
http            80/tcp          www www-http    # WorldWideWeb HTTP
[root@server ~]# grep -w '443/tcp' /etc/services
https           443/tcp                         # http protocol over TLS/SSL

And it all seems to be ok… maybe… can I do some other test?
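An added diagnostic, not code from the thread: it parses a `netstat -tulpn | grep LISTEN` listing in the layout shown above (the sample is constructed to mirror it) and reads the Recv-Q column, which for a LISTEN socket on Linux is the accept queue, the completed connections the daemon has not yet accept()ed. A port that is "open" in netstat but whose accept queue is full answers nobody, which shows up as exactly the connect timeout seen both from outside and from the host itself; the `somaxconn` default and the threshold logic are assumptions stated in the comments.

```python
import re

# Constructed sample in the layout of the thread's `netstat -tulpn | grep LISTEN`
# output (assumed, not captured from the poster's machine).
SAMPLE_NETSTAT = """\
tcp        0      0 0.0.0.0:1597            0.0.0.0:*               LISTEN      1011/sshd
tcp        0      0 127.0.0.1:9100          0.0.0.0:*               LISTEN      1025/noderig
tcp6       0      0 :::443                  :::*                    LISTEN      26512/httpd
tcp6     129      0 :::80                   :::*                    LISTEN      26512/httpd
"""

# Columns: proto  Recv-Q  Send-Q  local-address  foreign-address  state  pid/program
LISTEN_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+(?P<recvq>\d+)\s+(?P<sendq>\d+)\s+"
    r"(?P<local>\S+)\s+\S+\s+LISTEN\s+(?P<pid>\d+)/(?P<prog>\S+)"
)

def parse_listeners(text):
    """Return one dict per LISTEN line: bind address, port, Recv-Q, program."""
    rows = []
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        addr, port = m.group("local").rsplit(":", 1)
        rows.append({"proto": m.group("proto"), "addr": addr, "port": int(port),
                     "recvq": int(m.group("recvq")), "prog": m.group("prog")})
    return rows

def check_http01_listener(rows, somaxconn=128):
    """Say whether the port 80 listener is in a state that can answer an HTTP-01 probe."""
    http = [r for r in rows if r["port"] == 80]
    if not http:
        return ["port 80: nothing is listening, so HTTP-01 cannot succeed"]
    findings = []
    for r in http:
        # A tcp6 wildcard (:::80) also serves IPv4 on a default Linux dual-stack
        # host; only a loopback bind is a problem for external validation.
        if r["addr"] in ("127.0.0.1", "::1"):
            findings.append(f"port 80: bound to {r['addr']} only, unreachable from outside")
        # Recv-Q of a LISTEN socket = completed handshakes not yet accept()ed.
        # At or above net.core.somaxconn (assumed 128, the CentOS 7 default) the
        # queue is full, new SYNs are dropped and every client sees a timeout.
        if r["recvq"] >= somaxconn:
            findings.append(f"port 80: accept queue full ({r['recvq']} waiting), "
                            f"{r['prog']} is not accepting connections")
        elif r["recvq"] > 0:
            findings.append(f"port 80: {r['recvq']} connections waiting to be accepted")
    return findings
```

Run it against the real listing with `check_http01_listener(parse_listeners(open("/dev/stdin").read()))` fed from `netstat -tulpn | grep LISTEN`; an empty result means the listener itself is healthy and the block is elsewhere (firewall, ISP).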

Does your port 80 work internally?

curl http://admin.comunicazioneperpersonaltrainer.it/

from that machine?

If online tools can’t see your http and it works internally, you have a blocking instance.

Or it is a home server and your ISP blocks port 80. Then you have to use dns validation.

Wow, it’s incredible: it does not work from the host machine :frowning: :frowning:
