Http-01 challenge fails

Hi, I got a problem when trying to switch from the “TLS-SNI-01” to the “HTTP-01” challenge. certbot says that it cannot access “http://jupiter.cocq.de/.well-known/acme-challenge/caC8YqHsj0dpEXXhortW5u3qhOT9zdXJFntGMQlTUxo”, but I made a copy of that file during test/debug runs and it is publicly accessible from the web!

My domain is:
jupiter.cocq.de

I ran this command:
certbot run -a webroot -i apache -w /var/www/html -d jupiter.cocq.de --debug-challenges

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer apache
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for jupiter.cocq.de
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification…


Challenges loaded. Press continue to submit to CA. Pass “-v” for more info about
challenges.


Press Enter to Continue
Cleaning up challenges
Failed authorization procedure. jupiter.cocq.de (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://jupiter.cocq.de/.well-known/acme-challenge/caC8YqHsj0dpEXXhortW5u3qhOT9zdXJFntGMQlTUxo: Timeout during connect (likely firewall problem)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: jupiter.cocq.de
    Type: connection
    Detail: Fetching
    http://jupiter.cocq.de/.well-known/acme-challenge/caC8YqHsj0dpEXXhortW5u3qhOT9zdXJFntGMQlTUxo:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version):
Server version: Apache/2.4.25 (Debian)

The operating system my web server runs on is (include version):
Debian GNU/Linux 9 (stretch)

My hosting provider, if applicable, is:
I don’t know

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.28.0
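The failing line in the output above carries an ACME problem type (RFC 8555 section 6.7) that tells you which check to run next. As an added example, not part of this thread or of certbot, the helper below parses certbot's “Failed authorization procedure” line and maps the error type to that check; the hint texts are mine, and the sample line is constructed from the output quoted above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Shape of the line certbot 0.28 prints when an authorization fails.
FAILED_RE = re.compile(
    r"Failed authorization procedure\. (?P<domain>\S+) \((?P<challenge>[\w-]+)\): "
    r"urn:ietf:params:acme:error:(?P<error>\w+) :: (?P<detail>.*)$"
)
FETCH_RE = re.compile(r"Fetching (?P<url>\S+):")

# Next check for the ACME error types a webroot user is most likely to hit (hints are ours).
HINTS = {
    "connection": "the CA could not reach the host; test port 80 from OUTSIDE your network "
                  "(a PC on the LAN proves nothing if the perimeter firewall blocks inbound 80)",
    "unauthorized": "the host answered but served the wrong content; check the webroot path "
                    "and that /.well-known/acme-challenge/ is not redirected or rewritten",
    "dns": "the CA could not resolve the name; check the A/AAAA records and authoritative DNS",
}

@dataclass
class Triage:
    domain: str
    challenge: str
    error: str
    url: Optional[str]
    firewall_timeout: bool
    hint: str

def triage(line: str) -> Optional[Triage]:
    """Parse one 'Failed authorization procedure' line; None if the line is not one."""
    m = FAILED_RE.search(line)
    if not m:
        return None
    detail = m.group("detail")
    fetch = FETCH_RE.search(detail)
    return Triage(
        domain=m.group("domain"),
        challenge=m.group("challenge"),
        error=m.group("error"),
        url=fetch.group("url") if fetch else None,
        firewall_timeout="Timeout during connect" in detail,
        hint=HINTS.get(m.group("error"), "see the ACME problem detail in the certbot output"),
    )

# Constructed sample, copied in shape from the certbot output quoted in the thread.
SAMPLE = ("Failed authorization procedure. jupiter.cocq.de (http-01): "
          "urn:ietf:params:acme:error:connection :: The server could not connect to the "
          "client to verify the domain :: Fetching http://jupiter.cocq.de/.well-known/"
          "acme-challenge/caC8YqHsj0dpEXXhortW5u3qhOT9zdXJFntGMQlTUxo: "
          "Timeout during connect (likely firewall problem)")

if __name__ == "__main__":
    print(triage(SAMPLE))
```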

Hi @s-trooper

Here is a check result for your domain, 40 minutes old ( https://check-your-website.server-daten.de/?q=jupiter.cocq.de ):

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://jupiter.cocq.de/ (212.60.194.24) | -14 | Timeout - The operation has timed out | 10.026 | T |
| https://jupiter.cocq.de/ (212.60.194.24) | 302 | https://jupiter.cocq.de/Login.aspx?ReturnUrl=%2F | 0.246 | B |
| https://jupiter.cocq.de/Login.aspx?ReturnUrl=%2F | 200 | | 0.383 | I |
| http://jupiter.cocq.de/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de (212.60.194.24) | -14 | Timeout - The operation has timed out | 10.040 | T |

Visible Content:

If you want to use http-01 validation, an open port 80 is required.

Your port 80 doesn't answer, so that can't work.

Open port 80 and configure your webserver, so Letsencrypt can fetch the validation file (in /.well-known/acme-challenge).


Thank you for the response, but port 80 is open; you can access “http://jupiter.cocq.de/.well-known/acme-challenge/”.
curl -IkL -m20 http://jupiter.cocq.de:80/.well-known/acme-challenge/
gives me:
HTTP/1.1 200 OK
Date: Tue, 09 Apr 2019 11:41:03 GMT
Server: Apache/2.4.25 (Debian)
Content-Type: text/html;charset=UTF-8

Is the problem that the Apache web server listens on port 80?

:wave: Hi @s-trooper,

How did you test this? When I try it seems as though I get the same result as @JuergenAuer - the website is not accessible and times out.

omg, my admin has told me that port 80 is blocked! But not for my PC. Really sorry, guys.


D’oh! :sweat_smile:

Unfortunately that means you won’t be able to use HTTP-01 to authorize your domain name.

Have you looked at the option of using a DNS-01 challenge? Who provides the authoritative DNS for jupiter.cocq.de, and do they provide some kind of API for changing TXT records? Certbot has a selection of DNS plugins for this.

Now we know what the issue is. I just got port 80 opened by my admin, thank you for the help.


Even better! Glad to hear you were able to find a solution that worked :tada:
