Hey folks, I’m trying to get a certificate but I get this error:
bitnami@ubuntu:/tmp/certbot$ ./certbot-auto certonly --webroot -w /opt/bitnami/apps/moodle/htdocs/ -d techacademy.dynu.net -d www.techacademy.dynu.net
…
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for techacademy.dynu.net
http-01 challenge for www.techacademy.dynu.net
Using the webroot path /opt/bitnami/apps/moodle/htdocs for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. techacademy.dynu.net (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching
IMPORTANT NOTES:
The following errors were reported by the server:
Domain: techacademy.dynu.net
Type: connection
Detail: Fetching
Error getting validation data
To fix these errors, please make sure that your domain name was
…
Firewall shouldn’t be dropping the challenges since I see TCP FINs passing through the firewall (sourced from an outside address). One thing to notice is I’m using a DDNS that redirects the URI to my public IP on port 8080.
I don’t think that’s the problem in this case because the IPv4 and IPv6 versions of that site both answer and both show the same redirect (to a different IPv4 server). I think the problem is something about the DNS, but I haven’t figured out what yet.
I took a look at the logs and it seems like there are a few things going on.
Some requests had started to fail because you were hitting the “Too many invalid authorizations recently” rate limit (you may want to change to using the staging environment to avoid this while you debug).
Some requests had timed out waiting for headers from your server. I can reproduce this trying to run curl -I http://www.techacademy.dynu.net/.well-known/acme-challenge/1 from my own network.
Some requests failed after what looks like a redirect from techacademy.dynu.net:80 to 186.15.161.169:8080. I suspect this is the DDNS redirect that you mentioned. These redirects are failing because of a bug in Boulder that we’ve been discussing among the developers just this week. Redirects to ports other than 80/443 do not work. We will be updating the API to return a clearer error message in this case over the coming weeks.
Can you change the redirect to be to port 80 or 443? Alternatively you may have to look into using the DNS-01 challenge type.
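The redirect behaviour described in this reply, as an added example that is not Boulder's code or anything posted in this thread: an offline simulation of an http-01 validator that follows redirects only to ports 80/443, run against constructed responses for the DDNS setup from the thread (port 80 redirecting to the public IP on 8080) and for a corrected setup redirecting to 443. The host fixed.example, the FAKE_HTTP table and the simplified redirect rules are assumptions for illustration.

```python
from urllib.parse import urlparse, urljoin

# Constructed, offline stand-in for the HTTP hosts involved in an http-01
# validation: maps a URL to (status, headers, body). Not real responses.
TOKEN = "1"  # placeholder token, as in the curl command in the thread
CHALLENGE_PATH = f"/.well-known/acme-challenge/{TOKEN}"

FAKE_HTTP = {
    # DDNS forwarder behaviour from the thread: port 80 answers with a
    # redirect to the public IP on port 8080 (constructed response).
    f"http://techacademy.dynu.net{CHALLENGE_PATH}":
        (302, {"Location": f"http://186.15.161.169:8080{CHALLENGE_PATH}"}, ""),
    f"http://186.15.161.169:8080{CHALLENGE_PATH}":
        (200, {}, "key-authorization-placeholder"),
    # Assumed corrected setup: redirect to the standard HTTPS port instead.
    f"http://fixed.example{CHALLENGE_PATH}":
        (301, {"Location": f"https://fixed.example{CHALLENGE_PATH}"}, ""),
    f"https://fixed.example{CHALLENGE_PATH}":
        (200, {}, "key-authorization-placeholder"),
}

ALLOWED_PORTS = {80, 443}   # the only ports the validator will connect to
MAX_REDIRECTS = 10          # assumed cap; stops redirect loops

def redirect_target_allowed(url):
    """True if a validator restricted to ports 80/443 could follow this URL."""
    p = urlparse(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        return False
    port = p.port if p.port is not None else (443 if p.scheme == "https" else 80)
    return port in ALLOWED_PORTS

def simulate_http01(start_url, http=FAKE_HTTP):
    """Follow redirects like a port-restricted validator; return (ok, reason, final_url)."""
    url = start_url
    for _ in range(MAX_REDIRECTS):
        if not redirect_target_allowed(url):
            return False, f"redirect to disallowed port/scheme: {url}", url
        if url not in http:
            return False, f"connection failed (no response): {url}", url
        status, headers, body = http[url]
        if status in (301, 302, 303, 307, 308):
            url = urljoin(url, headers.get("Location", ""))  # resolve relative Location
            continue
        if status == 200 and body.strip():
            return True, "validation body fetched", url
        return False, f"unexpected status {status}", url
    return False, "too many redirects", url
```

Running simulate_http01 on the techacademy.dynu.net URL stops at the 8080 hop with a failure reason, which is the condition the thread says the API will soon report more clearly; the fixed.example chain succeeds.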
Yikes, I feel like this is going to cause trouble for quite a few people who are dealing with support for multiple machines behind firewalls. We must have had a couple dozen people on this forum alone who needed to do a non-80/443 redirect because of firewalls. Are you sure that support for this really needs to be removed?
It was news to me but I learned this week that all non-80/443 redirects already fail because of our egress firewall rules. Unless I'm mistaken, nobody could be relying on this working right now because it doesn't. The status quo will remain the same but Boulder will tell you the reason it fails more accurately.
As I explain above I don't think "remove" is the right verb here since it doesn't work now, but I understand the sentiment. We talked about it fairly extensively and @jsha was firmly in favour of continuing to not allow non-80/443 redirects. I think it better matches the climate of things in the CABF w.r.t. redirects for domain validation.
Thanks for the comments and explanation, getting a clear error message will definitely improve the user experience. I'll give DNS-01 a try in a couple of days.