Http-01 timeout for new NextCloudPi install


#1

Question:
How can I get a letsencrypt certificate installed on my new NextCloudPi installation, running on a Raspberry Pi in my home?

Brief Details:
My NextCloudPi instance is working well. I can access it from outside my home network via freedns using my subdomain name hazybluesky.mooo.com. However, of course I get the browser warnings about a self-signed certificate. I have tried installing letsencrypt certs both from the command line (see below) and using a script/wizard from the NextCloudPi admin panel. However, I consistently get the same error about http-01
challenge timeout. The error message suggests a firewall problem. However, my firewall does not block ports 80 or 443.

More Details:

My domain is:
hazybluesky.mooo.com

I ran this command:
sudo certbot --rsa-key-size 4096 --authenticator standalone --installer apache --pre-hook "apachectl -k stop" --post-hook "apachectl -k start"

I also tried using the built-in letsencrypt script which runs from the GUI interface for NextCloudPi.

Both result in the same error messages. Here is the output from those commands:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): 

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: hazybluesky.mooo.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Running pre-hook command: apachectl -k stop
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for hazybluesky.mooo.com
Waiting for verification...
Cleaning up challenges
Running post-hook command: apachectl -k start
Failed authorization procedure. hazybluesky.mooo.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://hazybluesky.mooo.com/.well-known/acme-challenge/n7J79E4olNUsmLIBTtdnbHmQ9XteUsk4y-cuxRiQEPg: Timeout during connect (likely firewall problem)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: hazybluesky.mooo.com
   Type:   connection
   Detail: Fetching
   http://hazybluesky.mooo.com/.well-known/acme-challenge/n7J79E4olNUsmLIBTtdnbHmQ9XteUsk4y-cuxRiQEPg:
   Timeout during connect (likely firewall problem)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.`

My web server is (include version):
NextCloud 14.4.0.2

The operating system my web server runs on is (include version):
NextCloudPi v0.67.8 [based on Rasbpian 9]

My hosting provider, if applicable, is:
n/a
I am hosting this on a Raspberry Pi in my home.

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
yes, I am using the built in NextCloudPi control panel.


#2

Hi @Admin-a-Strator

checking your domain (via https://check-your-website.server-daten.de/?q=hazybluesky.mooo.com ) there is a timeout:


Domainname Http-Status redirect Sec. G
http://hazybluesky.mooo.com/
24.121.204.164 -14 10.023 T
Timeout - The operation has timed out
https://hazybluesky.mooo.com/
24.121.204.164 302 https://hazybluesky.mooo.com/index.php/login 7.603 N
Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors
https://hazybluesky.mooo.com/index.php/login 200 4.363 N
Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors
http://hazybluesky.mooo.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
24.121.204.164 -14 10.030 T
Timeout - The operation has timed out

Your https works (with the invalid certificate). But your http (required to validate your request) has a timeout.

Is your webserver running port 80? And if this is a home server: Does your ISP block port 80?


#3

Thanks for your help.

What do you mean by “is your webserver running port 80”?

This is a home server. My ISP does not block port 80, since I can access my server with hazybluesky.mooo.com:80. It redirects to https, but it does not block it.


#4

But I can’t. Not with my browser, not with my online tool. If I use another tool (sample: https://securityheaders.com/?q=http%3A%2F%2Fhazybluesky.mooo.com%2F ), there is the same:

Sorry about that…

The target site took too long to respond and the connection timed out. Try again later.


#5

Can you really access it from outside your local network? Like by using a cellular connection?

Let’s Encrypt can’t access port 80, https://check-your-website.server-daten.de/ can’t, and I can’t.


#6

No, I can’t. I used my phone to connect, but my phone was on my local wifi. I guess my server is not accessible from port 80.

My router is set to port forward incoming traffic on port 80 to my server port 80. Why does this not work? My router is an Arris Surfboard SBG6700-AC.


#7

As you see, my online tool can see your port 443. Same with my browser. So your port 443 redirect looks good, so your port 80 redirect should be good.

It doesn’t work -> ask your ISP if port 80 is blocked.

Or check, if you can use dns-01 - validation to create a certificate.

But then a new dns txt entry is required. If your dns provider doesn’t support an API, you have to do that manual every 60 - 85 days to get a new certificate.


#8

PS: Oh, you use afraid.org as nameserver:

Afraid.org allows users to create subdomains with existing domain names.

So there are 3292 active Letsencrypt certificates:

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:true;domain:mooo.com;issuer_uid:4428624498008853827&lu=cert_search

with mooo.com as domain name.

That may be a problem, there is a limit of max. 50 new subdomains per week per domain.


#9

My ISP does block port 80. :disappointed:

I will have to try the dns-01 validation method, I guess. I am not an IT person, so this stuff is complicated!

Thank you for your help @JuergenAuer.


#10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.