I can reach my website, certbot cant

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
portal.darghigh.school.nz
I ran this command:
sudo certbot --apache -v
It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which name would you like to activate HTTPS for?


  1. portal.darghigh.school.nz

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for portal.darghigh.school.nz
Performing the following challenges:
http-01 challenge for portal.darghigh.school.nz
Enabled Apache rewrite module
Waiting for verification...
Challenge failed for domain portal.darghigh.school.nz
http-01 challenge for portal.darghigh.school.nz

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: portal.darghigh.school.nz
Type: connection
Detail: Fetching http://portal.darghigh.school.nz/.well-known/acme-challenge/J-sK7XS_GR4Gj6t3gnoBYUEVEi44o3qDKyp0tV88Mzo:
time out during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed
domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log
or re-run Certbot with -v for more details.

My web server is (include version):
Apache/2.4.52 (Debian)
The operating system my web server runs on is (include version):
Debian 11.2
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.23.0

Hello, I'm having trouble getting a certificate with Certbot. Feedback is that it is a firewall problem.
Firewall is off.
I can access the page at work and from home (http, port 80).
I have had a third party say they can reach the page.
I thought the problem may be my ISP is geofencing but they say they are not geofencing.
Any help would be appreciated.

Thank you
Tristan

2 Likes

I can't reach it from Australia.

Port 80 is open, but I don't get any response to an HTTP request.

3 Likes

Welcome to the community @Tristan

Very nice initial report. I cannot reach your site from my test server and, more importantly, neither can this Let's Debug test site.

I believe you when you say people outside your network can reach it and your ISP is not GEO fencing.

So, I can't think of many other options. Are you hosting this at your home? If so, have you checked if your router has any GEO fencing or other similar firewall feature? I know you said your firewall was off but that means many things to many people. Just clarifying.

I see your DNS IP is related to Spark Digital. Is that your ISP? If not, could they have an added firewall blocking some connections?

Just so you know, Let's Encrypt right now will check from as many as 4 different Amazon AWS regions - 3 in the US and one in Germany. I am also trying from an AWS region in the US.

4 Likes

I can see it from NZ. I'm also struggling to get certbot to complete on my server. Same problem as @Tristan. I'm trying from a .school.nz domain as well. @Tristan, is your network managed by N4L? I'm wondering if that's got anything to do with it?

2 Likes

Also, our set up is to automatically deny attempts to connect from outside NZ. Check on that too.

1 Like

That will prevent Let's Encrypt from validating your domain. You need to accept connections globally.

7 Likes

If you can't change that have you considered using a DNS challenge instead of HTTP? Not sure it would work - ask your provider about API access to DNS.

Best to start a new topic if you want assistance with that.

5 Likes

Thank you for your responses, people.

@MikeMcQ No, not hosting at home - this is a school website. N4L is our ISP, which is part of Spark Digital. My firewall is UFW on the Linux machine.
N4L is an ISP specifically for schools in New Zealand; they certainly have firewalls and filters in place for schools, and they do a great job of keeping the nasty stuff out.

@Imacri77 - Yes, school with N4L.

I have asked them twice about blocking and geofencing and they say there is none in place.

"Automatically deny attempts to connect from outside NZ" - is this not geofencing?
Am I asking the wrong questions (to N4L ISP)? :slight_smile:

@MikeMcQ I will pursue the DNS challenge if this fails - thanks for the pointer
Thanks all, I will go back to N4L with this conversation and see what they say.

Tristan

3 Likes

I can confirm that your website is not connecting (http on tcp port 80) from Australia, maybe it does work from NZ though. So despite what you've been told there is indeed some blocking of IP ranges (or whitelisting of ranges) going on. That seems fair enough for schools though.

The DNS validation method is probably the way to go, this requires that you can edit your DNS records to include either a challenge response TXT record (which changes every time you validate your domain for a certificate renewal) or you can use a CNAME for _acme-challenge.portal.darghigh.school.nz to point to a TXT record in a DNS zone that you do have edit access to, ideally one in which DNS updates can be automated.

You could also consider using things like acme-dns (challenge response delegation dedicated services) but if you would still be hosting that on the school ISP then you'd have the same problem. My company offers a cloud hosted implementation of the same idea, which would work around that (you'd still need to create that initial CNAME record though): Certify DNS | Certify The Web Docs

5 Likes
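The DNS validation route described above has two moving parts: the TXT value (derived from the per-order token and the ACME account key, which is why it changes on every renewal) and the CNAME delegation that decides where that TXT record actually has to live. The script below, an added example that is not code from this thread, from Certbot or from Certify The Web, works both out using only the Python standard library. It follows RFC 8555 section 8.4 for the dns-01 value and RFC 7638 for the account-key thumbprint; the JWK coordinates, the token and the in-memory zone table (including the delegated zone `acme.example.net`) are constructed placeholders, not real keys or live DNS.

```python
"""Plan a dns-01 validation: which name needs the TXT record, and with what value.

Added example for this thread; not Certbot's or Certify The Web's code.
The account key, token and zone data below are constructed placeholders.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# RFC 7638: the thumbprint covers only the required public members, sorted,
# serialised without whitespace. Private members such as "d" are ignored.
_THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def jwk_thumbprint(jwk: dict) -> str:
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 s8.4: TXT = base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


def challenge_name(domain: str) -> str:
    """The name the CA queries; with a trailing dot as a fully qualified name."""
    return f"_acme-challenge.{domain}."


def resolve_txt_owner(name: str, zone: dict, max_hops: int = 8) -> str:
    """Follow CNAMEs until reaching the name that must hold the TXT record.

    `zone` is a constructed table keyed by (rrtype, owner); a real check would
    query DNS instead. Loops and over-long chains are rejected.
    """
    seen = {name}
    for _ in range(max_hops):
        target = zone.get(("CNAME", name))
        if target is None:
            return name            # no CNAME: the TXT goes on this name itself
        if target in seen:
            raise ValueError(f"CNAME loop involving {name}")
        seen.add(target)
        name = target
    raise ValueError("CNAME chain longer than max_hops")


def plan_dns01(domain: str, token: str, jwk: dict, zone: dict) -> dict:
    """Return the owner name and TXT value the DNS operator must publish."""
    owner = resolve_txt_owner(challenge_name(domain), zone)
    return {"owner": owner, "txt": dns01_txt_value(token, jwk),
            "delegated": owner != challenge_name(domain)}


# --- constructed sample data (placeholders, not a real key or real DNS) ---
SAMPLE_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": "PLACEHOLDER_x_coordinate_not_a_real_key",
    "y": "PLACEHOLDER_y_coordinate_not_a_real_key",
    "d": "PLACEHOLDER_private_scalar_ignored_by_thumbprint",
}
SAMPLE_TOKEN = "PLACEHOLDER_token_from_the_challenge_object"
SAMPLE_ZONE = {
    # The one record the school's DNS operator creates once; the delegated
    # zone acme.example.net stands in for a zone with API-driven updates.
    ("CNAME", "_acme-challenge.portal.darghigh.school.nz."):
        "portal-challenge.acme.example.net.",
}

if __name__ == "__main__":
    plan = plan_dns01("portal.darghigh.school.nz", SAMPLE_TOKEN, SAMPLE_JWK, SAMPLE_ZONE)
    print(f"publish TXT at {plan['owner']} (delegated={plan['delegated']}):")
    print(f"  {plan['txt']}")
```

Because the value depends on the token, which the CA issues fresh for every order, the record at the delegated name must be rewritten at each renewal; that is the step a DNS provider API (or a hosted delegation target) automates, and why the CNAME, which never changes, is the only thing that has to be created in the school's own zone.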

Well, it times out from the west coast of the US too. FYI, it gets as far as

That's it.

4 Likes

@Tristan Try the DNS Challenge. Worked like a charm for me. Challenge Types - Let's Encrypt

2 Likes

This is a great solution for firewalls, but it's harder to integrate automatically with Certbot. You'll need a supported DNS provider API for that; you can no longer just use --apache!

2 Likes

Looks like I can access it!

1 Like

Me too, and they have a Let's Encrypt cert. Problem solved?

3 Likes

And now so can Let's Debug!

Must have relaxed the firewall.

4 Likes

Yes! Website is up and running. After sending N4L your info saying it is not accessible outside of New Zealand they replied with "Try it now". No mention of previous requests for access...

Was getting through the DNS challenge when I got the message, so I just ran:
sudo certbot --apache -v
again, and success!

Thanks all for your help.

3 Likes
