I cannot generate an SSL certificate using certbot

I cannot generate an SSL certificate using certbot, I do not understand why.

My domain is:
http://paytibiamacros.duckdns.org/

I ran this command:
sudo certbot --nginx

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): paytibiamacros.duckdns.org
Requesting a certificate for paytibiamacros.duckdns.org

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: paytibiamacros.duckdns.org
  Type:   connection
  Detail: Fetching http://paytibiamacros.duckdns.org/.well-known/acme-challenge/7eFphe4cCe7IoiYpsq3Lm_jwUD2or-jdZVhrbMaR1rw: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx

The operating system my web server runs on is (include version): debian 10

My hosting provider, if applicable, is: I do not understand

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.19.0


Your site is not reachable on port 80 from the internet. For the http challenge you requested, this is required. Try this site for info:
https://letsdebug.net/

I got a timeout trying to reach your site from my own server as well as Lets Debug result:

https://letsdebug.net/paytibiamacros.duckdns.org/679002

OK, I opened port 80 on my router, but now the site reports another error. What can I do?
Can you try again for me?

I ran this command:
sudo certbot --nginx
and I had the same error

DebugLog:


I get the same error as Lets Debug and the same I had before. I cannot reach your website at http://paytibiamacros.duckdns.org - all I get is a timeout waiting for a response.

Your DNS entry points to 187.36.230.228
Is that the correct IP for you?

There is not much info for me to work with. I do not have any specific ideas. Perhaps someone else may have some things to try.

Some other commands to check some basic things are running:

Check nginx conf file is ok:
sudo nginx -t

Look at ports (make sure nginx is listening on correct port):
sudo netstat -pant | grep -Ei '80|443|nginx'
You may need to adjust this command for your os version. And, it is ok if nginx is not yet listening on port 443 until you have gotten certs.

You mentioned a router so make sure your port is forwarding correctly to your nginx server.

These are just some ideas - hope it helps.


Hi @GabrielRCL, welcome to the LE community forum :slight_smile:

You can check the Internet IP in use with the output of:
curl -4 ifconfig.co

You have to have a working HTTP site before you can begin to secure it (via HTTP authentication).

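The checks the two replies above describe (port 80 must answer from the internet, and nginx must serve the challenge path) can be rehearsed before running Certbot again. The following is an added example, not Certbot's code and not something posted in this thread: it starts a throwaway HTTP server that serves one token under /.well-known/acme-challenge/ (roughly what Certbot's nginx plugin does temporarily), then fetches it the way the CA does and classifies the outcome into the same failure classes the thread runs into (timeout, nothing listening, wrong path, wrong content). The token, key authorization, host names and the HINTS wording are constructed assumptions; a real ACME client derives the key authorization as `<token>.<JWK thumbprint of the account key>`.

```python
"""Offline pre-flight for an ACME HTTP-01 challenge (added example, not Certbot's code).

The CA fetches http://<domain>/.well-known/acme-challenge/<token> over plain
HTTP on port 80 and compares the body with the expected key authorization.
This script reproduces that fetch against a local server so each failure
class can be seen before the real request is made.
"""
import socket
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Constructed sample values (hypothetical), not real ACME data.
SAMPLE_TOKEN = "xkQ7Q1p2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p7q8r9s"
SAMPLE_KEY_AUTHZ = SAMPLE_TOKEN + ".FAKE-ACCOUNT-KEY-THUMBPRINT"

# What each probe outcome usually means for a home-router setup like the one in the thread.
HINTS = {
    "ok": "challenge path reachable and serving the expected content",
    "timeout": "nothing answered on port 80: check router port forwarding and the host firewall",
    "connection-refused": "host reachable but nothing listening on port 80: check nginx (ss -ltnp)",
    "dns-failure": "name does not resolve: check the DNS A record",
    "not-found": "port 80 answers but this server does not serve the challenge path (wrong server block?)",
    "wrong-content": "path is served, but by another host or from a stale file",
    "unreachable": "no route to the address: check that the A record points at this network",
}


class ChallengeHandler(BaseHTTPRequestHandler):
    """Serves exactly one token under the ACME well-known path; everything else is 404."""
    token = SAMPLE_TOKEN
    key_authz = SAMPLE_KEY_AUTHZ

    def do_GET(self):
        if self.path == CHALLENGE_PREFIX + self.token:
            body = self.key_authz.encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_error(404)

    def log_message(self, *args):  # keep the example quiet
        pass


def serve_challenge(token, key_authz, host="127.0.0.1", port=0):
    """Start a background HTTP server for one token; returns (server, bound_port)."""
    handler = type("Handler", (ChallengeHandler,), {"token": token, "key_authz": key_authz})
    server = HTTPServer((host, port), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def probe_challenge(base_url, token, expected_key_authz, timeout=5.0):
    """Fetch the challenge URL as the CA would and classify the outcome (see HINTS)."""
    url = base_url.rstrip("/") + CHALLENGE_PREFIX + token
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace").strip()
    except urllib.error.HTTPError as e:  # server answered, but not with the token
        return "not-found" if e.code == 404 else f"http-{e.code}"
    except urllib.error.URLError as e:  # no HTTP answer at all
        if isinstance(e.reason, socket.timeout):
            return "timeout"
        if isinstance(e.reason, ConnectionRefusedError):
            return "connection-refused"
        if isinstance(e.reason, socket.gaierror):
            return "dns-failure"
        return "unreachable"
    except socket.timeout:  # read timeout is raised directly by urllib
        return "timeout"
    return "ok" if body == expected_key_authz else "wrong-content"


def dns_matches_public_ip(name, public_ip, resolve=socket.gethostbyname):
    """Compare the A record the CA will use with the address this host appears as
    from the outside (e.g. the output of `curl -4 ifconfig.co`)."""
    try:
        return resolve(name) == public_ip
    except socket.gaierror:
        return False


if __name__ == "__main__":
    server, port = serve_challenge(SAMPLE_TOKEN, SAMPLE_KEY_AUTHZ)
    base = f"http://127.0.0.1:{port}"
    for label, tok, expected in [("good", SAMPLE_TOKEN, SAMPLE_KEY_AUTHZ),
                                 ("missing token", "other-token", SAMPLE_KEY_AUTHZ),
                                 ("stale content", SAMPLE_TOKEN, "something-else")]:
        status = probe_challenge(base, tok, expected)
        print(f"{label:14} -> {status}: {HINTS.get(status, status)}")
    server.shutdown()
    server.server_close()
    print(f"closed port      -> {probe_challenge(base, SAMPLE_TOKEN, SAMPLE_KEY_AUTHZ)}")
```

To use it against the real site, point `base_url` at http://paytibiamacros.duckdns.org and run the probe from a host outside your own LAN; a probe from inside the network says nothing about whether the router forwards port 80 from the internet, which is exactly the case the CA's "Timeout during connect" points at.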

Here's a result from Network Tools: DNS,IP,Email

It seems your IP and/or domain is on 4 block lists.

Checking paytibiamacros.duckdns.org which resolves to 187.36.230.228 against 91 known blacklists...
Listed 4 times with 3 timeouts

Status  Blacklist     Reason                     TTL   ResponseTime
LISTED  BARRACUDA     187.36.230.228 was listed  469   3
LISTED  RATS Dyna     187.36.230.228 was listed  1669  2
LISTED  SORBS SPAM    187.36.230.228 was listed  3600  3
LISTED  Spamhaus ZEN  187.36.230.228 was listed  300   3

Have you recently made changes or updates to your DNS records? The serial numbers for the SOA (Start Of Authority) for your domain name do not match up with the Name Servers. Actually, there's no DNS record found for your domain name.

And then this comes up:

WHOIS Lookup ( 187.36.230.228 )
% 2021-09-11T03:15:52-03:00 - IP: 2604:a880:800:10:0:0:7ce:1001

% Permission denied. For more information, contact abuse@registro.br

% Security and mail abuse issues should also be addressed to
% cert.br, http://www.cert.br/ , respectivelly to cert@cert.br
% and mail-abuse@cert.br

It seems you're going to have to get your domain name/IP address off those block lists shown above.


to remove my address from the black list do I need to send a message to "cert.br, http://www.cert.br/ , respectivelly to cert@cert.br"?


Checking again using the MX tool, that still shows the same result. However, I went directly to Spamhaus ZEN's website and they indicate no problems now.

Here's the link for the SpamRATS results. It gives more detail on why your IP is on their list and the procedure for removal from their blacklist. Spam Rats! - SpamRATS Lookup Tool!

SORBS Spam indicates 2 entries


OK, thank you! It's the first time I've tried to create an SSL certificate for my website.


Okay Gabriel, you replied as I was beginning to edit my reply. :slightly_smiling_face: It may be easiest to begin by contacting abuse@registro.br and see what they say. Be sure to inform them your IP address look up is denied by WHOIS Lookup.
Do you have another email address you can use to contact them? :crossed_fingers:


Yes. :slight_smile:
I will get in contact with them, thank you.


I'll edit and remove your email address and change that to a simple "Yes." :wink:
Good luck!
