I don't have a live directory in my letsencrypt installation folder

You have Apache using port 80. The certbot standalone needs port 80 so that is why it fails with the bind error.

2 Likes

The problem has evolved after deactivating the apache server:

We can try to debug the standalone failure. But, is there a reason you need to use that rather than webroot? Or, even use the Apache plug-in?

Usually people don't want to keep their server running. Using webroot, or even the Apache plug-in, uses Apache to authenticate and get a cert.

Standalone is more difficult to debug. If you could explain more of what you are trying we can proceed on the best path.

2 Likes

I am at my first installation of letsencrypt. The context is as follows:
I have a debian server and an application running on tomcat that I want to secure. I don't even need apache2 on this server; it's by watching tutorials that I installed apache. I just want to secure a tomcat server listening on port 80 with letsencrypt. Nothing else.

Thank you for your prompt reaction.
I use iptables to redirect incoming streams on port 80 to another port.

In addition, I deleted all iptables rules, and stopped the application that was running on the redirect port. I then ran the command sudo certbot certonly --standalone -d b2i-dev.tech again with no success.

And yes, I read the answers in English very well. It's the expression and the writing that is problematic for me.

The same problem appears in the logs.
2022-07-22 13:38:33,088:DEBUG:acme.client:Storing nonce: 01018FF2koZUecwxRgp4yRHheaW64RcH3_Xy6bD3FnJ7dcA
2022-07-22 13:38:33,088:INFO:certbot.auth_handler:Performing the following challenges:
2022-07-22 13:38:33,088:INFO:certbot.auth_handler:http-01 challenge for b2i-dev.tech
2022-07-22 13:38:33,089:DEBUG:acme.standalone:Failed to bind to :80 using IPv6
2022-07-22 13:38:33,089:DEBUG:acme.standalone:Failed to bind to :80 using IPv4
2022-07-22 13:38:33,090:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/plugins/standalone.py", line 76, in run
address, self.http_01_resources)
File "/usr/lib/python3/dist-packages/acme/standalone.py", line 189, in __init__
BaseDualNetworkedServers.__init__(self, HTTP01Server, *args, **kwargs)
File "/usr/lib/python3/dist-packages/acme/standalone.py", line 108, in __init__
raise socket.error("Could not bind to IPv4 or IPv6.")
OSError: Could not bind to IPv4 or IPv6.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 75, in handle_authorizations
resp = self._solve_challenges(aauthzrs)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 139, in _solve_challenges
resp = self.auth.perform(all_achalls)
File "/usr/lib/python3/dist-packages/certbot/plugins/standalone.py", line 234, in perform
return [self._try_perform_single(achall) for achall in achalls]
File "/usr/lib/python3/dist-packages/certbot/plugins/standalone.py", line 234, in <listcomp>
return [self._try_perform_single(achall) for achall in achalls]
File "/usr/lib/python3/dist-packages/certbot/plugins/standalone.py", line 241, in _try_perform_single
_handle_perform_error(error)
File "/usr/lib/python3/dist-packages/certbot/plugins/standalone.py", line 239, in _try_perform_single
return self._perform_single(achall)
File "/usr/lib/python3/dist-packages/certbot/plugins/standalone.py", line 245, in _perform_single
servers, response = self._perform_http_01(achall)
File "/usr/lib/python3/dist-packages/certbot/plugins/standalone.py", line 254, in _perform_http_01
servers = self.servers.run(port, challenges.HTTP01, listenaddr=addr)
File "/usr/lib/python3/dist-packages/certbot/plugins/standalone.py", line 78, in run
raise errors.StandaloneBindError(error, port)
certbot.errors.StandaloneBindError: Problem binding to port 80: Could not bind to IPv4 or IPv6.

2022-07-22 13:38:33,090:DEBUG:certbot.error_handler:Calling registered functions
2022-07-22 13:38:33,090:INFO:certbot.auth_handler:Cleaning up challenges
2022-07-22 13:38:33,090:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/plugins/standalone.py", line 76, in run
address, self.http_01_resources)
File "/usr/lib/python3/dist-packages/acme/standalone.py", line 189, in __init__
BaseDualNetworkedServers.__init__(self, HTTP01Server, *args, **kwargs)
File "/usr/lib/python3/dist-packages/acme/standalone.py", line 108, in __init__
raise socket.error("Could not bind to IPv4 or IPv6.")
OSError: Could not bind to IPv4 or IPv6.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/bin/certbot", line 11, in <module>
load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
return config.func(config, plugins)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1250, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 121, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 410, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 353, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 389, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 75, in handle_authorizations
resp = self._solve_challenges(aauthzrs)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 139, in _solve_challenges
resp = self.auth.perform(all_achalls)
File "/usr/lib/python3/dist-packages/certbot/plugins/standalone.py", line 234, in perform
return [self._try_perform_single(achall) for achall in achalls]
File "/usr/lib/python3/dist-packages/certbot/plugins/standalone.py", line 234, in <listcomp>
return [self._try_perform_single(achall) for achall in achalls]
File "/usr/lib/python3/dist-packages/certbot/plugins/standalone.py", line 241, in _try_perform_single
_handle_perform_error(error)
File "/usr/lib/python3/dist-packages/certbot/plugins/standalone.py", line 239, in _try_perform_single
return self._perform_single(achall)
File "/usr/lib/python3/dist-packages/certbot/plugins/standalone.py", line 245, in _perform_single
servers, response = self._perform_http_01(achall)
File "/usr/lib/python3/dist-packages/certbot/plugins/standalone.py", line 254, in _perform_http_01
servers = self.servers.run(port, challenges.HTTP01, listenaddr=addr)
File "/usr/lib/python3/dist-packages/certbot/plugins/standalone.py", line 78, in run
raise errors.StandaloneBindError(error, port)
certbot.errors.StandaloneBindError: Problem binding to port 80: Could not bind to IPv4 or IPv6.

Thanks for explanation. Many people have problems setting up tomcat. What version of tomcat are you using? And, what version of certbot (certbot --version). Newer versions of both are easier to work with.

4 Likes

Apache Tomcat Version 9.0.65

certbot 0.31.0

Oh, that certbot is very old. I am not sure this will work. But, try

sudo certbot certonly --standalone -d b2i-dev.tech --debug-challenges -v

Current certbots will pause so you can send test requests at the standalone. I am not sure what will happen for version 0.31 but try it anyway.

If it does pause, leave it that way and show anything it displays

3 Likes

debian@vps-bf6e1476:~$ sudo certbot certonly --standalone -d b2i-dev.tech --debug-challenges -v
Root logging level set at 10
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requested authenticator standalone and installer None
Single candidate plugin: * standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator
Initialized: <certbot.plugins.standalone.Authenticator object at 0x7f90d1f792b0>
Prep: True
Selected authenticator <certbot.plugins.standalone.Authenticator object at 0x7f90d1f792b0> and installer None
Plugins selected: Authenticator standalone, Installer None
Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/641230146', new_authzr_uri=None, terms_of_service=None), 84c960d659736812ae3b1a9756577893, Meta(creation_dt=datetime.datetime(2022, 7, 21, 15, 56, 51, tzinfo=), creation_host='debian.example.com'))>
Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
Received response:
HTTP 200
Server: nginx
Date: Fri, 22 Jul 2022 15:48:53 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
"lP4cKDeL2ww": "Adding random entries to the directory",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
"website": "https://letsencrypt.org"
},
"newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
"revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
Obtaining a new certificate
Generating key (2048 bits): /etc/letsencrypt/keys/0006_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0006_csr-certbot.pem
Requesting fresh nonce
Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
Received response:
HTTP 200
Server: nginx
Date: Fri, 22 Jul 2022 15:48:53 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 0101i8imp_9eCHC2DdVwboLB0DMZKTHg_8r3GHGnCKHPzKo
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

Storing nonce: 0101i8imp_9eCHC2DdVwboLB0DMZKTHg_8r3GHGnCKHPzKo
JWS payload:
b'{\n "identifiers": [\n {\n "type": "dns",\n "value": "b2i-dev.tech"\n }\n ]\n}'
Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNjQxMjMwMTQ2IiwgIm5vbmNlIjogIjAxMDFpOGltcF85ZUNIQzJEZFZ3Ym9MQjBETVpLVEhnXzhyM0dIR25DS0hQektvIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9uZXctb3JkZXIifQ",
"signature": "a-ctXIPUDWhgq3SgTQ1H5Q8ZckGKhDOLhoVykzKKpVbEifOtosQpnsWeuCwydmLDs1KmZYJFJFtpQ2cgiPeVJrLXu4IJtso_u_B6G3WFn7OHHJW4qhbwb2yQaaAp8pp4aAwa9imeSfPiC7qSkIhqH7ouCLx-ASqKJeB12yqVTfPqb7D38oLXi0l3VnLVpqXoiZ1EEWd_Quayng4Lss3a29SlC5bMNSOS2-1Rs3FY3VZxZYF-9-zMtciRo_-oKrobBC41R07uJbvji7gJVZQ5J4RIBOy_HjujTVQpJuW0raE6xFrPGnSyHaNn8h4FxqHrLptgas9bO416E4P5RKTNEw",
"payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogImIyaS1kZXYudGVjaCIKICAgIH0KICBdCn0"
}
https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 337
Received response:
HTTP 201
Server: nginx
Date: Fri, 22 Jul 2022 15:48:54 GMT
Content-Type: application/json
Content-Length: 337
Connection: keep-alive
Boulder-Requester: 641230146
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/641230146/109127996536
Replay-Nonce: 0101mqFyjvo-PDApv1kGXgwIVWmCMmjT-Ki7JlakfsRLifk
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"status": "pending",
"expires": "2022-07-29T15:48:54Z",
"identifiers": [
{
"type": "dns",
"value": "b2i-dev.tech"
}
],
"authorizations": [
"https://acme-v02.api.letsencrypt.org/acme/authz-v3/133465247976"
],
"finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/641230146/109127996536"
}
Storing nonce: 0101mqFyjvo-PDApv1kGXgwIVWmCMmjT-Ki7JlakfsRLifk
JWS payload:
b''
Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/133465247976:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNjQxMjMwMTQ2IiwgIm5vbmNlIjogIjAxMDFtcUZ5anZvLVBEQXB2MWtHWGd3SVZXbUNNbWpULUtpN0psYWtmc1JMaWZrIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8xMzM0NjUyNDc5NzYifQ",
"signature": "Q4jkqqBSfxTHeL-AjNUJk_0SmKEr7xKtxdqDu0qyIhbR--XslCEaTUoi99J84GAbuipne9pp52aZGtansgFdsmQbw-t2CpJfWv68TerKycdTFhqA51bitLAvntQOt1qVudoq6EDZRGk3d3CbCYL51oZCg3TL2pib1khgxJPilzCt0lL7yY9D__H_8gDdF75d-A9mQuQ5-QXESMkWkg-RbM0U716-CL66tamiVKNXdPy7SGWqhYiYjxZHXYTuIb7Q1pfX-TsUed1bd3f2D9Xs0r2D0ZyPgIuVrXRtyDSw6IgT2HUjiVzHdhSSjAfRyPYSq3J9F8n7UsKVBTCYIlU0pg",
"payload": ""
}
https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/133465247976 HTTP/1.1" 200 796
Received response:
HTTP 200
Server: nginx
Date: Fri, 22 Jul 2022 15:48:54 GMT
Content-Type: application/json
Content-Length: 796
Connection: keep-alive
Boulder-Requester: 641230146
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 01015q9hwirbihUuEcioXJadrA2EZKMuhvPmwm8KqGUt6Y0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"identifier": {
"type": "dns",
"value": "b2i-dev.tech"
},
"status": "pending",
"expires": "2022-07-29T15:48:54Z",
"challenges": [
{
"type": "http-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/133465247976/W8mhLA",
"token": "6xQv3WdaqiiRlS3LSYSE4Sdw_hNwBBEtYcAHojTofDg"
},
{
"type": "dns-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/133465247976/TmAa0w",
"token": "6xQv3WdaqiiRlS3LSYSE4Sdw_hNwBBEtYcAHojTofDg"
},
{
"type": "tls-alpn-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/133465247976/nQNgmQ",
"token": "6xQv3WdaqiiRlS3LSYSE4Sdw_hNwBBEtYcAHojTofDg"
}
]
}
Storing nonce: 01015q9hwirbihUuEcioXJadrA2EZKMuhvPmwm8KqGUt6Y0
Performing the following challenges:
http-01 challenge for b2i-dev.tech
Successfully bound to :80 using IPv6
Certbot wasn't able to bind to :80 using IPv4, this is often expected due to the dual stack nature of IPv6 socket implementations.
Waiting for verification...


Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about
challenges.


Press Enter to Continue

Why not update and rerun the installation?

It looks like you did not stop Apache before trying certbot standalone. The port 80 bind error happened again. You did not have that error the previous time.

It would be better if you could update certbot. Instructions are here:

3 Likes

I completely removed apache and updated certbot to version 1.29.0.
After running sudo certbot certonly --standalone -d b2i-dev.tech again, I have the following result:

The log file displays:

2022-07-22 16:24:16,162:DEBUG:acme.client:Storing nonce: 0102F_FJFR62hUO39Ch9J0vG8_K8dCqORqhDUkMjSIhGbbE
2022-07-22 16:24:16,163:INFO:certbot._internal.auth_handler:Challenge failed for domain b2i-dev.tech
2022-07-22 16:24:16,163:INFO:certbot._internal.auth_handler:http-01 challenge for b2i-dev.tech
2022-07-22 16:24:16,163:DEBUG:certbot._internal.display.obj:Notifying user:
Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: b2i-dev.tech
Type: connection
Detail: 141.94.27.217: Fetching Gest-micro-fin - Login Connection refused

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

2022-07-22 16:24:16,165:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File "/snap/certbot/2192/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 106, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/snap/certbot/2192/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 206, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2022-07-22 16:24:16,165:DEBUG:certbot._internal.error_handler:Calling registered functions
2022-07-22 16:24:16,165:INFO:certbot._internal.auth_handler:Cleaning up challenges
2022-07-22 16:24:16,165:DEBUG:certbot._internal.plugins.standalone:Stopping server at :::80...
2022-07-22 16:24:16,349:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/snap/certbot/2192/bin/certbot", line 8, in <module>
sys.exit(main())
File "/snap/certbot/2192/lib/python3.8/site-packages/certbot/main.py", line 19, in main
return internal_main.main(cli_args)
File "/snap/certbot/2192/lib/python3.8/site-packages/certbot/_internal/main.py", line 1744, in main
return config.func(config, plugins)
File "/snap/certbot/2192/lib/python3.8/site-packages/certbot/_internal/main.py", line 1591, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File "/snap/certbot/2192/lib/python3.8/site-packages/certbot/_internal/main.py", line 141, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/snap/certbot/2192/lib/python3.8/site-packages/certbot/_internal/client.py", line 530, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File "/snap/certbot/2192/lib/python3.8/site-packages/certbot/_internal/client.py", line 442, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/snap/certbot/2192/lib/python3.8/site-packages/certbot/_internal/client.py", line 510, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
File "/snap/certbot/2192/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 106, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/snap/certbot/2192/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 206, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2022-07-22 16:24:16,359:ERROR:certbot._internal.log:Some challenges have failed.

Try

sudo certbot certonly --standalone -d b2i-dev.tech --debug-challenges -v

Current certbots will pause so you can send test requests at the standalone.

Show what it says but do not press enter to continue - leave it paused

5 Likes

OK. I cannot reach that URL. I get the same "Connection Refused" which means something is not allowing that request to reach the certbot standalone server.

If you try that URL, does it work for you?

5 Likes

And, what does this show while the standalone is paused:

sudo netstat -pant | grep -i listen | grep 80
5 Likes
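As an added example (not from the thread, and not certbot's own tooling), a POSIX shell preflight for the two failures this thread runs into: the port 80 bind error from the early posts, and the "Connection refused" the CA reports when it cannot reach certbot's temporary web server. It assumes `ss` and `iptables` are installed (`ss -ltnp` is used in place of the `netstat` command above); the sample outputs are constructed, and `preflight`, `probe_challenge` and the other function names are mine.

```shell
#!/bin/sh
# Preflight checks for `certbot --standalone` (added example, not from the thread).
# Covers the two failures seen above: something else already bound to port 80, and
# the CA's validation request never reaching certbot's temporary web server.

# Print the lines of `ss -ltnp`-style output that are listening on the given port.
# Reads stdin so it can be exercised on the constructed sample below.
listeners_on_port() {
  awk -v p="$1" '$1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) print $0 }'
}

# Print iptables NAT rules that REDIRECT the given destination port elsewhere
# (the thread's port-80 redirect would divert the CA's request away from certbot).
redirects_for_port() {
  grep -- "--dport $1 .*-j REDIRECT" || true
}

# Constructed sample of `ss -ltnp` on a host where apache2 still owns port 80.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      511          0.0.0.0:80       0.0.0.0:*     users:(("apache2",pid=1234,fd=4))
LISTEN 0      511             [::]:80          [::]:*     users:(("apache2",pid=1234,fd=4))
LISTEN 0      128          0.0.0.0:22       0.0.0.0:*     users:(("sshd",pid=800,fd=3))
LISTEN 0      100             [::]:8080        [::]:*     users:(("java",pid=2001,fd=20))'

# Constructed sample of `iptables -t nat -S` with a port-80 redirect like the one described.
SAMPLE_NAT='-P PREROUTING ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443'

count_sample_listeners() { printf '%s\n' "$SAMPLE_SS" | listeners_on_port "$1" | wc -l | tr -d ' '; }
count_sample_redirects() { printf '%s\n' "$SAMPLE_NAT" | redirects_for_port "$1" | wc -l | tr -d ' '; }

# URL the CA fetches for an http-01 challenge (path fixed by RFC 8555).
acme_challenge_url() {
  printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# Live check: port free, no NAT redirect. Returns non-zero with a reason on stderr.
preflight() {
  port="${1:-80}"
  busy=$(ss -ltnp 2>/dev/null | listeners_on_port "$port")
  if [ -n "$busy" ]; then
    printf 'port %s is already bound; stop that service before using --standalone:\n%s\n' "$port" "$busy" >&2
    return 1
  fi
  rules=$(iptables -t nat -S 2>/dev/null | redirects_for_port "$port")
  if [ -n "$rules" ]; then
    printf 'NAT rule redirects port %s; remove it while certbot runs:\n%s\n' "$port" "$rules" >&2
    return 1
  fi
}

# While certbot is paused by --debug-challenges, fetch the token from ANOTHER host the
# way the CA does. "Connection refused" here points at DNS, a firewall or NAT, not certbot.
probe_challenge() {
  curl -sS --max-time 10 -o /dev/null -w '%{http_code}\n' "$(acme_challenge_url "$1" "$2")"
}
```

Run `preflight 80 && sudo certbot certonly --standalone -d b2i-dev.tech --debug-challenges -v`, then, while certbot is paused, `probe_challenge b2i-dev.tech <token>` from a machine outside the server; a 200 means the CA can reach the standalone server, while a refused connection from outside (even when it works locally) narrows the problem to the host firewall, the NAT rules or the DNS record.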