I got the connection error, but I can't figure out why

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: fancytank.com

I ran this command:

  1. sudo certbot --authenticator webroot --installer apache --webroot-path /home/pi/public_html/portfolio -d fancytank.com
  2. https://check-your-website.server-daten.de/?q=fancytank.com

It produced this output:

  1. Failed authorization procedure. fancytank.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain
  2. V - ConnectFailure - Unable to connect to the remote server

My web server is (include version): Apache/2.4.38

The operating system my web server runs on is (include version): Raspbian GNU/Linux 10 (buster)

My hosting provider, if applicable, is: hosting.kr

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

I was trying to renew my SSL certificate but keep failing.
I can connect to my site through just "http", but every time I try to use certbot, it keeps telling me the errors above. I don't understand why.
I checked my ufw status, the ports 80, 443, and the other ports for port forwarding are also opened.
What am I missing here?
Could anyone help me find my mistakes here? Please... I have spent over a week trying to figure this out :sob:

I would suggest two things:

  1. Maybe order matters [slim chance], try:
    sudo certbot --installer apache --authenticator webroot --webroot-path /home/pi/public_html/portfolio -d fancytank.com
  2. Maybe Apache is at it again... [high probability]
    Apache is notorious for running at all cost.
    Please confirm all is in order with:
    sudo apachectl -t -D DUMP_VHOSTS
    [if you are unsure, just post the output here]

Thank you for the reply.

I tried the second one and the output is below.

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message 
VirtualHost configuration:   
*:80                   127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)   
*:8080                 is a NameVirtualHost
         default server fancytank.com (/etc/apache2/sites-enabled/001-fancytank.com.conf:3) 
         port 8080 namevhost fancytank.com (/etc/apache2/sites-enabled/001-fancytank.com.conf:3)
         port 8080 namevhost thrive.fancytank.com (/etc/apache2/sites-enabled/002-thrive.fancytank.com.conf:3)
         port 8080 namevhost blog.fancytank.com (/etc/apache2/sites-enabled/003-blog.fancytank.com.conf:3)

Does it say that I should set the 'ServerName' in the configuration file?
I am confused because I set it already.

Does http://fancytank.com reach this server on port 8080 or port 80 ?

And also, show file:
/etc/apache2/sites-enabled/001-fancytank.com.conf

Don't worry about that error message "Could not reliably determine the server's fully qualified domain name, using 127.0.1.1."

HTTP uses port 8080 because I port-forwarded 80 to 8080 (also 443 to 8081)

and the conf file is below.

Listen 8080

<VirtualHost *:8080>
  DocumentRoot  /home/pi/public_html/portfolio
  ServerName    fancytank.com
  ErrorLog      /var/log/apache2/fancytank.com-error_log
  CustomLog     /var/log/apache2/fancytank.com-access_log combined
  ServerAdmin ljwjulian@gmail.com

  <Directory /home/pi/public_html/portfolio>
    DirectoryIndex index.html index.php
    Options FollowSymLinks
    AllowOverride All
    Require all granted
  </Directory>

</VirtualHost>

Try:

sudo certbot certonly \
--webroot -w /home/pi/public_html/portfolio \
-d fancytank.com --dry-run

If that works, then try:

sudo certbot \
-i apache --http-01-port 8080 --https-port 8081 \
--webroot -w /home/pi/public_html/portfolio \
-d fancytank.com --dry-run

I tried this

sudo certbot certonly \
--webroot -w /home/pi/public_html/portfolio \
-d fancytank.com --dry-run

and

Failed authorization procedure. fancytan.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://sedo.com/search/details/?partnerid=324561&language=us&domain=fancytan.com&origin=sales_lander_1&utm_medium=Parking&utm_campaign=offerpage [2606:4700::6810:55b]: "<html lang=\"en-US\">\n<head><style>.async-hide { opacity: 0 !important} </style><script>(function(a,s,y,n,c,h,i,d,e){s.className+="

How does that happen?

Ooops, sorry!!
It was a typo mistake!!

Please just copy and paste what I posted (if possible).

Sorry. I just ran the second one. This time, I copied and pasted it.
And this is the result.

usage: certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ... Certbot can obtain and install HTTPS/TLS/SSL certificates. By default, it will attempt to use a webserver both for obtaining and installing the certificate. certbot: error: unrecognized arguments: --https-port 8081

Can you update the version?
If not, then try:

sudo certbot \
-i apache --http-01-port 8080 \
--webroot -w /home/pi/public_html/portfolio \
-d fancytank.com --dry-run

And you haven't told me if any of the other commands were successful OR if all failed.

I tried to update the version but it says it's already the newest version.

And I also tried the command and the result says

--dry-run currently only works with the 'certonly' or 'renew' subcommands ('run')

Oh and yes, I ran this command

sudo certbot certonly \
--webroot -w /home/pi/public_html/portfolio \
-d fancytank.com --dry-run

then it said "the dry run was successful", so I ran this command after

sudo certbot \
-i apache --http-01-port 8080 --https-port 8081 \
--webroot -w /home/pi/public_html/portfolio \
-d fancytank.com --dry-run

Then, the result was below. (I already posted it)

usage: certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ... Certbot can obtain and install HTTPS/TLS/SSL certificates. By default, it will attempt to use a webserver both for obtaining and installing the certificate. certbot: error: unrecognized arguments: --https-port 8081

Progress!

I would try:

sudo certbot \
-i apache --http-01-port 8080 \
--webroot -w /home/pi/public_html/portfolio \
-d fancytank.com

:sob: :sob: :sob:

The result said "congratulations!"
But when I try to open the site, it doesn't connect and the test site
https://www.ssllabs.com/ssltest/analyze.html?d=fancytank.com
also says this
Assessment failed: Unable to connect to the server

Please follow my instructions more closely.
I did not ask for you to try to connect to the site securely - that is not yet possible.
We've only taken some small steps.
You must learn to walk before you can run.

Please show the outputs of:
certbot certificates
sudo apachectl -t -D DUMP_VHOSTS

sudo certbot certificates


Found the following certs:
Certificate Name: blog.fancytank.com
Domains: blog.fancytank.com
Expiry Date: 2021-12-11 15:13:54+00:00 (VALID: 45 days)
Certificate Path: /etc/letsencrypt/live/blog.fancytank.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/blog.fancytank.com/privkey.pem
Certificate Name: fancytank.com
Domains: fancytank.com
Expiry Date: 2022-01-25 01:34:51+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/fancytank.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/fancytank.com/privkey.pem


sudo apachectl -t -D DUMP_VHOSTS

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:80       127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
*:443      fancytank.com (/etc/apache2/sites-enabled/001-fancytank.com-le-ssl.conf:2)
*:8080     is a NameVirtualHost
         default server fancytank.com (/etc/apache2/sites-enabled/001-fancytank.com.conf:3)
         port 8080 namevhost fancytank.com (/etc/apache2/sites-enabled/001-fancytank.com.conf:3)
         port 8080 namevhost thrive.fancytank.com (/etc/apache2/sites-enabled/002-thrive.fancytank.com.conf:3)
         port 8080 namevhost blog.fancytank.com (/etc/apache2/sites-enabled/003-blog.fancytank.com.conf:3)

Now all we need to do is to modify the Listen on port 443 to Listen on port 8081 in the file:
/etc/apache2/sites-enabled/001-fancytank.com-le-ssl.conf

[and restart Apache]

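The mismatch this answer points at can be checked mechanically. The following is an added example, not part of the original posts: it parses `apachectl -t -D DUMP_VHOSTS` output and lists every vhost for a domain that is bound to a local port the router does not forward to. The helper names are hypothetical; the forwarded ports (80 to 8080, 443 to 8081) and the sample output are taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread; unreachable_vhosts and sample_dump are
# hypothetical helper names.

# Reads `apachectl -t -D DUMP_VHOSTS` output on stdin and prints each vhost
# for DOMAIN whose local port is not one the router forwards to.
# usage: unreachable_vhosts DOMAIN "PORT PORT ..."
unreachable_vhosts() {
  awk -v domain="$1" -v ports="$2" '
    function report(port, name, file) {
      if (name == domain && !(port in ok))
        printf "%s port %s %s\n", name, port, file
    }
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) ok[p[i]] = 1 }
    # Address-based vhost:  *:443  fancytank.com (file:line)
    $1 ~ /:[0-9]+$/ && $2 != "is" {
      port = $1; sub(/^.*:/, "", port); report(port, $2, $3); next
    }
    # Name-based vhost:  port 8080 namevhost fancytank.com (file:line)
    $1 == "port" && $3 == "namevhost" { report($2, $4, $5) }
  '
}

# The DUMP_VHOSTS output posted in the thread after the certificate was installed.
sample_dump() {
  cat <<'EOF'
VirtualHost configuration:
*:80       127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
*:443      fancytank.com (/etc/apache2/sites-enabled/001-fancytank.com-le-ssl.conf:2)
*:8080     is a NameVirtualHost
         default server fancytank.com (/etc/apache2/sites-enabled/001-fancytank.com.conf:3)
         port 8080 namevhost fancytank.com (/etc/apache2/sites-enabled/001-fancytank.com.conf:3)
         port 8080 namevhost thrive.fancytank.com (/etc/apache2/sites-enabled/002-thrive.fancytank.com.conf:3)
         port 8080 namevhost blog.fancytank.com (/etc/apache2/sites-enabled/003-blog.fancytank.com.conf:3)
EOF
}

# The router in the thread forwards 80 -> 8080 and 443 -> 8081.
sample_dump | unreachable_vhosts fancytank.com "8080 8081"
```

On the server itself, pipe `sudo apachectl -t -D DUMP_VHOSTS` into the function instead of `sample_dump`; empty output means every vhost for the domain sits on a forwarded port.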

Oh my god. It works :hugs: :hugs: :hugs:
Thank you, thank you so much. :star_struck: