I made an error sudo certbot certonly --standalone -d example.com -d jtreg.duckdns.org

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: jtreg.duckdns.org

I ran this command: sudo certbot certonly --standalone -d example.com -d jtreg.duckdns.org
I get an error:

It produced this output:
"Could not bind TCP port 80 because it is already in use by another process on
this system (such as a web server). Please stop the program in question and then
try again."

My web server is (include version): nginx version: nginx/1.22.1

The operating system my web server runs on is (include version): raspbian v. 12.5

My hosting provider, if applicable, is: duckdns

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.1.0

Update:

I stopped nginx and ran the command:
sudo certbot certonly --standalone -d example.com -d jtreg.duckdns.org

james@torrentbox:~ $ sudo certbot certonly --standalone -d jtreg.duckdns.org -d jtreg.duckdns.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for jtreg.duckdns.org

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: jtreg.duckdns.org
Type: connection
Detail: 140.228.51.50: Fetching http://jtreg.duckdns.org/.well-known/acme-challenge/kZDuWnJ05cWno8GQmh2fF3HRLV2GqNfvezBthJckJmg: Connection refused

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Hello @jtreg, welcome to the Let's Encrypt community.

Using the online tool Let's Debug yields this result
https://letsdebug.net/jtreg.duckdns.org/1972221

DNSLookupFailed
FATAL
A fatal issue occurred during the DNS lookup process for jtreg.duckdns.org/CAA.
DNS response for jtreg.duckdns.org/CAA did not have an acceptable response code: SERVFAIL

I suggest checking your DNS configuration and that the Name Servers are functioning properly to serve the CAA DNS Record.

Edit: also see the ERRORs here jtreg.duckdns.org | DNSViz


Hi @jtreg,

Looks like there has been some improvement in the DNS;
however using --standalone we will still see "ERRORs"

See this for more advice: Certbot stand-alone return error Timeout during connect (likely firewall problem) - #4 by MikeMcQ

https://letsdebug.net/jtreg.duckdns.org/1975336

ANotWorking
ERROR
jtreg.duckdns.org has an A (IPv4) record (140.228.51.50) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.
Get "http://jtreg.duckdns.org/.well-known/acme-challenge/letsdebug-test": dial tcp 140.228.51.50:80: connect: connection refused

Trace:
@0ms: Making a request to http://jtreg.duckdns.org/.well-known/acme-challenge/letsdebug-test (using initial IP 140.228.51.50)
@0ms: Dialing 140.228.51.50
@5830ms: Experienced error: dial tcp 140.228.51.50:80: connect: connection refused
IssueFromLetsEncrypt
ERROR
A test authorization for jtreg.duckdns.org to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.
140.228.51.50: Fetching http://jtreg.duckdns.org/.well-known/acme-challenge/pcm9l1q-PBtH-JBgZo766OC7rIeSotEpU0Rp2TqMMI4: Connection refused

Using nmap shows Port 80 & 443 are filtered (i.e. blocked)

$ nmap -Pn -p80,443 jtreg.duckdns.org
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-23 11:39 PDT
Nmap scan report for jtreg.duckdns.org (140.228.51.50)
Host is up.
rDNS record for 140.228.51.50: 51.228.140.50.bcube.co.uk

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 3.52 seconds

Seeing the above indicates the use of the HTTP-01 challenge, the most common one; and it states
"The HTTP-01 challenge can only be done on port 80."

Best Practice - Keep Port 80 Open

Hi @jtreg,

Consider using certbot --nginx instead of certbot certonly --standalone, since you already have a running web server (nginx). The --standalone method is usually intended for cases where you don't have a web server running on your server.

Considering the connection failures, please also make sure that your DuckDNS software is correctly updating your server IP address, and that you don't have a firewall or router set to prevent incoming connections from the Internet on port 80 (or a residential ISP that prohibits them).


Or --webroot if you don't want Certbot to make changes to your webserver.

I agree that using --standalone doesn't make much sense when there already is a webserver running.

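The replies above boil the failure down to two questions: is something already bound to port 80 (so `--standalone` cannot bind it), and can the CA actually reach port 80 from outside (connection refused vs. filtered)? The script below is an added pre-flight check for those two conditions; it is not from the thread or from Certbot. It assumes Linux (`/proc/net/tcp`), awk and curl, and the domain is whatever you pass as the first argument.

```shell
#!/bin/sh
# Pre-flight checks for an HTTP-01 challenge (added example, not Certbot's own code).

# Is anything already listening on TCP port 80? Reads a /proc/net/tcp-style table
# (default: the live one) and looks for local port 0x0050 in LISTEN state (0A).
# This is the condition behind certbot's "Could not bind TCP port 80".
port80_in_use() {
  table="${1:-/proc/net/tcp}"
  awk 'NR > 1 && $4 == "0A" {
         split($2, a, ":")            # local address column is "HEXIP:HEXPORT"
         if (a[2] == "0050") found = 1
       }
       END { exit !found }' "$table"
}

# Map a curl exit code to what the CA would experience when fetching the token.
classify_probe() {
  case "$1" in
    0)  echo "reachable" ;;     # got an HTTP answer (a 404 here is fine: the server is up)
    6)  echo "dns-failure" ;;   # name did not resolve
    7)  echo "refused" ;;       # TCP RST: nothing listening, or the router is not forwarding
    28) echo "timeout" ;;       # silence: filtered by a firewall or the ISP (nmap "filtered")
    *)  echo "other($1)" ;;
  esac
}

# Fetch a challenge URL the way the CA does: plain HTTP on port 80 over IPv4.
acme_probe() {
  domain="$1"
  url="http://${domain}/.well-known/acme-challenge/preflight-test"   # constructed token
  curl -4 -s -o /dev/null --connect-timeout 10 --max-time 20 "$url"
  classify_probe $?
}

if port80_in_use; then
  echo "port 80 is already bound: use --nginx or --webroot rather than --standalone"
else
  echo "port 80 is free: --standalone can bind it"
fi
if [ -n "$1" ]; then
  echo "external probe of $1: $(acme_probe "$1")"
fi
```

Run the probe from a machine outside your network; from the server itself a "reachable" result only proves the local path, not that your router or ISP lets port 80 in.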
