Installing cert on Azure Application Gateway

I am trying to follow the steps in the article below to create a cert for my Azure App Gateway and then set up automatic renewal:

When I run the command “sudo certbot certonly --email <my_email> -d drlshrnon.drlteam.net --agreetos -manual”, I get a completely different response than the author of that article. The command asks me how I would like to authenticate with the ACME CA and gives me the options of standalone or webroot. It does not matter which one I pick, the next step tries to complete the verification against the storage account I have set up. It always fails saying that it could not fetch a particular file from the storage account, but it never told me to create the file like when the author ran that command in the article.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
drlshrnon.drlteam.net

I ran this command:
sudo certbot certonly --email <my_email> -d drlshrnon.drlteam.net --agreetos -manual

It produced this output:
How would you like to authenticate with the ACME CA?

  1. Spin up a temporary webserver (standalone)
  2. Place files in webroot directory (webroot)

Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for drlshrnon.drlteam.net
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. drlshrnon.drlteam.net (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://drlshrnon.drlteam.net/.well-known/acme-challenge/<random_string>: Timeout during connect (likely firewall problem)

My web server is (include version):
Azure App Gateway

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:
Azure

I can login to a root shell on my machine (yes or no, or I don’t know):
No

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
0.23.0

Hi @Phydeauxman

there are some problems.

First, your certbot looks too old:

Update Certbot. Perhaps you have used tls-sni-01 validation, that's no longer supported.

Second: Your domain is completely invisible ( https://check-your-website.server-daten.de/?q=drlshrnon.drlteam.net ):

|Domainname|Http-Status|redirect|Sec.|G|
|http://drlshrnon.drlteam.net/ 13.90.156.253|-14||21.010|T|
|Timeout - The operation has timed out|||||
|https://drlshrnon.drlteam.net/ 13.90.156.253|-14||10.027|T|
|Timeout - The operation has timed out|||||
|http://drlshrnon.drlteam.net/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 13.90.156.253|-14||10.027|T|
|Timeout - The operation has timed out|||||

Visible Content:

If you use http-01 validation, Certbot creates a file in /.well-known/acme-challenge, Letsencrypt checks that file - via port 80.

So an open port 80 is required.

Curious: There are no older certificates visible via CRT-logs with that subdomain name. So it's the first time you create a certificate. But there are a lot of other subdomains ( https://check-your-website.server-daten.de/?q=drlteam.net ) - 100 complete, 14 active, 2 from the last 7 days.

Thanks for the reply. I have the latest version of certbot…at least that is what it tells me when I try to update it.

Not sure I understand what you mean when you say the domain is completely invisible.

I am confused by the part about Certbot creating the validation file. In the article I linked, the author set the Azure storage account to read-only so anything connecting to it anonymously would only be able to read and not write. When he ran certbot he was told to create a file containing the data needed for validation.

That's because your certbot is too old. The article uses http-01 validation, so (2) is required.

Your domain doesn't answer.

Briefly checked the article. There is a rewrite rule to another object. And the warning:

Don’t continue until you have successfully setup the redirection rule.

When I run “sudo apt-get install --only-upgrade certbot”, it returns “certbot is already the newest version (0.23.0-1~ubuntu10.04.1)”. If there is something newer…I am not sure how to get it. Full disclosure…I am not a Linux person.

I am still confused by your comment “your domain doesn’t answer”. Trying going to http://drlshrnon.drltem.net/.well-known/acme-challenge/test.html. That comes up fine for me.

Already have the redirection rule in place which is how I am able to get to the “test.html” url.

I figured out the initial problem I was having with not being presented with instructions to create the file. Since I am not familiar with Linux or Certbot, I did not initially notice that I had left out a needed second “-” before the manual parameter, so it was being ignored. Now I am getting prompted to create the file but it still failed. Might be because I took too long to create the file.

That's an expired ubuntu version.

https://wiki.ubuntu.com/Releases

|Ubuntu 10.04.4 LTS|Lucid Lynx|Changes|February 16, 2012|May 9, 2013 (Desktop), April 30, 2015 (Server)|

But if --webroot works, you may ignore that problem. Current certbot is 0.31 / 0.33.

That's the main problem you have to fix. Checking with my online tool -> no answer. Checking with my browser -> no answer. Perhaps there is a firewall or something else that blocks.

Using http-01 validation -> a validation file is required, Letsencrypt checks if that file exists with the correct value. So if your domain is invisible, you can't use http-01 validation.
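As an added example (not code from this thread, the linked article or Certbot itself), the following Python script does by hand the check the two posts above describe: it fetches http://<domain>/.well-known/acme-challenge/<token> over plain port 80 and tells a timeout (nothing answers, e.g. a firewall or allow-list) apart from a 404 (server answers, file missing) and a wrong file body. The hostname, token and port are placeholders; run_local_demo() serves constructed tokens on 127.0.0.1 so the script can be tried offline.

```python
"""Pre-flight check for http-01 reachability (added example, not Certbot code).

http-01 works as described above: the client places a token file under
/.well-known/acme-challenge/ and the CA fetches it over plain HTTP on port 80.
Probing that URL from outside your own allow-listed network beforehand
separates "nothing answers" from "answers, file missing" and "answers, wrong
content". Hostnames, tokens and ports below are placeholders.
"""
import socket
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PATH = "/.well-known/acme-challenge/"


def probe_http01(host, token, port=80, timeout=10):
    """GET http://host[:port]/.well-known/acme-challenge/token.

    Returns (category, detail). Categories: ok, mismatch, missing, http-error,
    timeout, refused, dns, error. Redirects (e.g. a gateway rule that points
    the challenge path at a storage account) are followed, as the CA does.
    """
    netloc = host if port == 80 else "%s:%d" % (host, port)
    url = "http://%s%s%s" % (netloc, CHALLENGE_PATH, token)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            status = resp.status
            body = resp.read().decode("utf-8", "replace").strip()
    except urllib.error.HTTPError as e:
        status, body = e.code, ""
    except urllib.error.URLError as e:
        reason = e.reason
        if isinstance(reason, socket.timeout):
            return "timeout", "no answer on port %d (firewall or allow-list?)" % port
        if isinstance(reason, ConnectionRefusedError):
            return "refused", "port %d reachable but closed" % port
        if isinstance(reason, socket.gaierror):
            return "dns", "name does not resolve: %s" % reason
        return "error", str(reason)
    except socket.timeout:
        # Connected, but the response never arrived in time.
        return "timeout", "connected but no response within %ds" % timeout
    if status == 404:
        return "missing", "server answers, but no file for this token"
    if status != 200:
        return "http-error", "HTTP %d" % status
    if body != token:
        return "mismatch", "served %r, expected %r" % (body[:40], token)
    return "ok", "token served correctly"


class _TokenHandler(BaseHTTPRequestHandler):
    """Minimal stand-in for the real webroot / storage account (demo only)."""
    tokens = {}  # path -> file content, constructed in run_local_demo()

    def do_GET(self):
        content = self.tokens.get(self.path)
        if content is None:
            self.send_error(404)
            return
        data = content.encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass


def run_local_demo():
    """Serve constructed tokens on 127.0.0.1 and probe them; returns {case: category}."""
    _TokenHandler.tokens = {
        CHALLENGE_PATH + "good-token": "good-token",   # correct file
        CHALLENGE_PATH + "stale-token": "old-value",   # file left over from an earlier run
    }
    server = HTTPServer(("127.0.0.1", 0), _TokenHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return {
            "ok": probe_http01("127.0.0.1", "good-token", port=port)[0],
            "mismatch": probe_http01("127.0.0.1", "stale-token", port=port)[0],
            "missing": probe_http01("127.0.0.1", "not-there", port=port)[0],
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # e.g. python3 probe.py example.com <token you placed in the webroot>
        print(probe_http01(sys.argv[1], sys.argv[2]))
    else:
        print(run_local_demo())
```

Run it from a host outside the allow-listed range; a "timeout" result reproduces exactly what the CA saw in the error above, while "missing" means port 80 is open and only the token file is absent, which is the state to expect before Certbot has written it.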

Ok, I think you have me on the right track. The light bulb came on about being able to access the domain…we are whitelisting IPs on an NSG that sits in front of the storage account. I could see it because my IP was in the list but yours was not. Resolving that issue now.

Thanks for your help…much appreciated

Note that this server hasn’t received any security updates for six years. That sounds like a significant security risk if the server is used to handle any sensitive data.

He put the wrong number in…I am running 16. And…it is WSL that I was using simply to get the certificate. I have since abandoned that method and switched to using PowerShell on a Windows machine as I am more comfortable with that.


Phew, that sounds much better!

In terms of the software update question, we’ve been having a difficult time getting some operating systems to ship updates for the most recent versions of Certbot. This is an ongoing project, but you can always check

for our recommended installation instructions for different operating system environments. In some cases, these will involve using the OS-packaged version, and in some cases a different approach outside of the OS package manager. (I’m sorry for the inconvenience this can cause for you and other people who’ve already used an installation method that isn’t the one that we currently recommended.)

I hope @JuergenAuer’s suggestion continues to work well for you!
