IRC client encrypt relay ERROR


#1

My domain is:
ideletemyself.mooo.com

I ran this command:
certbot certonly --standalone -d ideletemyself.mooo.com -m bmckimmons@me.com

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for ideletemyself.mooo.com
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. ideletemyself.mooo.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 45.55.161.183:443 for TLS-SNI-01 challenge

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: ideletemyself.mooo.com
    Type: connection
    Detail: Failed to connect to 45.55.161.183:443 for TLS-SNI-01
    challenge

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My operating system is (include version):
Manjaro Linux

My web server is (include version):
It’s a free subdomain from http://freedns.afraid.org

My hosting provider, if applicable, is:
http://freedns.afraid.org

I can login to a root shell on my machine (yes or no, or I don’t know):
No, I can’t.

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
Nope.


I’m trying to follow this guide at: https://latest.glowing-bear.org/ to set up a simple encrypt relay for my weechat IRC Client… can’t get past the certbot portion. I’m suspicious it could be Suddenlink my ISP provider blocking ports. I can’t run a web or email server from my home, they block the ports. So, perhaps the same thing is happening here?


#2

Hi @ideletemyself, do you mean to say that the ISP that you’re hosting this server on is your home ISP and that they block inbound connections to port 80? In that case it seems likely that they also block port 443 and that that’s the reason for this problem.

Do you know if your DNS provider offers an easy way to update arbitrary DNS records underneath your domain? There is also a DNS challenge method where you can prove control of the domain by updating a requested DNS entry, instead of receiving an incoming web request from the CA.


#3

No, I’m not hosting any server; I’m simply trying to run an encrypt relay for my Weechat IRC client, as this guide for the Glowing Bear extension spells out like this:

To start using Glowing Bear, follow the instructions below to set up an encrypted relay. All communication goes directly between your browser and your WeeChat relay! This means that your server must be accessible. We never see any of your data or your password, and you don’t need to trust a “cloud”. All settings, including your password, are saved locally in your own browser between sessions.

When using encryption, all communication between your browser and WeeChat will be securely encrypted with TLS. This means that you have to set up a certificate. While it’s possible to use a self-signed cert, we recommend against it, because it’s handled poorly in browsers, and may not work at all on mobile devices. If you don’t already have a certificate for your domain (or you don’t have a domain), we strongly encourage you to get a certificate from Let’s Encrypt—it’s free and easy. We’ll walk you through it.

If you don’t have a domain you can get a free subdomain from providers such as afraid. You’ll want to set up an ‘A’ record to your server’s IP address, and quite possibly an AAAA record to its IPv6 address. These might take a few hours to propagate, if the steps below don’t work right away, try again in a few hours.

Getting a certificate is easy. You’ll need certbot—just follow the encryptions at https://certbot.eff.org. If you’re not serving webpages on the same server or are unsure, select “none of the above” (if you are, you can probably use that webserver to proxy your relay, and skip this—check out the instructions in our Wiki). Next, get the certificate with certbot certonly --standalone -d localhost and follow the instructions.


This is where my laptop gives me the error… Is this process for servers only? That seems to be the case but then this and other walkthroughs I’ve seen use the term “IRC client” not server so that’s why I’m going through this laborious process.

Oh, and I just used a free subdomain from that afraid.org, again, as the walkthrough above states to go ahead and do if one doesn’t own a domain. Thanks for your reply!


#4

In this case, your laptop needs to be able to operate as a web server (that’s publicly visible from the Internet) at least temporarily in order to complete the validation process and prove control over your domain to the certificate authority. When the documentation you quoted refers to “your server”, they mean any computer that is online all of the time that you’re planning to use for your IRC relay. But for Let’s Encrypt verification, it needs to at least temporarily also run web server software and be able to accept inbound web requests, unless you want to use the DNS verification method that I alluded to above.


#5

Okay, then my suspicions have been verified. My ISP, Suddenlink, doesn’t allow home users to run any kind of web or mail server, or actually just blocks the ports needed. So both 80 and 443 are most likely blocked and this is why the error is occurring. That really sucks since I’m just going to have to fly naked out there on IRC I guess. Thanks for your prompt response…


#6

You can still get a Let’s Encrypt certificate using the DNS challenge type if you can create the appropriate DNS records.

Or, if you can get access to a server outside of your home network, you can get the certificate issued there and then copy the files onto your home computer (maybe renting a VPS account for a short period of time). This solution might not be as useful because you would need to be able to repeat the process when the certificate expires and you need to renew it.

I’m not sure about your reference to “fly[ing] naked out there on IRC”; if you were going to install an IRC proxy on your home computer, it doesn’t provide any additional protection for your IRC use (since there’s no additional encryption between the proxy and the IRC network that you couldn’t get from a regular IRC client, and the IP address of the proxy doesn’t conceal your home IP address either because it’s on the same computer).
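The DNS challenge suggested in #2 and #6 works without any inbound port at all: the CA hands the client a token, the client publishes a TXT record derived from it under `_acme-challenge.<domain>`, and the CA looks that record up. The following is an added example, not code from this thread, from certbot or from Glowing Bear; it computes the record value the way RFC 8555 section 8.4 and RFC 7638 specify and checks an observed TXT record set against it offline. The token, the JWK coordinates and the resolver results are constructed placeholders, and `ideletemyself.mooo.com` is only used because it is the domain in this thread.

```python
# Added example: DNS-01 challenge record computation and an offline check of
# the published TXT record. Not the thread's, certbot's or Glowing Bear's code.
# Token and JWK values below are constructed placeholders, not real ACME data.
import base64
import hashlib
import json
from typing import Callable, Dict, Iterable, List


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires (RFC 4648 section 5)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# JWK members that enter the thumbprint, per RFC 7638 section 3.2.
# Optional members such as "alg" or "kid" are deliberately excluded.
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required members."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, thumbprint: str) -> str:
    """keyAuthorization = token || '.' || base64url(JWK thumbprint) (RFC 8555 section 8.1)."""
    return f"{token}.{thumbprint}"


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """TXT value for DNS-01: base64url(SHA-256(keyAuthorization)) (RFC 8555 section 8.4)."""
    digest = hashlib.sha256(key_authorization(token, thumbprint).encode("ascii")).digest()
    return b64url(digest)


def dns01_record_name(domain: str) -> str:
    """Owner name the CA queries: _acme-challenge prepended to the validated domain."""
    return "_acme-challenge." + domain.rstrip(".")


def dns01_zone_line(domain: str, token: str, thumbprint: str, ttl: int = 60) -> str:
    """Zone-file line to add at the DNS provider; a short TTL keeps the retry loop fast."""
    return f'{dns01_record_name(domain)}. {ttl} IN TXT "{dns01_txt_value(token, thumbprint)}"'


def dns01_record_satisfied(observed: Iterable[str], token: str, thumbprint: str) -> bool:
    """True if any observed TXT string equals the expected value; the CA accepts any one match."""
    expected = dns01_txt_value(token, thumbprint)
    return any(rec.strip('"') == expected for rec in observed)


def check_with_resolver(domain: str, token: str, thumbprint: str,
                        lookup_txt: Callable[[str], List[str]]) -> bool:
    """Run the check through a lookup callable so a real resolver can be plugged in later."""
    return dns01_record_satisfied(lookup_txt(dns01_record_name(domain)), token, thumbprint)


# --- constructed sample data (assumptions, not values from the thread) ---
SAMPLE_DOMAIN = "ideletemyself.mooo.com"
SAMPLE_TOKEN = "constructed-token-0123456789abcdefghijklmn"
SAMPLE_JWK = {  # constructed EC JWK; the coordinates are placeholders, not a real key
    "kty": "EC", "crv": "P-256",
    "x": "placeholder-x-coordinate", "y": "placeholder-y-coordinate",
    "alg": "ES256",
}

if __name__ == "__main__":
    tp = jwk_thumbprint(SAMPLE_JWK)
    print(dns01_zone_line(SAMPLE_DOMAIN, SAMPLE_TOKEN, tp))
    # Constructed "zone": what a resolver would return once the record is published.
    published = {dns01_record_name(SAMPLE_DOMAIN): [dns01_txt_value(SAMPLE_TOKEN, tp)]}
    print(check_with_resolver(SAMPLE_DOMAIN, SAMPLE_TOKEN, tp, lambda name: published.get(name, [])))
    # Before publishing (or at a provider that drops the record) the check is False.
    print(check_with_resolver(SAMPLE_DOMAIN, SAMPLE_TOKEN, tp, lambda name: []))
```

The lookup callable is the seam for a real resolver query against the provider's authoritative servers, which is what the CA does; querying a local caching resolver instead can report a record as missing long after it was published because of a cached negative answer, which is the same "try again in a few hours" effect the Glowing Bear text warns about for A records.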


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.