Issue certificate for new server

Hi,

I am trying to create a certificate for a new server. I have been facing some problems with certificate creation for some time. The domain name is correct and I am able to connect to the server using the IP and the domain name. Port 80 is open.

My domain is: cloud2.cs.ux.uis.no

I ran this command:
certbot certonly --standalone --cert-name cloud2.cs.ux.uis.no -n -d cloud2.cs.ux.uis.no --non-interactive --agree-tos --email ccp-ops@live.uis.no --http-01-port=65530

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for cloud2.cs.ux.uis.no
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. cloud2.cs.ux.uis.no (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://cloud2.cs.ux.uis.no/.well-known/acme-challenge/NALhA6k6GurcAHmBNASb1PiG2lhaCC4yFRJlb5EVjOQ: Timeout during connect (likely firewall problem)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: cloud2.cs.ux.uis.no
    Type: connection
    Detail: Fetching
    http://cloud2.cs.ux.uis.no/.well-known/acme-challenge/NALhA6k6GurcAHmBNASb1PiG2lhaCC4yFRJlb5EVjOQ:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version):
$ /usr/sbin/apache2 -v
Server version: Apache/2.4.29 (Ubuntu)
Server built: 2020-08-12T21:33:25

The operating system my web server runs on is (include version):
Ubuntu 18.04.5 LTS

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
$ certbot --version
certbot 0.27.0

I don't believe this is correct:

dan@Dan-Hack-Mini  ~  curl http://cloud2.cs.ux.uis.no/.well-known/acme-challenge/NALhA6k6GurcAHmBNASb1PiG2lhaCC4yFRJlb5EVjOQ:
curl: (7) Failed to connect to cloud2.cs.ux.uis.no port 80: Operation timed out

Something, either on your server or elsewhere, is blocking port 80.


@danb35, that is what I am not able to understand. I am able to access my server using the public IP and URL. But when I try to create the certificate, it fails with the operation timed out, and I have searched on Google, where people have suggested checking whether port 80 is open or not.

I am pretty sure port 80 is open, because I am able to access it.

A bit of info regarding the location of this server. This server is behind two firewalls. I can only access this server from inside my network (behind the first firewall) with public IPs. Behind the second firewall, we have this server with a private IP, but the second firewall does the NAT from private to public IP.

But I'm not, and the Let's Encrypt servers aren't. I don't know where they're testing from (it could be anywhere); I'm testing from the Southeast US, but I get the same result from Germany. So I doubt this is any sort of geo-blocking thing, but rather a simple blocked port.

When you're able to access it, from what network are you able to do so? Are you able to reach your server from the public Internet? A good way to test that is to turn off WiFi/WLAN on your phone and try to connect.


I am able to connect to the server from our network behind the firewall. This was not accessible from outside, because the firewall is blocking access from outside.

Accessing it from the public internet also works, provided I am using SSH port forwarding through a publicly accessible server or a VPN connection to our network.

Well, there's your problem--Let's Encrypt needs to be able to connect from the outside on port 80 in order to validate your control over the domain. If this isn't possible, you won't be able to obtain a cert using HTTP validation (which is what's used in standalone mode). You may want to look into using DNS validation instead.

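A pre-flight check for the reachability requirement danb35 describes, added here as an example that is not from this thread or from Certbot: it resolves the name, flags addresses that are not publicly routable, and attempts the same TCP connection to port 80 that the Let's Encrypt validator makes. It assumes Python 3 and uses the hostname from the original post.

```python
import ipaddress
import socket

ACME_PORT = 80  # http-01 always targets 80; --http-01-port only moves the local listener


def classify_address(ip_text):
    """Return 'public', 'private' or 'invalid'; only public space can pass HTTP-01."""
    try:
        return "public" if ipaddress.ip_address(ip_text).is_global else "private"
    except ValueError:
        return "invalid"


def probe_port(ip_text, port=ACME_PORT, timeout=5.0):
    """TCP connect attempt; returns (reachable, reason). 'timeout' is what a firewall
    dropping SYNs looks like (the thread's error); 'refused' means nothing listens."""
    family = socket.AF_INET6 if ":" in ip_text else socket.AF_INET
    with socket.socket(family, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((ip_text, port))
        except socket.timeout:
            return False, "timeout"
        except ConnectionRefusedError:
            return False, "refused"
        except OSError as exc:
            return False, f"error: {exc}"
    return True, "connected"


def preflight(hostname):
    """Resolve A/AAAA records and report one finding per address."""
    try:
        infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return [f"{hostname}: no A/AAAA record"]
    findings = []
    for ip in sorted({info[4][0] for info in infos}):
        kind = classify_address(ip)
        if kind != "public":
            findings.append(f"{ip}: {kind} address, unreachable for HTTP-01")
        else:
            findings.append(f"{ip}:{ACME_PORT} {probe_port(ip)[1]}")
    return findings


if __name__ == "__main__":
    for line in preflight("cloud2.cs.ux.uis.no"):  # hostname from the thread
        print(line)
```

Run it from a host outside both firewalls (for example over a phone's mobile data, as suggested above); from inside the network it reproduces the poster's own misleading success.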

@danb35, thanks for the info and clarification. But I still can't figure out the problem because:

  1. I have one more server in the same scenario with Ubuntu 16.04, where the standalone certificate is working fine without being accessible from outside my firewall. I had some problems with renewal on that server; once I used force-renewal it was successful. (Revoke and Renew lets encrypt certificate issues with acmev01 to acmev02)

  2. If it is working for the renewal of a certificate on one machine, why would I not be able to create a certificate without the server being accessible from outside the firewall?
