Issue getting ssl on freenom .tk domain

I have port 80, 443, OpenSSH, and Nginx FULL via ufw

My domain is: ignacio.tk

I ran this command: sudo certbot --nginx -d ignacio.tk -d www.ignacio.tk

It produced this output: root@ignacio-VirtualBox:~# sudo certbot --nginx -d ignacio.tk -d www.ignacio.tk
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for ignacio.tk
http-01 challenge for www.ignacio.tk
Waiting for verification…
Challenge failed for domain ignacio.tk
Challenge failed for domain www.ignacio.tk
http-01 challenge for ignacio.tk
http-01 challenge for www.ignacio.tk
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

My web server is (include version):

The operating system my web server runs on is (include version): ubuntu 20.04 (nginx)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): ubuntu 20.04 terminal (nginx)

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.40.0-1

1 Like

Hi @iscroggs

see your result, see your check - https://check-your-website.server-daten.de/?q=ignacio.tk

  • A wrong private ip address (that address is ignored)
  • the correct ip address doesn’t answer, only timeouts

Works http internal?

A working port 80 is required if you want to use http validation.

PS: That’s a not working webserver, so it’s not relevant that it is a freenom and .tk domain.

1 Like

I’m very new to domains. How do I find the correct ip to use from Ubuntu. I used the icanhazip for the public IP and I also linked the static IP to the domain

1 Like

You can check your IP from your command line by making requests to external checking websites, such as ifconfig.co or whatismyip.akamai.com.
Run curl -4 ifconfig.co or curl -4 whatismyip.akamai.com for your IPv4 address.
Run curl -6 ifconfig.co or curl -6 whatismyip.akamai.com for your IPv6 address.

P.S. You may not have a IPv6 or IPv4 address, it’s entirely possible. (coming from your ISP)

3 Likes

Would this be the IP I would use for dns on my domain?

1 Like

This would be the IP you use if your server only has 1 IPv4 address.

1 Like

Thank you, I linked that to the domain but still no connection. I’m not sure why I can’t connect. I keep hearing it’s port 80 but I have it open using ufw

image
This means you have more than 1 address on the same hostname.
You only need 174.24.20.243. Please remove the three other IPs as they are internal IP.

You also need to make sure you are allowing the IP on your local route (or ethernet gateway) since you are using CentryLink as your hosting and the IP looks like residential.

1 Like

Thank you so much, I will make those changes

1 Like

Your Internet DNS has the same problem for both “ignacio.tk” and “www.ignacio.tk”:

Name:    ignacio.tk
Addresses:  127.0.0.1
          127.0.1.1
          174.24.20.243
          10.2.0.15

Name:    www.ignacio.tk
Addresses:  127.0.1.1
          174.24.20.243
          10.2.0.15
          127.0.0.1

There should only be one IP:174.24.20.243

2 Likes

We should probably also advise you to use a dynamic dns service. @all What’s this community recommendation as to the best one? (edit: a quick search gave me this script that can update your ip address without an external service: https://github.com/mkorthof/freenom-script)

An then you should check port forwarding, make sure that ports 80 and 443 on your router’s external interface get forwarded to your server.

I’m not too certain about overall differences in DDNS services.
To me they are pretty much equal.
In the best case (most secure) scenario:
You use a real domain name, CNAME that to a DDNS name.
[The DDNS name merely functions to resolve the name to its’ current IP.]
You connect to the current IP and securely communicate with the real domain name.
[you also use methods to secure the use of certs from your real domain]

But in this particular case, the domain in use is a free domain from the TLD .TK
This step in and of itself is already insecure, so this setup will never be truly 100% secure (IMHO).

The difference goes down to the same difference DNS services have: who has the least buggy authoritative nameservers? (and, specific to ddns: who has the least painful ip update process?)

Well that leaves much to the user experience (Windows, Linux, MAC).

I can see that there may be global DNS performance/availability/reliability differences.
However, for those that are set on choosing only FREE services, such a difference may not be a deal breaker.

In the end we are talking about cases where the user can’t have, or afford, a static IP in the first place.

TLS on the cheap!

I cleared the extra DNS addresses from both ignacioi.tk and www.ignacio.tk, I am having trouble figuring out how to allow the IP on my local route. I am using ubuntu on a VirtualBox when using certbot for SSL certification. Any extra help would be greatly appreciated.

I think this strongly depends on your router, and it might be better to look up your router model on Google with “your_router_model port forwarding”.
You might just need port forwarding, you might have more things to do, it just depends on how exactly you’ve set up the services/webserver. There’s just too many ways to do this.

I realized how much of an issue this is when I bought a VPS that didn’t have a full ipv4 (it shared, 20 ports each) but had an /80 subnet in ipv6 (yeah, it’s small – but my machine also has 128MB of ram and costs $2/year).

ipv4s are freaking expensive, the biggest part in the price of a cheap vps.

1 Like

The worst part of not having an IPv4 address is that the Internet is not fully functional via IPv6 only.
It is mid 2020 and we are still reliant on IPv4 to do some of the simplest/most basic things on the Internet.
For example, by that I mean if you create a simple Windows 10 client PC system and only use IPv6, it won’t even be able to do Windows Updates.
If you tried to reach some large sites (like: IBM, FORD, GE) you would get redirected to BING.
And only if you added “www.” to them would you actually then reach a site.
And don’t get me started on why browsers still default to HTTP rather than HTTPS…

The world seems to turn soooo very slowly these days :frowning:

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.