Issue with renewing cert with bitwarden

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: pandanet.mynetgear.com

I ran this command: sudo ./bitwarden.sh updatecert

It produced this output:

 _     _ _                         _            
| |__ (_) |___      ____ _ _ __ __| | ___ _ __  
| '_ \| | __\ \ /\ / / _` | '__/ _` |/ _ \ '_ \ 
| |_) | | |_ \ V  V / (_| | | | (_| |  __/ | | |
|_.__/|_|\__| \_/\_/ \__,_|_|  \__,_|\___|_| |_|

Open source password management solutions
Copyright 2015-2021, 8bit Solutions LLC
https://bitwarden.com, https://github.com/bitwarden

===================================================

bitwarden.sh version 1.39.4
Docker version 20.10.7, build f0df350
docker-compose version 1.28.5, build c4eb3a1f

Pulling mssql         ... done
Pulling web           ... done
Pulling attachments   ... done
Pulling api           ... done
Pulling identity      ... done
Pulling sso           ... done
Pulling admin         ... done
Pulling portal        ... done
Pulling icons         ... done
Pulling notifications ... done
Pulling events        ... done
Pulling nginx         ... done
Using default tag: latest
latest: Pulling from certbot/certbot
Digest: (not sure if this should be private, but I'm going to snip it just in case)
Status: Image is up to date for certbot/certbot:latest
docker.io/certbot/certbot:latest

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/pandanet.mynetgear.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for pandanet.mynetgear.com

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: pandanet.mynetgear.com
  Type:   connection
  Detail: Fetching http://pandanet.mynetgear.com/.well-known/acme-challenge/rql-rpfrcURjQvdbrBgVOSCj_3EuUiiWbOX9cPBnEJI: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority couldn't exterally verify that the standalone plugin completed the required http-01 challenges. Ensure the plugin is configured correctly and that the changes it makes are accessible from the internet.

Saving debug log to /etc/letsencrypt/logs/letsencrypt.log
Failed to renew certificate pandanet.mynetgear.com with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/pandanet.mynetgear.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /etc/letsencrypt/logs/letsencrypt.log or re-run Certbot with -v for more details.
vowals@PandaServer:~$ 


The operating system my web server runs on is (include version): Ubuntu 20.04.2

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): whatever Bitwarden is using, but it claims to be latest

For some context, I noticed that I was getting SSL errors when trying to use Bitwarden, so I tried to renew the cert, and I'm getting an error. Any help is much appreciated. I can put the logs in here too; I was just worried sensitive info might be in them. Let me know if it's safe to post here. I censored the Digest because it looked like something that was sensitive info, but I can post it back if it is important. Also, I already have port 80 allowed on UFW, so I don't think it's a firewall issue.


Well, maybe it's bigger than just port 80, because while I can ping your IP address 72.219.177.131, I can't connect to port 80, nor port 443. Or any other regular port for that matter.

Perhaps a home NAT router needs some portmaps?


I have ports 80 and 443 already open, so I don't think that is the issue, unless I misunderstood what port mapping is.


Maybe...
Ports 80 and 443 remain closed:

curl -Iki http://pandanet.mynetgear.com
curl: (56) Recv failure: Connection reset by peer

curl -Iki https://pandanet.mynetgear.com
curl: (7) Failed to connect to pandanet.mynetgear.com port 443: Connection timed out
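The two curl results above differ in a way that matters for diagnosis: a connection reset means the SYN reached something that answered and then closed, while a timeout means the packets were silently dropped. The script below, an added example that is not code from the thread, Bitwarden or certbot, does what the CA does for an HTTP-01 challenge (fetch `http://<host>/.well-known/acme-challenge/<token>`) and classifies the result as ok / wrong body / HTTP error / refused / reset / timeout. It ships with a toy loopback responder standing in for certbot's standalone plugin so it runs offline; the token is the one from the certbot output above, and the `.constructed-thumbprint` key authorization, the `start_responder` and `probe_http01` names, and the loopback port are assumptions of this example.

```python
import http.server
import socket
import threading
import urllib.error
import urllib.request

# Path the ACME server fetches for an HTTP-01 challenge (RFC 8555, section 8.3).
ACME_PATH = "/.well-known/acme-challenge/"


class _ChallengeHandler(http.server.BaseHTTPRequestHandler):
    """Toy stand-in for certbot's standalone responder (hypothetical test helper):
    serves the key authorization for known tokens and 404 for anything else."""
    tokens = {}

    def do_GET(self):
        token = self.path[len(ACME_PATH):] if self.path.startswith(ACME_PATH) else None
        key_authz = self.tokens.get(token)
        if key_authz is None:
            self.send_error(404)
            return
        data = key_authz.encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_responder(token, key_authz, bind="127.0.0.1", port=0):
    """Start the toy responder in a background thread; port=0 picks a free port."""
    _ChallengeHandler.tokens[token] = key_authz
    srv = http.server.HTTPServer((bind, port), _ChallengeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe_http01(host, port, token, expected=None, server_name=None, timeout=5.0):
    """Fetch the challenge URL the way the CA would and classify the outcome.

    Returns "ok", "wrong-body", "http-<status>", "refused", "reset", "timeout"
    or "unreachable:<reason>".  "timeout" means packets are dropped on the way
    (firewall/NAT); "refused" or "reset" means the SYN reached a host that
    answered, so the problem is not a silent drop.
    """
    url = f"http://{host}:{port}{ACME_PATH}{token}"
    headers = {"Host": server_name} if server_name else {}
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode(errors="replace").strip()
    except urllib.error.HTTPError as e:
        return f"http-{e.code}"
    except urllib.error.URLError as e:
        reason = e.reason
        if isinstance(reason, socket.timeout):
            return "timeout"
        if isinstance(reason, ConnectionRefusedError):
            return "refused"
        if isinstance(reason, ConnectionResetError):
            return "reset"
        return f"unreachable:{reason}"
    except socket.timeout:
        return "timeout"
    except ConnectionResetError:
        return "reset"
    if expected is not None and body != expected:
        return "wrong-body"
    return "ok"


if __name__ == "__main__":
    # Constructed sample: the token is from the certbot output in the thread; the
    # key authorization suffix is made up (a real one is token.<JWK thumbprint>).
    token = "rql-rpfrcURjQvdbrBgVOSCj_3EuUiiWbOX9cPBnEJI"
    key_authz = token + ".constructed-thumbprint"
    srv = start_responder(token, key_authz)
    port = srv.server_address[1]
    print("responder up   :", probe_http01("127.0.0.1", port, token, key_authz))  # ok
    print("unknown token  :", probe_http01("127.0.0.1", port, "not-a-token"))     # http-404
    srv.shutdown()
    srv.server_close()
    print("responder down :", probe_http01("127.0.0.1", port, token))             # refused
    # Against a real host, run from a machine outside the LAN, e.g.
    # probe_http01("72.219.177.131", 80, token, server_name="pandanet.mynetgear.com")
```

Run the probe from outside your own network (the CA's view), not from the LAN: many home routers do not hairpin port forwards, so a LAN-side test can succeed while the public side still times out. Passing `server_name` sets the Host header so a front-end that routes by name, such as the nginx container in the Bitwarden stack, is exercised the same way the CA exercises it.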


Port mapping is just port forwarding, right? If so, I have them set to open, so I don't know why they would be closed. Could the reason why it's closed be that nothing is using the port right now? Whenever I try to start Bitwarden it hangs:

_     _ _                         _            
| |__ (_) |___      ____ _ _ __ __| | ___ _ __  
| '_ \| | __\ \ /\ / / _` | '__/ _` |/ _ \ '_ \ 
| |_) | | |_ \ V  V / (_| | | | (_| |  __/ | | |
|_.__/|_|\__| \_/\_/ \__,_|_|  \__,_|\___|_| |_|

Open source password management solutions
Copyright 2015-2021, 8bit Solutions LLC
https://bitwarden.com, https://github.com/bitwarden

===================================================

bitwarden.sh version 1.39.4
Docker version 20.10.7, build f0df350
docker-compose version 1.28.5, build c4eb3a1f

Pulling mssql         ... done
Pulling web           ... done
Pulling attachments   ... done
Pulling api           ... done
Pulling identity      ... done
Pulling sso           ... done
Pulling admin         ... done
Pulling portal        ... done
Pulling icons         ... done
Pulling notifications ... done
Pulling events        ... done
Pulling nginx         ... done
Using default tag: latest
latest: Pulling from certbot/certbot
Digest: -snip-
Status: Image is up to date for certbot/certbot:latest
docker.io/certbot/certbot:latest

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/pandanet.mynetgear.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


and then gives the same error that I showed above.


Also, after attempting to reinstall Bitwarden, this happened:

vowals@PandaServer:~$ sudo ./bitwarden.sh install
 _     _ _                         _            
| |__ (_) |___      ____ _ _ __ __| | ___ _ __  
| '_ \| | __\ \ /\ / / _` | '__/ _` |/ _ \ '_ \ 
| |_) | | |_ \ V  V / (_| | | | (_| |  __/ | | |
|_.__/|_|\__| \_/\_/ \__,_|_|  \__,_|\___|_| |_|

Open source password management solutions
Copyright 2015-2021, 8bit Solutions LLC
https://bitwarden.com, https://github.com/bitwarden

===================================================

bitwarden.sh version 1.39.4
Docker version 20.10.7, build f0df350
docker-compose version 1.28.5, build c4eb3a1f

(!) Enter the domain name for your Bitwarden instance (ex. bitwarden.example.com): pandanet.mynetgear.com

(!) Do you want to use Let's Encrypt to generate a free SSL certificate? (y/n): y

(!) Enter your email address (Let's Encrypt will send you certificate expiration reminders): -snip-

Using default tag: latest
latest: Pulling from certbot/certbot
Digest: sha256:1de29b86aa08f09b944b89dc74f1b3a4789b53eb7addeb2b29c276ec730a402f
Status: Image is up to date for certbot/certbot:latest
docker.io/certbot/certbot:latest
Saving debug log to /etc/letsencrypt/logs/letsencrypt.log
Account registered.
Requesting a certificate for pandanet.mynetgear.com

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: pandanet.mynetgear.com
  Type:   connection
  Detail: Fetching http://pandanet.mynetgear.com/.well-known/acme-challenge/deXdOUuJ7m-tOzFtrgYKpznOgKskA28u3SK2kGChmlY: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority couldn't exterally verify that the standalone plugin completed the required http-01 challenges. Ensure the plugin is configured correctly and that the changes it makes are accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /etc/letsencrypt/logs/letsencrypt.log or re-run Certbot with -v for more details.



Is there any other device that could be blocking HTTP or hasn't been configured to NAT/port forward HTTP correctly?


Not that I know of; I had not changed anything before this all happened.

Something is keeping inbound HTTP requests from being heard/responded.

Is there a good way to find out what is? I've been messing around with Nmap, looking at my docker containers, and looking through all the applications open, and can't seem to find anything. Are there any programs or something that may help with the search?

tcpdump or wireshark might be useful.
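A tcpdump capture taken on the server while someone probes port 80 from outside answers the question asked above in one pass, because the four possible outcomes look different on the wire: no SYN at all (the router, ISP or upstream NAT is not delivering the port to this host), SYNs with no reply (a host firewall such as ufw/iptables or Docker's own chain is dropping them), SYNs answered with RST (the host is reachable but nothing is accepting on that port), or a SYN-ACK (end-to-end reachable). The classifier below is an added example, not from any participant in this thread; it parses the one-line-per-packet output of `tcpdump -nn -i <iface> 'tcp port 80'` and reports which case applies. The sample captures, the LAN address `192.168.1.10`, the probing client `198.51.100.7` and the `classify_inbound`/`parse_packets` names are constructed for this example; only IPv4 lines in `-nn` format are handled.

```python
import re

# One tcpdump -nn line per packet, e.g.
#   12:00:01.000001 IP 198.51.100.7.51000 > 192.168.1.10.80: Flags [S], seq 1, ...
_PKT = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_packets(lines):
    """Yield (src, sport, dst, dport, flags) for every line that parses as a packet."""
    for line in lines:
        m = _PKT.match(line.strip())
        if m:
            yield (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])


def classify_inbound(lines, port=80):
    """Decide where inbound connections to `port` are being lost.

    "no-syn-seen"          no SYN reached this interface: block is upstream
                           (router NAT / port forward, ISP, cloud security group)
    "syn-dropped-locally"  SYNs arrive, host never answers: host firewall drop
    "rst-no-listener"      host answers RST: reachable, nothing accepting on port
    "handshake-ok"         SYN-ACK goes back: port reachable end to end
    """
    syn_in = synack_out = rst_out = False
    for src, sport, dst, dport, flags in parse_packets(lines):
        pure_syn = "S" in flags and "." not in flags      # [S]  = SYN
        if dport == port and pure_syn:
            syn_in = True
        elif sport == port and "S" in flags and "." in flags:  # [S.] = SYN-ACK
            synack_out = True
        elif sport == port and "R" in flags:                 # [R] / [R.] = reset
            rst_out = True
    if not syn_in:
        return "no-syn-seen"
    if synack_out:
        return "handshake-ok"
    if rst_out:
        return "rst-no-listener"
    return "syn-dropped-locally"


# Constructed sample captures (not taken from the thread); addresses are made up.
CAPTURE_UPSTREAM_BLOCK = []  # tcpdump printed nothing while the outside probe ran

CAPTURE_LOCAL_DROP = [
    "12:00:01.000001 IP 198.51.100.7.51000 > 192.168.1.10.80: Flags [S], seq 1, win 64240, length 0",
    "12:00:02.000002 IP 198.51.100.7.51000 > 192.168.1.10.80: Flags [S], seq 1, win 64240, length 0",
]

CAPTURE_NOTHING_LISTENING = [
    "12:00:01.000001 IP 198.51.100.7.51000 > 192.168.1.10.80: Flags [S], seq 1, win 64240, length 0",
    "12:00:01.000050 IP 192.168.1.10.80 > 198.51.100.7.51000: Flags [R.], seq 0, ack 2, win 0, length 0",
]

CAPTURE_OK = [
    "12:00:01.000001 IP 198.51.100.7.51000 > 192.168.1.10.80: Flags [S], seq 1, win 64240, length 0",
    "12:00:01.000050 IP 192.168.1.10.80 > 198.51.100.7.51000: Flags [S.], seq 9, ack 2, win 65160, length 0",
    "12:00:01.000090 IP 198.51.100.7.51000 > 192.168.1.10.80: Flags [.], ack 10, win 502, length 0",
]

if __name__ == "__main__":
    samples = [
        ("upstream block", CAPTURE_UPSTREAM_BLOCK),
        ("local drop", CAPTURE_LOCAL_DROP),
        ("nothing listening", CAPTURE_NOTHING_LISTENING),
        ("reachable", CAPTURE_OK),
    ]
    for name, cap in samples:
        print(f"{name:18s} -> {classify_inbound(cap)}")
```

To use it on a real box: start `sudo tcpdump -nn -i <iface> 'tcp port 80'` on the server, run an outside probe (a phone off Wi-Fi, or a machine elsewhere) against the public address, stop the capture and feed its lines to `classify_inbound`. If the verdict is "no-syn-seen", nothing on the server can be at fault and the router's forwarding rule or the ISP is where to look; if SYNs arrive, `ss -ltnp 'sport = :80'` and `iptables -L -n -v` on the host tell you whether a listener exists and which chain is dropping. With Docker-published ports the host still sees the SYN on its outside interface, so the same reading applies.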

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.