Issues generating a Let's Encrypt certificate

My domain is: xxx.servepics.com

I ran this command: sudo certbot certonly --standalone -d xxx.servepics.com

It produced this output: Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for xxx.servepics.com

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: xxx.servepics.com
Type: connection
Detail: 0.0.0.0 : Fetching http://xxx.servepics.com/.well-known/acme-challenge/HRrDKuNVZNLqh0ujkRmzLPyAL5kGH1iShiKuIcP2m5s: Error getting validation data

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Ubuntu 22.04.5

The operating system my web server runs on is (include version): Ubuntu 22.04.5

My hosting provider, if applicable, is: Oracle cloud

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.21.0

That's not my real domain because I've opened quite a few ports for testing, which is risky if I expose it to the public. I'm using a subdomain.

The --standalone method is difficult to debug because you need to keep Certbot running to test connection from the public internet.

An easier way to test this is to use these command options

certbot certonly --standalone --dry-run --debug-challenges -v -d (domain)

This command will show you the challenge URL to try from the public internet and the proper response. After showing you this it will say "Press Enter to Continue". DO NOT PRESS ENTER.

Leave it paused like that and use a different device to test the connection. You can use a mobile phone with wifi disabled so that you use your carrier's network.

You do not have to use the full URL. Just try http://(yourdomain)

If the connection works, this shorter URL should get a response like the one below. I am pretty sure you will initially get a failure message similar to the one Let's Encrypt reported. But, use this technique to modify your comms setup until it works.

ACME client standalone challenge solver
3 Likes

It does everything you described, but when I go to the domain name, it doesn't work—it can't find anything, even though the domain name correctly redirects to the IP of my VPS server. This domain is hosted by No-IP.com. I had the same issue on another server before, and I managed to fix it by running the command sudo certbot certonly --standalone -d xxx.servepics.com, but this time it's not working.

Thank you for your help!

The results of the command are as follows:

sudo certbot certonly --standalone --dry-run --debug-challenges -v -d xxx.servepics.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Account registered.
Simulating a certificate request for xxx.servepics.com
Performing the following challenges:
http-01 challenge for xxx.servepics.com


Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about
challenges.


Press Enter to Continue

I canceled the command after I saw that it wasn't working because you said not to press Enter.

Wasn't working? What did it show on the other device when you connected to your domain from the public internet?

I see you got a cert today with a subdomain starting with "zen....". Is that the domain you are having problems with?

Each domain name in a cert is published in public transparency logs. Thinking you are hidden will not help you from security holes.

4 Likes

When I went to the link, it showed me this:

And for the domain name, no, there isn't a "zen....." in it; it ends with servepics.com.

The webpage is in French because I am French; it says the site is inaccessible.

Somebody got a cert for a subdomain of that today: crt.sh | 15000612071
Just thought it might have been you

The screen you showed was a "Timeout" error. You need to find out why you cannot connect to that domain from the public internet

Leave the --standalone command running until you figure out what config problem you have and when you can connect successfully

5 Likes

I think the error is coming from the VPS. I've opened all the ports, but when I try to ping port 80 on my VPS, it doesn't work.

That's a good starting test too. Just know that ping uses UDP connection but HTTP will use TCP

So, it is possible one will work but the other still fail

4 Likes

I'm unable to find the problem, and no ports are open even though I've opened them all:

root@pterodactyl:~# curl -I http://0.0.0.0:80
curl: (7) Failed to connect to 0.0.0.0 port 80 after 0 ms: No route to host
root@pterodactyl:~#

That was a test from your local machine.

Was there anything listening on port 80 when you tried that? Does this show anything

sudo ss -pant | grep :80 | grep -i listen

I see your command prompt says "pterodactyl". Are you planning on running an nginx server once it is setup? Because --standalone is a poor choice if that is your plan

4 Likes

Yes, I want to run an Nginx server, but I had to use that because Nginx crashes since it doesn't have a certificate, so I can't generate it through Nginx. I had already set up a site using standalone, and it worked, which is why I'm using it again.

The result of the command is as follows:

root@pterodactyl:~# sudo ss -pant | grep :80 | grep -i listen 
root@pterodactyl:~#

If nothing is listening on port 80 your curl to that port will always fail.
If you keep --standalone running at least something will be listening

nginx can run without a cert. You just set up a server block with only HTTP support (for port 80). You could also create a self-signed cert and set up an nginx server block for HTTPS with that. You might even have some in your Ubuntu system already in /etc/ssl (look for snakeoil and see Ubuntu docs). These are just basic nginx config techniques. How you do that in pterodactyl is probably better asked at their support forum.

4 Likes

That's not really a good reason. Once you've managed to get a certificate issued, that cert will be submitted to a few certificate transparency logs, and these logs are monitored by all kinds of people: benign people doing good stuff and malign people trying to abuse newly installed instances. E.g., some webapps got free certs during their onboarding process while a default password was still configured. Thus, script kiddies monitoring CT logs could easily "hack" these newly onboarded webapps using these default passwords.

Thus, once your cert is issued, expect portscans, scripted "hack" attempts and whatnot. Therefore, you should NOT rely on this "security by obscurity", as it's dubious at best and plainly unsafe to begin with at worst.

4 Likes

Yes, it's just in case, but it's true I can say it.

I managed to generate the certificate—the problem was that I had opened the ports in iptables using -A INPUT instead of -I INPUT.

Thank you for your help!

1 Like

The only difference between -A and -I is the position of the added rule: "A" for "append" at the bottom of the chain and "I" for "insert", where you can specify a rule number, which defaults to "1", the top of the chain.

Please make sure you read up on how iptables works and make sure you've got your chain(s) in order. Figuratively and literally.

2 Likes
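The two checks the replies above walk through by hand (is anything listening on port 80, and does the INPUT chain actually let a new connection reach it, given that -A appends after an existing terminating rule) can be scripted. The following is an added example, not code from any post in this thread or from Certbot; the function names, the heuristics for which iptables rules count as matching, and both sample inputs are mine and are constructed. Each check reads command output on stdin, so it runs against captured text here and against the live output of ss and iptables -S INPUT when PREFLIGHT_LIVE=1 is set.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks before a
# certbot --standalone attempt. Both functions read command output on stdin
# so they can be exercised on captured text; preflight_live feeds them the
# real output of ss and iptables on this host.

# Print "listening" if some process has a LISTEN socket on tcp PORT, else
# "nothing". Input: output of `ss -pant` (column 1 = state, column 4 = local
# address:port, e.g. 0.0.0.0:80 or [::]:80).
port_has_listener() {
    awk -v p="$1" '
        $1 == "LISTEN" {
            n = split($4, a, ":")      # port is the last colon-separated piece
            if (a[n] == p) found = 1
        }
        END { print (found ? "listening" : "nothing") }'
}

# Walk the INPUT chain in rule order and print the verdict a NEW tcp
# connection to PORT gets: ACCEPT, DROP, REJECT, or the chain policy.
# Input: output of `iptables -S INPUT`. Heuristics (assumed, not exhaustive):
# a rule matches when it has no -p/--dport, or -p tcp with --dport PORT;
# rules scoped to loopback (-i lo) or to conntrack states without NEW are
# skipped; -s and --dports (multiport) are not parsed.
firewall_verdict_tcp() {
    awk -v p="$1" '
        /^-P INPUT/ { policy = $3; next }
        /^-A INPUT/ {
            target = ""; proto = ""; dport = ""; iface = ""; state = ""
            for (i = 1; i < NF; i++) {
                if ($i == "-j") target = $(i + 1)
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "-i") iface = $(i + 1)
                if ($i == "--ctstate" || $i == "--state") state = $(i + 1)
            }
            if (iface == "lo") next
            if (state != "" && state !~ /NEW/) next
            if (proto != "" && proto != "tcp") next
            if (dport != "" && dport != p) next
            if (target == "ACCEPT" || target == "DROP" || target == "REJECT") {
                verdict = target; exit        # first terminating match wins
            }
        }
        END { print (verdict != "" ? verdict : policy) }'
}

# Constructed sample inputs (not real output from the poster's host).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=700,fd=3))
LISTEN 0      4096   0.0.0.0:80         0.0.0.0:*         users:(("certbot",pid=4242,fd=5))'

# Port-80 rule added with -A lands after the REJECT, so new traffic never reaches it.
RULES_APPENDED='-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT'

# Same rule added with -I (rule number 1) sits at the top of the chain.
RULES_INSERTED='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

demo_listener() { printf '%s\n' "$SAMPLE_SS" | port_has_listener "$1"; }
demo_appended() { printf '%s\n' "$RULES_APPENDED" | firewall_verdict_tcp "$1"; }
demo_inserted() { printf '%s\n' "$RULES_INSERTED" | firewall_verdict_tcp "$1"; }

# Run both checks against this host (iptables needs root). Not run by default.
preflight_live() {
    port="${1:-80}"
    echo "port $port listener:      $(ss -pant | port_has_listener "$port")"
    echo "port $port INPUT verdict: $(iptables -S INPUT | firewall_verdict_tcp "$port")"
}

if [ "${PREFLIGHT_LIVE:-0}" = 1 ]; then preflight_live "${PORT:-80}"; fi
```

On the constructed samples, demo_appended 80 prints REJECT and demo_inserted 80 prints ACCEPT, which is the whole -A versus -I difference in one line each. Run it live with `sudo PREFLIGHT_LIVE=1 sh preflight.sh` while certbot is paused at "Press Enter to Continue", so that the listener check has something to find; a "nothing" there means the port test is meaningless, as the reply above notes.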

example.com is the proper domain name to use if you redacted the actual domain name.

As https://example.com/ shows the intended usages

Example Domain
This domain is for use in illustrative examples in documents. You may use this domain in literature without prior coordination or asking for permission.

Also see:

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.