Issues getting certificate

Domain: cloud.ihasamoose.ca

Context: I had an apache server running, but I accidentally blew it up, so I wiped and reformatted. Everything is peachy, except I can’t run let’s encrypt. Here is the error I’m getting:

Running letsencrypt
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for cloud.ihasamoose.ca
Using the webroot path /var/www/nextcloud for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. cloud.ihasamoose.ca (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://cloud.ihasamoose.ca/.well-known/acme-challenge/TmTb-Chp1U-06y07E211zxmas80W25ed8hGsIypNUZY: Timeout during connect (likely firewall problem)
IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: cloud.ihasamoose.ca
    Type: connection
    Detail: Fetching
    http://cloud.ihasamoose.ca/.well-known/acme-challenge/TmTb-Chp1U-06y07E211zxmas80W25ed8hGsIypNUZY:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.
    Done. Press any key…

Here’s lets encrypt error log:

sudo tail -n 50 /var/log/letsencrypt/letsencrypt.log
}
]
}
]
}
2020-02-03 21:24:00,671:DEBUG:acme.client:Storing nonce: 0102CZ3PfWEFZs2BPTBlrd2z96N7nyg8pew1SODk8SUFLzQ
2020-02-03 21:24:00,674:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: cloud.ihasamoose.ca
Type: connection
Detail: Fetching http://cloud.ihasamoose.ca/.well-known/acme-challenge/TmTb-Chp1U-06y07E211zxmas80W25ed8hGsIypNUZY: Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you’re using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
2020-02-03 21:24:00,677:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
self._respond(aauthzrs, resp, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 168, in _respond
self._poll_challenges(aauthzrs, chall_update, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 239, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. cloud.ihasamoose.ca (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://cloud.ihasamoose.ca/.well-known/acme-challenge/TmTb-Chp1U-06y07E211zxmas80W25ed8hGsIypNUZY: Timeout during connect (likely firewall problem)

2020-02-03 21:24:00,677:DEBUG:certbot.error_handler:Calling registered functions
2020-02-03 21:24:00,678:INFO:certbot.auth_handler:Cleaning up challenges
2020-02-03 21:24:00,678:DEBUG:certbot.plugins.webroot:Removing /var/www/nextcloud/.well-known/acme-challenge/TmTb-Chp1U-06y07E211zxmas80W25ed8hGsIypNUZY
2020-02-03 21:24:00,680:DEBUG:certbot.plugins.webroot:All challenges cleaned up
2020-02-03 21:24:00,681:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/letsencrypt", line 11, in
load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
return config.func(config, plugins)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1250, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 121, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 410, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 353, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 389, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
self._respond(aauthzrs, resp, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 168, in _respond
self._poll_challenges(aauthzrs, chall_update, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 239, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. cloud.ihasamoose.ca (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://cloud.ihasamoose.ca/.well-known/acme-challenge/TmTb-Chp1U-06y07E211zxmas80W25ed8hGsIypNUZY: Timeout during connect (likely firewall problem)

My ports are open; as you can see, you can access cloud.ihasamoose.ca.
Any ideas how to get this guy certified?

1 Like

Hello @ihasamoose

curl http://cloud.ihasamoose.ca
curl: (7) Failed to connect to cloud.ihasamoose.ca port 80: Connection timed out

curl https://cloud.ihasamoose.ca
curl: (7) Failed to connect to cloud.ihasamoose.ca port 443: Connection timed out
And my browser says "The server at cloud.ihasamoose.ca is taking too long to respond."

But cloud.ihasamoose.ca is answering my ping request.

Hope this helps
Rip

1 Like

@Rip
Interesting…
hostname -I
192.168.0.69

Hi,

Your ports 443 and 80 on the IP your website resolves to are still filtered.

There’s a possibility that your ISP does not allow websites on personal accounts (suggested by one user on Reddit): https://www.reddit.com/r/AskTechnology/comments/b5jtor/shaws_blocked_all_inbound_connections/

You might need to directly reach out to them asking for this information.

portqry -e 80 -n cloud.ihasamoose.ca

Querying target system called:

 cloud.ihasamoose.ca

Attempting to resolve name to IP address...


Name resolved to 68.151.22.113

querying...

TCP port 80 (http service): FILTERED

portqry -e 443 -n cloud.ihasamoose.ca

Querying target system called:

 cloud.ihasamoose.ca

Attempting to resolve name to IP address...


Name resolved to 68.151.22.113

querying...

TCP port 443 (https service): FILTERED

Thank you

3 Likes
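The checks in this thread (curl and portqry from outside, hostname -I on the box) are what the ACME server's http-01 validation needs to succeed: a public A record, that address actually terminating on the host running Apache (or forwarded to it), 80/tcp open, and the webroot really serving .well-known/acme-challenge. The script below is an added example written for this thread, not certbot code and not something any poster ran. The domain, addresses and error line it uses are constructed placeholders, and a local Python http.server stands in for Apache in the webroot self-test; the resolver and connector are injectable so the logic can be exercised without a network.

```python
"""Pre-flight checks for an ACME http-01 challenge (added example, not certbot code).
Sample domain, addresses and the SAMPLE_ERROR line are constructed placeholders."""
import functools
import http.server
import ipaddress
import os
import re
import secrets
import socket
import tempfile
import threading
import urllib.request

CHALLENGE_PATH = ".well-known/acme-challenge"

# Constructed stand-in for certbot's "Failed authorization procedure" line.
SAMPLE_ERROR = (
    "Failed authorization procedure. cloud.example.net (http-01): "
    "urn:ietf:params:acme:error:connection :: The server could not connect to "
    "the client to verify the domain :: Fetching "
    "http://cloud.example.net/.well-known/acme-challenge/TOKENPLACEHOLDER: "
    "Timeout during connect (likely firewall problem)"
)


def classify_address(addr):
    """Return 'loopback', 'private' (RFC 1918 / ULA / link-local) or 'public'."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_private or ip.is_link_local:
        return "private"
    return "public"


def parse_certbot_error(text):
    """Extract (domain, ACME error type, challenge URL) from certbot's failure
    line; None when the line does not have that shape."""
    m = re.search(
        r"(\S+) \(http-01\): urn:ietf:params:acme:error:(\w+) .*?Fetching (\S+?): ",
        text,
    )
    return m.groups() if m else None


def tcp_reachable(host, port, timeout=5.0, connect=socket.create_connection):
    """True if a TCP handshake to host:port completes within timeout.
    'connect' is injectable so the check can run without a network."""
    try:
        with connect((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(domain, local_addrs, resolve=socket.gethostbyname,
             connect=socket.create_connection):
    """Report why the CA might not reach http://<domain>/: bad A record,
    address not bound on this host (NAT without forwarding), or 80/tcp closed.
    local_addrs is the list you get from `hostname -I`."""
    findings = []
    try:
        target = resolve(domain)
    except OSError as exc:
        return [f"dns: {domain} does not resolve ({exc})"]
    kind = classify_address(target)
    findings.append(f"dns: {domain} -> {target} ({kind})")
    if kind != "public":
        findings.append("dns: A record is not publicly routable; the CA cannot reach it")
    if target not in local_addrs:
        findings.append("nat: resolved address is not bound on this host; "
                        "the router must forward 80/tcp to it")
    if not tcp_reachable(target, 80, connect=connect):
        findings.append("port80: connect to the public address failed "
                        "(firewall, ISP block, or NAT hairpin when tested from the LAN)")
    return findings


def webroot_self_test(webroot=None):
    """Drop a token under <webroot>/.well-known/acme-challenge and fetch it
    through a throw-away local HTTP server rooted at webroot, the way the CA
    fetches it through Apache. Uses a temporary directory when none is given."""
    webroot = webroot or tempfile.mkdtemp(prefix="acme-selftest-")
    chall_dir = os.path.join(webroot, *CHALLENGE_PATH.split("/"))
    os.makedirs(chall_dir, exist_ok=True)
    token = secrets.token_urlsafe(32)
    expected = token + ".constructed-key-authorization"  # real file holds token.thumbprint
    token_file = os.path.join(chall_dir, token)
    with open(token_file, "w") as fh:
        fh.write(expected)
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=webroot)
    httpd = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    try:
        url = f"http://127.0.0.1:{httpd.server_address[1]}/{CHALLENGE_PATH}/{token}"
        opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore proxy env
        with opener.open(url, timeout=5) as resp:
            return resp.read().decode() == expected
    finally:
        httpd.shutdown()
        httpd.server_close()
        os.remove(token_file)


if __name__ == "__main__":
    print(parse_certbot_error(SAMPLE_ERROR))
    print(*diagnose("cloud.example.net", ["192.168.0.69"]), sep="\n")  # uses real DNS/network
    print("webroot self-test:", webroot_self_test())
```

Run the diagnose step from a host outside the LAN as well: a connect to the public address from inside the network can fail on routers without NAT hairpinning even when the port forward is correct, which is exactly why the external curl and portqry results above carry more weight than anything run on the server itself. Point webroot_self_test at the real webroot (/var/www/nextcloud in this thread) only to confirm the directory is writable and the file lands where expected; whether Apache serves it still has to be checked through Apache.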

As mentioned in OP, it was working earlier today. Maybe it’s just because it was down for a few hours and the DNS needs to refresh?

OK so there’s lots of third party tools here to help you out, but little can be done until your “port forwarding” is resolved.

I don’t recognize the interface you are using so I doubt I can be much more than an interested observer here…

External DNS seems to be resolving your domain correctly.
Don’t give up.
Rip

1 Like

Hi @ihasamoose

really? From outside? There is a check of your domain, three hours old - https://check-your-website.server-daten.de/?q=cloud.ihasamoose.ca#url-checks

Only timeouts, no answer.

1 Like

@ihasamoose, @stevenzhu's point about your provider is a real consideration. I was poking around in shaw.ca Terms of Use and read the following:

You may not run a server in connection with the Shaw Services nor may you provide network services to others via the Shaw Services. Examples of prohibited servers and services include but are not limited to mail, http, ftp, irc, dhcp servers, and multi-user interactive forums. Some business services may be exempt from these limitations...

This posture is all too common these days, and quite unfortunate.

So from my perspective your provider (if it is actually shaw.ca) is holding you hostage for a "business account". Even then, their TOU is vague about your rights to serve content on their system(s).

If it's about freedom, you're not getting it there.
FWIW: I recommend you find an ISP that supports your goals without draconian restrictions.

Rip

PS: @JuergenAuer It was I who used your site to test @ihasamoose's connection. :wink:

1 Like

@JuergenAuer @Rip

Good morning guys,

I found the issue. I had to restore my ISP’s ‘smart wifi/modem’ and when I did that it messed up bridge mode to my router somehow… it’s been broadcasting and conflicting IPs with everything on the bridged router since yesterday morning.

Looks like I just have a faulty ‘SMART’ modem/router that can’t disable bridge mode… heh.

Thanks for the help though!

1 Like

@ihasamoose that’s a step in the right direction. However, your site is still timing out from my location in Oregon.
Still no answer on port(s) 80 or 443.

Rip

@Rip

Yessir, because it was being routed via the ‘smart modem/router’ it had a different IP. Once I routed it through my router, it gave it a new IP. I’ll check in tomorrow, it should update by the morning!

1 Like

Sweet, keep us updated here man…

Looks like it’s working.

Thanks to everyone who took the time out of their day to assist.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.