It produced this output:
sudo certbot --nginx -v
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): hellmanx.ddns.net:3670
Requesting a certificate for hellmanx.ddns.net:3670
Performing the following challenges:
http-01 challenge for hellmanx.ddns.net
Waiting for verification...
Challenge failed for domain hellmanx.ddns.net
http-01 challenge for hellmanx.ddns.net
Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.
Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
My web server is (include version): nginx/1.18.0
The operating system my web server runs on is (include version): Debian 6.0.12-1~bpo11+1 (2022-12-19) x86_64
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.5.0
You need to configure your Comcast internet connection to route ports 80 and 443 to your Debian server. Your webserver needs to be accessible from the internet.
This is usually done by "port forwarding" on your modem/router. It also requires that your Comcast service does not intentionally block you from using these ports.
Irrespective of what port you want to install the certificate on, you need to perform the HTTP challenge over port 80.
Everything is already working correctly. I am using port forwarding to access the webserver right now. I need the certification signed so I don't have that browser warning every so often.
I'll try moving the webserver to port 80 to get the challenge done if that's what's needed. I'll move it back to port 3670 afterward.
I'm just wondering how an auto-renewal will work if certbot doesn't like using specified ports.
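One way to keep the challenge and the renewals on port 80 while the site itself stays on port 3670 is to give nginx two server blocks: a minimal one on port 80 that answers only /.well-known/acme-challenge/ requests from a static webroot and redirects everything else, and the real one on 3670 with the issued certificate. This is an added example, not configuration from the thread, from Certbot or from the nginx project. The hostname, the port 3670 and nginx 1.18.0 come from the thread; the webroot /var/www/letsencrypt, the site root /var/www/html, and the router forwarding (WAN 80 to this host's port 80, WAN 3670 to this host's port 3670) are assumptions. Note that the domain passed to certbot carries no port: certificates name hosts, never ports, which is why the port-suffixed name in the first run did nothing useful.

```nginx
# Added example (not from the thread): port 80 exists only for ACME HTTP-01,
# the application is served over TLS on 3670.
# Assumed: router forwards WAN 80 -> this host:80 and WAN 3670 -> this host:3670,
# /var/www/letsencrypt exists and is writable by certbot, and the certificate
# was issued with the domain only (no port), e.g.
#   certbot certonly --webroot -w /var/www/letsencrypt -d hellmanx.ddns.net

server {
    listen 80;
    listen [::]:80;
    server_name hellmanx.ddns.net;

    # Serve ACME tokens from the static webroot; certbot writes the token file
    # here during issuance and again on every renewal, so this block must stay
    # reachable from the internet on port 80 as long as renewals are wanted.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type "text/plain";
        try_files $uri =404;
    }

    # Anything else goes to the TLS listener. $host would drop the
    # non-standard port, so the external port is spelled out.
    location / {
        return 301 https://hellmanx.ddns.net:3670$request_uri;
    }
}

server {
    # "ssl http2" on the listen line is the form nginx 1.18.0 accepts.
    listen 3670 ssl http2;
    listen [::]:3670 ssl http2;
    server_name hellmanx.ddns.net;

    # Paths certbot maintains; the symlinks under live/ always point at the
    # newest certificate, so a renewal only needs an nginx reload.
    ssl_certificate     /etc/letsencrypt/live/hellmanx.ddns.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/hellmanx.ddns.net/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    add_header Strict-Transport-Security "max-age=31536000" always;

    root /var/www/html;   # assumed site root
    index index.html;
}
```

With this layout the scheduled `certbot renew` replays the same port-80 challenge that issuance used, so the port-80 forward has to remain in place rather than being opened only for the first run; adding `--deploy-hook "systemctl reload nginx"` to the renew command makes nginx pick up the renewed files.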
ANotWorking
Error
hellmanx.ddns.net has an A (IPv4) record (73.214.218.190) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.
A timeout was experienced while communicating with hellmanx.ddns.net/73.214.218.190: Get "http://hellmanx.ddns.net/.well-known/acme-challenge/letsdebug-test": context deadline exceeded
Trace:
@0ms: Making a request to http://hellmanx.ddns.net/.well-known/acme-challenge/letsdebug-test (using initial IP 73.214.218.190)
@0ms: Dialing 73.214.218.190
@10000ms: Experienced error: context deadline exceeded
IssueFromLetsEncrypt
Error
A test authorization for hellmanx.ddns.net to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.
73.214.218.190: Fetching http://hellmanx.ddns.net/.well-known/acme-challenge/dvJZMP1UJgTAZcUF2ueZviSoWHsJzCLe7ScOdXjNjeY: Timeout during connect (likely firewall problem)
$ nmap -Pn hellmanx.ddns.net
Starting Nmap 7.80 ( https://nmap.org ) at 2023-04-09 18:01 UTC
Nmap scan report for hellmanx.ddns.net (73.214.218.190)
Host is up (0.090s latency).
rDNS record for 73.214.218.190: c-73-214-218-190.hsd1.pa.comcast.net
Not shown: 998 filtered ports
PORT STATE SERVICE
444/tcp open snpp
7777/tcp open cbt
Nmap done: 1 IP address (1 host up) scanned in 125.58 seconds
Well using TCP Port 443 (via sudo traceroute -T -p 443 hellmanx.ddns.net) I get the same basic results.
$ sudo traceroute -T -p 443 hellmanx.ddns.net
traceroute to hellmanx.ddns.net (73.214.218.190), 30 hops max, 60 byte packets
1 192.168.1.1 (192.168.1.1) 0.196 ms 0.145 ms 0.171 ms
2 96.120.60.137 (96.120.60.137) 7.769 ms 7.756 ms 7.742 ms
3 ae-312-1258-rur102.beaverton.or.bverton.comcast.net (68.87.217.41) 7.914 ms 7.901 ms 7.932 ms
4 68.85.243.153 (68.85.243.153) 7.869 ms 7.854 ms 7.840 ms
5 96.216.60.113 (96.216.60.113) 7.826 ms 7.691 ms 7.677 ms
6 24.124.129.62 (24.124.129.62) 7.662 ms 12.514 ms 12.495 ms
7 ae-69-ar01.troutdale.or.bverton.comcast.net (68.85.243.197) 17.370 ms 16.192 ms 12.235 ms
8 be-36221-cs02.seattle.wa.ibone.comcast.net (68.86.93.53) 15.654 ms be-36231-cs03.seattle.wa.ibone.comcast.net (68.86.93.57) 15.362 ms be-36241-cs04.seattle.wa.ibone.comcast.net (68.86.93.61) 15.306 ms
9 be-1211-cr11.seattle.wa.ibone.comcast.net (96.110.47.190) 15.269 ms be-1111-cr11.seattle.wa.ibone.comcast.net (96.110.47.178) 15.350 ms 15.322 ms
10 be-302-cr11.champa.co.ibone.comcast.net (96.110.36.213) 40.142 ms 39.829 ms 40.084 ms
11 be-1311-cs03.champa.co.ibone.comcast.net (96.110.37.201) 40.481 ms be-1411-cs04.champa.co.ibone.comcast.net (96.110.37.205) 41.099 ms 39.370 ms
12 be-1413-cr13.champa.co.ibone.comcast.net (96.110.37.238) 38.664 ms be-1414-cr14.champa.co.ibone.comcast.net (96.110.37.254) 38.401 ms be-1213-cr13.champa.co.ibone.comcast.net (96.110.37.230) 37.993 ms
13 be-304-cr13.1601milehigh.co.ibone.comcast.net (96.110.36.206) 39.686 ms be-304-cr14.1601milehigh.co.ibone.comcast.net (96.110.39.14) 39.640 ms be-301-cr13.1601milehigh.co.ibone.comcast.net (96.110.36.194) 39.865 ms
14 be-1314-cs03.1601milehigh.co.ibone.comcast.net (96.110.39.121) 39.836 ms be-1214-cs02.1601milehigh.co.ibone.comcast.net (96.110.39.117) 39.809 ms be-1314-cs03.1601milehigh.co.ibone.comcast.net (96.110.39.121) 40.801 ms
15 be-1211-cr11.1601milehigh.co.ibone.comcast.net (96.110.39.70) 36.695 ms be-1111-cr11.1601milehigh.co.ibone.comcast.net (96.110.39.66) 40.236 ms be-1211-cr11.1601milehigh.co.ibone.comcast.net (96.110.39.70) 40.063 ms
16 be-304-cr21.350ecermak.il.ibone.comcast.net (96.110.37.157) 71.490 ms be-303-cr21.350ecermak.il.ibone.comcast.net (96.110.37.153) 72.803 ms 73.163 ms
17 be-1321-cs23.350ecermak.il.ibone.comcast.net (68.86.82.249) 74.933 ms 74.894 ms be-1221-cs22.350ecermak.il.ibone.comcast.net (68.86.82.245) 73.289 ms
18 be-1124-cr24.350ecermak.il.ibone.comcast.net (68.86.84.138) 73.470 ms be-1324-cr24.350ecermak.il.ibone.comcast.net (68.86.84.170) 73.603 ms be-1424-cr24.350ecermak.il.ibone.comcast.net (68.86.84.174) 72.743 ms
19 be-301-cr12.pittsburgh.pa.ibone.comcast.net (96.110.39.158) 81.973 ms 81.938 ms be-302-cr12.pittsburgh.pa.ibone.comcast.net (96.110.39.162) 82.303 ms
20 be-1212-cs02.pittsburgh.pa.ibone.comcast.net (96.110.38.149) 82.536 ms 80.551 ms 71.020 ms
21 96.110.42.174 (96.110.42.174) 74.461 ms be-31621-ar01.mckeesport.pa.pitt.comcast.net (96.110.42.166) 74.479 ms 71.112 ms
22 po-1-xar02.blairsville.pa.pitt.comcast.net (162.151.152.66) 76.406 ms 76.390 ms 76.306 ms
23 po-1-rur202.blairsville.pa.pitt.comcast.net (96.216.140.194) 76.036 ms 76.346 ms 76.140 ms
24 68.86.102.10 (68.86.102.10) 76.317 ms 75.979 ms 76.219 ms
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
Whereas for Port 3670 (via sudo traceroute -T -p 3670 hellmanx.ddns.net) I get through.
$ sudo traceroute -T -p 3670 hellmanx.ddns.net
traceroute to hellmanx.ddns.net (73.214.218.190), 30 hops max, 60 byte packets
1 192.168.1.1 (192.168.1.1) 0.201 ms 0.190 ms 0.218 ms
2 96.120.60.137 (96.120.60.137) 7.608 ms 7.593 ms 7.580 ms
3 ae-312-1258-rur102.beaverton.or.bverton.comcast.net (68.87.217.41) 7.565 ms 7.552 ms 13.649 ms
4 68.85.243.153 (68.85.243.153) 13.634 ms 13.621 ms 13.608 ms
5 96.216.60.113 (96.216.60.113) 7.483 ms 7.470 ms 13.566 ms
6 24.124.129.62 (24.124.129.62) 7.439 ms 18.921 ms 18.902 ms
7 ae-69-ar01.troutdale.or.bverton.comcast.net (68.85.243.197) 31.566 ms 9.510 ms 13.714 ms
8 be-36211-cs01.seattle.wa.ibone.comcast.net (68.86.93.49) 17.497 ms be-36231-cs03.seattle.wa.ibone.comcast.net (68.86.93.57) 16.804 ms 16.784 ms
9 be-1411-cr11.seattle.wa.ibone.comcast.net (96.110.47.214) 17.409 ms be-1111-cr11.seattle.wa.ibone.comcast.net (96.110.47.178) 17.377 ms 17.347 ms
10 be-302-cr11.champa.co.ibone.comcast.net (96.110.36.213) 40.628 ms be-301-cr11.champa.co.ibone.comcast.net (96.110.36.209) 41.506 ms 40.627 ms
11 be-1211-cs02.champa.co.ibone.comcast.net (96.110.37.197) 40.573 ms 40.533 ms 40.493 ms
12 be-1413-cr13.champa.co.ibone.comcast.net (96.110.37.238) 40.461 ms be-1314-cr14.champa.co.ibone.comcast.net (96.110.37.250) 41.006 ms be-1213-cr13.champa.co.ibone.comcast.net (96.110.37.230) 37.714 ms
13 be-304-cr14.1601milehigh.co.ibone.comcast.net (96.110.39.14) 37.653 ms be-303-cr14.1601milehigh.co.ibone.comcast.net (96.110.39.10) 37.620 ms be-304-cr13.1601milehigh.co.ibone.comcast.net (96.110.36.206) 37.593 ms
14 be-1114-cs01.1601milehigh.co.ibone.comcast.net (96.110.39.113) 37.559 ms be-1113-cs01.1601milehigh.co.ibone.comcast.net (96.110.39.97) 37.531 ms be-1413-cs04.1601milehigh.co.ibone.comcast.net (96.110.39.109) 37.513 ms
15 be-1311-cr11.1601milehigh.co.ibone.comcast.net (96.110.39.74) 37.498 ms be-1411-cr11.1601milehigh.co.ibone.comcast.net (96.110.39.78) 38.968 ms be-1211-cr11.1601milehigh.co.ibone.comcast.net (96.110.39.70) 38.040 ms
16 be-302-cr21.350ecermak.il.ibone.comcast.net (96.110.37.149) 65.413 ms be-304-cr21.350ecermak.il.ibone.comcast.net (96.110.37.157) 65.588 ms *
17 be-1321-cs23.350ecermak.il.ibone.comcast.net (68.86.82.249) 66.329 ms 66.289 ms be-1121-cs21.350ecermak.il.ibone.comcast.net (68.86.82.241) 67.169 ms
18 be-1224-cr24.350ecermak.il.ibone.comcast.net (68.86.84.142) 60.185 ms 62.362 ms 62.298 ms
19 be-301-cr12.pittsburgh.pa.ibone.comcast.net (96.110.39.158) 71.679 ms 71.623 ms 76.286 ms
20 be-1112-cs01.pittsburgh.pa.ibone.comcast.net (96.110.38.145) 75.547 ms be-1412-cs04.pittsburgh.pa.ibone.comcast.net (96.110.38.157) 76.220 ms be-1312-cs03.pittsburgh.pa.ibone.comcast.net (96.110.38.153) 72.973 ms
21 be-31621-ar01.mckeesport.pa.pitt.comcast.net (96.110.42.166) 73.339 ms 72.917 ms 96.110.42.174 (96.110.42.174) 72.902 ms
22 po-1-xar02.blairsville.pa.pitt.comcast.net (162.151.152.66) 73.294 ms 73.269 ms 78.052 ms
23 po-1-rur202.blairsville.pa.pitt.comcast.net (96.216.140.194) 74.545 ms 70.591 ms 76.023 ms
24 68.86.102.10 (68.86.102.10) 75.450 ms 75.368 ms 75.906 ms
25 c-73-214-218-190.hsd1.pa.comcast.net (73.214.218.190) 88.531 ms 88.471 ms 88.435 ms
26 c-73-214-218-190.hsd1.pa.comcast.net (73.214.218.190) 93.719 ms 93.611 ms 98.296 ms
Oh, yeah. Forgot to mention I left the port closed overnight. Have friends that use it, don't need passwords going through HTTP. Could've just used the self-signed cert though.
Note that publicly-trusted CAs are very limited in what TCP ports they are allowed to use for proof-of-control challenges. Search for "Authorized Ports" in
Let's Encrypt already supports 2/3 of those that are likely to work on residential ISP hosting.
Also, the ACME standard allows HTTP-01 challenges only on port 80 and TLS-ALPN-01 challenges only on port 443.
While it's true that Let's Encrypt-associated people originally helped write all of these rules, the industry rules do rather strictly limit the port numbers that are allowed to be used, so it can't quite be considered an arbitrary preference on Let's Encrypt's part. These same restrictions will be enforced by other CAs as well.