Let's Encrypt Apache failed to install, some challenges have failed

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: e-inv.newarmada.biz

I ran this command: sudo certbot certonly --webroot -w /var/www/html -d e-inv.newarmada.biz -v

It produced this output:
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: e-inv.newarmada.biz
Type: connection
Detail: 103.165.127.198: Fetching http://e-inv.newarmada.biz/.well-known/acme-challenge/SP2eJnOH2sIW3tku2ccglRcBIFkD2Vf971klln0WHBc: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Cleaning up challenges
Some challenges have failed.

My web server is (include version):
Apache/2.4.52

The operating system my web server runs on is (include version):
Ubuntu 22.04.4 LTS

My hosting provider, if applicable, is:
Hostinger

I can login to a root shell on my machine (yes or no, or I don't know):
I don't know

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
Cloudflare and Hostinger

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.21.0

Port 80 needs to be open to the public internet.

How do I open port 80 to the public internet?
I'm really sorry, I'm still a newbie at this.

You need to have your site working for HTTP to use that HTTP Challenge.

You should ask your hosting provider if you need help with that. That is just part of basic server setup.

You should use the https://letsdebug.net site to test changes to your system. Once you get an OK response you can try getting a cert again.


I'm really sorry, I didn't mention this the first time.
Actually, I have a domain on Hostinger. And this time I have a private server, and I want one of my subdomains to point to my public IP (my server). The subdomain works on HTTP, with the Cloudflare DNS setting set to DNS only, not proxied. Then I want to install Let's Encrypt on my origin server.
And when I try to install it, that error occurs.

HTTP connections from the public internet do not work right now. The Let's Encrypt auth server timed out. And the Let's Debug test site also times out.

Usually the term "Origin Server" is used for the server "behind" a Cloudflare proxied name. But, your domain is not currently proxied.

Are you planning on proxying this name later?


I'm sorry, in this case "Origin Server" is my private server (please correct me if I'm wrong). Before I tried to install Let's Encrypt, I tried to install Cloudflare SSL on my origin server by importing the CertificateFile and CertificateKeyFile in my default-ssl.conf.

In the Let's Debug test that you mentioned before, I see
"e-inv.newarmada.biz has an A (IPv4) record (103.165.127.198) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address."

Then I tried this

sudo ss -ltn
State   Recv-Q   Send-Q     Local Address:Port      Peer Address:Port  Process
LISTEN  0        4096             0.0.0.0:10000          0.0.0.0:*
LISTEN  0        50               0.0.0.0:445            0.0.0.0:*
LISTEN  0        70               0.0.0.0:33060          0.0.0.0:*
LISTEN  0        50               0.0.0.0:139            0.0.0.0:*
LISTEN  0        4096       127.0.0.53%lo:53             0.0.0.0:*
LISTEN  0        128              0.0.0.0:22             0.0.0.0:*
LISTEN  0        151              0.0.0.0:3306           0.0.0.0:*
LISTEN  0        4096                [::]:10000             [::]:*
LISTEN  0        511                    *:443                  *:*
LISTEN  0        50                  [::]:445               [::]:*
LISTEN  0        50                  [::]:139               [::]:*
LISTEN  0        128                 [::]:22                [::]:*
LISTEN  0        511                    *:80                   *:*

Also I tried

sudo netstat -tuln | grep :80
tcp6       0      0 :::80                   :::*                    LISTEN

and

sudo netstat -tuln | grep :443
tcp6       0      0 :::443                  :::*                    LISTEN

Is that right, or is there something wrong?

I think for now I will not use proxied DNS from Cloudflare. For now I want to make my website HTTPS as soon as possible.

Those ss results look alright. If you use the options below it should show you which program is listening. But just because something is listening does not mean it can be reached from the public internet. There can be firewalls, routing problems, or various other issues preventing that.

sudo ss -pltn | grep -i listen | grep -Ei ':80|:443'

Check your Hostinger network config panel and make sure these ports are open and not blocked for any reason.

Make sure the IP in the DNS matches your public IP.

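The certbot hint in the first post and the reply above come down to one check: a file written under the webroot must be fetchable at http://<domain>/.well-known/acme-challenge/<token> from outside the network, and "listening" alone proves nothing. The script below is an added self-check, not code from the thread or from certbot: it places a token the way `certbot --webroot` does, fetches it the way the CA would, and classifies failures along the lines of certbot's error types; it assumes Python 3.10+ (where `socket.timeout` is `TimeoutError`) and, in `demo_local`, a throwaway local HTTP server so the three outcomes can be exercised offline.

```python
import http.server
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from pathlib import Path

CHALLENGE_DIR = ".well-known/acme-challenge"

def place_token(webroot):
    """Drop a random token file where 'certbot --webroot -w <webroot>' would put it."""
    token, body = secrets.token_urlsafe(24), "selfcheck-" + secrets.token_hex(8)
    target = Path(webroot, CHALLENGE_DIR)
    target.mkdir(parents=True, exist_ok=True)
    (target / token).write_text(body)
    return token, body

def fetch_token(host, port, token, expected, timeout=8.0):
    """Fetch the token as the CA would and classify the outcome like certbot's error types."""
    url = f"http://{host}:{port}/{CHALLENGE_DIR}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return "ok" if resp.read().decode() == expected else "content mismatch"
    except urllib.error.HTTPError as err:  # TCP worked, but the web server did not serve the file
        return f"http {err.code} (wrong webroot or virtual host?)"
    except (urllib.error.URLError, TimeoutError) as err:  # TCP-level failure, as in the thread
        reason = getattr(err, "reason", err)  # read timeouts arrive unwrapped
        if isinstance(reason, ConnectionRefusedError):
            return "connection refused (nothing listening, or NAT/port-forward missing)"
        return "connection timeout (likely firewall)" if isinstance(reason, TimeoutError) else f"connection error: {reason}"

def serve_webroot(webroot):  # throwaway server on 127.0.0.1 so the check runs offline
    handler = partial(http.server.SimpleHTTPRequestHandler, directory=webroot)
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

def demo_local():
    """Exercise the three outcomes against a temporary webroot: served, 404, refused."""
    with tempfile.TemporaryDirectory() as tmp:
        srv, port = serve_webroot(tmp)
        token, body = place_token(tmp)
        served = fetch_token("127.0.0.1", port, token, body)    # "ok"
        missing = fetch_token("127.0.0.1", port, "nope", body)  # starts with "http 404"
        srv.shutdown()
        srv.server_close()
        closed = fetch_token("127.0.0.1", port, token, body)    # starts with "connection refused"
    return served, missing, closed
```

For the real path, run `place_token` on the server with the same directory given to `-w` and run `fetch_token` against the domain on port 80 from a host outside the LAN (a phone off wifi, as suggested above), since a fetch from inside the office network can fail for NAT reasons that do not affect the CA.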

Okay thanks, but I'm pretty sure that I've turned off my (private server) firewall with sudo disable ufw. Is there anything else to check for a firewall between the public internet and my private server?
And about routing problems, I'm still not sure that my routing in the apache2 configuration is right, because I've seen many solutions for the Apache configuration and each one says something different.

sudo ss -pltn | grep -i listen | grep -Ei ':80|:443'

LISTEN 0   511   *:443  *:*  users:(("apache2",pid=236168,fd=6),("apache2",pid=236145,fd=6),("apache2",pid=236144,fd=6),("apache2",pid=235978,fd=6),("apache2",pid=235974,fd=6),("apache2",pid=235973,fd=6),("apache2",pid=235972,fd=6),("apache2",pid=235971,fd=6),("apache2",pid=235966,fd=6),("apache2",pid=235963,fd=6),("apache2",pid=235961,fd=6))
LISTEN 0   511   *:80   *:*  users:(("apache2",pid=236168,fd=4),("apache2",pid=236145,fd=4),("apache2",pid=236144,fd=4),("apache2",pid=235978,fd=4),("apache2",pid=235974,fd=4),("apache2",pid=235973,fd=4),("apache2",pid=235972,fd=4),("apache2",pid=235971,fd=4),("apache2",pid=235966,fd=4),("apache2",pid=235963,fd=4),("apache2",pid=235961,fd=4))

I guess it's not on the Hostinger side because it's my private server. As I said before, I have an IP from Hostinger that is different from the public IP of my private server. But maybe I'm wrong; I checked in the Hostinger panel and there is no port blocked, instead I allowed an IP address (my private server's public IP).

Yeah, I've done it

Perhaps I misunderstood.

So then check all the comms gear between your private server and the public internet. For home networks this often involves a router, for example. Follow "the wire" from your server to your ISP.

I get the same connect failures from my own server as Let's Debug and Let's Encrypt. Can you try reaching it from the public internet? Like a mobile phone with wifi disabled?

curl -i -m8 http://e-inv.newarmada.biz
curl: (7) Failed to connect to e-inv.newarmada.biz port 80 after 1278 ms:
Connection refused

curl -i -m8 https://e-inv.newarmada.biz
curl: (7) Failed to connect to e-inv.newarmada.biz port 443 after 250 ms:
Connection refused

In my office, the server connects to a MikroTik which then NATs to the public IP. The firewall is not blocking anything from my server to the public IP. I guess the comms gear is already correct, but I'm still not sure.

Yeah, I've tried to access my public IP from home and it works, but with HTTP only.
I'm sorry, just before your last reply I tried to change my IP address. And now maybe you can check the curl again.

The Cloudflare DNS is still showing the same IP.

Use https://unboundtest.com to check your IP in the public DNS.

Also, Let's Debug is still showing the same error. You can check your connection with https://letsdebug.net


It said this:
;; ANSWER SECTION:
e-inv.newarmada.biz. 0 IN A 103.165.127.198

and the Let's Debug test said this:

Test result for e-inv.newarmada.biz using http-01

ANotWorking

ERROR

e-inv.newarmada.biz has an A (IPv4) record (103.165.127.198) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.

A timeout was experienced while communicating with e-inv.newarmada.biz/103.165.127.198: Get "http://e-inv.newarmada.biz/.well-known/acme-challenge/letsdebug-test": context deadline exceeded

Trace:
@0ms: Making a request to http://e-inv.newarmada.biz/.well-known/acme-challenge/letsdebug-test (using initial IP 103.165.127.198)
@0ms: Dialing 103.165.127.198
@10000ms: Experienced error: context deadline exceeded

IssueFromLetsEncrypt

ERROR

A test authorization for e-inv.newarmada.biz to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.

103.165.127.198: Fetching http://e-inv.newarmada.biz/.well-known/acme-challenge/BxyyZbWYF1kzyde2c-FDj3Fd-a870RPP92FDKqHAy64: Timeout during connect (likely firewall problem)

StatusNotOperational

WARNING

The current status as reported by the Let's Encrypt status page is Partial Service Disruption as at 2024-07-11 03:23:43.995 +0000 UTC. Depending on the reported problem, this may affect certificate issuance. For more information, please visit the status page.

So, how do I check why the request to 103.165.127.198 over port 80 does not succeed? I tried to access 103.165.127.198:80 using my mobile phone without being connected to the office wifi, and I'm really sorry that it is now inaccessible. Maybe for a few hours I will try to fix this one first. Then I'll come back to this case.

But can Let's Encrypt secure my new subdomain on a specific port (like e-inv.newarmada.biz:88801) that points to my public IP address? If yes, please tell me how, with tutorials.

A certificate covering a domain will be valid for any port, but validation itself needs to be done on specific ports:
80 for http-01, 443 for tls-01, or you need to be able to modify the DNS records of that domain.


So if I want to install Let's Encrypt on my HTTP website (and I want my website to become HTTPS), then I have to use port 80 in the validation process?

That, or use a DNS API for the dns-01 challenge: what kind of DNS provider are you using?


I'm using Hostinger with Cloudflare, but for my public IP I set the DNS setting to DNS only (not proxied).

You should still be able to use certbot's Cloudflare DNS API:
https://certbot-dns-cloudflare.readthedocs.io/en/stable/


Can I do it if my public IP is on a specific port (e.g. 38117)?