Let's Encrypt Apache failed to install, some challenges have failed

The DNS API is you calling the DNS provider, not them connecting inbound to you, so you wouldn't need any port open: you'd even be able to do it on mobile if someone bothered to make one.

2 Likes

So, if I used port 38117, like http://e-inv.newarmada.biz:38117, can I authenticate it in Let's Encrypt? I mean, would it work to install Let's Encrypt?

I have changed my IP to 103.165.127.197:30107

and then I tried this on my private server:
root@storageserver:~# sudo certbot certonly --webroot -w /var/www/html -d e-inv.newarmada.biz:30107 -v --debug
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Requesting a certificate for e-inv.newarmada.biz:30107
Performing the following challenges:
http-01 challenge for e-inv.newarmada.biz
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Challenge failed for domain e-inv.newarmada.biz
http-01 challenge for e-inv.newarmada.biz

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: e-inv.newarmada.biz
Type: connection
Detail: 103.165.127.197: Fetching http://e-inv.newarmada.biz/.well-known/acme-challenge/2ZwMf3wI_Xg4o4BApi_CbSHF_Faka6tiNS4x6-yupiI: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Cleaning up challenges
Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 33, in
sys.exit(load_entry_point('certbot==1.21.0', 'console_scripts', 'certbot')())
File "/usr/lib/python3/dist-packages/certbot/main.py", line 15, in main
return internal_main.main(cli_args)
File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1574, in main
return config.func(config, plugins)
File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1434, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 133, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 459, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 389, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 439, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 90, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 178, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

It said it still can't install the certbot.
I tried to access the folder inside .well-known in my webroot and it works, but why, when I try to install Let's Encrypt with that, is it not working?

That is not an IP address. It is an IP with a port. The port number is being ignored by Certbot and Let's Encrypt so it fails the same as before.

webroot uses the HTTP challenge, which sends an HTTP request using port 80 to your domain. You could try the Cloudflare DNS method instead, as already suggested.

2 Likes

I'm still not understanding this one, so if I want to use the command
sudo certbot certonly --webroot -w /var/www/html -d e-inv.newarmada.biz:30107 -v --debug

does it mean I have to use port 80 for authentication?

Just like orangepizza said? Use certbot's Cloudflare DNS API?

Yes. The "30107" is ignored. Certbot should probably issue an error when you add the port but it does not. It just ignores it. The Let's Encrypt Server is the one sending you the HTTP challenge. It uses port 80 but will follow redirects to port 80 or port 443. Please read the Challenges page I linked to.

Yes

3 Likes

I'm really sorry, I didn't see it the first time. For now, my 443 port is open, so can I do it with
sudo certbot certonly --webroot -w /var/www/html -d e-inv.newarmada.biz

No. The --webroot HTTP challenge starts with HTTP to port 80. You can redirect it to HTTPS (port 443), but it starts with HTTP on port 80.

3 Likes

Okay, then I will try what orangepizza said.

2 Likes

Anyway, I want to ask: if I try to install a wildcard (*.newarmada.biz => IP: 185.232.14.169) certificate, then will my subdomain e-inv.newarmada.biz:30107 (IP => 103.165.127.197) automatically be HTTPS?

No, but the issued certificate (for newarmada.biz and *.newarmada.biz) would cover that domain name too. Its server needs to be configured to use and serve the certificate.

And a wildcard certificate can only be issued by using the DNS-01 Challenge.

3 Likes

Good news: now I have fullchain.pem and privkey.pem after following orangepizza's suggestion. Then for the installation, what should I do? Do I have to insert those 2 files in my (private server) apache2 default-ssl.conf? Or maybe something else?

1 Like

You use Apache SSL certificate statements in the appropriate VirtualHost.

The Mozilla Configurator helps with many different servers.

I do not recommend using stapling or the HSTS option until you fully understand what those do. They can cause problems if not used correctly and are not necessary.

2 Likes

It works, but just on https://e-inv.newarmada.biz

Then if I access https://e-inv.newarmada.biz:30107/portal-maj-supplier it says SSL protocol error.

Should I write the specific port when I try to get SSL from Let's Encrypt?

The Apache VirtualHost for port 30107 is not configured for SSL (HTTPS). It is configured for HTTP only.

You need to configure that VirtualHost too.

Many of your questions are general about ports, apache config and general setup. While we often help with common problems like those it is not our primary focus. It would help if you would learn more about how Apache and general comms works.

2 Likes
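The missing piece the reply above describes, as an added example (not configuration posted in the thread): an Apache VirtualHost that serves HTTPS on port 30107 with the certificate obtained through the DNS challenge. It assumes certbot stored the files under /etc/letsencrypt/live/newarmada.biz/ (certbot's default layout; adjust the directory name to what `certbot certificates` lists) and that mod_ssl is enabled (`a2enmod ssl`).

```apache
# Added example, not from the thread. Assumed paths: certbot's default
# /etc/letsencrypt/live/<lineage>/ layout with lineage name "newarmada.biz".

# Tell Apache that this port speaks TLS. Without the "https" protocol hint a
# browser opening https://e-inv.newarmada.biz:30107/ talks TLS to a socket that
# answers in plain HTTP, which is exactly the "SSL protocol error" seen above.
Listen 30107 https

# Replaces the existing plain-HTTP <VirtualHost *:30107>; a single port can
# serve either HTTP or HTTPS, not both.
<VirtualHost *:30107>
    ServerName   e-inv.newarmada.biz
    DocumentRoot /var/www/html

    SSLEngine on
    # A certificate for newarmada.biz and *.newarmada.biz covers
    # e-inv.newarmada.biz; the port is not part of the certificate at all.
    SSLCertificateFile    /etc/letsencrypt/live/newarmada.biz/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/newarmada.biz/privkey.pem

    # Limit to current protocol versions; stapling and HSTS deliberately left
    # out, per the advice earlier in the thread.
    SSLProtocol -all +TLSv1.2 +TLSv1.3

    ErrorLog  ${APACHE_LOG_DIR}/e-inv-30107-error.log
    CustomLog ${APACHE_LOG_DIR}/e-inv-30107-access.log combined
</VirtualHost>
```

Check the syntax with `apachectl configtest` before reloading Apache, and keep the certbot renewal hook in mind: renewed files land in the same paths, but Apache must be reloaded to pick them up.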

But when I try to access https://e-inv.newarmada.biz/portal-supplier-maj/ (without a specific port)
it works.
Should I change the port to an HTTPS port other than 443?

Only you know how your system should work.

We help you get certs. There are many ways you can use them.

3 Likes

It works thanks a lot!!!!

So the conclusion is that Let's Encrypt uses more than 1 method to challenge (as a step) for us to get an SSL certificate. There are the HTTP challenge and the DNS challenge. The HTTP challenge requires port 80 on our server (public or from hosting). If port 80 is not available on our server (due to other things), then we can use the DNS challenge (no matter what port we use). The DNS challenge uses our domain or subdomain (also depending on whether our DNS provider is supported by certbot or not) to produce an SSL certificate for our website.

Please correct me if I'm wrong, and thanks a lot

2 Likes