Let's Encrypt problems

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: corp.networkingtechnology.org

I ran this command: certbot -v renew

It produced this output: Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: hermes.corp.networkingtechnology.org
Type: connection
Detail: During secondary validation: 79.132.230.58: Fetching http://hermes.corp.networkingtechnology.org/.well-known/acme-challenge/PAy93No_fSSGWGdo7wu5hmyCqnBOsodAjQrNLedNevE: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges
Failed to renew certificate hermes.corp.networkingtechnology.org with error: Some challenges have failed.


All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/hermes.corp.networkingtechnology.org/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details

My web server is (include version): Apache 2.4.37

The operating system my web server runs on is (include version): Alma Linux 8.10

My hosting provider, if applicable, is: ME

I can login to a root shell on my machine (yes or no, or I don't know): YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.22.0

"Secondary validation" means that some locations that Let's Encrypt is checking from worked, but some did not.

And this means what it says, that when it tried to connect it just kept waiting and didn't get a response (a "timeout"), which is likely a firewall blocking the connection.

When I use an online tool to see where your site is accessible from, it looks like it's only visible from some parts of the world and not others:

You may want to read through this FAQ on how and why Let's Encrypt checks from multiple places around the world, to ensure that you actually control the name as seen from everywhere:

6 Likes

It seems self-defeating. SSL is supposed to give security, as are DKIM, DMARC and SPF. Since all these were introduced, websites are no more secure. Hackers are breaking into sites daily. Has spam stopped? No, it's got worse. China, India and Brazil are seriously into hacking and the ONLY way to stop them is to block them on the firewall, but I have to open my ports to every hacker on the planet to get a free certificate.
I created a rule allowing these two ports and the problem is solved, but I hate the idea of allowing the damned hackers and spammers, not to mention the alphabet agencies worldwide, access to ANYTHING.

No you don't. You can use DNS validation and get free certs for systems that aren't even on the public Internet. See also here:

6 Likes

You can also wrap Certbot in hooks that enable/disable firewall chains.

I do this with both HTTP-01 and DNS-01 challenges - the ports are only open ephemerally, when I am actively trying to solve ACME challenges.

6 Likes

Ryan can but others apparently can not.

5 Likes

As long as we are spit-balling ideas, you would only need to open port 80 for the HTTP Challenge. If you are redirecting the HTTP challenge request to HTTPS just don't do that. Handle the reply when it arrives as HTTP (port 80).

You could also use a firewall that could inspect the URI and only allow ones in port 80 if they began with /.well-known/acme-challenge/

6 Likes

Everyone can!

These are my install notes for firewall rules with acme-dns.

I use Certbot hooks to either start/stop this on the same server, or execute a Fabric script that SSH's into this server to toggle the rules.



In order to easily toggle this:

	# do not execute these
	# startup
	iptables -I OUTPUT -p udp --sport 53 -j ACCEPT
	iptables -I INPUT -p udp --dport 53 -j ACCEPT

	# shutdown
	iptables -I OUTPUT -p udp --sport 53 -j REJECT
	iptables -I INPUT -p udp --dport 53 -j REJECT

We'll use a trick from the Q&A:

	https://serverfault.com/questions/905465/toggle-port-rule-on-an-ubuntu-iptables-firewall/905468#905468

# create the acme-dns chain

	iptables -N acme-dns

# set the tables to run it BEFORE the port 53 deny

	iptables -A INPUT -j acme-dns

# it may make sense to first...

	iptables-save > iptables.dump
	vi iptables.dump

# then manually add in the acme-dns line as the first chain

	:INPUT DROP [0:0]
	:FORWARD ACCEPT [0:0]
	:OUTPUT ACCEPT [451:186415]
	:acme-dns - [0:0]
	:f2b-postfix - [0:0]
	:f2b-sshd - [0:0]
	:f2b-sshd-invalid_accounts - [0:0]
	:f2b-sshd-system_accounts - [0:0]
	-A INPUT -j acme-dns

# and reload

	iptables-restore < iptables.dump

# now to toggle rules...

# turn on acme-dns

	iptables -A acme-dns -p tcp --dport 53 -j ACCEPT
	iptables -A acme-dns -p udp --dport 53 -j ACCEPT
	iptables -A acme-dns -p tcp --dport 8011 -j ACCEPT

# turn off acme-dns

	iptables -F acme-dns

I ended up doing this via `iptables` and a custom "acme-dns" chain.

After a bit of fiddling, the top of the output from my `iptables-save` (and iptables-restore) looks roughly like this:

	:INPUT DROP [0:0]
	:FORWARD ACCEPT [0:0]
	:OUTPUT ACCEPT [451:186415]
	:acme-dns - [0:0]
	:f2b-postfix - [0:0]
	:f2b-sshd - [0:0]
	:f2b-sshd-invalid_accounts - [0:0]
	:f2b-sshd-system_accounts - [0:0]
	-A INPUT -j acme-dns

note: The f2b stuff is fail2ban.

This line...

	:acme-dns - [0:0]

...is essentially the same as:

	iptables -N acme-dns

And this line

	-A INPUT -j acme-dns

...is the same as

	iptables -A INPUT -j acme-dns


When running acme-dns, I do:

	iptables -A acme-dns -p tcp --dport 53 -j ACCEPT
	iptables -A acme-dns -p udp --dport 53 -j ACCEPT
	iptables -A acme-dns -p tcp --dport 8011 -j ACCEPT

And when shutting it off...

	iptables -F acme-dns

Edit: The above could be changed trivially to support ports 80/443.

4 Likes
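The two ideas above, wrapping Certbot in pre/post hooks that toggle firewall rules, and opening only port 80 for the HTTP-01 challenge (or the DNS ports for acme-dns), can be combined into one hook script. The script below is an added example written for this thread, not code posted by anyone in it. It follows the same pattern as the install notes (a dedicated chain jumped to from the top of INPUT, ACCEPT rules appended while the challenge runs, the chain flushed afterwards), but generalises it to any list of proto/port pairs. The script name `acme-fw`, the chain name `acme-challenge`, the `ACME_CHAIN`/`ACME_RULES`/`DRY_RUN` variables and the `/usr/local/sbin` path are all assumptions; `DRY_RUN=1` prints the `iptables` commands instead of running them, so it can be checked without root.

```shell
#!/bin/sh
# acme-fw: Certbot pre/post hook that opens challenge ports only while a
# renewal is running, then flushes them again. Hypothetical example script,
# not code from the thread or from Certbot. It follows the thread's pattern:
# a dedicated chain jumped to from the top of INPUT, ACCEPT rules appended
# to it while the challenge runs, and the chain flushed afterwards.
#
# Wiring it into Certbot (--pre-hook/--post-hook are real Certbot flags):
#   certbot renew --pre-hook "/usr/local/sbin/acme-fw open" \
#                 --post-hook "/usr/local/sbin/acme-fw close"
# HTTP-01 needs only port 80 (the default). For acme-dns on the same box,
# pass the DNS ports instead:  acme-fw open tcp/53 udp/53 tcp/8011
set -eu

CHAIN="${ACME_CHAIN:-acme-challenge}"   # chain name (assumed; the thread uses acme-dns)
RULES="${ACME_RULES:-tcp/80}"           # default proto/port list, enough for HTTP-01
IPTABLES="${IPTABLES:-iptables}"
DRY_RUN="${DRY_RUN:-0}"                 # DRY_RUN=1: print commands instead of running them

# Run (or, in dry-run mode, print) one iptables command.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$IPTABLES $*"
  else
    "$IPTABLES" "$@"
  fi
}

# Query the live firewall; in dry-run mode pretend nothing exists yet.
have() {
  [ "$DRY_RUN" = "1" ] && return 1
  "$IPTABLES" "$@" >/dev/null 2>&1
}

# Create the chain once and hook it at position 1 of INPUT, so its ACCEPTs
# are evaluated before any later REJECT/DROP rule and before the DROP policy.
ensure_chain() {
  have -n -L "$CHAIN" || run -N "$CHAIN"
  have -C INPUT -j "$CHAIN" || run -I INPUT 1 -j "$CHAIN"
}

# open_rules [proto/port ...]: append one ACCEPT per spec to the chain.
# Anything that is not tcp|udp/<number> is rejected, so a typo cannot
# open more than intended.
open_rules() {
  ensure_chain
  [ "$#" -gt 0 ] || set -- $RULES        # fall back to the default list
  for spec in "$@"; do
    proto="${spec%%/*}"
    port="${spec#*/}"
    case "$proto" in tcp|udp) ;; *) echo "bad proto in $spec" >&2; return 2 ;; esac
    case "$port" in ''|*[!0-9]*) echo "bad port in $spec" >&2; return 2 ;; esac
    run -A "$CHAIN" -p "$proto" --dport "$port" -j ACCEPT
  done
}

# close_rules: flush the chain. The jump from INPUT stays but matches nothing,
# so the ports are closed again until the next pre-hook run.
close_rules() {
  run -F "$CHAIN"
}

case "${1:-}" in
  open)  shift; open_rules "$@" ;;
  close) close_rules ;;
  "")    ;;   # no verb: only define the functions (e.g. when sourced)
  *)     echo "usage: $0 open [proto/port ...] | close" >&2; exit 2 ;;
esac
```

Because `certbot renew` only runs the pre-hook when at least one certificate is actually due, the ports stay closed on the daily runs that renew nothing; `close` is idempotent, so it is safe to call it from the post-hook unconditionally or from a cron job as a backstop.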

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.