Let's encrypt ssl certificate error

Hi
I have just installed Jitsi Meet server on my Ubuntu machine and I'm trying to apply for a Let's Encrypt SSL certificate. So when I ran this command:
sudo /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh
it shows this error:

root@jitsi:~# sudo /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh

This script will:

  • Need a working DNS record pointing to this machine(for domain example.ddns.net)
  • Download certbot-auto from https://dl.eff.org to /usr/local/sbin
  • Install additional dependencies in order to request Let’s Encrypt certificate
  • If running with jetty serving web content, will stop Jitsi Videobridge
  • Configure and reload nginx or apache2, whichever is used

You need to agree to the ACME server’s Subscriber Agreement (https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf)
by providing an email address for important account notifications
Enter your email and press [ENTER]: geniussoft2019@gmail.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for example.ddns.net
Using the webroot path /usr/share/jitsi-meet for all unmatched domains.
Waiting for verification…
Challenge failed for domain example.ddns.net
http-01 challenge for example.ddns.net
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:
    Domain: example.ddns.net
    Type: connection
    Detail: Fetching
    http://example.ddns.net/.well-known/acme-challenge/RmUdqMiICD0-VLjcHAPleAblpZaiRKe9xsSS-4ZmZms:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

So what went wrong? Thanks.

Hi @GeniusSoft

What's your domain name? You need a publicly visible domain and an open port 80. Your port 80 doesn't answer.


My DNS is: geniussoft.ddns.net
Please, how can I verify that my port 80 is open?

Use online tools like https://check-your-website.server-daten.de/


I verified it. I have an open port 80.

No. There you see the problem - https://check-your-website.server-daten.de/?q=geniussoft.ddns.net

You have IPv4 and IPv6 addresses:

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| geniussoft.ddns.net | A | 41.226.134.188 (Al Madinah/Tunis/TN) | yes | 1 | 0 |
| | AAAA | 2001:5c0:1000:b::213d | yes | | |
| www.geniussoft.ddns.net | | Name Error | yes | 1 | 0 |

But your IPv6 doesn't work.

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://geniussoft.ddns.net/ (41.226.134.188) | 301 | https://geniussoft.ddns.net/ | 0.173 | A |
| http://geniussoft.ddns.net/ (2001:5c0:1000:b::213d) | -14 (Timeout - The operation has timed out) | | 10.030 | T |
| https://geniussoft.ddns.net/ (41.226.134.188) | 200 (Certificate error: RemoteCertificateChainErrors) | | 1.540 | N |
| https://geniussoft.ddns.net/ (2001:5c0:1000:b::213d) | -14 (Timeout - The operation has timed out) | | 10.027 | T |
| http://geniussoft.ddns.net/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de (41.226.134.188) | 301 (Visible Content: 301 Moved Permanently nginx/1.14.0 (Ubuntu)) | https://geniussoft.ddns.net/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 0.173 | A |
| http://geniussoft.ddns.net/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de (2001:5c0:1000:b::213d) | -14 (Timeout - The operation has timed out; Visible Content: empty) | | 10.027 | T |
| https://geniussoft.ddns.net/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | -14 (Timeout - The operation has timed out; Visible Content: empty) | | 10.027 | T |

There is a timeout. That's critical: Let's Encrypt prefers IPv6 and can't check your validation file.

So

  • fix your IPv6, or
  • remove the IPv6 DNS AAAA entry, create a new certificate, then fix your IPv6.

You can check the IPv6 directly: use 2001:5c0:1000:b::213d in the main field. So you can check your setup without having an AAAA entry.
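The same per-address-family check can be run from the server itself before calling the install script. This is an added example, not code from the thread, from check-your-website or from the Jitsi script; it assumes a token file name you choose and only reports reachability of the challenge path (it does not validate the token contents):

```python
"""Pre-flight for an ACME http-01 challenge: probe every A and AAAA address of a
name separately, because a CA that prefers IPv6 will try the AAAA record first."""
import http.client
import socket
from typing import Dict, List, Tuple

ACME_PATH = "/.well-known/acme-challenge/"
Verdicts = Dict[str, Tuple[str, int, str]]  # ip -> (family, HTTP status, verdict)

def resolve_all(host: str) -> List[Tuple[str, str]]:
    """Return ("IPv4" | "IPv6", ip) for every distinct A/AAAA record of host."""
    found = []
    for family, _, _, _, sockaddr in socket.getaddrinfo(host, 80, type=socket.SOCK_STREAM):
        label = "IPv6" if family == socket.AF_INET6 else "IPv4"
        if (label, sockaddr[0]) not in found:
            found.append((label, sockaddr[0]))
    return found

def fetch_status(ip: str, host: str, path: str, timeout: float = 10.0) -> int:
    """GET path on one specific IP (Host header selects the nginx vhost);
    -1 when the connect times out or is refused, as the CA reported above."""
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        return conn.getresponse().status
    except OSError:  # socket.timeout is a subclass of OSError
        return -1
    finally:
        conn.close()

def check_acme_reachability(host: str, token: str, resolve=resolve_all,
                            fetch=fetch_status) -> Verdicts:
    """One 'timeout' verdict is enough to fail the challenge, even when the
    other address family answers; resolve/fetch are injectable for testing."""
    verdicts: Verdicts = {}
    for label, ip in resolve(host):
        status = fetch(ip, host, ACME_PATH + token)
        if status == -1:
            verdict = "timeout"   # fix this family or drop its DNS record
        elif status in (301, 302, 307, 308):
            verdict = "redirect"  # the CA follows it; the target must serve the token
        else:
            verdict = "ok" if status == 200 else "error"
        verdicts[ip] = (label, status, verdict)
    return verdicts

def families_failing(verdicts: Verdicts) -> List[str]:
    """Address families with at least one timeout, e.g. ['IPv6'] for this thread."""
    return sorted({fam for fam, _, v in verdicts.values() if v == "timeout"})
```

Call `check_acme_reachability("geniussoft.ddns.net", "<your token file name>")` with that file placed under the webroot; any family listed by `families_failing` must be fixed or have its DNS record removed before the challenge can succeed.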

