Letsencrypt cannot reach my webserver


#1

Please fill out the fields below so we can help you better.

My domain is:

I ran this command:
certbot-auto certonly --webroot -w /var/www/certificates/ -d bb.endian.com

It produced this output:
"""

  • The following errors were reported by the server:

    Domain: bb.endian.com
    Type: connection
    Detail: Could not connect to bb.endian.com
    […]
    """

My operating system is (include version):
Ubuntu

My web server is (include version):
nginx 1.1.19

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

Issue description:
I recently created a certificate for jira.endian.com, which did work out magnificently.

I wanted to create a certificate also for bb.endian.com, which runs on the same server but on a different public ip address.
Configuration on nginx is identical for both virtual hosts.
Both sites are reachable from public, which is proven.
DNS is also correct and produces the correct public ip address.

But Let's Encrypt cannot connect to it.
A tcpdump on our perimeter firewall shows that there was no attempt to reach bb.endian.com from Let's Encrypt.

I assume there is a routing issue or a DNS issue. (?)


#2

Is your site currently working on port 80 (http)? I've tried from 3 different locations and can't get to it on port 80.

I can reach jira.endian.com on port 80 though. I can also reach bb.endian.com on port 443


#3

I can connect to your web server on port 443, but not on port 80. The webroot plugin uses http-01 challenges, which are performed on port 80 (an HTTP redirect to https:// on port 443 is fine, but the first request has to be on port 80 via HTTP in order to avoid a vhost selection vulnerability on some shared hosting environments).

If you’d like to use the webroot plugin, you’ll need to make your web server available on port 80, or alternatively use the tls-sni-01 challenge, which works on port 443. You could use the standalone plugin for this, or try the nginx plugin that’s been included with the latest certbot release (Note: it’s an alpha version :wink:).

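The usual way to reconcile "HTTPS-only site" with the port-80 requirement described above is to open port 80 only for the challenge path and redirect everything else to HTTPS. The nginx configuration below is an added example, not a config posted in this thread: it reuses the hostname bb.endian.com and the webroot /var/www/certificates/ from the certbot command, while the certificate paths under /etc/letsencrypt/live/ and the site's own document root /var/www/bb are assumptions. (Note that the tls-sni-01 alternative mentioned in the reply was later disabled by Let's Encrypt, so port 80 with http-01, or dns-01, is the practical route today.)

```nginx
# Added example (not from the original thread): nginx vhost for bb.endian.com
# that keeps the site HTTPS-only for users but still answers http-01
# challenges on port 80. Certificate paths and /var/www/bb are assumed.

server {
    listen 80;
    server_name bb.endian.com;

    # Serve ACME challenge tokens over plain HTTP from the same webroot that
    # certbot writes into (-w /var/www/certificates/ in the page's command).
    # "^~" makes this prefix match win over any regex locations added later.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/certificates;
        default_type "text/plain";
        try_files $uri =404;
    }

    # Everything else goes to HTTPS. Let's Encrypt follows this redirect,
    # but the first request must still arrive on port 80.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name bb.endian.com;

    # Assumed paths; these are where certbot places the issued certificate.
    ssl_certificate     /etc/letsencrypt/live/bb.endian.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/bb.endian.com/privkey.pem;

    location / {
        root /var/www/bb;   # assumed document root of the actual site
    }
}
```

The nginx side is only half of the fix: the perimeter firewall must also forward TCP/80 to the host, otherwise the validation server never reaches the port-80 vhost, which is exactly what the tcpdump in the original post showed. A quick check before rerunning certbot is to drop a test file into /var/www/certificates/.well-known/acme-challenge/ and fetch it over plain HTTP from a host outside the firewall; if that returns 200, the http-01 challenge will succeed.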

#4

Thank you guys!
The site is used only for HTTPS; that's why port 80 is not forwarded and not reachable by Let's Encrypt.
Will see how to work around this.
Thank you!

