Letsencrypt initial setup on ubuntu 16.04 (can't switch to port 80)


#1

Hi there!
I am new to letsencrypt so please be kind. I set up a server running ubuntu 16.04 running apache webserver. The server is running behind a FritzBox router. I am using DNS and portforwarding to forward traffic to the server. Until now, I have a self-signed certificate that I invoked with these commands:

a2enmod ssl
a2ensite default-ssl

This is working. But now I heard from LE and thought this would be better. I installed

sudo apt-get install python-letsencrypt-apache 
sudo letsencrypt --apache

but in the documentation, I can’t find any hints on how to set up custom ports or use port 80 instead. I could create a portforwarding to port 80 but not to 443 since this is reserved for FritzBox remote access. I tried

letsencrypt --standalone-supported-challenges http-01

but this still gives me an error that port 443 can’t be reached, so I assume it doesn’t even try on port 80. I get the output

Failed authorization procedure. konstruktiv.selfhost.de (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for TLS-SNI-01 challenge. Requested 64f9dc972ae7acad1b8bbbda2fce1fb1.3ed77a75f69a5f67e917d808a4a95868.acme.invalid from 93.220.125.47:443. Received certificate containing 'konstruktiv.selfhost.de, eeeqhlbgnqg9h1br.myfritz.net, fritz.box, www.fritz.box, myfritz.box, www.myfritz.box, fritz.nas, www.fritz.nas'

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: konstruktiv.selfhost.de
   Type:   unauthorized
   Detail: Incorrect validation certificate for TLS-SNI-01 challenge.
   Requested 64f9dc972ae7acad1b8bbbda2fce1fb1.3ed77a75f69a5f67e917d808
   a4a95868.acme.invalid from 93.220.125.47:443. Received certificate
   containing 'konstruktiv.selfhost.de, eeeqhlbgnqg9h1br.myfritz.net,
   fritz.box, www.fritz.box, myfritz.box, www.myfritz.box, fritz.nas,
   www.fritz.nas'

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

Could someone please give me a hint on how to set up LE using port 80?

I would also encourage the documentation for ubuntu 16.04 to include some kind of step-by-step instructions for servers behind a router using portforwarding, since I guess this is a quite common scenario for small servers on rasppi or similar. I am really willing to help on that too.

Thank you very much!


#2

If your server isn’t reachable behind the FritzBox through port 443, it’s totally useless to enable TLS (formerly known as SSL) on your server: secured sites (TLS) by default use port 443.

The solution would be to change the port the FritzBox is listening to for the remote access. And portmap port 443 to your server.

After that, you could use certbot with the default mode: the apache plugin, which uses the tls-sni-01 challenge on port 443. Using the apache module is the easiest mode to use: it also installs the certificate automatically for you.


#3

Well, I configured the server so traffic from port 58029 is forwarded to port 443.

I did the exact same thing on another server using ubuntu 14.04 and certbot-auto --standalone-supported-challenges http-01, and this worked fine since it used port 80.

I will try disabling port 443 for remote access of the fritzbox. Thanks for the hint!


#4

Hi Osiris,
thanks for the idea! But it is still not working. I have forwarded port 443 to the local server. I run

letsencrypt --apache

and get the following error

Failed authorization procedure. konstruktiv.selfhost.de (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 93.220.125.47:443 for TLS-SNI-01 challenge

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: konstruktiv.selfhost.de
   Type:   connection
   Detail: Failed to connect to 93.220.125.47:443 for TLS-SNI-01
   challenge

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

#5

But I get the feeling that the portforwarding on port 443 is not working correctly, since I can't reach https://93.220.125.47. I assume this should bring me to the apache start page, right?


#6

Well, your server is completely inaccessible remotely (from NL):

osiris@desktop ~ $ telnet konstruktiv.selfhost.de 443
Trying 93.220.125.47...
telnet: connect to address 93.220.125.47: No route to host
osiris@desktop ~ $ telnet konstruktiv.selfhost.de 80
Trying 93.220.125.47...
telnet: connect to address 93.220.125.47: No route to host
osiris@desktop ~ $ traceroute konstruktiv.selfhost.de
traceroute to konstruktiv.selfhost.de (93.220.125.47), 30 hops max, 60 byte packets
 1  speedtouch (192.168.1.254)  0.547 ms  0.546 ms  0.796 ms
 2  lo0.dr13.d12.xs4all.net (194.109.5.212)  13.835 ms  13.851 ms  15.431 ms
 3  0.ae23.xr3.3d12.xs4all.net (194.109.7.53)  13.839 ms 0.ae23.xr4.1d12.xs4all.net (194.109.7.17)  13.855 ms  15.408 ms
 4  asd2-rou-1043.NL.eurorings.net (134.222.93.144)  15.403 ms  15.559 ms  15.555 ms
 5  ffm-s1-rou-1102.DE.eurorings.net (134.222.48.177)  20.146 ms asd2-rou-1043.NL.eurorings.net (134.222.93.144)  15.857 ms ffm-s1-rou-1102.DE.eurorings.net (134.222.48.177)  21.668 ms
 6  ffm-s1-rou-1102.DE.eurorings.net (134.222.48.177)  22.153 ms  25.954 ms f-ee2.F.DE.NET.DTAG.DE (134.222.249.118)  25.936 ms
 7  f-ee2.F.DE.NET.DTAG.DE (134.222.249.118)  25.908 ms b-ec4-i.B.DE.NET.DTAG.DE (62.154.47.98)  24.934 ms b-ec4-i.B.DE.NET.DTAG.DE (62.154.46.194)  25.346 ms
 8  87.186.192.21 (87.186.192.21)  23.340 ms b-ec4-i.B.DE.NET.DTAG.DE (62.154.46.194)  23.498 ms 87.186.192.21 (87.186.192.21)  22.428 ms
 9  87.186.192.21 (87.186.192.21)  23.463 ms p5DDC7D2F.dip0.t-ipconnect.de (93.220.125.47)  39.632 ms !X  40.453 ms !X
osiris@desktop ~ $ 

So it would make sense that Let’s Encrypt can’t reach it either.


#7

Hi Osiris, that is exactly the idea. I just have port 58029 open, which redirects to the 443 ssl port. If you try https://konstruktiv.selfhost.de:58029 you see the apache stats.


#8

And what’s the “idea” behind that? Because your site should be reachable through port 80 or 443 for Let’s Encrypt to work… Or use the DNS challenge…


#9

Can’t I use a certificate on a custom port, since I have different servers behind a router on a normal DSL line? If you see https://konstruktiv.selfhost.de:58047/owncloud, this is a server running ubuntu 14.04, and I managed to configure it using port 80 and portforwarding with certbot-auto.


#10

You can indeed. But for certbot to verify your domain name without the dns-01 challenge, it needs access to port 80 or 443. And you’ll need to renew your certificate every 3 months :slight_smile:

So it’s up to you if you want to enable port 80 only once a month or figure out a more permanent method.
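The point made in #8 and #10 is that, without the dns-01 challenge, the CA must be able to open a connection to the public name on port 80 (http-01) or, at the time of this thread, port 443 (tls-sni-01, since retired by Let's Encrypt); a forward on an arbitrary port such as 58029 is never tried. The script below is an added example, not part of the thread or of certbot, that runs the same preflight the telnet checks in #6 did by hand: resolve the name, probe 80 and 443 from the outside, and say which challenge the forwarding actually supports. It assumes bash (for `/dev/tcp`), coreutils `timeout` and `getent`; the domain is a placeholder to replace with your own.

```shell
#!/usr/bin/env bash
# Preflight for certbot behind a NAT router: is the public name reachable
# on the ports the ACME server validates on? Run this from OUTSIDE your LAN
# (a VPS, a phone on mobile data), since the FritzBox may not hairpin.

# port_open HOST PORT -> exit 0 if a TCP connection opens within 5 seconds.
# Uses bash's /dev/tcp so no extra tools are needed.
port_open() {
    timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# resolve_a NAME -> prints the IPv4 addresses the name resolves to (one per line).
resolve_a() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u
}

# pick_challenge R80 R443 -> given 0 (reachable) / 1 (not) for each port,
# prints the challenge type the current forwarding can satisfy.
pick_challenge() {
    if [ "$1" -eq 0 ]; then
        echo "http-01"            # port 80 open: --preferred-challenges http
    elif [ "$2" -eq 0 ]; then
        echo "tls-sni-01"         # port 443 only (challenge retired by LE in 2019)
    else
        echo "dns-01"             # neither port reachable: only DNS validation is left
    fi
}

# preflight NAME -> full report; exit status 0 if 80 or 443 is reachable.
preflight() {
    local name="$1" ips r80 r443
    ips=$(resolve_a "$name")
    if [ -z "$ips" ]; then
        echo "$name: no A record, fix DNS before running certbot" >&2
        return 2
    fi
    echo "$name resolves to: $(echo "$ips" | tr '\n' ' ')"

    port_open "$name" 80;  r80=$?
    port_open "$name" 443; r443=$?
    echo "port 80:  $([ $r80  -eq 0 ] && echo reachable || echo NOT reachable)"
    echo "port 443: $([ $r443 -eq 0 ] && echo reachable || echo NOT reachable)"
    echo "usable challenge: $(pick_challenge "$r80" "$r443")"

    [ $r80 -eq 0 ] || [ $r443 -eq 0 ]
}

# Usage (placeholder domain, replace with your own):
# preflight example.invalid
```

If the report says only dns-01 is usable, no amount of certbot flags will help: either forward 80 (or 443) on the router, as suggested in #2, or switch to a DNS plugin. Note that the "No route to host" in #6 came from the ISP side, which is why a local test from inside the LAN can look fine while the CA still fails.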


#11

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.