LetsEncrypt on Linux, verification fails, port 80 blocked

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: notaws.aicmsi.com

I ran this command: sudo certbot -d home.mydomain.com --manual --preferred-challenges dns certonly

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for notaws.aimcsi.com
Enabled Apache rewrite module
Waiting for verification...
Challenge failed for domain notaws.aimcsi.com
http-01 challenge for notaws.aimcsi.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: notaws.aimcsi.com
    Type: connection
    Detail: Fetching
    http://notaws.aimcsi.com/.well-known/acme-challenge/pBGotFP5fQLRWg9SBmisABXJTNyJm8qANE7jE30PEgY:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version): apache 2.4.41

The operating system my web server runs on is (include version): ubuntu 20.4.2 LTS

My hosting provider, if applicable, is: Verizon fios

I can login to a root shell on my machine (yes or no, or I don't know): I use sudo?

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.10.0.dev0

I am trying to get LetsEncrypt set up and autorenewing on this machine at a home office with DDNS set up.

It was working last year... then the certificate expired. The autorenew failed for whatever reason.

Following another page of instructions now, I use that command above and it fails on fetch. I tried that "check my website" page and overall it looked good.

Googling, I saw there was an expired cert. So I deleted it.

sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: notaws.aimcsi.com
Serial Number: 3a1ef1e928db9e1adb29bead6de9ecfe619
Domains: notaws.aimcsi.com
Expiry Date: 2020-11-19 19:30:09+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/notaws.aimcsi.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/notaws.aimcsi.com/privkey.pem


david@notaws:~$ sudo certbot delete --cert-name notaws.aimcsi.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log


The following certificate(s) are selected for deletion:

Are you sure you want to delete the above certificate(s)?


(Y)es/(N)o: y


Deleted all files relating to certificate notaws.aimcsi.com.

I tried giving that "check my website" page the full path (is that a folder with that long string at the end? the pBGotFP5fQL.... URL?).

I don't see a file or folder with that name on the computer.

So, I think port 80 is blocked by my ISP.

Any thoughts on being able to resolve this for a new cert AND have it autorenew? I found a page where someone said that without a static IP / open port 80, you can't have it autorenew. Is that correct?

I can get a cheap SSL for what, $5? Go that route?

Hi @feetsdr and welcome to the LE community forum :slight_smile:

HTTP authentication requires port 80.
Since that port seems to be blocked, my first thought is to have that opened.
If that is not possible, then DNS challenge would be the next step.
I do see that you seem to have made an attempt at that with:

But the syntax in that command may have worked against you, as it nonetheless used:

hmm...
Let's try reordering the command as:
sudo certbot certonly -d notaws.aimcsi.com --preferred-challenges dns
[and removing --manual for now]
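As an added example (not code from either poster or from Certbot itself), a small shell helper that reads the "IMPORTANT NOTES" block Certbot prints on a failed challenge and classifies the cause, so a cron-driven `certbot renew` can log "port 80 unreachable" rather than a bare failure. It assumes Certbot's `Type:` values `connection`, `dns` and `unauthorized`; the sample input is constructed from the error quoted in this thread.

```shell
#!/bin/sh
# Classify a failed ACME challenge from Certbot's "IMPORTANT NOTES" output.
# Reads Certbot output on stdin, prints "<domain> <cause>" per failed domain.
classify_acme_failure() {
  awk '
    /^[ \t]*Domain:/ { domain = $2 }
    /^[ \t]*Type:/   { type = $2 }
    /^[ \t]*Detail:/ {
      # Detail may continue on following indented lines until a blank line.
      detail = $0; sub(/^[ \t]*Detail:[ \t]*/, "", detail)
      collecting = 1; next
    }
    collecting && /^[ \t]*$/ { emit(); collecting = 0; next }
    collecting { detail = detail " " $0 }
    END { if (collecting) emit() }
    function emit(   cause) {
      if (domain == "") return
      if (type == "connection" && detail ~ /Timeout during connect/)
        cause = "port80-unreachable"      # ISP/router/firewall blocks inbound 80
      else if (type == "connection")
        cause = "connection-refused"      # reachable host, nothing listening on 80
      else if (type == "dns")
        cause = "dns-record"              # A/AAAA record missing or wrong
      else if (type == "unauthorized" && detail ~ /404/)
        cause = "webroot-path"            # port 80 works, token not served
      else
        cause = "unknown"
      print domain, cause
      domain = ""; type = ""; detail = ""
    }
  '
}

# Constructed sample, shaped like the failure quoted in this thread.
SAMPLE_CERTBOT_OUTPUT='  Domain: notaws.aimcsi.com
  Type: connection
  Detail: Fetching
  http://notaws.aimcsi.com/.well-known/acme-challenge/pBGotFP5fQLRWg9SBmisABXJTNyJm8qANE7jE30PEgY:
  Timeout during connect (likely firewall problem)
'
printf '%s' "$SAMPLE_CERTBOT_OUTPUT" | classify_acme_failure
```

A "port80-unreachable" result is the case where switching to the DNS challenge (or opening port 80) is needed; "webroot-path" means port 80 is fine and only the served path is wrong.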