Likely a firewall problem

My domain is: cloud.awaresolucoes.com

I ran this command: sudo certbot --apache

It produced this output:

cloud@cloud:~$ sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.


1: cloud.awaresolucoes.com


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for cloud.awaresolucoes.com

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: cloud.awaresolucoes.com
Type: connection
Detail: 191.253.31.56: Fetching http://cloud.awaresolucoes.com/.well-known/acme-challenge/gZrK5F04YZMtHBn7bJ3J69hxspb2S88usTGuXD-0iNo: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
cloud@cloud:~$


My web server is (include version): apache, Version: 2.4.58-1ubuntu8.5

The operating system my web server runs on is (include version): Ubuntu 24.04.1 LTS

My hosting provider, if applicable, is: Vercel (Subdomain)

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 3.0.1.

There are issues with my ISP router: I cannot directly open ports 443 and 80. I can only redirect them internally as follows:

  • Externally: port 8080 -> redirects to 80
  • Externally: port 8443 -> redirects to 443

Is there a way to resolve this issue and successfully generate the SSL certificate?

Yes, but not by using the --apache option. That requires your server to reply to an HTTP request on port 80 (from the Let's Encrypt server across the public internet).

There is a TLS-ALPN challenge which would work over port 443 (using Apache mod_md not Certbot) but you said port 443 is not open either.

That only leaves you with a DNS Challenge. That involves placing a TXT record in the DNS. See: Challenge Types - Let's Encrypt

That works best with a DNS provider with a supported API so Certbot can add/delete the TXT record automatically. But your Vercel is only supported by Certbot using a 3rd-party extension which in turn uses the lego client.

Personally, I think using the lego client directly might be easier. Or even using the acme.sh ACME client which also supports Vercel directly. Or switch your DNS provider to one supported by Certbot (like Cloudflare).

