Moved server from one vps to another on oracle cloud and now I can't get certbot to create cert

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

NOTE: I can use telnet to verify that port 80 and 443 are open. I shutdown the process before using certbot.

My domain is:
derp.localtest.live
I ran this command:
sudo certbot certonly --standalone
It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): derp.localtest.live
Requesting a certificate for derp.localtest.live

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: derp.localtest.live
Type: connection
Detail: 164.152.109.86: Fetching http://derp.localtest.live/.well-known/acme-challenge/9oq0P0cXmL5ig1WbLSr_-Nadl-B4NHPxXBuO2qTMcKU: Error getting validation data

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
Not using a web server per se; running a derp server in a Docker container.

The operating system my web server runs on is (include version):
Ubuntu 22.04
My hosting provider, if applicable, is:
Oracle Cloud
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no.
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.9.0

I guess we should take nothing for granted.
On that system, what shows?:
curl -4 ifconfig.me

2 Likes

164.152.109.86
This is the ip address in my A record pointer.

Also pinging the URL:

ping derp.localtest.live
PING derp.localtest.live (164.152.109.86) 56(84) bytes of data.
64 bytes from 164.152.109.86 (164.152.109.86): icmp_seq=1 ttl=63 time=0.345 ms
64 bytes from 164.152.109.86 (164.152.109.86): icmp_seq=2 ttl=63 time=0.464 ms

That's good.

OK, now let's try:
sudo certbot certonly --standalone -d derp.localtest.live --debug-challenges

That should pause the process midway.
Do NOT hit enter [yet]
Let me know when it is ready and waiting.

2 Likes

Just executed the command and got to:

Press Enter to Continue

Sorry, I don't see anything answering.
If you stopped it, do it again.

2 Likes

Just now started it again, 12:36 CDT.

Sorry, I still don't see anything answering.
Maybe you can test it yourself from another system over the Internet.
I would simply try:
curl -Ii derp.localtest.live

1 Like

OK, I'll try.
I can see that it is listening on 80 from another SSH connection, so I don't know what the problem is.

I tried the curl and it failed

I did this:

PS C:\Users\brook> telnet derp.localtest.live 80
Connecting To derp.localtest.live...

But it just hangs.

Just for laughs:

PS C:\Users\brook> telnet derp.localtest.live 22
Connecting To derp.localtest.live...

The above makes a connection.

I am looking at the Oracle Cloud Default Security List for my account, and I allow 443, 80, 22 and some UDP stuff through.

I'll let you know if I figure out anything - mostly by changing things and see what happens.

This used to work on the other instance I had set up. I am trying to move to a different processor, going from Intel to something like an ARM but not the same brand.

No luck changing anything on the Security List.
I shut down certbot and started the app, which is listening on 80 and 443.

Here's what I see when I curl each.

curl derp.localtest.live
Found.

curl derp.localtest.live:443
Client sent an HTTP request to an HTTPS server.

So the ports are open and can talk to the application, just not certbot.

I forgot here's the one you requested:

curl -Ii derp.localtest.live
HTTP/1.1 302 Found
Content-Type: text/html; charset=utf-8
Location: https://derp.localtest.live/
Date: Thu, 21 Mar 2024 19:12:35 GMT

Tried Caddy and got the exact same message.

This has got to be an Oracle problem.

I'll check back if I figure it out.

1 Like

Well that is unexpected.
[certbot in --standalone mode would not redirect]
Something is grabbing the HTTP ACME requests before it reaches the client.

2 Likes

I did find that Oracle Cloud instances don't like ufw.

And this seems likely for the latest version too. In my first try at this, which worked, I was using instructions that said I should install firewalld to manage the firewall, which I did. I am in the middle of trying out firewalld to solve the problem. However, during the install process my instance crashed. Trying to recover now.

A lot to go through for a free vps.

1 Like

Presently I see Ports 80 & 443 filtered (i.e. blocked) from the viewpoint of the Internet.
Do you have a firewall and/or router filtering or blocking or dropping on TCP Ports 80 & 443?

$ nmap -Pn -p80,443 derp.localtest.live
Starting Nmap 7.80 ( https://nmap.org ) at 2024-03-21 23:49 UTC
Nmap scan report for derp.localtest.live (164.152.109.86)
Host is up.

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 3.50 seconds
1 Like

Yes I do; that is the problem. I wanted to use ufw, but that is not possible in the Oracle Cloud instances, so now I am getting up to speed on iptables. I wanted to install firewalld, but that crashed my other test system. Now I am working on getting iptables to open 80 and 443 and the other ports I need for my project.

You may want see if firehol is to your liking. I moved to firehol from ufw many years ago and still use it.

2 Likes

I found this extremely cool:
dnsbl ipset.sh · firehol/firehol Wiki · GitHub

Thanks for the tip.

2 Likes

FYI - @mooncaptain Presently I see Ports 80 & 443 CLOSED

$ nmap -Pn -p80,443 derp.localtest.live
Starting Nmap 7.80 ( https://nmap.org ) at 2024-03-22 02:33 UTC
Nmap scan report for derp.localtest.live (164.152.109.86)
Host is up (0.057s latency).

PORT    STATE  SERVICE
80/tcp  closed http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 0.38 seconds
1 Like

Looks like a good firewall management system. The iptables on all the Oracle Cloud Infrastructure Linux boxes is tightly integrated with their cloud network. I would have to build all that from scratch in firehol, so probably not going to do that in this instance. I have already opened up all the necessary ports using iptables. I seem to remember doing all this years ago; it looks a lot like how a MikroTik router gets programmed.

I haven't got my server working, but I do have the certificates all loaded and the connection is encrypted.

The solution for Oracle Cloud Infrastructure boxes is: don't use ufw, it doesn't work. Use iptables instead to open ports.

2 Likes
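The thread ends on "use iptables to open the ports", and the nmap output above shows the symptom from outside (80/443 "filtered", then "closed"). The usual trap with host-level iptables on these images is rule ordering: an ACCEPT appended with `-A INPUT` lands after the chain's catch-all REJECT and is never evaluated, so the outside world keeps seeing the port as filtered even though `ss` shows a listener. The script below is an added example, not part of the thread: it parses an `iptables-save` dump, walks the INPUT chain in netfilter order to report which verdict a fresh inbound TCP connection to a given port would hit, and prints the `iptables -I INPUT <n>` command that inserts an ACCEPT ahead of the block. The embedded ruleset is constructed for the example and only assumed to resemble the default layout on Oracle Cloud Ubuntu images (established/loopback/ICMP/22 accepted, then `REJECT --reject-with icmp-host-prohibited`); check your own `sudo iptables-save` output rather than trusting that assumption.

```python
"""
Check whether an iptables-save dump lets new inbound TCP connections to a
port through the INPUT chain before a catch-all REJECT/DROP, and build the
`iptables -I` command that inserts a missing ACCEPT at the right position.

Added example (not the thread's code). SAMPLE_RULES_V4 is constructed and
only assumed to resemble the Oracle Cloud Ubuntu image defaults; the final
`-A INPUT ... --dport 80 -j ACCEPT` line shows the mistake of appending an
ACCEPT after the REJECT, where it never matches.
"""
import shlex

SAMPLE_RULES_V4 = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp --sport 123 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""


def parse_chain(dump, chain="INPUT"):
    """Return the rules of one chain as lists of tokens, in chain order."""
    rules = []
    for line in dump.splitlines():
        if line.startswith("-A " + chain + " "):
            rules.append(shlex.split(line)[2:])  # drop "-A <chain>"
    return rules


def _opt(tokens, *names):
    """Value following the first of the given option names, or None."""
    for i, tok in enumerate(tokens):
        if tok in names and i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def _dports(tokens):
    """Set of destination ports a rule matches (single, a:b range, or list); None = any."""
    val = _opt(tokens, "--dport", "--dports")
    if val is None:
        return None
    ports = set()
    for part in val.split(","):
        if ":" in part:
            lo, hi = part.split(":")
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(part))
    return ports


def classify_port(rules, port, proto="tcp"):
    """
    Walk the chain the way netfilter does for a NEW connection from an
    arbitrary remote host: the first terminal rule that matches decides.
    Returns ("accept", n), ("blocked", n) or ("no_rule", None), with n the
    1-based rule number iptables itself uses.
    """
    for n, tokens in enumerate(rules, start=1):
        target = _opt(tokens, "-j")
        if target not in ("ACCEPT", "DROP", "REJECT"):
            continue  # LOG, RETURN, custom chains: not a terminal verdict here
        rproto = _opt(tokens, "-p")
        if rproto not in (None, "all") and rproto != proto:
            continue
        state = _opt(tokens, "--state")
        if state is not None and "NEW" not in state.split(","):
            continue  # only matches replies/related traffic, not a fresh SYN
        # Rules scoped to loopback, a specific source, or a source port do not
        # apply to an arbitrary inbound connection such as an ACME validator.
        if _opt(tokens, "-i") == "lo" or _opt(tokens, "-s") or _opt(tokens, "--sport"):
            continue
        dports = _dports(tokens)
        if dports is not None and port not in dports:
            continue
        return ("accept", n) if target == "ACCEPT" else ("blocked", n)
    return ("no_rule", None)


def fix_command(rules, port, proto="tcp"):
    """
    Command that inserts an ACCEPT for the port just before the rule that
    currently blocks it (so it is evaluated first). None if already accepted.
    """
    verdict, n = classify_port(rules, port, proto)
    if verdict == "accept":
        return None
    position = n if verdict == "blocked" else len(rules) + 1
    return (f"iptables -I INPUT {position} -p {proto} -m state --state NEW "
            f"-m {proto} --dport {port} -j ACCEPT")


def report(dump, ports=(80, 443)):
    """Map each port to (verdict, rule number, fix command or None)."""
    rules = parse_chain(dump)
    return {p: classify_port(rules, p) + (fix_command(rules, p),) for p in ports}


if __name__ == "__main__":
    for port, (verdict, n, fix) in report(SAMPLE_RULES_V4).items():
        where = f" at INPUT rule {n}" if n else ""
        print(f"tcp/{port}: {verdict}{where}")
        if fix:
            print(f"  fix: sudo {fix}")
```

On a real host, feed it `sudo iptables-save` instead of the constructed sample, and persist the inserted rules with whatever the image uses (on Ubuntu with the iptables-persistent package that is `sudo netfilter-persistent save`; on other images the file is typically /etc/iptables/rules.v4, which is an assumption to verify). Remember that nmap reporting "filtered" can come from either the host firewall or the VCN security list, so when the script says a port is accepted but the outside still cannot connect, the remaining block is in the cloud network layer.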