My server is not queried

My issue is that I do not see letsencrypt try to access my server on the firewall.
If I try to access the acme-challenge file externally (from my phone) I do have access to the file.
Thus the server is properly setup and the ddns is properly resolving the host fqdn
What could be the issue?

My domain is: study.klomp.ca

I ran this command: sudo certbot certonly --apache --dry-run -d study.klomp.ca

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for study.klomp.ca
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. study.klomp.ca (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://study.klomp.ca/.well-known/acme-challenge/CPg93NGPfjJ1xseCsUH5nmZIZ5OCkFIrX9gt1JWRmlQ: Timeout during connect (likely firewall problem)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: study.klomp.ca
    Type: connection
    Detail: Fetching
    http://study.klomp.ca/.well-known/acme-challenge/CPg93NGPfjJ1xseCsUH5nmZIZ5OCkFIrX9gt1JWRmlQ:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version): apache2 2.4.18-2ubuntu3.10

The operating system my web server runs on is (include version): Ubuntu 16.04.6 LTS

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no, ssh

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

My FQDN is resolving properly:

; <<>> DiG 9.10.3-P4-Ubuntu <<>> study.klomp.ca 1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47193
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;study.klomp.ca. IN A

;; ANSWER SECTION:
study.klomp.ca. 1800 IN CNAME klomp.zanity.net.
klomp.zanity.net. 60 IN A 149.248.114.142

;; Query time: 132 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Sat Apr 06 23:25:27 EDT 2019
;; MSG SIZE rcvd: 89

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53294
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;1.1.1.1. IN A

;; ANSWER SECTION:
1.1.1.1. 0 IN A 1.1.1.1

;; Query time: 0 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Sat Apr 06 23:25:27 EDT 2019
;; MSG SIZE rcvd: 52

http://study.klomp.ca/ times out for me too.

Are you sure it can be accessed by other ISPs and other countries?

Maybe your ISP is having an issue?

My server is restricted And I saw you try to access my server.
Thus my setup is working!
Wonder why Letsencrypt is not accessing my server.

Thanks for validating.

I’ve allowed the test script access to my site, and it did successfully accessed it
Check script

To use HTTP validation, the entire Internet needs to be able to access http://study.klomp.ca/.well-known/acme-challenge/.

My server redirects HTTP to HTTPS.
Does this mean I have to set the challenge to use TLS-ALPN-01 instead?

Hi @LinuxLover9

there is only https allowed. So the check result reports an open port 443, but not the required open port 80.

Domainname Http-Status redirect Sec. G
http://study.klomp.ca/
149.248.114.142 -14 10.027 T
Timeout - The operation has timed out
https://study.klomp.ca/
149.248.114.142 200 1.217 N
Certificate error: RemoteCertificateChainErrors
http://study.klomp.ca/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
149.248.114.142 -14 10.026 T
Timeout - The operation has timed out
Visible Content:

You must open your http port.

That's not a problem (if the redirect is correct, with folder and file and only port 80 / 443). Letsencrypt follows these redirects.

You have three options:

  • open port 80
  • use tls-alpn-01
  • use dns-01

But it's always bad to have a website with a closed port 80. That's a misconfiguration.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.