New to certbot, unable to create cert with nginx plugin

My domain is: mukkai.in

I ran this command: sudo certbot --test-cert

It produced this output:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Requesting a certificate for mukkai.in and 2 more domains

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: mukkai.in
  Type:   connection
  Detail: 68.199.52.2: Fetching http://mukkai.in/.well-known/acme-challenge/6UZNm2kWKzx4sWBr8SDZTv0duSK24bYMYc1nCfnvj5U: Timeout during connect (likely firewall problem)

  Domain: www.mukkai.in
  Type:   connection
  Detail: 68.199.52.2: Fetching http://www.mukkai.in/.well-known/acme-challenge/NY313KKdyBVuraUgHTr0tEtq49fLIj9jHONKJbVgtcg: Timeout during connect (likely firewall problem)

  Domain: mynas.mukkai.in
  Type:   connection
  Detail: 68.199.52.2: Fetching http://mynas.mukkai.in/.well-known/acme-challenge/mKeXVt0P_MCQnrm18c9mJkXcnIP7FvVhVVfN66uXyr4: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx version: nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 22.04 LTS

My hosting provider, if applicable, is: Self hosted on a VM

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.29

$ cat /etc/nginx/sites-enabled/mukkai.in
server {
        listen 80;
        root /var/www/mukkai.in/html;
        server_name mukkai.in mynas.mukkai.in www.mukkai.in;
        location ~/.well-known {
                root /var/www/mukkai.in/html;
                allow all;
        }
}

I even manually created a test file and looked it up with mukkai.in/.well-known/acme-challenge/test.txt, and I can see the file.


Welcome to the community @emaaraarkay

Thanks for creating the test file. Did you try getting it from outside your local network? Like from a cell phone with wifi off?

Because I cannot see that file, and a port test shows port 80 blocked, probably by a firewall:

curl -I -m10 http://mukkai.in/.well-known/acme-challenge/test.txt
curl: (28) Connection timed out after 10000 milliseconds

nmap -p80,443 mukkai.in
rDNS record for 68.199.52.2: ool-44c73402.dyn.optonline.net
PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp closed   https

The timeout I get is the same as Let's Encrypt servers get.

The Let's Encrypt servers are (today) in Europe and the US. Does your firewall block requests from these regions? (my test server is also in the US).

Or, check your router for a firewall setting and that any NAT port forwarding is correct.


I have had multiple iterations and failures. I will make that file available and post back here. Give me a bit.

$ nmap -p80,443 mukkai.in
Starting Nmap 7.80 ( https://nmap.org ) at 2022-08-09 22:01 EDT
Nmap scan report for mukkai.in (68.199.52.2)
Host is up (0.0014s latency).
rDNS record for 68.199.52.2: ool-44c73402.dyn.optonline.net

PORT    STATE  SERVICE
80/tcp  open   http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds

Looks like my ISP does block port 80. Is there a workaround for this?

Not if you want port 80 open to all. As for getting a Let's Encrypt cert, you could read about the DNS challenge instead.

Are you using Google Cloud DNS or just Google Domains DNS?
(It is an important difference.)


I am using Google Domains DNS

I don't believe there is an API for Google Domains DNS that you could use for an automated DNS challenge. You can do a manual cert request and manually add a TXT record to your DNS to satisfy the challenge. You will need to do this every 60 days or so, as Let's Encrypt certs only last 90 days and it is best to renew before they expire.

The manual effort quickly becomes a burden. If possible, you could switch to a DNS provider that does offer an API. Cloudflare is one such provider. An ACME client called acme.sh supports more DNS providers than certbot. See its GitHub.

Read about certbot's manual mode here:
https://eff-certbot.readthedocs.io/en/stable/using.html#manual
and its Cloudflare support here:
https://certbot-dns-cloudflare.readthedocs.io/en/stable/

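As an added example (not from this thread, and not certbot's own code), here is a hypothetical `--manual-auth-hook` script for the manual DNS-01 flow described above. It prints the `_acme-challenge` TXT record you need to add and then waits until that record is visible on a public resolver before returning, so certbot does not ask the CA to validate a record that has not propagated yet. It assumes `dig` is installed and relies on the `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION` variables certbot exports to auth hooks.

```shell
#!/bin/sh
# dns-manual-wait.sh: hypothetical certbot manual-auth-hook (added example).
# certbot runs this once per domain with CERTBOT_DOMAIN and CERTBOT_VALIDATION
# set; it must not return until the TXT record can be resolved publicly.
set -eu

# Name of the TXT record the CA queries for a given domain.
challenge_name() {
    printf '_acme-challenge.%s\n' "$1"
}

# Return 0 when the expected validation value is one of the TXT strings in $1
# (raw output of `dig +short TXT ...`, one quoted string per line), else 1.
txt_record_present() {
    dig_output=$1
    expected=$2
    printf '%s\n' "$dig_output" | tr -d '"' | grep -qxF -- "$expected"
}

# Poll a public resolver (assumed: 1.1.1.1) every 10 s until the record is
# visible or the attempt budget (default 30 tries, i.e. 5 minutes) runs out.
wait_for_txt() {
    name=$1
    expected=$2
    attempts=${3:-30}
    i=0
    while [ "$i" -lt "$attempts" ]; do
        if txt_record_present "$(dig +short TXT "$name" @1.1.1.1)" "$expected"; then
            return 0
        fi
        i=$((i + 1))
        sleep 10
    done
    return 1
}

# The interactive part only runs when certbot invokes the script.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
    name=$(challenge_name "$CERTBOT_DOMAIN")
    echo "Add a TXT record at $name with value: $CERTBOT_VALIDATION" >&2
    echo "Waiting for the record to appear on public DNS..." >&2
    wait_for_txt "$name" "$CERTBOT_VALIDATION" \
        || { echo "TXT record still not visible; giving up" >&2; exit 1; }
fi
```

Invoke it with `certbot certonly --manual --preferred-challenges dns --manual-auth-hook ./dns-manual-wait.sh -d mukkai.in -d www.mukkai.in -d mynas.mukkai.in`; each name gets its own record and its own wait, and the same hook is reused at renewal time.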

Thank you. I was able to get a staging and production cert. Thanks for the help.

