NO-IP falling at the acme challenge step

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: iosdevserver.com

I ran this command: sudo certbot certonly --standalone -d iosdevserver.com -v

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Plugins selected: Authenticator standalone, Installer None

Requesting a certificate for iosdevserver.com

Performing the following challenges:

http-01 challenge for iosdevserver.com

Waiting for verification...

Challenge failed for domain iosdevserver.com

http-01 challenge for iosdevserver.com

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:

Domain: iosdevserver.com

Type: connection

Detail: Fetching http://iosdevserver.com/.well-known/acme-challenge/tpyzIz6i6axekR4AGiOY2u3GcITG2O6bBqYwodKM85M: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Cleaning up challenges

Some challenges have failed.

My web server is (include version): Intel NUC

The operating system my web server runs on is (include version): Ubuntu Desktop 20.04

My hosting provider, if applicable, is: NO-IP

I can login to a root shell on my machine (yes or no, or I don't know): YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.19.0

1 Like

Welcome to the Let's Encrypt Community, Renato 🙂

A couple of thoughts...

The standalone authenticator temporarily spins up its own webserver bound to port 80 (HTTP). This would cause a conflict if a webserver were running on port 80 at 47.222.55.247 for iosdevserver.com, which would lead me to recommend using the webroot authenticator. However, this indicates that even the temporary webserver could not be reached:

This leads me to believe one or more of the following:

  • 47.222.55.247 is not actually the current correct IP address for iosdevserver.com
  • the router for 47.222.55.247 is not properly forwarding inbound requests on port 80 to the webserver
  • a firewall is preventing inbound communications on port 80 to the webserver

Try adding --debug-challenges to your certbot command to have certbot pause after setting up the challenge files then try to request the challenge files with a web browser on your phone or other device outside of your network. Also, make sure that you're using --dry-run for testing so that you don't get rate-limited!

Something like this:

sudo certbot certonly --standalone -d "iosdevserver.com,www.iosdevserver.com" --debug-challenges --dry-run

3 Likes

You need a "functional web server" before you can secure it (via HTTP authentication).
I realize that you are using --standalone, which implies you don't have a web server.
But that doesn't negate all the requirements needed to actually have a "functional web server".
When certbot acts as the web server, be 100% sure that:

2 Likes

Thanks Griffin and rg305 for your quick reply!
I am a beginner in all this IP world. I started yesterday :o), literally!
I did deploy a NodeJS application ("Hello from my Intel NUC") that is listening on port 80. From my Mac to my Ubuntu server, I can load this over http by passing the wildcard url ("whateverIwant.iosdevserver.com").

What I noticed today is that from outside my network (I used my mobile phone's LTE coverage), I am not able to load the http page.

I found some information on the No-IP website regarding the Port 80 Redirect service. I tried, but it is still not working. I believe I need to talk to No-IP to help me troubleshoot this issue.

Not sure if you have any other idea, but like Griffin mentioned, traffic is not coming in.
I will open a ticket with No-IP.

Thanks again!

1 Like

UPDATE. Looks like my ISP is blocking my ports 80 and 443. I was able to use the Port 80 Redirect service. Configured my HTTP port as 8080 in my router and No-IP. Changed my NodeJS to listen on port 8080. Now I am able to see the "Hello from my Intel NUC" from outside my network.
Tried certbot and got this message:

rf@iosdevserver : ~ $ sudo certbot certonly --standalone -d "ap1.iosdevserver.com" --debug-challenges --dry-run

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Simulating a certificate request for ap1.iosdevserver.com

Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about challenges.

Press Enter to Continue

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:

Domain: ap1.iosdevserver.com

Type: connection

Detail: Fetching http://47.222.55.247:8080/.well-known/acme-challenge/zPk0fZGV9Q6V9JOjHsHimAh-Wj48iBKnNXcYYgC24FU: Invalid port in redirect target. Only ports 80 and 443 are supported, not 8080

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Some challenges have failed.

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Thanks again,
Renato.

2 Likes

An HTTP-01 challenge starts from a domain name on port 80 (http) then follows up to 10 redirects to domain names on either port 80 (http) or port 443 (https). IPv6 addresses (DNS AAAA records) are given priority over IPv4 addresses (DNS A records) for challenge requests.

You might want to consider satisfying DNS-01 challenges instead. You can start off with satisfying these challenges manually:

sudo certbot certonly --manual --preferred-challenges dns -d "iosdevserver.com,www.iosdevserver.com" --dry-run

Once you've successfully satisfied the dry run challenges, run the command above again without --dry-run.

1 Like

Unfortunately LE won't follow redirects to IP addresses, nor to any port (other than 80 and 443).
So, this won't work for both reasons:
http://47.222.55.247:8080/.well-known/acme-challenge/zPk0fZGV9Q6V9JOjHsHimAh-Wj48iBKnNXcYYgC24FU

What all are the options included therein?

1 Like
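Griffin's advice earlier in the thread (test the challenge URL from outside your own network, and check DNS, port forwarding and the firewall) and the redirect rules stated in the last two replies (at most 10 hops, DNS names only, ports 80 and 443 only, AAAA records tried before A records) can be combined into one pre-flight script. The script below is an added example written for this thread; it is not certbot's code and not anything No-IP provides. It assumes POSIX sh with curl and dig (package dnsutils on Ubuntu) installed, and the probe path /.well-known/acme-challenge/connectivity-test is invented: a 404 for it is the expected "good" answer, since the real token only exists while certbot is paused with --debug-challenges. The function acme_redirect_ok applies the same port and IP-literal rules the CA reported in the failed run above, so a redirect such as http://47.222.55.247:8080/... is flagged before you spend a rate-limited attempt on it.

```shell
#!/bin/sh
# Added example (not from certbot, No-IP or the original posts): pre-flight
# checks for an HTTP-01 challenge. Assumes POSIX sh, curl and dig.
# The probe path below is made up; the CA's real token path differs per run.

# Return 0 when URL is a redirect target the CA will follow: http or https,
# a DNS name (no IPv4 or bracketed IPv6 literal) and port 80 or 443, either
# explicit or implied by the scheme. Everything else returns 1.
acme_redirect_ok() {
  local url="$1" scheme rest hostport host port
  case "$url" in
    http://*)  scheme=http;  rest="${url#http://}" ;;
    https://*) scheme=https; rest="${url#https://}" ;;
    *) return 1 ;;
  esac
  hostport="${rest%%/*}"
  case "$hostport" in
    \[*) return 1 ;;   # bracketed IPv6 literal: not followed by the CA
  esac
  host="${hostport%%:*}"
  [ -n "$host" ] || return 1
  if [ "$hostport" = "$host" ]; then
    if [ "$scheme" = http ]; then port=80; else port=443; fi
  else
    port="${hostport##*:}"
  fi
  # IPv4 literal: not followed by the CA
  if printf '%s\n' "$host" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'; then
    return 1
  fi
  [ "$port" = 80 ] || [ "$port" = 443 ]
}

# Show what public DNS returns for DOMAIN. The CA tries AAAA (IPv6) before A
# (IPv4), so a stray AAAA record is the first thing to look for. When an
# expected IPv4 address is given, confirm it is among the A records.
acme_check_dns() {
  local domain="$1" expected="${2:-}" a4 a6
  a4=$(dig +short A "$domain" | tr '\n' ' ')
  a6=$(dig +short AAAA "$domain" | tr '\n' ' ')
  echo "A    records for $domain: ${a4:-(none)}"
  echo "AAAA records for $domain: ${a6:-(none)}"
  if [ -n "$a6" ]; then
    echo "note: the CA connects over IPv6 first; port 80 must be open there too"
  fi
  if [ -n "$expected" ]; then
    case " $a4" in
      *" $expected "*) ;;
      *) echo "warning: $expected is not among the A records the CA will see"; return 1 ;;
    esac
  fi
}

# Walk the redirect chain from http://DOMAIN on port 80 the way the CA does:
# at most 10 hops, each target validated with acme_redirect_ok. Needs network
# access, so run it from outside your own network (e.g. a phone on LTE).
acme_check_chain() {
  local url="http://$1/.well-known/acme-challenge/connectivity-test" hop=0 reply code next
  while [ "$hop" -le 10 ]; do
    reply=$(curl -sS -o /dev/null --max-time 10 -w '%{http_code} %{redirect_url}' "$url") ||
      { echo "hop $hop: could not connect to $url (firewall or port forwarding?)"; return 1; }
    code="${reply%% *}"
    next="${reply#* }"
    echo "hop $hop: $url -> HTTP $code"
    case "$code" in
      30[12378]) ;;
      *) return 0 ;;   # final answer reached; a 404 is fine for this probe path
    esac
    if ! acme_redirect_ok "$next"; then
      echo "  rejected redirect target (IP literal or port other than 80/443): $next"
      return 1
    fi
    url="$next"
    hop=$((hop + 1))
  done
  echo "more than 10 redirects"
  return 1
}

# Usage: sh acme-preflight.sh iosdevserver.com [EXPECTED_IPV4]
if [ "$#" -ge 1 ]; then
  acme_check_dns "$1" "${2:-}"
  acme_check_chain "$1"
fi
```

Run it as `sh acme-preflight.sh iosdevserver.com 47.222.55.247` from a device outside your network while certbot is paused at the --debug-challenges prompt. A chain that ends in a non-redirect status on port 80 or 443 of a DNS name is one the CA can follow; a hop that lands on an IP address or on port 8080, as in the failed run above, is reported and the script stops there. DNS-01, as suggested above, avoids the whole question because the CA never has to connect to your machine.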

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.