I ran this command: certbot --apache --agree-tos --redirect --hsts --staple-ocsp --email admin@[redacted] -d lmkecloud.net
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Requesting a certificate for lmkecloud.net
Performing the following challenges:
http-01 challenge for lmkecloud.net
Waiting for verification...
Challenge failed for domain lmkecloud.net
http-01 challenge for lmkecloud.net
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: lmkecloud.net
Type: dns
Detail: No valid IP addresses found for lmkecloud.net
My web server is apache2
The operating system my web server runs on is Debian 11
Your hostname has an A resource record with contents 192.168.20.5 which is a private IP address and Let's Encrypt won't be able to connect to that IP address for validation of your hostname.
Nobody can visit your site using that IP address by the way.
Solutions:
Change the A record to the actual public IP address of your website;
Use the dns-01 challenge. Certbot has a certbot-dns-google plugin as I see your domain is hosted by Google.
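An added example (not code from the thread or from Certbot) that turns the check in the reply above into a small script: it classifies each address a hostname resolves to and flags any that a public CA cannot connect to. The address 192.168.20.5 is the one from the reported A record; the function names and the other sample addresses are my own.

```python
import ipaddress
import socket
import sys


def classify(addr: str) -> str:
    """Say why a CA cannot reach an address from the internet, or 'public'."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:            # RFC 1918, ULA, documentation ranges, ...
        return "private"
    if not ip.is_global:         # e.g. CGNAT 100.64.0.0/10
        return "not globally routable"
    return "public"


def unreachable_records(addrs):
    """Return {address: reason} for every address http-01 validation cannot reach."""
    return {a: classify(a) for a in addrs if classify(a) != "public"}


def resolve(domain):
    """Live A/AAAA lookup; returns a sorted list of address strings."""
    infos = socket.getaddrinfo(domain, 80, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    # Constructed input when run without arguments: the record from the thread.
    addrs = resolve(sys.argv[1]) if len(sys.argv) > 1 else ["192.168.20.5"]
    bad = unreachable_records(addrs)
    for addr in addrs:
        print(f"{addr}: {bad.get(addr, 'public, reachable by the CA')}")
    sys.exit(1 if bad else 0)
```

A non-empty result means the http-01 challenge will fail before any firewall or web server setting matters; either the record has to point at the public address or the dns-01 challenge has to be used instead.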
Hi @lmkecloud and welcome to the LE community forum
PING is not required for any type of certificate.
So focus on the need.
Where do you plan on using that certificate?
If on a web server, then you might want to use it to validate the challenge requests (via HTTP).
If so, then HTTP requests (not PING) need to reach your web server.
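An added example, not part of the thread, showing the HTTP side of the http-01 challenge that the reply above refers to: a file under /.well-known/acme-challenge/ is written into the webroot (as certbot's webroot plugin does), served over plain HTTP, and fetched back. The token and key authorization values are constructed, the server is a stand-in for Apache, and the function names are my own.

```python
import functools
import http.server
import socketserver
import tempfile
import threading
import urllib.error
import urllib.request
from pathlib import Path

# Path every ACME http-01 validation request uses, relative to the webroot.
CHALLENGE_DIR = ".well-known/acme-challenge"


class QuietHandler(http.server.SimpleHTTPRequestHandler):
    """Static file server for the webroot with per-request logging silenced."""

    def log_message(self, *args):
        pass


class ReusableTCPServer(socketserver.TCPServer):
    allow_reuse_address = True


def write_challenge(webroot, token, key_authorization):
    """Place a challenge file the way the webroot authenticator does."""
    path = Path(webroot) / CHALLENGE_DIR / token
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(key_authorization)
    return path


def serve_webroot(webroot, host="127.0.0.1", port=0):
    """Serve the webroot in a background thread; returns the running server."""
    handler = functools.partial(QuietHandler, directory=str(webroot))
    httpd = ReusableTCPServer((host, port), handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd


def fetch_challenge(host, port, token, timeout=5):
    """GET the challenge URL; returns (status, body) or (None, error text)."""
    url = f"http://{host}:{port}/{CHALLENGE_DIR}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (urllib.error.URLError, OSError) as err:
        # Timeout or refused: the request never reached a web server at all.
        return None, str(err)


def self_test(token="constructed-token",
              key_authorization="constructed-token.constructed-thumbprint"):
    """Write, serve and fetch a challenge file; returns (ok, detail)."""
    with tempfile.TemporaryDirectory() as webroot:
        write_challenge(webroot, token, key_authorization)
        httpd = serve_webroot(webroot)
        host, port = httpd.server_address[:2]
        try:
            status, body = fetch_challenge(host, port, token)
            missing_status, _ = fetch_challenge(host, port, "no-such-token")
        finally:
            httpd.shutdown()
            httpd.server_close()
    ok = status == 200 and body == key_authorization and missing_status == 404
    return ok, f"challenge status={status}, missing-file status={missing_status}"


if __name__ == "__main__":
    print(self_test())
```

The loopback round trip only proves that the webroot serves the path; the CA fetches the same URL on port 80 from the internet, so a self-test that passes while Certbot reports a connect timeout points at the path in between (NAT, router, firewall) rather than at the web server.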
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for lmkecloud.net and www.lmkecloud.net
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: lmkecloud.net
Type: connection
Detail: Fetching http://lmkecloud.net/.well-known/acme-challenge/MI_CZNNJcPr18GKxtxk1XEeBrG7Up9zLQMH3y0Kg3D0: Timeout during connect (likely firewall problem)
Domain: www.lmkecloud.net
Type: connection
Detail: Fetching http://www.lmkecloud.net/.well-known/acme-challenge/WPokU5r9a2P_5eWGNSQeo4gGdvC-EfdZGXMZXR-bfDE: Timeout during connect (likely firewall problem)
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
This is my firewall status:
Status: active
To Action From
-- ------ ----
WWW ALLOW Anywhere
80/tcp ALLOW Anywhere
WWW (v6) ALLOW Anywhere (v6)
80/tcp (v6) ALLOW Anywhere (v6)
@lmkecloud As Rudy pointed out, your server is not reachable. Your most recent error messages saying "timeout" confirm that. You can also try using Let's Debug (click re-run test after making changes).
Update: And, you will need to update your firewall to allow port 443 for https (if WWW does not do that). That is not causing your current problems but will need to be open.
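An added example, not from the thread, that checks the point made above against the ufw status output: it parses the rule table and reports which of 80/tcp and 443/tcp are not allowed from Anywhere for IPv4 and IPv6. The first sample is the status pasted earlier in the thread; the second is a constructed version with the "WWW Full" profile added. The profile-to-port mapping follows the ufw-webserver application profiles (WWW, WWW Secure, WWW Full) and is an assumption if the host uses different profiles.

```python
import re

# Sample 1: the status posted in the thread (whitespace as shown on the page).
UFW_STATUS_POSTED = """Status: active
To Action From
-- ------ ----
WWW ALLOW Anywhere
80/tcp ALLOW Anywhere
WWW (v6) ALLOW Anywhere (v6)
80/tcp (v6) ALLOW Anywhere (v6)
"""

# Sample 2: constructed; what the table looks like after `ufw allow 'WWW Full'`.
UFW_STATUS_FIXED = UFW_STATUS_POSTED + """WWW Full ALLOW Anywhere
WWW Full (v6) ALLOW Anywhere (v6)
"""

# ufw-webserver application profiles (assumed mapping).
APP_PROFILES = {
    "WWW": {"80/tcp"},
    "WWW Secure": {"443/tcp"},
    "WWW Full": {"80/tcp", "443/tcp"},
}
REQUIRED = {"80/tcp", "443/tcp"}

RULE_RE = re.compile(
    r"^(?P<to>.+?)\s+(?P<action>ALLOW|DENY|REJECT|LIMIT)(?:\s+(?:IN|OUT))?\s+(?P<src>.+)$"
)


def parse_rules(text):
    """Return (to, action, source, family) tuples from `ufw status` output."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue                      # header, separator and status lines
        to = m.group("to")
        family = "v6" if to.endswith("(v6)") else "v4"
        to = to.replace("(v6)", "").strip()
        rules.append((to, m.group("action"), m.group("src").strip(), family))
    return rules


def ports_for(target):
    """Expand a rule target (profile name or port spec) to a set of port/proto."""
    if target in APP_PROFILES:
        return set(APP_PROFILES[target])
    if target.isdigit():                  # bare port means both protocols
        return {f"{target}/tcp", f"{target}/udp"}
    return {target} if "/" in target else set()


def allowed_ports(rules):
    """Ports allowed from Anywhere, per address family."""
    opened = {"v4": set(), "v6": set()}
    for to, action, src, family in rules:
        if action == "ALLOW" and src.startswith("Anywhere"):
            opened[family] |= ports_for(to)
    return opened


def missing_ports(text, required=REQUIRED):
    """Required ports not allowed from Anywhere, per family, in sorted lists."""
    opened = allowed_ports(parse_rules(text))
    return {fam: sorted(required - ports) for fam, ports in opened.items()}


if __name__ == "__main__":
    print("posted:", missing_ports(UFW_STATUS_POSTED))
    print("fixed: ", missing_ports(UFW_STATUS_FIXED))
```

For the posted status the result is 443/tcp missing for both families, which matches the note above: port 80 is open, so the current timeouts are not caused by ufw, but HTTPS will need 443 once the certificate is installed.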
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:80 is a NameVirtualHost
default server 127.0.0.1 (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost 127.0.0.1 (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost lmkecloud.net (/etc/apache2/sites-enabled/collabora.conf:1)
*:443 127.0.0.1 (/etc/apache2/sites-enabled/default-ssl.conf:2)
@lmkecloud Ah, perhaps a clue. I found an article for a NetComm NF18MESH that says:
"For example, you cannot host a web server accessible through port 80 of your public IP and enable remote http administration of the NF18MESH through port 80, you must provide both with unique port numbers."
I guess your model is similar. Do you have remote http admin enabled? If so, try disabling it or use a port other than 80 for it. Can you check your manual to see if it is the same as the MESH model in this regard?
Unfortunately there is option to remove http. I'll contact the router manufacturer.
Thank you so much for all the help you guys have provided on this issue. Much appreciated.
@lmkecloud I searched a manual for your model NF18ACV and saw in the Security section there is an Incoming IP Filtering config. On that page it says when firewall is enabled that all inbound IP traffic is blocked and you must setup IP filters to allow.
The instructions were not very clear, but did you try that to set up inbound http? Or temporarily disable your firewall to see if you would get further along?
I do not know if this is the same model year of your router but I looked at the one from here: https://support.netcommwireless.com/products/NF18ACV
If that is not it, I am out of ideas. Best to talk with the vendor.