Obtain first certificate: timeout

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: campo-randale.de

I ran this command: certbot --apache

It produced this output:
Domain: crbox.campo-randale.de
Type: connection
Detail: Fetching
http://crbox.campo-randale.de/.well-known/acme-challenge/d2C02-4MXN8jysq6y5WTnMxkghw8fpkGjU8GPK2AC5Y:
Timeout during connect (likely firewall problem)

(the challenge is faked)

My web server is (include version): Apache2.4

The operating system my web server runs on is (include version): Linux

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.30.2

But the Web-Service is reachable from the internet via port 80. (At least when I try to get the cert :wink: I do not see any FW problems. What can I check next?

Hi @hjfh

is this your domain? If yes, that domain is parked, so you can’t create a certificate.

If no, please share your domain name.

? Yes, this is my domain. Why you think it is parked? I can access the host crbox.campo-randale.de via http. But the FW permit https, too. (just in the moment the FW drops the connections)

Checked the main domain, the result is curious ( https://check-your-website.server-daten.de/?q=campo-randale.de ):

Domainname Http-Status redirect Sec. G
http://campo-randale.de/
217.160.157.99 403 0.057 M
Forbidden
http://www.campo-randale.de/
217.160.157.99 403 0.053 M
Forbidden
https://campo-randale.de/
217.160.157.99 -4 0.080 W
SendFailure - The underlying connection was closed: An unexpected error occurred on a send. The handshake failed due to an unexpected packet format.
https://www.campo-randale.de/
217.160.157.99 -4 0.080 W
SendFailure - The underlying connection was closed: An unexpected error occurred on a send. The handshake failed due to an unexpected packet format.
http://campo-randale.de:443/
217.160.157.99 403 0.053 Q
Forbidden
Visible Content:
http://www.campo-randale.de:443/
217.160.157.99 403 0.050 Q
Forbidden
Visible Content:
http://campo-randale.de/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
217.160.157.99 300 0.047
Visible Content: Multiple Choices The document name you requested ( /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de ) could not be found on this server. However, we found documents with names similar to the one you requested. Available documents: /./acme-challenge/check-your-website-dot-server-daten-dot-de (common basename) /…/acme-challenge/check-your-website-dot-server-daten-dot-de (common basename)
http://www.campo-randale.de/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
217.160.157.99 300 0.044
Visible Content: Multiple Choices The document name you requested ( /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de ) could not be found on this server. However, we found documents with names similar to the one you requested. Available documents: /./acme-challenge/check-your-website-dot-server-daten-dot-de (common basename) /…/acme-challenge/check-your-website-dot-server-daten-dot-de (common basename)

https has a typical error, so the tool checks http over port 443.

Checked that url manual, there is

<!DOCTYPE html>
<html>
    <head>
        <meta charset="utf-8">
        <style type="text/css">
            html, body, #partner, iframe {
                height:100%;
                width:100%;
                margin:0;
                padding:0;
                border:0;
                outline:0;
                font-size:100%;
                vertical-align:baseline;
                background:transparent;
            }
            body {
                overflow:hidden;
            }
        </style>
        <meta content="NOW" name="expires">
        <meta content="index, follow, all" name="GOOGLEBOT">
        <meta content="index, follow, all" name="robots">
        <!-- Following Meta-Tag fixes scaling-issues on mobile devices -->
        <meta content="width=device-width; initial-scale=1.0; maximum-scale=1.0; user-scalable=0;" name="viewport">
    </head>
    <body>
        <div id="partner"></div>
        <script type="text/javascript">
            document.write(
                    '<script type="text/javascript" language="JavaScript"'
                            + 'src="//sedoparking.com/frmpark/'
                            + window.location.host + '/'
                            + 'IONOSParkingDE'
                            + '/park.js">'
                    + '<\/script>'
            );
        </script>
    </body>
</html>

a sedoparking included.

And critical: /.well-known/acme-challenge sends a multiple choice, so it looks that you can’t use http-01 validation.

Now checking the subdomain - crbox

Ah, your main domain is hosted via 1&1 ( https://check-your-website.server-daten.de/?q=campo-randale.de ):

Host T IP-Address is auth. ∑ Queries ∑ Timeout
campo-randale.de A 217.160.157.99 Karlsruhe/Baden-Württemberg/Germany (DE) - 1&1 Internet SE Hostname: campo-randale.net yes 1 0
AAAA yes
www.campo-randale.de A 217.160.157.99 Karlsruhe/Baden-Württemberg/Germany (DE) - 1&1 Internet SE Hostname: campo-randale.net yes 1 0
AAAA yes

Your subdomain - looks like a home server ( https://check-your-website.server-daten.de/?q=crbox.campo-randale.de ):

Host T IP-Address is auth. ∑ Queries ∑ Timeout
crbox.campo-randale.de A 195.145.32.219 Gelnhausen/Hesse/Germany (DE) - Deutsche Telekom AG No Hostname found yes 1 0
AAAA yes
www.crbox.campo-randale.de Name Error yes 1 0

And there are only timeouts:

Domainname Http-Status redirect Sec. G
http://crbox.campo-randale.de/
195.145.32.219 -14 10.026 T
Timeout - The operation has timed out
https://crbox.campo-randale.de/
195.145.32.219 -14 10.026 T
Timeout - The operation has timed out
http://crbox.campo-randale.de/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
195.145.32.219 -14 10.030 T
Timeout - The operation has timed out
Visible Content:

If you see the subdomain internal, your http works.

Port forwarding correct? Extern port 80 -> intern port 80.

Firewall?

A working port 80 is required to use http-01 validation.

Yes, when I enable the redirection I can access the website from the internet. I is enabled now.

Are there special hints to do when the site is hosted as a vhost in apache?

Yep, now your port 80 works:

Domainname Http-Status redirect Sec. G
http://crbox.campo-randale.de/
195.145.32.219 200 0.054 H
https://crbox.campo-randale.de/
195.145.32.219 -4 0.094 W
SendFailure - The underlying connection was closed: An unexpected error occurred on a send. The handshake failed due to an unexpected packet format.
http://crbox.campo-randale.de:443/
195.145.32.219 403 0.054 Q
Forbidden
Visible Content: Access forbidden! You don’t have permission to access the requested directory. There is either no index document or the directory is read-protected. If you think this is a server error, please contact the webmaster . Error 403 crbox.campo-randale.de Apache
http://crbox.campo-randale.de/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
195.145.32.219 404 0.053 A
Not Found

That’s the expected result: Port 80 is open and answers with the http status 404 - Not Found checking a file in /.well-known/acme-challenge.

So http-validation should work.

Certbot creates a file in /.well-known/acme-challenge, Letsencrypt checks that file.

Fine … now you found what I try to described: Web-service ist running but cerbot failed …

Should the file in acme-challenge stay if the certbot throws the reported error message? There is no .well-known directory at my host …

Then your configuration may be buggy.

What says

apachectl -S

VirtualHost configuration:
192.168.252.148:80 crbox.campo-randale.de (/etc/apache2/vhosts.d/crbox_campo-randale_de.conf:13)
ServerRoot: “/srv/www”
Main DocumentRoot: “/srv/www/htdocs”
Main ErrorLog: “/var/log/apache2/error_log”
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex rewrite-map: using_defaults
PidFile: “/var/run/httpd.pid”
Define: SYSCONFIG
Define: SSL
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name=“wwwrun” id=473
Group: name=“www” id=476

What’s the content of

Is there a DocumentRoot (without any additional location definitions)? If yes, use --webroot instead of --apache.

certbot run -a webroot -i apache -w yourDocumentRoot -d crbox.campo-randale.de

Indeed there is a DocumentRoot for this vhost. But the comment line:
certbot -i apache -w /srv/www/htdocs/vhosts/crbox_campo-randale_de/nextcloud -d crbox.campo-randale.de give the same result…

There is no -a webroot parameter, so it’s the same command as --apache.

Sorry typo,
has to be:

certbot run -a webroot -i apache -w …

(No copy &Paste at this terminal :wink:

Then this

is wrong.

Create the two subdirectories

/srv/www/htdocs/vhosts/crbox_campo-randale_de/nextcloud/.well-known/acme-challenge

there a file (file name 1234), then try to load that file via

http://crbox.campo-randale.de/.well-known/acme-challenge/1234

And share the content of the config file.

The file 1234 is then readable via Browser. (Hm, I have to stop access to the file system via apache later …)

Wich config file did you point? vhost?

The content of that file.

Your /1234 file works, so webroot should work.

This is the result :-\

certbot run -a webroot -i apache -w /srv/www/htdocs/vhosts/crbox_campo-randale_de/nextcloud/ -d crbox.campo-randale.de

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for crbox.campo-randale.de
Using the webroot path /srv/www/htdocs/vhosts/crbox_campo-randale_de/nextcloud for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. crbox.campo-randale.de (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://crbox.campo-randale.de/.well-known/acme-challenge/k57egdNMux2iLORNvVLbyE1Rmq46aGD-FuOnagvCDOU: Timeout during connect (likely firewall problem)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: crbox.campo-randale.de
    Type: connection
    Detail: Fetching
    http://crbox.campo-randale.de/.well-known/acme-challenge/k57egdNMux2iLORNvVLbyE1Rmq46aGD-FuOnagvCDOU:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

the vhost.conf is available at the web http://crbox.campo-randale.de/crbox_campo-randale_de.conf

Your server is online - https://check-your-website.server-daten.de/?q=crbox.campo-randale.de - why sees Letsencrypt a timeout?

Is there a blocking firewall with regional settings? So the online tool can see your site, Letsencrypt not?

Oops … :worried:
Indeed, I have some filtered regions … But I have never seen a problem with it …
OK, wich IPs are neccessary to play with letsencrypt?