Obtained New Public IP Now Fails Requesting Certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: tactical12yearold.com

I ran this command: I start the SWAG docker for Unraid and it tries to get a certificate

It produced this output:
Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:

Domain: nextcloud.tactical12yearold.com
Type: connection
Detail: Fetching http://nextcloud.tactical12yearold.com/.well-known/acme-challenge/hHrbuGEbJ58yHEjFS4zC7VThdRJaZHg1jqmWCzQFoqk: Error getting validation data

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Some challenges have failed.

My web server is (include version): not sure of this it is a nextcloud docker

The operating system my web server runs on is (include version): unraidOS

My hosting provider, if applicable, is: I use godaddy for the domain but the ns is hosted by my work.

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): not sure i'm using a swag docker.

I know the error says it's a firewall issue, but I have all my translations right and pointing to where they should; that hasn't changed. But I did swap NICs on my router before this became an issue. I can't imagine that's the problem, as everything else is working. Really don't know what happened/changed.

I can't connect to your nextcloud subdomain. port forwarding problem?

That's what the problem is. When I start SWAG it tries to request a certificate, but it fails and then I can't access the site. But I've triple-checked my NAT and the ports are pointing to where they should be. It was working until yesterday, when I got a new IP from my ISP. I will try to delete and recreate my port forwarding rules in pfSense and see if that helps.

If you got a new IP, did you update the DNS record? Currently http://tactical12yearold.com/ (50.xx Comcast IP) and http://nextcloud.tactical12yearold.com/ (75.97 PenTeleData Inc.) have different IPs from different ISP providers. As both are home IPs, I think you didn't update the DNS record when you moved.

So that is because I am using a name server at the Comcast IP (different location) to point to my home IP. That didn't matter before. What would have changed? Edit: Also, redoing my port forward rules did not make a difference. Edit again: I think my ISP might be blocking ports 80 and 443, as I just tried to check if they were open using a third-party site and they were closed.

Are you sure the IP you have now is the same as the IP found by global DNS?

Do you fully understand the part DNS plays in this?
And how to keep the IP up-to-date?

Yes, I checked world propagation and it routes to where it should. I route the domain from GoDaddy to a nameserver where the A records point to where they should for the subdomains. I just got done with ISP support, and by default 80 and 443 are blocked, but he said my NAT translations should get around that, and they are set properly, as they did not change from when it was working. He said, though, that since I changed NICs for the pfSense router, the different MAC addresses probably caused a new IP to be assigned to the modem. I'm wondering if that is the change that broke it. But like I said, I updated the A record to point to the new IP and world propagation says it goes where it needs to.

That is a slightly confusing statement.
But I'll take that to mean that you CAN port forward those ports to any internal IP.

Has your internal IP changed?
Is the port forwarding configured to the correct internal IP?
Does external 80 go to an internal 80? (in some systems, like pfSense, the port can also be manipulated/changed)

Yes, I should be able to port forward those ports to an internal IP. I also have them redirecting to ports 180 and 1443 because I have other things using 80 and 443. The NAT translation is:
Interface: WAN
Protocol: TCP
Source Address: any
Source Port: any
Destination Address: WAN Address
Destination Port: 80
NAT IP: Server IP where the reverse proxy is running
NAT Ports: 180

The reverse proxy takes that traffic from port 180 and 1443 and gives it to the webserver as a single port 444. (I think).

The NAT is the same for 443 to 1443
But I've hit a rate limit for requesting certificates.

That's what the staging system is for (testing).

This sounds a bit... confusing:

How can you combine HTTP and HTTPS onto one single port?

Are you running certbot on the reverse proxy, or on the web server?
In either case, what is the exact certbot command being run?

Reverse proxy; it's a docker called SWAG that has fail2ban, LetsEncrypt, and nginx. I looked in the logs and it looks like it's running certbot renew.

The reverse proxy, as described, would get the inbound HTTP challenge requests on port 180.
certbot renew might not be configured to listen on 180.
Let's check the renewal.conf file for that domain.
Found at: /etc/letsencrypt/renewal/{FQDN}.conf
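The diagnosis above is a chain of hops: the public A record has to point at the current WAN IP, the WAN port 80 rule has to forward somewhere, and whatever port it forwards to has to be the port certbot's standalone listener actually binds. The script below, an added example that is not code from the thread, from SWAG or from certbot, walks that chain over constructed inputs and reports the first break. It reads the `[renewalparams]` section of a renewal.conf and assumes that a standalone run with `--http-01-port` persists the key as `http01_port` (an assumption about certbot's file format; verify against your own conf). It cannot model an ISP blocking inbound 80/443, so an external port check is still needed for that.

```python
"""Trace the HTTP-01 validation path: DNS -> WAN IP -> NAT rule -> listener.

Added example, not code from the thread, SWAG or certbot. All hostnames,
addresses and config contents below are constructed for illustration.
"""
import configparser
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class NatRule:
    ext_port: int   # destination port on the WAN address
    nat_ip: str     # internal host the packet is rewritten to
    nat_port: int   # port on that internal host


def listener_port(renewal_conf: str) -> Optional[int]:
    """Port a standalone certbot run would bind, read from renewal.conf.

    Returns None when the authenticator is not 'standalone'. Assumes the
    key 'http01_port' holds the --http-01-port value; default is 80.
    """
    cp = configparser.ConfigParser(delimiters=("=",))
    # certbot writes a few top-level keys before [renewalparams]; give
    # them a section so configparser accepts the file.
    cp.read_string("[top]\n" + renewal_conf)
    if not cp.has_section("renewalparams"):
        return None
    params = cp["renewalparams"]
    if params.get("authenticator") != "standalone":
        return None
    return int(params.get("http01_port", "80"))


def diagnose(fqdn: str, dns_a: Dict[str, str], public_ip: str,
             nat_rules: List[NatRule], renewal_conf: str) -> List[str]:
    """Return a list of findings; an empty list means the path lines up."""
    findings: List[str] = []
    record = dns_a.get(fqdn)
    if record is None:
        findings.append(f"no A record for {fqdn}")
    elif record != public_ip:
        findings.append(f"DNS {fqdn} -> {record} but WAN IP is {public_ip} (stale record)")

    fwd = next((r for r in nat_rules if r.ext_port == 80), None)
    if fwd is None:
        findings.append("no NAT rule for WAN port 80")
        return findings

    port = listener_port(renewal_conf)
    if port is None:
        findings.append("authenticator is not standalone; check the webroot/proxy path instead")
    elif port != fwd.nat_port:
        findings.append(f"WAN:80 -> {fwd.nat_ip}:{fwd.nat_port}, but certbot standalone listens on {port}")
    return findings


# Constructed inputs mirroring the thread's setup: external 80 forwarded
# to 180 on the proxy host, renewal.conf still using the default port.
SAMPLE_DNS = {"nextcloud.example.com": "203.0.113.10"}
SAMPLE_WAN_IP = "203.0.113.10"
SAMPLE_NAT = [NatRule(80, "192.168.1.10", 180), NatRule(443, "192.168.1.10", 1443)]
BROKEN_CONF = """\
version = 1.21.0
archive_dir = /etc/letsencrypt/archive/nextcloud.example.com
cert = /etc/letsencrypt/live/nextcloud.example.com/cert.pem

[renewalparams]
authenticator = standalone
account = 0123abcd
server = https://acme-v02.api.letsencrypt.org/directory
"""
FIXED_CONF = BROKEN_CONF + "http01_port = 180\n"


def broken_findings() -> List[str]:
    return diagnose("nextcloud.example.com", SAMPLE_DNS, SAMPLE_WAN_IP, SAMPLE_NAT, BROKEN_CONF)


def fixed_findings() -> List[str]:
    return diagnose("nextcloud.example.com", SAMPLE_DNS, SAMPLE_WAN_IP, SAMPLE_NAT, FIXED_CONF)


def stale_dns_findings() -> List[str]:
    # The other failure mode raised in the thread: the A record was not
    # updated after the ISP handed out a new address.
    return diagnose("nextcloud.example.com", SAMPLE_DNS, "198.51.100.7", SAMPLE_NAT, FIXED_CONF)


if __name__ == "__main__":
    for name, fn in (("broken", broken_findings), ("fixed", fixed_findings), ("stale dns", stale_dns_findings)):
        print(name, "->", fn() or ["ok"])
```

The point of separating `listener_port` from `diagnose` is that the same mismatch shows up in two places on the poster's system: the NAT rule in pfSense and the port certbot binds inside the container. Either side can be changed, but they have to agree; fixing only the NAT rules, as the poster tried, leaves the listener on 80 while the forwarded traffic arrives on 180.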

So there is nothing in the renewal folder...

So, do you have a certificate to renew?
If so, where is it?

I'm not sure on that. Where would I get this cert from? I found a cert in the webserver folder, under /keys. In there, there is a cert.crt and a cert.key. Would that be it? That doesn't make sense to me, though, as the domain is the one that needs to be certified. Would I get it from GoDaddy, the domain provider?

On May 31st, a cert was issued to the nextcloud FQDN:
crt.sh | 4620174991
[It has nothing to do with GoDaddy]

There are only three places that cert could possibly be:

  • pfSense [likely, but you should remember having done this then]
    you are way too young to have such memory loss - LOL
  • web proxy [not there - you already looked]
  • web server [not likely]
    unless you inserted the web proxy after May 31st, or proxy was set to pass HTTPS as stream

Try (on each system):
certbot certificates

If it was working, it should have renewed itself at the end of July (1/29 - 3/31 - 5/31 lineage). I think the problem was there longer than you think it was. BTW, the last cert he has is now expired (notAfter 2021-08-29), so that won't do anything.
