Port 80 blocked by ISP, how can I generate certificates anyway?

My domain is: it's my NAS. I have DDNS set for it on beinish-nas.duckdns.org

I ran this command: certbot certonly --standalone

It produced this output:

Saving debug log to C:\Certbot\log\letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): beilin-nas.duckdns.org
Requesting a certificate for beilin-nas.duckdns.org

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: beinish-nas.duckdns.org
  Type:   connection
  Detail: Fetching http://beinish-nas.duckdns.org/.well-known/acme-challenge/hRss-: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile C:\Certbot\log\letsencrypt.log or re-run Certbot with -v for more details.

C:\PROGRA~2\Certbot>

My web server is (include version): I'm not running one, I tried to do this through my NAS' built-in Let's Encrypt option but wasn't able to do it.

The operating system my web server runs on is (include version): Some sort of Linux. It's an Asustor NAS, no specific distro.

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Yes, it's an admin panel for my NAS

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Certbot 1.17.0

I was trying to use the built-in option but it didn't work since by default it uses port 80.
Port 80 is blocked by my ISP unfortunately. I tried to manually create the certs on my Windows machine but wasn't able to find an ACME client that can generate the cert on another port. I read a little about the challenges and saw that I can use TLS-ALPN-01 but I didn't understand how.

Any help would be appreciated :slight_smile:

2 Likes

Welcome to the Let's Encrypt Community :slightly_smiling_face:

You can satisfy a dns-01 challenge with this:

2 Likes
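For anyone wondering what a dns-01 challenge actually asks for: the CA never connects to port 80 at all, it only looks up a TXT record at _acme-challenge.<domain>. This added example (not code from any post here, certbot or Posh-ACME) derives that TXT value from a challenge token and the account key's JWK the way RFC 8555 and RFC 7638 define it, using constructed sample values rather than a real order:

```python
"""Added example: derive the dns-01 TXT value a client publishes (RFC 8555 section 8.4).

http-01 requires the CA to reach port 80 on the host; dns-01 only requires a TXT
record under _acme-challenge.<domain>, so an ISP blocking port 80 does not matter.
The JWK and token below are constructed sample values, not from a real ACME order.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required members, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Key authorization = token '.' account-key thumbprint (RFC 8555 section 8.1)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """dns-01 TXT value = base64url(SHA-256(key authorization))."""
    return b64url(hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest())


def challenge_record_name(domain: str) -> str:
    """Record the CA queries; a wildcard name shares the base domain's record."""
    base = domain[2:] if domain.startswith("*.") else domain
    return "_acme-challenge." + base


def txt_record_matches(observed: str, token: str, jwk: dict) -> bool:
    """Operator-side check: does the TXT value actually published match what the CA expects?"""
    return observed.strip('"') == dns01_txt_value(token, jwk)


# Constructed sample values; "use" is deliberately present to show it is excluded from the thumbprint.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "AAAA", "y": "BBBB", "use": "sig"}
SAMPLE_TOKEN = "hRss-sample-token"

if __name__ == "__main__":
    print(challenge_record_name("beinish-nas.duckdns.org"), "TXT", dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK))
```

A DuckDNS-aware client (certbot-dns-duckdns, Posh-ACME, lego) does exactly this derivation and then uses the DuckDNS token to publish the record before telling the CA to validate.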

Thanks.
I tried running certbot plugins:

Saving debug log to C:\Certbot\log\letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
* standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot._internal.plugins.standalone:Authenticator

* webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
PS C:\WINDOWS\system32>

I get errors trying to call those parameters:

certbot: error: unrecognized arguments: --dns-duckdns-token

I tried to just clone the repo locally but lack the knowledge to understand how to run it using the python scripts it copied.

2 Likes

You're using Windows, right? On my work computer, I've used pip install to install certain Python modules. Not sure if that works with certbot too, but worth a try.

Please see the README of the plugin about that here:

3 Likes

Thanks, that's the command I used to install it but I still got that error when I add parameters like --dns-duckdns-token or preferred-challenges

3 Likes

I'm afraid I'm not that familiar with Python/certbot on Windows. Maybe someone else can pitch in.

2 Likes

I can SSH to my NAS which is running Linux and try the same there :slight_smile:
Edit: Sorry but I couldn't figure it out. The Linux my NAS is running is not a known distro so I can't even install Python natively.

2 Likes

Did you try running it like this?

certbot certonly --preferred-challenges dns --authenticator dns-duckdns --dns-duckdns-token <your-duckdns-token> --dns-duckdns-propagation-seconds 60 -d "beinish-nas.duckdns.org"

1 Like

Thanks, but I got the same error.

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: --dns-duckdns-token aaaa --dns-duckdns-propagation-seconds 60
PS C:\WINDOWS\system32>

3 Likes

As I said, I'm not familiar with certbot on Windows, but does it perhaps run in its own virtualenv or something like that?

@_az Sorry to tag you, but do you have any idea how one could install third party DNS plugins for certbot on Windows?

3 Likes

I don't recall whether pip is included in the Windows bundle, sorry. If it is, I suppose it might be possible to run python.exe -m pip install certbot-dns-duckdns with the Python that's included in the Windows bundle. But this is very much not officially supported yet.

You might consider also trying Posh-ACME's or lego's DuckDNS support, both of which should work on Windows.

6 Likes

Thank you. Posh-ACME worked and I managed to generate a cert :slight_smile:

3 Likes

Just checked by running python -m pip with the Windows PATH variable augmented to contain the C:\Program Files (x86)\certbot\Python path and it returns an error about not having the pip module. Not sure if it's possible to forcibly add the pip module, but I'm pretty sure switching to Posh-ACME (or a different Windows client supporting DNS plugins) is more sensible than trying to hack certbot in non-supported ways.

2 Likes