Problem creating RSA certificate on Windows 11

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
removed on request

I ran this command:
certbot certonly --webroot -w /app/product/ords --key-type rsa -d removed on request -v

It produced this output:
Saving debug log to C:\Certbot\log\letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Certificate not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: C:\Certbot\renewal*removed on request*.conf)

What would you like to do?


1: Keep the existing certificate for now
2: Renew & replace the certificate (may be subject to CA rate limits)


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate for removed on request
Performing the following challenges:
http-01 challenge for removed on request
Using the webroot path C:\app\product\ords for all unmatched domains.
Creating a web.config file in C:\app\product\ords\.well-known\acme-challenge to allow IIS to serve challenge files.
Waiting for verification...
Challenge failed for domain removed on request
http-01 challenge for removed on request

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: removed on request
Type: connection
Detail: 98.110.226.5: Fetching http://removed on request/.well-known/acme-challenge/wjAhwXAR0gnYKlKGIekIJO8iTtydGbyH_id3vz7gSoY: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Cleaning up challenges
Cleaning web.config file generated by Certbot in C:\app\product\ords\.well-known\acme-challenge.
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile C:\Certbot\log\letsencrypt.log or re-run Certbot with -v for more details.

C:\Program Files\Certbot>
'' is not recognized as an internal or external command,
operable program or batch file.

C:\Program Files\Certbot>certbot --version
certbot 2.9.0

My web server is (include version):
ORDS (Oracle RESTful Data Service) Version 23.4

The operating system my web server runs on is (include version):
Windows 11

My hosting provider, if applicable, is:
(None)

I can login to a root shell on my machine (yes or no, or I don't know):
(Yes. I am an Admin user)

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.9.0

I would like for web clients to use port 9090. Currently I have ports 80 and 9090 open on the router and Windows 11 firewall. The ORDS web server is located at C:\app\product\ords

Hello @PhilMand, welcome to the Let's Encrypt community. :slightly_smiling_face:

Please see Certbot Discontinuing Windows Beta Support in 2024

However here is likely the real issue:

2 Likes

Both Ports 80 & 443 are filtered (i.e. from the Internet they are blocked)

$ nmap -Pn -p80,443 <redacted at OP's request>.com
Starting Nmap 7.80 ( https://nmap.org ) at 2024-03-24 21:33 UTC
Nmap scan report for <redacted at OP's request>.com (98.110.226.5)
Host is up.
rDNS record for 98.110.226.5: static-98-110-226-5.bstnma.fios.verizon.net

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 3.30 seconds

From around the world Permanent link to this check report shows "Connection timed out".

Since you are using the HTTP-01 challenge of the Challenge Types - Let's Encrypt
states "The HTTP-01 challenge can only be done on port 80."

2 Likes
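Certbot's hint above says what the CA is actually doing: it opens a plain TCP connection to port 80 on the domain and GETs `/.well-known/acme-challenge/<token>` from the directory given with `-w`. The following pre-flight script is an added example, not code from the thread or from Certbot/ORDS; it reproduces that fetch from the outside so the three failure modes seen in this thread can be told apart before running certbot: a connect timeout (nmap's "filtered", i.e. the router or ISP is dropping the port), a connection refused (nothing listening), and an open port that returns 404 (the server is reachable but `-w` points at a directory it does not serve). The names `tcp_probe`, `preflight`, `demo_local` and the local `http.server` stand-in for ORDS are assumptions of this example; for a real check you would call `preflight("your.domain", r"C:\app\product\ords", port=80)` from a host outside your LAN.

```python
"""Pre-flight check for an HTTP-01 webroot challenge (added example, not Certbot code).

Mimics the CA's fetch: TCP connect to the port, then GET the token under
/.well-known/acme-challenge/ from the webroot. Stand-alone run uses a local
http.server as a constructed stand-in for the real web server.
"""
import functools
import os
import secrets
import socket
import tempfile
import threading
import urllib.error
import urllib.request
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

ACME_DIR = os.path.join(".well-known", "acme-challenge")


def tcp_probe(host, port, timeout=5.0):
    """Classify reachability the way nmap's states read:
    'open' = handshake completed, 'closed' = RST/refused, 'filtered' = no answer."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        return "filtered"  # no route / network unreachable: the CA sees a timeout too


def write_challenge(webroot, token=None):
    """Drop a throwaway token file where certbot's webroot plugin would put it."""
    token = token or secrets.token_urlsafe(32)
    challenge_dir = os.path.join(webroot, ACME_DIR)
    os.makedirs(challenge_dir, exist_ok=True)
    content = token + ".pre-flight-check"
    with open(os.path.join(challenge_dir, token), "w", encoding="ascii") as f:
        f.write(content)
    return token, content


def fetch_challenge(host, port, token, timeout=5.0):
    """GET the token exactly as the CA does; returns (http_status or None, body)."""
    url = f"http://{host}:{port}/.well-known/acme-challenge/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("ascii", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (urllib.error.URLError, socket.timeout, TimeoutError):
        return None, ""


def preflight(host, webroot, port=80, timeout=5.0):
    """Return a one-line verdict describing what the CA would see for this domain."""
    state = tcp_probe(host, port, timeout)
    if state != "open":
        return f"port {port} {state}: fix the router/firewall path before retrying certbot"
    token, expected = write_challenge(webroot)
    try:
        status, body = fetch_challenge(host, port, token, timeout)
    finally:
        os.remove(os.path.join(webroot, ACME_DIR, token))  # clean up like certbot does
    if status == 200 and body.strip() == expected:
        return "ok: webroot is served on this port"
    if status == 404:
        return "port open but 404: -w/--webroot-path does not match the directory the server serves"
    if status is None:
        return "port open but the HTTP request timed out or failed"
    return f"port open but unexpected HTTP {status}"


def unused_local_port():
    """A localhost port with no listener (constructed 'closed' case for the probe)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def serve_local(webroot):
    """Start a quiet static server on an ephemeral port; returns (server, port)."""
    class QuietHandler(SimpleHTTPRequestHandler):
        def log_message(self, *args):  # keep the console clean
            pass
    handler = functools.partial(QuietHandler, directory=webroot)
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def demo_local():
    """Run the check against a local stand-in server. Returns (verdict, status for a missing token)."""
    with tempfile.TemporaryDirectory() as webroot:
        srv, port = serve_local(webroot)
        try:
            verdict = preflight("127.0.0.1", webroot, port=port)
            missing_status, _ = fetch_challenge("127.0.0.1", port, "no-such-token")
            return verdict, missing_status
        finally:
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    print(demo_local())
    print("closed port probe:", tcp_probe("127.0.0.1", unused_local_port()))
```

Against this thread's symptoms, the first branch is the one that fires: nmap reports 80/tcp filtered, so `tcp_probe` never completes the handshake and no amount of webroot or firewall tweaking on the Windows host will change the verdict until the packet actually reaches it. Only once the probe returns "open" does the webroot path (the `-w` value versus the directory Jetty/ORDS really serves) matter.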

Thanks for replying Bruce5051. I wonder what's blocking the port. Could Verizon (FIOS) be blocking port 80 or 443? Does that mean that all traffic would have to be on port 80 or 443 permanently? After I set up the certificate, can I still have my clients use port 9090 to connect to the server?

2 Likes

Your router (firewall) possibly.

They could; but I have not checked recently about Verizon FiOS, usually 443 is still allowed.

Presently nobody from the Internet can access your website due to the ports being filtered.

You could; however, certificates expire in 90 days and are recommended to be renewed every 60 days.

There is the DNS-01 challenge which does not need to access Port 80.

Here is a list of DNS providers who easily integrate with Let's Encrypt DNS validation

1 Like

I just added port 443 to the Oracle (ORDS) server. (Ports 80 and 9090 were already forwarded).
I ran the same command again and got the same result.
Then I added port 443 to Windows Firewall (TCP). (Ports 80 and 9090 were already opened).
Again. Same results.

Yeah, I still see Ports 80 & 443 being filtered; Port 9090 is Open.

$ nmap -Pn -p80,443,9090 <redacted at OP's request>.com
Starting Nmap 7.80 ( https://nmap.org ) at 2024-03-24 21:52 UTC
Nmap scan report for <redacted at OP's request>.com (98.110.226.5)
Host is up (0.096s latency).
rDNS record for 98.110.226.5: static-98-110-226-5.bstnma.fios.verizon.net

PORT     STATE    SERVICE
80/tcp   filtered http
443/tcp  filtered https
9090/tcp open     zeus-admin

Nmap done: 1 IP address (1 host up) scanned in 2.04 seconds

I would double check the router.

1 Like

I use DynDNS (Purchased by Oracle). They don't appear on your list.
I wonder if I have to configure ports 80 and 443 there? It has been a while since I've been on there.

What is Open on the router that connects to <redacted at OP's request>.com with an IP Address of 98.110.226.5: static-98-110-226-5.bstnma.fios.verizon.net?

1 Like

Ports 9090, 80, 443, 1521, 21 and 20101 are forwarded to the Oracle server.
Both TCP and UDP protocols.
I just checked the router.

Here is an online tool Open Port Check Tool - Test Port Forwarding on Your Router

This is what I see with it.

1 Like

This is what I presently see for those TCP Ports.

$ nmap -Pn -p21,80,443,1521,9090,20101 <redacted at OP's request>.com
Starting Nmap 7.80 ( https://nmap.org ) at 2024-03-24 22:02 UTC
Nmap scan report for <redacted at OP's request>.com (98.110.226.5)
Host is up (0.091s latency).
rDNS record for 98.110.226.5: static-98-110-226-5.bstnma.fios.verizon.net

PORT      STATE    SERVICE
21/tcp    filtered ftp
80/tcp    filtered http
443/tcp   filtered https
1521/tcp  open     oracle
9090/tcp  open     zeus-admin
20101/tcp filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 1.96 seconds
1 Like

Is that on premises with the router, or located somewhere else?

1 Like

The server and the router are on the same LAN. I log into them remotely from my home. I asked the router to reboot (I figured it couldn't hurt). Ports 80 and 443 are not configured any differently on the router than 1521.

According to https://docs.oracle.com/en/database/oracle/oracle-rest-data-services/23.4/index.html ORDS (Oracle RESTful Data Service) Version 23.4 is a "Oracle REST Data Services is a Java Enterprise Edition (Java EE) based data service that provides enhanced security, file caching features, and RESTful Web Services." That does not say that it is a webserver; is it?

If not what are you using for a webserver?
(I am assuming the webserver makes calls to ORDS to retrieve information)

1 Like

It's just ORDS Standalone. I don't use anything else.

I don't know ORDS; kindly wait to see if there are more knowledgeable Let's Encrypt community volunteers willing to assist.

1 Like

Thanks.
Also, the router is an ASUS RT-AX55

2 Likes

From here ORDS Best Practices | Oracle. I see "spins up its own Jetty web server"

Maybe try looking for a community support forum for ORDS, I found these but I don't really know what I am looking for

1 Like

From the Asus RT-AX55 manual https://dlcdnets.asus.com/pub/ASUS/wireless/RT-AX55/E21014_RT-AX55_UM_V2_WEB_.pdf?model=RT-AX55

This is what I believe you want.
image

1 Like