I have an internal server in my company with the domain kronosys00.com.br and certbot doesn't install the certificate:
The problem:
certbot certonly --webroot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): kronosys00.com.br
Requesting a certificate for kronosys00.com.br
Input the webroot for kronosys00.com.br: (Enter 'c' to cancel): /var/www/html
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: kronosys00.com.br
Type: connection
Detail: 190.124.247.125: Fetching http://kronosys00.com.br/.well-known/acme-challenge/A3mnWuAfn8xAeAHYi146p1Xbij0qJQdI0vn4Mxctqyg: Timeout during connect (likely firewall problem)
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
If I run ufw status:
ufw status
Status: active
To Action From
-- ------ ----
80 ALLOW Anywhere
443 ALLOW Anywhere
80/tcp ALLOW Anywhere
80 (v6) ALLOW Anywhere (v6)
443 (v6) ALLOW Anywhere (v6)
22/tcp (v6) ALLOW Anywhere (v6)
80/tcp (v6) ALLOW Anywhere (v6)
The nginx config is: nano /etc/nginx/sites-available/default
Your domain cannot be reached from the public internet. Even just trying your home page from various places does not work. A helpful site for new setups is Let's Debug (link here).
Use that as you make changes to your comms config to test connectivity. Once that works try to get a cert again. Or, be sure to use --dry-run on your certbot --webroot command while testing to ensure you do not run into rate limits on the Let's Encrypt production system.
Your domain must be reachable with http (port 80) when using the --webroot option. Most often the error you see is because of a firewall - possibly one in your router.
Does your ISP block port 80? Some residential ISPs do that in the US.
But, do you still have ports 8080 and 8085 open? Because I don't see them open from my test server in the US.
ALSO (added):
Here is test result for port 8080. I tried both IPv4 and IPv6 because you have both in your DNS
curl -6 -m8 http://kronosys00.com.br:8080
curl: (28) Failed to connect to kronosys00.com.br port 8080 after 4002 ms: Connection timed out
curl -4 -m8 http://kronosys00.com.br:8080
curl: (28) Failed to connect to kronosys00.com.br port 8080 after 4001 ms: Connection timed out
nslookup kronosys00.com.br
A Address: 190.124.247.125
AAAA Address: 2804:728c:ffff:5e43:756d:4314:9f95:1b7f
I can reach a Tomcat default page on port 8452 with the IPv4 address but not with IPv6. Is that you?
Let's Encrypt servers will first use IPv6 so you should either remove the AAAA record until you have that working or correct the IPv6 config.
You might have to check with your ISP about port 80 if you are sure you had it setup right.
The HTTP Challenge (like --webroot) requires port 80. But, the DNS Challenge is possible although it is often harder to set up. See Let's Encrypt docs about it here:
I can reach your domain on port 8452 with HTTP but not with HTTPS. That means you have to configure Tomcat to use HTTPS on that port. I don't know Tomcat well but they have a forum and other help here: https://tomcat.apache.org/findhelp.html
I still see your IPv6 AAAA address in your DNS. Have you removed that yet? Because it is not working; only IPv4 is.
curl -I4 https://kronosys00.com.br:8452
curl: (35) error:0A00010B:SSL routines::wrong version number
curl -I4 http://kronosys00.com.br:8452
HTTP/1.1 200
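The probes the replies above run by hand (curl per address, IPv6 before IPv4, and the question of whether the webroot really serves the challenge path) can be done in one go. The script below is an added example written for this thread, not code from certbot, Let's Encrypt or any poster. It assumes curl is installed, that it runs on the web server itself so it can write into the webroot, and that you pass the A/AAAA addresses that nslookup shows (the domain, webroot and addresses from the thread are used only in the usage comment). It writes a throwaway token under /.well-known/acme-challenge/, exactly where certbot --webroot puts its file, then fetches it through each address with --resolve so local DNS and /etc/hosts cannot mask the public path, and reports three distinct outcomes: reachable and correct, reachable but wrong content (wrong webroot or a different host answering on that address), and connection failure (the firewall/ISP timeout the CA reported).

```shell
#!/bin/sh
# Added example for this thread, not certbot's or Let's Encrypt's code.
# Reproduces the HTTP-01 fetch that the validation servers perform, once per
# published address, IPv6 first (validation tries AAAA before A).
# Assumptions: curl present, run on the web server, addresses given as arguments.
set -eu

# Where certbot --webroot writes a challenge token for WEBROOT and TOKEN.
challenge_path() {
    printf '%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# Create a throwaway token file (content "probe-TOKEN") and print its path.
stage_token() {
    webroot=$1; token=$2
    path=$(challenge_path "$webroot" "$token")
    mkdir -p "$(dirname "$path")"
    printf 'probe-%s\n' "$token" > "$path"
    printf '%s\n' "$path"
}

# Print the addresses with IPv6 literals first, then IPv4, one per line.
ipv6_first() {
    for a in "$@"; do case $a in *:*) printf '%s\n' "$a" ;; esac; done
    for a in "$@"; do case $a in *:*) ;; *) printf '%s\n' "$a" ;; esac; done
}

# Fetch the token URL through one specific address, bypassing name resolution
# with --resolve (an IPv6 literal must be bracketed), 8 s timeout as in the thread.
fetch_via() {
    domain=$1; token=$2; addr=$3
    case $addr in
        *:*) hostport="$domain:80:[$addr]" ;;
        *)   hostport="$domain:80:$addr" ;;
    esac
    curl -sS -m 8 --resolve "$hostport" "http://$domain/.well-known/acme-challenge/$token"
}

# Stage a token, probe every address, remove the token, return 1 on any failure.
check_all() {
    domain=$1; webroot=$2; shift 2
    token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    path=$(stage_token "$webroot" "$token")
    expected=$(cat "$path")
    rc=0
    for addr in $(ipv6_first "$@"); do
        if body=$(fetch_via "$domain" "$token" "$addr" 2>&1); then
            if [ "$body" = "$expected" ]; then
                echo "OK    $addr served the token (webroot and port 80 are right for this address)"
            else
                echo "WRONG $addr answered, but not with the token: wrong webroot, or a different host behind that address"
                rc=1
            fi
        else
            # Typically "Connection timed out": firewall, NAT or ISP block, the same thing the CA saw.
            echo "FAIL  $addr: $body"
            rc=1
        fi
    done
    rm -f "$path"
    return $rc
}

# Usage (addresses taken from the nslookup output in the thread):
#   sh acme_webroot_check.sh kronosys00.com.br /var/www/html \
#       2804:728c:ffff:5e43:756d:4314:9f95:1b7f 190.124.247.125
if [ "$#" -ge 3 ]; then
    check_all "$@"
fi
```

Run it from the server before every retry; only when every listed address prints OK is it worth running certbot again, and then with `--dry-run` first (`certbot certonly --webroot -w /var/www/html -d kronosys00.com.br --dry-run`) so a still-broken path does not eat into the production rate limits. A FAIL on the IPv6 address with OK on IPv4 is exactly the case where the AAAA record should be dropped or the IPv6 path fixed before retrying.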