Problem using port certbot from py-certbot on FreeBSD 10.2 in webroot mode


#1

I’m running a FreeBSD 10.2.
Compiled and installed certbot from py-certbot port.
I’m running the following command:
certbot certonly --webroot -w /isle/www/mydomainname -d mydomainname

(Of course, I use my real server name in place of mydomainname.)

It returns the following:
Failed authorization procedure. domainname (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to http://mydomainname/.well-known/acme-challenge/uGDEAuNd5BQYMe250CTVaZRKgFtoSVbUoIiVM2Rn3LE

I have verified that /isle/www/mydomainname/ has the appropriate folder.
I also verified that I have allowed external connections to port 80.
Here is what I see with tcpdump:

13:40:25.306883 IP outbound1.letsencrypt.org.46882 > myservername.http: Flags [S], seq 773495659, win 5840, options [mss 1460,sackOK,TS val 1172712281 ecr 0,nop,wscale 1], length 0
13:40:25.306911 IP myservername.http > outbound1.letsencrypt.org.46882: Flags [R.], seq 0, ack 773495660, win 0, length 0

This is a standalone FreeBSD server.
I’m not using cloud hosting.

Could anyone please help?


#2

Can you reach that location generally from the web? (I can't check, since you didn't provide your domain name.)


#3

That is a mail server with dovecot and exim, so I do not have any web server running on it.
But if I run "nc -l 80" I see my request sent from a browser.
Also, I posted output from tcpdump that clearly shows that requests are coming in.
certbot was executed in webroot mode, i.e. it should serve as a web server, right?
And it seems that it is not doing so.


#4

This is what I see in the logs:

2016-08-18 12:35:16,442:DEBUG:acme.challenges:dns-01 was not recognized, full message: {u'status': u'pending', u'token': u'RLdMzp-5AQMct5XBE9feiPMq4Tsn1dMyJ_O9voJmA6I', u'type': u'dns-01', u'uri': u'https://acme-v01.api.letsencrypt.org/acme/challenge/Rza_RwXW7WJExWIwcSgMvuLNYvaw0-GiNvQtS9jR7Z0/238683430'}
2016-08-18 12:35:16,443:INFO:certbot.reporter:Reporting to user: The following errors were reported by the server:

And I have correct DNS records for my domain names. But there is no reverse IP lookup. That should not be a problem, though.

I successfully used letsencrypt on another machine on the same hosting, but that machine is a Windows server.


#5

--webroot is intended for systems with an existing web server. If you want certbot to spawn its own web server, you need --standalone. (Note that you can use either port 80 or 443; this is explained in the linked documentation. The default is 443, IIRC.)
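To make the difference between the two modes concrete: the following Python script is an added example (not code from this thread and not certbot's own code). It implements the serving side that --webroot takes for granted and that --standalone supplies itself: a small HTTP listener that serves only <webroot>/.well-known/acme-challenge/<token> and refuses everything else, including path-traversal attempts. With no such listener bound to port 80, the CA's probe gets a TCP RST, which is exactly what the tcpdump in the question shows. The self-check writes the token from the error message in the question into a temporary webroot (the ".EXAMPLE-ACCOUNT-KEY-THUMBPRINT" suffix is a constructed placeholder for the key authorization) and fetches it over a loopback port; the file name secret.txt and the function names are this example's own.

```python
#!/usr/bin/env python3
"""HTTP-01 responder for a certbot --webroot directory (added example, not certbot code).

certbot --webroot only writes <webroot>/.well-known/acme-challenge/<token>; a web
server that is *already* listening on port 80 must serve it. This is that server.
"""
import http.client
import http.server
import os
import socketserver
import tempfile
import threading

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# ACME tokens are unpadded base64url: only these characters are legal.
TOKEN_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")


def challenge_path(webroot, url_path):
    """Map a request path to a file inside the challenge dir, or None.

    Requests outside /.well-known/acme-challenge/ are refused, the token is
    limited to base64url characters (so no '/', '.', '%'), and the resolved
    file must still sit directly inside the challenge directory.
    """
    if not url_path.startswith(CHALLENGE_PREFIX):
        return None
    token = url_path[len(CHALLENGE_PREFIX):]
    if not token or not set(token) <= TOKEN_CHARS:
        return None
    chal_dir = os.path.realpath(os.path.join(webroot, ".well-known", "acme-challenge"))
    candidate = os.path.realpath(os.path.join(chal_dir, token))
    if os.path.dirname(candidate) != chal_dir or not os.path.isfile(candidate):
        return None
    return candidate


class ChallengeHandler(http.server.BaseHTTPRequestHandler):
    webroot = None  # bound on a subclass by serve()

    def do_GET(self):
        path = challenge_path(self.webroot, self.path)
        if path is None:
            self.send_error(404)
            return
        with open(path, "rb") as f:
            body = f.read()
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the self-check quiet


def serve(webroot, host="127.0.0.1", port=0):
    """Start the responder on a background thread; return (server, bound port).

    A real deployment binds 0.0.0.0:80; port 0 picks a free loopback port here.
    """
    handler = type("BoundHandler", (ChallengeHandler,), {"webroot": webroot})
    srv = socketserver.TCPServer((host, port), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def fetch(port, path):
    """GET path on loopback the way the CA's probe would; return (status, body)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request("GET", path)  # path is sent verbatim, no client-side normalisation
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def self_check():
    """Run the --webroot flow end to end against a temporary webroot."""
    token = "uGDEAuNd5BQYMe250CTVaZRKgFtoSVbUoIiVM2Rn3LE"  # token from the question
    keyauth = token + ".EXAMPLE-ACCOUNT-KEY-THUMBPRINT"  # constructed placeholder
    with tempfile.TemporaryDirectory() as webroot:
        chal_dir = os.path.join(webroot, ".well-known", "acme-challenge")
        os.makedirs(chal_dir)
        with open(os.path.join(chal_dir, token), "w") as f:
            f.write(keyauth)  # what certbot --webroot writes
        with open(os.path.join(webroot, "secret.txt"), "w") as f:
            f.write("private")  # must never be served
        srv, port = serve(webroot)
        try:
            status, body = fetch(port, CHALLENGE_PREFIX + token)
            missing, _ = fetch(port, CHALLENGE_PREFIX + "nosuchtoken")
            traversal, _ = fetch(port, CHALLENGE_PREFIX + "../../secret.txt")
            outside, _ = fetch(port, "/secret.txt")
        finally:
            srv.shutdown()
            srv.server_close()
    return {"challenge_status": status, "served_keyauth": body == keyauth.encode(),
            "missing_status": missing, "traversal_status": traversal,
            "outside_status": outside}


if __name__ == "__main__":
    print(self_check())
```

Before choosing a mode, check what is actually bound to port 80; on FreeBSD `sockstat -4l` lists listening sockets. If nothing is there, --webroot cannot work no matter how the directory is set up, and --standalone (or a real web server serving the webroot) is the right choice.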


#6

Oh…no… Thank you! It works.

