Problem with a subdomain

Hello,
I have a fresh install of Debian buster and Apache.
I want to install https before installing software.
My subdomain is dolizelec.zelec.homelinux.net.
The redirection seems to be correct, as if I call http://dolizelec.zelec.homelinux.net in a browser, I get the default Apache page.
I installed certbot with snap following this guide: https://certbot.eff.org/lets-encrypt/debianbuster-apache
The problem comes with
root@dolizelec:/etc# certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): mymailadress


Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?


(Y)es/(N)o: y


Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.


(Y)es/(N)o: y
Account registered.
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated) (Enter 'c' to cancel): dolizelec.zelec.homelinux.net
Requesting a certificate for dolizelec.zelec.homelinux.net
Performing the following challenges:
http-01 challenge for dolizelec.zelec.homelinux.net
Enabled Apache rewrite module
Waiting for verification...
Challenge failed for domain dolizelec.zelec.homelinux.net
http-01 challenge for dolizelec.zelec.homelinux.net
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: dolizelec.zelec.homelinux.net
    Type: connection
    Detail: Fetching
    http://dolizelec.zelec.homelinux.net/.well-known/acme-challenge/TINcokC_5hkU0X8OVGSLX_ykH70YPqjQdu2o0_f38hc:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

Thanks for help
Benoit

Hi @bensz

there is your job. Your subdomain doesn't answer.

See your check, created this morning - https://check-your-website.server-daten.de/?q=dolizelec.zelec.homelinux.net

Domainname Http-Status redirect Sec. G
http://dolizelec.zelec.homelinux.net/ 92.188.16.194 -14 10.037 T
Timeout - The operation has timed out
http://www.dolizelec.zelec.homelinux.net/ 92.188.16.194 -14 10.020 T
Timeout - The operation has timed out

Only timeouts, no answer.

So Letsencrypt can't check your domain name.

A working port 80 + open firewall + correct router forward is required.


Hi,
Thanks for your reply.
The thing I don't understand is that http://dolizelec.zelec.homelinux.net replies.
If you call http://dolizelec.zelec.homelinux.net in a browser, you'll see the Apache default page that I modified in /var/www/html/index.html

No, I see a timeout. And my online tool sees a timeout, same with Letsencrypt.

So it's a router or firewall problem if you see it.

Thank you.
I'll search
Benoit

Which browser? Because Chrome, for example, tries the https version of a web site if it can't connect to http, and in this case https works on your side.

Hello,
I use firefox.
Thanks
Benoit

I'm using Firefox too (Windows and GNU/Linux) and I can't reach your site, so as @JuergenAuer said, it is a firewall/router problem.

Thanks,
I'm searching in my router.
Benoit


Now I see an answer.

I changed a parameter in my router.
The problem is now:
Waiting for verification...
Challenge failed for domain dolizelec.zelec.homelinux.net
http-01 challenge for dolizelec.zelec.homelinux.net
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

Then your Apache configuration is buggy.

What does this say?

apachectl -S

root@dolizelec:~# apachectl -S
VirtualHost configuration:
*:80 dolizelec.zelec.lan (/etc/apache2/sites-enabled/000-default.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex watchdog-callback: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

There you see the next problem.

No port 80 vHost with your domain name. Create one.

Hello,
Thanks for your help,
Benoit

LE will follow redirection.
So long as the ports are either 80 or 443.
Your current redirection would break LE redirection; as it is using 4433.

 curl -Iki http://dolizelec.zelec.homelinux.net/.well-known/acme-challenge/test-1234
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Wed, 13 Jan 2021 09:50:56 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://dolizelec.zelec.homelinux.net:4433/.well-known/acme-challenge/test-1234
X-Frame-Options: SAMEORIGIN
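
A small checker for the situation in the reply above (added example, not code from the thread or from certbot): it parses a raw response head like the one `curl -I` printed and reports whether the redirect target is one the ACME HTTP-01 validator can follow, i.e. http or https on port 80 or 443 and still under `/.well-known/acme-challenge/`. The sample responses are constructed from the headers shown in the thread; the hostnames in them are taken from the thread and are not contacted.

```python
"""Classify an HTTP-01 challenge response: direct answer, acceptable
redirect, or a redirect the Let's Encrypt validator will not follow."""
from urllib.parse import urlsplit

ACME_PREFIX = "/.well-known/acme-challenge/"
REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_head(raw: str):
    """Parse 'HTTP/1.1 301 ...' plus header lines into (status, headers)."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def redirect_acceptable(location: str):
    """(ok, reason): the validator only follows http/https on 80 or 443."""
    parts = urlsplit(location)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} is not http/https"
    port = parts.port if parts.port is not None else (80 if parts.scheme == "http" else 443)
    if port not in (80, 443):
        return False, f"redirect to port {port}; validator only follows 80/443"
    if not parts.path.startswith(ACME_PREFIX):
        return False, "redirect leaves the acme-challenge path"
    return True, f"redirect to {parts.scheme} on port {port} is followable"


def check_response(raw: str):
    """(ok, reason) for a raw response head captured from the challenge URL."""
    status, headers = parse_head(raw)
    if status in REDIRECT_CODES:
        location = headers.get("location")
        if not location:
            return False, f"{status} without a Location header"
        return redirect_acceptable(location)
    if status in (200, 404):  # 404 for a test token still proves the server is reached
        return True, f"request reached the web server directly (HTTP {status})"
    return False, f"unexpected status {status}"


# Constructed samples modelled on the curl output in the thread.
SAMPLE_BAD = """HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://dolizelec.zelec.homelinux.net:4433/.well-known/acme-challenge/test-1234
"""
SAMPLE_GOOD = """HTTP/1.1 301 Moved Permanently
Location: https://dolizelec.zelec.homelinux.net/.well-known/acme-challenge/test-1234
"""
```

Feed it the output of `curl -Iki http://<host>/.well-known/acme-challenge/test-1234` to see at a glance whether a router or reverse proxy is bouncing the challenge to a non-standard port.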

Hello,
Thanks for reply.
I know this problem, I'm searching in my router parameters to solve it.
Thanks
Benoit


It might not be the router that is doing that redirection.
I would follow port 80 through your router to where it port forwards to.
There is an nginx web server there that is doing this redirection.

The nginx server is my router.
Thanks

Then can you review the nginx configuration - like with a normal web server?