Problems with the IP address, local versus global: how to make certbot work?

#1

Hi,
I’m developing a web page on my PC (Ubuntu 18.04.01 Server Edition) connected to my Internet Service Provider’s router (called “station”).
I bought an internet domain from Namecheap.com and linked it as a Dynamic DNS record to the global IP address of the Internet Service Provider’s station, since it is not possible to link an internet domain to a local IP address like 192.168.1.9.
In this way, when I enter the local IP address into the web browser on a laptop connected to the same ISP “station”, or when I enter the domain name on a laptop or a smartphone not connected to my local network, I get the webpage correctly.

Now I want to get an HTTPS certificate via certbot, but I get this error message:

marco@pc01:~/go/src/MyPage$ sudo certbot certonly --webroot -w /home/marco/go/src/MyPage -d ggc.world -d www.mypage.org
[sudo] password for marco:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mypage.org
http-01 challenge for www.mypage.org
Using the webroot path /home/marco/go/src/MyPage for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.mypage.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.mypage.org/.well-known/acme-challenge/RyUD0QsqGz-14UpDytB1ybTCiXfYivGPCzl62uwxUgE: Connection refused, mypage.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://mypage.org/.well-known/acme-challenge/qFfREkIdFgSaIEVEIM1dXeu4oEl8YBWD38hMs6cQz6c: Connection refused

IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: www.mypage.org
Type: connection
Detail: Fetching
http://www.mypage.org/.well-known/acme-challenge/RyUD0QsqGz-14UpDytB1ybTCiXfYivGPCzl62uwxUgE:
Connection refused

Domain: mypage.org
Type: connection
Detail: Fetching
http://mypage.org/.well-known/acme-challenge/qFfREkIdFgSaIEVEIM1dXeu4oEl8YBWD38hMs6cQz6c:
Connection refused

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

In the configuration file of my webpage I put this:

httpaddr = 192.168.1.7
httpport = 8080

where 192.168.1.7 is the local address

while in the configuration of the domain I put the global IP address of the Internet Service Provider’s router.

But if I put the global IP address (which here I write as 11.111.111.111) in the configuration file of the web page, the web page doesn’t show up:

marco@pc01:~/go/src/MyPages$ bee run
______
| ___ \
| |_/ / ___ ___
| ___ \ / _ \ / _ \
| |_/ /| __/| __/
\____/ \___| \___| v1.10.0
2019/04/10 17:13:15 INFO ▶ 0001 Using 'MyPage' as 'appname'
2019/04/10 17:13:15 INFO ▶ 0002 Initializing watcher...
2019/04/10 17:13:16 SUCCESS ▶ 0003 Built Successfully!
2019/04/10 17:13:16 INFO ▶ 0004 Restarting 'MyPage'...
2019/04/10 17:13:16 SUCCESS ▶ 0005 './MyPage' is running...
2019/04/10 17:13:16.170 [I] [asm_amd64.s:2361] http server Running on http://11.111.111.111:8080
2019/04/10 17:13:16.170 [C] [asm_amd64.s:2361] ListenAndServe: listen tcp 11.111.111.111:8080: bind: cannot assign requested address

So… briefly, the problem is that in Namecheap.com’s configuration I had to insert the global IP address of the Internet Service Provider’s router, while in the webpage configuration file I have to put the local IP address, which is not accepted by Certbot, because it requires only global IP addresses.

So… how can I successfully proceed with certbot in order to obtain the HTTPS certificate?

Looking forward to your kind help.
Marco

#2

Let’s Encrypt accesses your website on port 80 (whatever reverse proxying or port forwarding you do internally).

When using Certbot’s webroot plugin, you have to have a web server already running on port 80.

Can you configure your thing to use port 80?

If not, you can use Certbot’s standalone plugin, which temporarily runs a simple built-in web server.

Assuming ggc.world is your domain and mypage.org isn’t, connecting to your web server on port 80 and port 8080 both result in a “Connection refused” error.

What do you mean by your “ISP’s” IP address? Are you behind CGNAT without the ability to use all ports?

#3

Thanks a lot for your kind quick reply to my question.
First of all, I wanted to “hide” the actual name of my domain, ggc.world, because it’s in the very early stages… but I didn’t hide it properly)))… so the domain is one and only one: ggc.world
Regarding the Internet Service Provider’s IP address I was talking about, in the pic here (IPs) it is called “WAN IPv4 Address”, in the bottom-right corner.
As you can see from this other photo, I already set port 8080: PortsEnabled. Is this correct, or do I have to change it or add another port?
Marco

#4

You need to add port 80 to your port forwarding configuration.

And, as I said, you need to run a web server on port 80, either Bee(?) or Certbot’s standalone server.

For most purposes, you can run websites on different ports, but Let’s Encrypt HTTP validation requires port 80. (But it doesn’t stop you from also using other ports.)
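The two posts above boil down to one procedure: forward public port 80 to the PC’s LAN address and run something on that PC that answers on port 80 for the webroot’s `.well-known/acme-challenge/` path. The Go program below is an added example (not from this thread, Certbot or Beego) that does exactly that: it listens on all interfaces rather than on the WAN address (binding to the WAN address is what produced Beego’s “cannot assign requested address” in #1, which `LocallyAssignable` makes visible), and serves only the token files certbot’s webroot plugin writes. It takes the webroot directory as its first argument; the 192.168.1.7 forwarding target mentioned in the comments is the one from the thread.

```go
package main

import (
	"log"
	"net"
	"net/http"
	"os"
	"path/filepath"
	"strings"
)

const challengePrefix = "/.well-known/acme-challenge/" // path the validator fetches on port 80

// LocallyAssignable reports whether ip is configured on one of this host's
// interfaces. Behind NAT the router's WAN address is not, hence Beego's
// "bind: cannot assign requested address" when told to listen on it.
func LocallyAssignable(ip string) bool {
	want := net.ParseIP(ip)
	addrs, _ := net.InterfaceAddrs()
	for _, a := range addrs {
		if ipn, ok := a.(*net.IPNet); ok && ipn.IP.Equal(want) {
			return true
		}
	}
	return false
}

// NewChallengeHandler serves only the token files certbot --webroot writes
// under <webroot>/.well-known/acme-challenge/; every other path is a 404, so
// the port-80 listener exposes nothing beyond the challenge responses.
func NewChallengeHandler(webroot string) http.Handler {
	dir := filepath.Join(webroot, ".well-known", "acme-challenge")
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		token := strings.TrimPrefix(r.URL.Path, challengePrefix)
		// Exactly one file name: no empty token, no sub-path, no traversal.
		if token == "" || token == r.URL.Path || strings.ContainsAny(token, "/\\") || strings.Contains(token, "..") {
			http.NotFound(w, r)
			return
		}
		body, err := os.ReadFile(filepath.Join(dir, token))
		if err != nil {
			http.NotFound(w, r)
			return
		}
		w.Write(body) // Content-Type is sniffed as text/plain
	})
}

// Listen on all interfaces (not the WAN IP); root is needed for port 80.
// The router's mapping public 80 -> 192.168.1.7:80 delivers the request.
func main() { log.Fatal(http.ListenAndServe(":80", NewChallengeHandler(os.Args[1]))) }
```

Run it as `sudo ./acme-serve /home/marco/go/src/MyPage` while certbot runs with the same `-w` path; Beego can stay on 8080 since only the validation needs port 80.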

#5

Bee is the Beego MVC Golang framework: Beego
I tried to add port 80 to my port forwarding configuration, but it says “Public port overlap detected”: PublicPortsOverlap
Port 8080 is used in the app configuration:
httpaddr = 192.168.1.7
httpport = 8080

#6

It might be because both of the port 80 rules are set to use TCP, instead of one UDP and one TCP?

#7

As said here (Beego-MVC), the listening port is set to 8080 by default, but actually I do not know if Beego’s port requires a TCP or a UDP rule.
What about Certbot? Do I have to set up a TCP rule or a UDP rule for port 80?

#8

HTTP doesn’t use UDP.

(HTTPS may in the future – or right now if you’re Google.)

#9

I now set the port forwarding in this way: PortForwarding
Could it be right now?

#10

Maybe?

On second thought, you might need to use the “Port Mapping” section instead of the “Port Triggering” section.

I don’t know anything about your specific router model.

#11

Yesterday I had a (paid!!!))))) phone call with the Vodafone technical staff, who set up the port forwarding as you saw before… this is why I’m disappointed with Vodafone…

I tried again:

marco@pc01:~/go/src/MyPage$ sudo certbot certonly --webroot -w /home/marco/go/src/MyPage -d ggc.world -d www.ggc.world
[sudo] password for marco:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for ggc.world
http-01 challenge for www.ggc.world
Using the webroot path /home/marco/go/src/MyPage for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. ggc.world (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://ggc.world/.well-known/acme-challenge/shu2yrUBiBBnYJUrqz3Z1u11ZSBnfut2SoXHk5SYTJ8: Connection refused, www.ggc.world (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.ggc.world/.well-known/acme-challenge/WjAcdY8gE-hvfutYjnVFJcW_hoJIEzNXJMyTKW5a_iA: Connection refused

IMPORTANT NOTES:

So, I try to use the Ports Mapping section now…

#12

I guess the type of the service for the Ports Mapping has to be HTTP: PortsMappingServiceTypes

I set the Ports Mapping in this way: PortsMapping

But after launching sudo certbot certonly --webroot -w /home/marco/go/src/MyPage -d ggc.world -d www.ggc.world the same error message appears.
So I guess there are two possibilities: either it takes some time before the new Ports Mapping and Ports Triggering configuration takes effect, or something has to be changed.

#13

Are you running a web server on port 80 now?

#14

I was wrong. But this time I set, in the Ports Mapping section: Service “Cerbot” (User Defined), Local IP Address 192.168.1.7, Protocol TCP, Local Port 80, Public Port 80: CerbotServiceInPortsMappingSection

But running sudo certbot certonly --webroot -w /home/marco/go/src/MyPage -d ggc.world -d
the same error message appears

#15

Hi @marcoippolito

There

https://drive.google.com/file/d/1ZQ7SmMhVhkEaWW4fufIEEFokIKhVsGl4/view

is a firewall section. Does your firewall allow the connection?

The message

http://www.ggc.world/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
37.116.214.189  -2  1.100  V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 37.116.214.189:80
Visible Content:

looks like a blocking firewall.

#16

Hi @JuergenAuer these are the firewall settings:
FireWallSettings-1
FireWallSettings-2
and these are the other settings:
Settings-3
Settings-4
Setting-5

#17

This ( https://check-your-website.server-daten.de/?q=ggc.world ):

Host           T     IP-Address       is auth.  ∑ Queries  ∑ Timeout
ggc.world      A     37.116.214.189   yes       1          0
               AAAA                   yes
www.ggc.world  A     37.116.214.189   yes       1          0
               AAAA                   yes

is your public IP address. Do you use this address?

Let’s Encrypt sees that address and tries to connect to it.

PS: Checking your domain, there are the ConnectionRefused messages:

Checking your IP ( https://check-your-website.server-daten.de/?q=37.116.214.189 ), there are only timeouts. That’s curious, I expected the same ConnectionRefused answer.

#18

Yes. It’s my public IP address

And on the PC hosting the web page:

marco@pc01:~$ sudo ufw status verbose
[sudo] password for marco:
Status: inactive

Now the webserver is active, and checking this link https://check-your-website.server-daten.de/?q=ggc.world

it says:
“• Status: Valid Chain of trust. Parent-DS with Algorithm 8, KeyTag 36130, DigestType 1 and Digest "rE07RSuwzDXchrxmh+5KzbzpL/M=" validates local Key with the same values, Key ist Secure Entry Point (SEP) of the zone

• Status: Valid Chain of trust. Parent-DS with Algorithm 8, KeyTag 36130, DigestType 2 and Digest "Dri6TRtwP006A7xxRMArfOvDKHMT19J8KSv24KQ1oKs=" validates local Key with the same values, Key ist Secure Entry Point (SEP) of the zone”

I do not understand why this happens:
“ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 37.116.214.189:80”

In fact, trying again:
sudo certbot certonly --webroot -w /home/marco/go/src/MyPage/ -d ggc.world -d www.ggc.world

As the pictures of the Vodafone Station’s configuration show, there is no firewall set, and for now I disabled the Ubuntu 18.04.01 firewall on the PC… so what is going on?

#19

This is DNSSEC information about the .world zone. Good to know, but not the connection problem.

You have additional blocking components. Is this Linux running on top of Windows? Perhaps the Windows firewall blocks.

#20

Is there a web server running on port 80?