Raspberry pi with duckdns DDNS failing to verify


#1

Hi,
I’m trying to set up a web server on my Raspberry pi at home. I’ve used duckdns for dynamic domain name service.

I know that I’ve got my router’s port forwarding set up correctly because my website works on both port 80 and port 443 at the domain name I’ve set up. I currently have a self-signed certificate instead of a signed letsencrypt one. Certbot claims that I keep failing challenges, what am I doing wrong?

My domain is: volumeup.duckdns.org

I ran this command:

sudo ./certbot-auto certonly --standalone --standalone-supported-challenges http-01 --email redacted@gmail.com -d volumeup.duckdns.org

It produced this output:

The standalone specific supported challenges flag is deprecated. Please use the --preferred-challenges flag instead.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for volumeup.duckdns.org
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. volumeup.duckdns.org (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://volumeup.duckdns.org/.well-known/acme-challenge/VAXOGZXNQ9_5y5UVL6SUW0fMkK__-ls2E7u5lnNXYoA: Timeout

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: volumeup.duckdns.org
    Type: connection
    Detail: Fetching
    http://volumeup.duckdns.org/.well-known/acme-challenge/VAXOGZXNQ9_5y5UVL6SUW0fMkK__-ls2E7u5lnNXYoA:
    Timeout

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version):

A custom server I wrote in go (source available if requested)

The operating system my web server runs on is (include version):

Raspbian Stretch

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

Hi,

Update:
You need to open your http (aka port 80) as well since certbot will connect to port 80 first.

Just a suggestion.
Can you try check if you forget to open port forwarding or something on your router?

Thank you


#3

Thanks for the fast reply.

I have port 80 and port 443 open on my router. If you go to my domain on port 80, the server redirects you to https at port 443.

Edit:

When I run certbot, I have my server off, and run the certbot in standalone mode.


#4

I can easily reconfigure the server to only listen on port 80, and not redirect you to https on 443 if that would help debug this.


#5

Hi,

When I scanned your port, I can see that your IP doesn’t have port 80 opened. It only opened port 443.

Thank you


#6


#7

How very strange. I changed the server to only use port 80. The port doesn’t look blocked to me. Wierd.


#8

You know what, you’re right. The port is closed. Looks like I screwed up the port forwarding.

edit:
My ISP apparently blocks inbound port 80, but not 443. This sucks. Any ideas on how to verify a domain?


#9

Duck DNS has an API that you can use with the DNS-01 challenge.

Create the following script files:

auth.sh

#!/bin/bash
DUCKDNS_TOKEN="your_token_here"
[[ "$(curl -s "https://www.duckdns.org/update?domains=${CERTBOT_DOMAIN%.duckdns.org}&token=${DUCKDNS_TOKEN}&txt=${CERTBOT_VALIDATION}")" = "OK" ]]

cleanup.sh

#!/bin/bash
DUCKDNS_TOKEN="your_token_here"
[[ "$(curl -s "https://www.duckdns.org/update?domains=${CERTBOT_DOMAIN%.duckdns.org}&token=${DUCKDNS_TOKEN}&txt=${CERTBOT_VALIDATION}&clear=true")" = "OK" ]]

Put in your real Duck DNS token instead of “your_token_here”. Make both scripts executable with chmod +x auth.sh cleanup.sh

Then you can run certbot:

sudo certbot certonly --manual --preferred-challenges dns --manual-auth-hook /path/to/auth.sh --manual-cleanup-hook /path/to/cleanup.sh

(obviously use the real location of the scripts instead of /path/to)


My first letsencrypt renew.... attempt failed!
The server could not connect to the client to verify the domain
#10

@chickenofdoom in case you missed it my previous post had an error which I have now corrected, sorry. I mixed up the two scripts so if you copied and pasted them please do so again :slight_smile:


#11

@jmorahan

Thanks for the reply. My ISP blocks port 80 but not 443. I’ll give your method a try.


#12

Port 443 is no longer generally available for validation for new certificates, due to a security issue. You can redirect from 80 to 443, but you must be able to answer on 80 first. The only other option is the DNS challenge.

Good luck, let us know if it works :slight_smile:


#13

@jmorahan

Dude, it worked! You’re a hero! I’m gonna keep this in my bag of tricks.

Thanks so much.


#14

Hi!

I am trying to access my raspberrypi 3B from the internet.
For that I was following this instructions but when trying to generate the certificate I get the error:

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for myexample.duckdns.org
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. myexample.duckdns.org (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://myexample.duckdns.org/.well-known/acme-challenge/LM7F.....: Timeout

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: myexample.duckdns.org
   Type:   connection
   Detail: Fetching
   http://myexample.duckdns.org/.well-known/acme-challenge/LM7FnA.....:
   Timeout

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

Then, if I follow the recipe shared in here, I get the certificates generated but anyway I cannot connect to my raspberrypi from the internet.

I have also notice that it does not matter at all the port forwarding configuration of my modem. Using the commands from here, and deleting completely all my port forwarding sets, I can still generate the SSL certificate. How is that possible?

The raspberry pi is running a clean installation of Raspbian with a clean installation of home assistant (this instructions)

Thanks a lot for your help!!


#15

The method described above uses the DNS API of Duck DNS, so the validation looks for a DNS TXT record to verify your control of the (sub)domain and does not need to connect to your server at all.

Some home ISPs do block some ports from being accessed from the internet. If your ISP is blocking both 80 and 443, you might try forwarding an alternative port such as 8443 to your raspberry pi.


#16

Hi,

I see, then my certificates are ok, and my problem is with my port forwarding to access my raspberry.

I will keep trying with different ports.

Thanks a lot for your super quick clarification.

Cheers


#17

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.