Rpi4 mail server certificate issue problem

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: c9mail.clasystem.com

I ran this command: certbot -v certonly --standalone --rsa-key-size 4096 --agree-tos --preferred-challenges http -d c9mail.clasystem.com --dry-run

It produced this output: Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: c9mail.clasystem.com

My web server is (include version): No web server

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is: Self hosted

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.30.0

I built a light traffic send-only mail server on a Raspberry Pi 4 using Postfix with a static IP.
My DNS records appear to be correct and I have A and AAAA records. I can ping the sub-domain (c9mail.clasystem.com) with ping -4 and ping -6. I have another simple web server on different machine (also static IP from same block provided by AT&T) that works ok and is secured with a cert from Letsencrypt.
It continually fails to retrieve a cert due to the http-01 challenge. I can see port 80 (v6) is opening while trying to retrieve and then closes several seconds later when it gives up.
It says the 'Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80'.
Does this temp http server run in memory or do I need to change permissions for some directory?

Thanks, any help would be great

Hi @jagger, and welcome to the LE community forum :slight_smile:

LE prefers IPv6 over IPv4 when present.
Your site has both, but the IPv6 address is improper for use over the Internet:

Name:      c9mail.clasystem.com
Addresses: fe80::e65f:1ff:fe97:1cf7
           107.137.100.243

[much like 127.0.0.1, any IPv6 address that starts with fe80:: can't be reached via the Internet]

4 Likes

Thanks for the response rg305.
I can ping it from outside.
There are 3 total ipv6 addr listed with 'ip a'.
the other 2 appear to be dynamic so I didn't use them.
scope global dynamic noprefixroute
scope global dynamic mngtmpaddr noprefixroute
Should I use one of those?

1 Like

I tried all 3 IPv6 listed for eth0

inet6 2600:1700:eb90:4900::3e8/128 scope global dynamic noprefixroute
inet6 2600:1700:eb90:4900:e65f:1ff:fe97:1cf7/64 scope global dynamic mngtmpaddr noprefixroute
inet6 fe80::e65f:1ff:fe97:1cf7/64 scope link

I could ping all 3 from outside,
Still no joy
Besides, doesn't certbot failover to IPv4 if IPv6 fails?

I can't ping either of those IPv6 IPs.

It depends on the failure.

Can you just remove the AAAA record from DNS?

4 Likes

fe80::/10 = link-local unicast, so that's never going to work over the internet.

Further, I concur with Rudy here: the other 2 IPv6 addresses are not pingable from my point of view. Also, 107.137.100.243 is not pingable either.

4 Likes

Thanks for responding guys.
I had shut the pi off overnight as it's still vulnerable at this point. It's powered up again and pingable to
2600:1700:eb90:4900:e65f:1ff:fe97:1cf7 and 107.137.100.243 now. Rudy, I tried without the IPv6 already and got the same http-01 challenge failure.

1 Like

I can ping them too. Standalone is harder to debug but can you do this?

certbot -v certonly --standalone --rsa-key-size 4096 --agree-tos --preferred-challenges http -d c9mail.clasystem.com --dry-run --debug-challenges 

That addition of --debug-challenges will start standalone and pause showing you the URL to test with. Leave that running and use a different system (or window) to test that URL

5 Likes

Here's what I got:
URL:
http://c9mail.clasystem.com/.well-known/acme-challenge/7bmcPrFnOlbHbQoyHn-Ja8ZsMbdM5iK-JKbCoUG3obk
Expected value:
7bmcPrFnOlbHbQoyHn-Ja8ZsMbdM5iK-JKbCoUG3obk.ImS2yynK3sgvoCJ_e8_iK17n8qhgVwuD_IiqGnyJZs0

I'm not really sure how to check this-

1 Like

IPv4 seems to be working (pingable), but IPv6 from my point of view not.

If it's vulnerable (what does that mean?) you shouldn't have it connected to the internet to begin with.

4 Likes

Good point! But it is a mail server after all and it has no SSL protection yet. Besides, is there another way of getting a cert? I'm still learning this stuff.

Is the standalone test still running? Because I don't see port 80 open to process the http request to you.

5 Likes

It's still running. But 80 is closed.
I let it continue till it finished, ran it again but 80 doesn't seem to open at all with that debug command and it still fails.

Is the port open in your router and NAT/forwarded to your server?

When you say port 80 does not open, how did you check that?

5 Likes

It's a public static IP. Not sure about NAT/forwarding
I check the port from another putty session using 'lsof -i :80' command every second while running certbot.

Do you have a router?

Use this to test while certbot standalone runs

curl -i -m5 c9mail.clasystem.com

Should see something like:

HTTP/1.0 200 OK
Server: BaseHTTP/0.6 Python/3.8.10
Date: Sat, 10 Sep 2022 14:10:33 GMT
Content-Type: text/html

ACME client standalone challenge solver

Right now I get a timeout trying to reach your domain. Something is preventing access to your server.

EDIT:
I don't know how lsof works in that case but you can try this to check the port. But, if certbot standalone did not show any error you can fairly assume it bound to port 80

sudo netstat -pant | grep -i ':80'
(should see python3 as process listening)
5 Likes
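To make the two checks above concrete (the `--debug-challenges` URL test and the "is port 80 actually bound" test), here is an added Python example that is not certbot's code and not from anyone in this thread. It runs a small challenge responder modelled on the BaseHTTP server certbot standalone starts, then validates it the way the CA does: fetch `/.well-known/acme-challenge/<token>` and compare the body with the expected key authorization. It also includes the IPv6 point from earlier in the thread as a small address check (link-local `fe80::` and other non-global addresses are flagged). The token and key authorization in the usage section are constructed sample values, not the ones certbot printed.

```python
"""Offline reproduction of the http-01 checks discussed in the thread.
Added example; not certbot's own code. Sample token/key authorization below
are constructed, not real ACME values."""
import ipaddress
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError, URLError
from urllib.request import urlopen

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


class ChallengeServer(HTTPServer):
    """Minimal responder: answers only the one challenge path it was given,
    like certbot's temporary standalone solver (which serves from memory,
    not from a directory on disk)."""

    def __init__(self, token, key_authorization, port=0):
        self.token = token
        self.key_authorization = key_authorization
        super().__init__(("127.0.0.1", port), _ChallengeHandler)


class _ChallengeHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == CHALLENGE_PREFIX + self.server.token:
            body = self.server.key_authorization.encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_error(404)

    def log_message(self, *args):
        pass  # keep the responder quiet


def start_challenge_server(token, key_authorization, port=0):
    """Start the responder in a background thread; return (server, bound_port).
    port=0 asks the OS for a free port so the example never needs root."""
    server = ChallengeServer(token, key_authorization, port)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def port_is_listening(host, port, timeout=2.0):
    """TCP connect test: the inside view `netstat -pant | grep ':80'` gives you,
    and the outside view `curl -i -m5 host` gives the CA."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def validate_http01(url, expected_key_authorization, timeout=5.0):
    """Fetch the challenge URL as the CA would. Returns a (status, detail) pair:
    'ok', 'mismatch' (wrong body), 'http-error' (e.g. 404), or 'connect-failed'
    (timeout / refused, the situation in this thread)."""
    try:
        with urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode(errors="replace").strip()
    except HTTPError as exc:
        return ("http-error", str(exc.code))
    except URLError as exc:
        return ("connect-failed", str(exc.reason))
    except OSError as exc:
        return ("connect-failed", str(exc))
    if body == expected_key_authorization:
        return ("ok", body)
    return ("mismatch", body)


def address_is_public(addr):
    """True only for globally routable addresses. fe80::/10 (link-local),
    127.0.0.1, RFC1918 and similar are not reachable by the CA."""
    return ipaddress.ip_address(addr).is_global


if __name__ == "__main__":
    # Constructed sample values (not the token certbot printed in the thread).
    token = "sampleTokenAbc123"
    key_auth = token + ".constructedAccountThumbprint"
    server, port = start_challenge_server(token, key_auth)
    url = f"http://127.0.0.1:{port}{CHALLENGE_PREFIX}{token}"
    print("listening:", port_is_listening("127.0.0.1", port))
    print("validation:", validate_http01(url, key_auth))
    for a in ("fe80::e65f:1ff:fe97:1cf7", "107.137.100.243"):
        print(a, "public" if address_is_public(a) else "NOT public")
    server.shutdown()
    server.server_close()
```

Against a real certbot run, the equivalent from outside the network is `curl -i -m5 http://c9mail.clasystem.com/.well-known/acme-challenge/<token>` while `--debug-challenges` has certbot paused: the body must equal the "Expected value" certbot printed, and a timeout (the result reported above) means the request never reached the solver at all, which points at the router/firewall rather than at file permissions.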

This is what I got:

ACME client standalone challenge solverroot@c9mail:/home/c91# curl -i -m5 c9mail .clasystem.com
HTTP/1.0 200 OK
Server: BaseHTTP/0.6 Python/3.8.10
Date: Sat, 10 Sep 2022 14:18:54 GMT
Content-Type: text/html

And this is what I get from the public internet (US East Coast)

curl -i -m5 c9mail.clasystem.com
curl: (28) Failed to connect to c9mail.clasystem.com port 80 after 2706 ms: Connection timed out

Did you try that command from outside your own network? Maybe even a cell phone with wifi off?

5 Likes

It's hardwired.
I only have a windows machine on another static IP but it doesn't like the curl command. However I can ping -6 and -4 to the 2600:1700:eb90:4900:e65f:1ff:fe97:1cf7 and 107.137.100.243
Maybe it is something to do with the router.
I take it back. I can't ping the IP6 from that windows machine
Funny thing I can ping the ipv6 addr from my local, private win10 machine.

I'll try it with my cell phone with wifi off,

ping uses ICMP which is different than using, say, curl or a browser for HTTP (using TCP)

Do you have a cell phone? Just turn off wifi and use a browser and try the URL shown by certbot standalone. Or, even just

http://c9mail.clasystem.com

Be sure to specify HTTP so a browser does not try HTTPS

I would remove the AAAA from DNS while you sort out basic connectivity. Once you have IPv4 working you can go back and try that again.

5 Likes