Set up letsencrypt with port forwarding > timeout

I am trying to set up a letsencrypt certification with the following configuration:

dynamic dns domain > home router port 4433 > server port 443

At the moment I am using a self-signed cert and everything is fine, but trying to set up letsencrypt does not work; I am getting the following error:

Timeout during connect (likely firewall problem)

I'm quite sure this has to do with port forwarding?

Hi,

Please fill in this form so we can help you:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

Thank you

I'm quite sure too. Let's Encrypt needs to reach your server on port 80.

You have to open port 80. Or you may use the dns-01 challenge; then you have to create a DNS entry _acme-challenge.yourdomain.com (type TXT) with a special value.

I have port 80 opened but forwarded like this:
router (8080) -> server (80)

Is there a way to configure certbot to use 8080 to access my server?

What's your domain name? It's impossible to say if this may work. But it's simple to test it with your domain name.

Perhaps your router should open port 80 -> server(80).

No. This is not a limit of certbot, it's a limit of the ACME protocol, which is used by Letsencrypt.

You must show that you are the owner of this domain. Port 8080 is too irrelevant to do that.

Very sorry I would like to keep my domain name hidden since this is a private cloud address and I don’t want it to be loose on the net.

I deleted the 8080 forwarding.
I forwarded and tested port 80 with the OSX Network Utility on my domain and it is definitely open and accessible.

So now it is router (80) -> server (80).

I tried certbot again and got the same issue.

But if you want to use Letsencrypt, your domain must be public. And there are public Certificate Transparency logs.

https://transparencyreport.google.com/https/certificates

Is your domain public? If not, this is the reason for the timeout.

It is true that if I put mydomain.com in my browser I get a timeout… I tried crt.sh, nothing there either…

However, if I test port 80 on my domain it is open, but I guess Apache will redirect to 443 internally because at the moment I am using a self-signed cert.

Not sure what “public” means? Need an HTML page?

There must be a public DNS entry yourdomain.com -> some entries, so that Letsencrypt can confirm that you are the owner of yourdomain.com.

There are actually two simple validations:

  1. You can create a DNS entry (type TXT) with the name _acme-challenge.yourdomain.com and a special value given by Letsencrypt. Then you don't need a web server (dns-01 challenge).

  2. You have a DNS entry yourdomain.com -> ip-address, port 80 is open, and you put a special file into

     /.well-known/acme-challenge/file-with-a-special-name

     so that Letsencrypt can load the file

     http://yourdomain.com/.well-known/acme-challenge/file-with-a-special-name

     To do that your port 80 must be open (http-01 challenge).

The problem with the dns-01 challenge is that the renewal (every 60 - 80 days) needs an API of your DNS provider, or you have to do that manually. So if there is a web server, the http-01 challenge is simpler: certbot can save the file directly.

PS: If you create a certificate, then this is logged with your domain name. Then it can be found using one of the Certificate Transparency logs. So your domain name is public.
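As an added illustration of the http-01 validation described in this answer (example code, not from the thread or from certbot): what the "special file" actually contains and what the CA checks when it fetches it over port 80, following RFC 8555 section 8.1 and RFC 7638. The account key, token and IP addresses below are constructed sample values.

```python
import base64
import hashlib
import ipaddress
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, sorted,
    no whitespace. Extra members such as 'kid' never change the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Body of the 'special file': token + '.' + thumbprint of the account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def challenge_path(token: str) -> str:
    """The 'special name' under /.well-known/acme-challenge/ is the token itself."""
    return f"/.well-known/acme-challenge/{token}"


def ca_accepts(body: bytes, token: str, jwk: dict) -> bool:
    """The CA's check on the body fetched from http://domain<path> on port 80:
    it must equal the key authorization, trailing whitespace aside. An HTML
    page, a wrong token, or a different account key all fail."""
    return body.rstrip(b" \t\r\n") == key_authorization(token, jwk).encode("ascii")


def resolves_publicly(ip: str) -> bool:
    """The A/AAAA record must point at a globally routable address; a LAN
    address (or one nothing answers on) yields 'Timeout during connect'."""
    return ipaddress.ip_address(ip).is_global


# Constructed sample account key: the P-256 coordinates are made-up bytes, not a real key.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": b64url(bytes(range(32))), "y": b64url(bytes(range(32, 64))),
              "kid": "https://example.invalid/acct/1"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed token

if __name__ == "__main__":
    print("serve", challenge_path(SAMPLE_TOKEN), "with body:")
    print(key_authorization(SAMPLE_TOKEN, SAMPLE_JWK))
```

Because the body is bound to the account key, a file that merely exists on port 8080, or an Apache redirect to an HTTPS page, does not satisfy the check; the CA needs the exact body over plain HTTP on port 80.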

Thank you so much for your help, I'll try that.