Setup letsencrypt with port forwarding > timeout


#1

I am trying to set up a Let's Encrypt certificate with the following configuration:

dynamic dns domain > home router port 4433 > server port 443

At the moment I am using a self-signed cert and everything is fine, but trying to set up Let's Encrypt does not work; I am getting the following error:

Timeout during connect (likely firewall problem)

I'm quite sure this has to do with port forwarding?


#2

Hi,

Please fill in this form so we can help you:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

Thank you


#3

I’m quite sure too. Let’s Encrypt needs to reach your server on port 80.


#4

You have to open port 80. Or you may use the dns-01 challenge; then you have to create a DNS entry _acme-challenge.yourdomain.com (type TXT) with a special value.


#5

I have port 80 open but forwarded like this:
router (8080) -> server (80)

Is there a way to configure certbot to use 8080 to access my server?


#6

What's your domain name? It's impossible to say whether this may work. But it's simple to test with your domain name.

Perhaps your router should open port 80 -> server (80).

No. This is not a limit of certbot, it's a limit of the ACME protocol, which is used by Let's Encrypt.

You must show that you are the owner of this domain. Port 8080 is too irrelevant to do that.


#7

Very sorry, I would like to keep my domain name hidden since this is a private cloud address and I don't want it to be loose on the net.

I deleted the 8080 forwarding.
I forwarded and tested port 80 with the OS X Network Utility on my domain and it is definitely open and accessible.

So now it is router (80) -> server (80).

I tried certbot again, same issue.


#8

But if you want to use Let's Encrypt, your domain must be public. And there are public Certificate Transparency logs.

https://crt.sh/

https://transparencyreport.google.com/https/certificates

Is your domain public? If not, this is the reason for the timeout.


#9

It is true that if I put mydomain.com in my browser I get a timeout… I tried crt.sh, nothing there either…

However, if I test port 80 on my domain it is open, but I guess Apache will redirect to 443 internally because at the moment I am using a self-signed cert.

Not sure what “public” means? Need an HTML page?


#10

There must be a public DNS entry yourdomain.com -> some entries, so that Let's Encrypt can confirm that you are the owner of yourdomain.com.

There are actually two simple validations:

  1. You can create a DNS entry (type TXT) with the name _acme-challenge.yourdomain.com and a special value given by Let's Encrypt. Then you don't need a webserver (dns-01 challenge).

  2. You have a DNS entry yourdomain.com -> IP address, port 80 is open, and you put a special file into

/.well-known/acme-challenge/file-with-a-special-name

so that Let's Encrypt can load the file

http://yourdomain.com/.well-known/acme-challenge/file-with-a-special-name

To do that your port 80 must be open (http-01 challenge).

The problem with the dns-01 challenge is that the renewal (every 60 - 80 days) needs an API of your DNS provider. Or you have to do that manually. So if there is a webserver, the http-01 challenge is simpler: certbot can save the file directly.

PS: If you create a certificate, this is logged with your domain name. Then it can be found using one of the Certificate Transparency logs. So your domain name is public.
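Added example (not from this thread, and not certbot's or Let's Encrypt's own code) of what the two validations in the post above actually consist of. It computes the value that goes into the http-01 challenge file (token.thumbprint of the ACME account key, RFC 8555 section 8.1) and the value that goes into the _acme-challenge TXT record for dns-01 (RFC 8555 section 8.4), serves the http-01 file the way a webroot on port 80 would, and then replays the CA side: a plain-HTTP fetch of /.well-known/acme-challenge/<token> compared against the expected value. The account key JWK, the token and the loopback port are constructed placeholders; a real CA only connects to port 80 on the name your DNS entry points at, which is why forwarding 8080 or 4433 cannot work.

```python
import base64
import hashlib
import json
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError, URLError
from urllib.request import urlopen

# Constructed placeholder for the public half of an ACME account key (JWK form).
# Not a real key: only its RFC 7638 thumbprint matters for the challenge values.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-placeholder-modulus"}

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required JWK members only, sorted, with no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 8.1: the body certbot writes to /.well-known/acme-challenge/<token> (http-01)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 8.4: the TXT record value for _acme-challenge.<domain> (dns-01)."""
    return b64url(hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest())


class ChallengeHandler(BaseHTTPRequestHandler):
    """Minimal stand-in for the webroot served on port 80; maps token -> key authorization."""
    challenges: dict = {}

    def do_GET(self):
        token = self.path[len(CHALLENGE_PREFIX):] if self.path.startswith(CHALLENGE_PREFIX) else None
        if token in self.challenges:
            body = self.challenges[token].encode("ascii")
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_response(404)
            self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet


def validate_http01(host: str, port: int, token: str, jwk: dict, timeout: float = 3.0):
    """Replays the CA side: fetch the token over plain HTTP and compare with the expected value.
    Returns (ok, detail). A closed or unforwarded port surfaces here as the connect failure
    that certbot reports as 'Timeout during connect (likely firewall problem)'."""
    expected = key_authorization(token, jwk)
    url = f"http://{host}:{port}{CHALLENGE_PREFIX}{token}"
    try:
        with urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("ascii", "replace").strip()
    except HTTPError as e:  # server answered, but not with the challenge file
        return False, f"HTTP {e.code} for {url}"
    except (URLError, OSError) as e:  # nothing reachable on that host:port
        return False, f"connect failed for {url}: {e}"
    return body == expected, "key authorization matches" if body == expected else "body mismatch"


def run_demo() -> dict:
    """Serve one challenge on a loopback port and validate it the way the CA would."""
    token = b64url(secrets.token_bytes(32))
    ChallengeHandler.challenges = {token: key_authorization(token, ACCOUNT_JWK)}
    server = HTTPServer(("127.0.0.1", 0), ChallengeHandler)  # port 0: any free loopback port
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        good, good_detail = validate_http01("127.0.0.1", port, token, ACCOUNT_JWK)
        wrong, wrong_detail = validate_http01("127.0.0.1", port, "unknown-token", ACCOUNT_JWK)
    finally:
        server.shutdown()
        server.server_close()
    # After shutdown nothing listens on that port: the "port not forwarded / not open" case.
    closed, closed_detail = validate_http01("127.0.0.1", port, token, ACCOUNT_JWK, timeout=1.0)
    return {
        "token": token,
        "txt_record": dns01_txt_value(token, ACCOUNT_JWK),
        "valid": good, "valid_detail": good_detail,
        "wrong_token": wrong, "wrong_detail": wrong_detail,
        "closed_port": closed, "closed_detail": closed_detail,
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

Pointing validate_http01 at your public hostname and port 80 from a machine outside your own LAN reproduces the CA's view of the server; run from inside the LAN it can pass or fail for reasons unrelated to the forwarding rule, because many home routers do not loop a connection to their own public address back to the internal host (NAT hairpinning). The dns-01 value is included so the same token and account key show both validations side by side; with dns-01 no port needs to be open at all, at the cost of an API or a manual TXT change at every renewal, as the post above says.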


#11

Thank you so much for your help, i’ll try that

