Some challenges failed

My domain is: rmm.aptechnologiesgroup.com

I ran this command: sudo certbot certonly --standalone -d rmm.aptechnologiesgroup.com -d

It produced this output: Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for rmm.aptechnologiesgroup.com
Waiting for verification...
Challenge failed for domain rmm.aptechnologiesgroup.com
http-01 challenge for rmm.aptechnologiesgroup.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: rmm.aptechnologiesgroup.com
    Type: connection
    Detail: 108.34.212.60: Fetching
    http://rmm.aptechnologiesgroup.com/.well-known/acme-challenge/JQY762gStXnnEwmaoM9DywnNRlurBDa80WKf6w4PUs8:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version): nginx/1.22.1

The operating system my web server runs on is (include version): Ubuntu 20.04.5 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or `` if you're using Certbot): certbot 0.40.0

image
)

Have you forwarded port 80 and 443 to your server, on your modem/router?

Does your Verizon service allow incoming traffic on port 80?

3 Likes

Hi @arodriguez401, and welcome to the LE community forum :slight_smile:

You should have a working HTTP site before trying to secure it via HTTP-01 authentication.

3 Likes

They do. I have port forward port 80 and 443 from internal IP

It was working but for whatever reason I can't access the site publicly but only locally. I had it working at one point but forever reason it broke and i started from the beginning and can't remember i got it working

Port 80 looks like it is not getting through from around the world Check website performance and response: Check host - online website monitoring
nor with https://letsdebug.net/ results Let's Debug

2 Likes

Seems kind of old version of Certbot, the latest Certbot 1.32.0 Release

2 Likes

I've looking into that and got the same error. I'm stumped on why it's not able to reach out to the public. I've configured a port forward from the internal IP with port 80.

You think that could be the reason why?

I think it is worth investigating @_az's question, to be positively sure.

Look of other possible (additional) firewalls between you and the Internet.

3 Likes

Well, Port 80 is the first concern. I had just pointed that out.

3 Likes

I'll call my ISP and see if they can open that port from my public IP and then i'll take it from there

1 Like

Additional debugging information.

$ nmap rmm.aptechnologiesgroup.com
Starting Nmap 7.80 ( https://nmap.org ) at 2022-11-15 21:09 UTC
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.18 seconds

$ nmap -Pn rmm.aptechnologiesgroup.com
Starting Nmap 7.80 ( https://nmap.org ) at 2022-11-15 21:09 UTC
Nmap scan report for rmm.aptechnologiesgroup.com (108.34.212.60)
Host is up (0.085s latency).
rDNS record for 108.34.212.60: pool-108-34-212-60.prvdri.fios.verizon.net
Not shown: 999 filtered ports
PORT     STATE SERVICE
9001/tcp open  tor-orport

Nmap done: 1 IP address (1 host up) scanned in 59.22 seconds
2 Likes

Is your public IP correct?
Check with:
curl -4 ifconfig.co

Useless you are using some sort of DDNS software program to automatically update your IP...
It looks like it's from a generic "pool" of IPs:

Name:    rmm.aptechnologiesgroup.com
Address: 108.34.212.60

Address: 108.34.212.60
Name:    pool-108-34-212-60.prvdri.fios.verizon.net
3 Likes

I am at the moment. I think I figured out the problem. Thanks :slight_smile:

2 Likes

I'm running a VM hosting this website and it seems i've ran out of certs. I've built and destroyed this server a bit too many times and not realizing that the certs have a rate limit. I would need to wait until the certs expires to try again unfortunately

2 Likes

If you are still testing, then I would suggest using the staging environment [not production].

4 Likes

That's not the correct way to see hitting a rate limit. The correct way of seeing it is: "I've been abusing a free to use, but costly to run service due to lack of knowledge, which is not an excuse."

6 Likes

Get the Certificate once and copy it to the rebuilt server.

Testing and debugging are best done using the Staging Environment as the Rate Limits are much higher. Rate Limits are per week (rolling).

3 Likes

Yeah, you are right it's not an excuse but I wasn't aware of it and it was a learning curve for me. There was no form of abuse here especially with no malice intentions. I believe among many other techs we all ran into some issues like this at point but learned from it and educate newcomers to not to feel discourage on asking without knowing. Plus it was my own findings that came to the solution of the problem. Learned from my mistakes and moved on. If you would like to point me in the direction on paid SSL to start using a testing for my environment i would be glad to take your recommendations.

1 Like