SSL Certificate errors but it used to work?

My domain is: home.superversive.net

I ran this command: sudo certbot certonly

I have tried many different combinations of other options as well. I have an nginx webserver running on the machine. I also tried it where I turn that off and let it run the webserver itself. That is what I used to use and it worked well till this last time.

It produced this output:
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: home.superversive.net
Type: connection
Detail: 159.196.215.189: Fetching http://home.superversive.net/.well-known/acme-challenge/6bgzwSTgTsiMvAgDWa8wprx_xQ4j56AtNoYBGN_6kq8: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 22.04.2 LTS

My hosting provider, if applicable, is: Self hosted

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.3.0

I have been trying for a while to get this to go and it won't. It used to work beautifully, but I gather something has changed?

I used to run the following command after stopping nginx on the server

sudo certbot certonly --nginx -v --rsa-key-size 2048 --standalone --agree-tos --no-eff-email --email jwrennie@gmail.com -d home.superversive.net

And it would run happily, renew, and the shell script would stop and then restart nginx.

There is an old configuration directory with the various files in it. I updated certbot to use the current snap version as recommended on the website after it broke.

I can definitely connect to the webserver on port 80 on home.superversive.net. I have it port forwarded through my router. I manually created the .well-known and acme-challenge folders and stuck index.html files in them that I can access from the web so the machine and the sub folders required do seem accessible. The webserver is running out of the default /var/www/html/ directory.

If I can manually get the challenge files and copy them, I can do that if it would work. I'm really at a loss here.


Ok I ran the command sudo certbot certonly --manual

And I got the following error

####################

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): home.superversive.net


An RSA certificate named home.superversive.net already exists. Do you want to
update its key type to ECDSA?


(U)pdate key type/(K)eep existing key type: u
Renewing an existing certificate for home.superversive.net


Create a file containing just this data:

9BknCj8LkzJLgPQccFP4lymLn2pTKLb-iH9vg9b4hKw.vYyk5ClB4rfi9dzMt3DRz_wCqXeeygq3ksL-ndHPSFo

And make it available on your web server at this URL:

http://home.superversive.net/.well-known/acme-challenge/9BknCj8LkzJLgPQccFP4lymLn2pTKLb-iH9vg9b4hKw


Press Enter to Continue

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: home.superversive.net
Type: connection
Detail: 159.196.215.189: Fetching http://home.superversive.net/.well-known/acme-challenge/9BknCj8LkzJLgPQccFP4lymLn2pTKLb-iH9vg9b4hKw: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the manually created challenge files. Ensure that you created these in the correct location.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

########################

What I don't understand is that I tested it by opening a browser and going to

http://home.superversive.net/.well-known/acme-challenge/9BknCj8LkzJLgPQccFP4lymLn2pTKLb-iH9vg9b4hKw

And it downloads a file just fine. I can get the files, so I don't understand. If it couldn't get the file that would make sense, but the file is there with the requested data in it.


Ok, I got a friend off my network to try accessing the file and it is timing out for him, so it looks like I have some sort of nginx or firewall problem I will have to figure out. Ugh.


Every other service I have running on the machine not on port 80 seems to work fine externally; it is only port 80 that is misbehaving. I have changed internet service providers since the last renewal, but I do have a static IP address.

Is there any way to tell certbot to connect on a different port and I just tell my firewall to forward that different port to port 80 on my local machine? I found the --http-01-port HTTP01_PORT option, but from the description I have to be able to accept connections on port 80 and then forward it where I like, and it looks like my stupid ISP is blocking port 80.

Is there any other way to solve this? It looks like I can set up a TXT record, which I think I can do with freedns.afraid.org? I'll keep banging away if anybody has any ideas.


Yep, my ISP was the problem; one call to the help department and they unblocked the port for me. So, problem solved.

I should have tried connecting to my home webserver from my phone after turning the local wifi off, and that would have found the problem quicker.

This thread can be tossed if you like.

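The thread's lesson is that a fetch from inside the home network is not the test the CA performs. The script below is an added example (not from the thread, not certbot's code): it reproduces the CA's fetch of http://<domain>/.well-known/acme-challenge/<token>, compares the body with the key authorization certbot prints, and classifies failures the way certbot's output does (timeout, refused, HTTP error, content mismatch). The serve_challenge helper is a constructed local stand-in for the webroot so the checker can be exercised offline; the token and key authorization in the usage are made-up values.

```python
"""HTTP-01 reachability self-check (added example, not from this thread or certbot).

Run check_http01 from OUTSIDE the home network (phone on mobile data, a friend's
connection): from inside, the router's hairpin NAT answers the request, so an
ISP block on port 80 is invisible, which is exactly what hid the problem above.
"""
import http.server
import socket
import threading
import urllib.error
import urllib.request

ACME_PATH = "/.well-known/acme-challenge/"


def check_http01(host, token, key_authorization, port=80, timeout=10):
    """Fetch the challenge like the CA does; return (status, detail)."""
    url = "http://%s:%d%s%s" % (host, port, ACME_PATH, token)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("ascii", "replace").strip()
    except urllib.error.HTTPError as exc:          # server answered, wrong status
        return "http", "HTTP %d for %s" % (exc.code, url)
    except urllib.error.URLError as exc:           # connect-level failure
        if isinstance(exc.reason, socket.timeout):
            return "timeout", "Timeout during connect (firewall or ISP block on port %d?)" % port
        if isinstance(exc.reason, ConnectionRefusedError):
            return "refused", "port %d closed or not forwarded to the web server" % port
        return "error", str(exc.reason)
    except socket.timeout:                         # connected, but no body arrived
        return "timeout", "read timed out after connect"
    if body != key_authorization:                  # file present but wrong content
        return "mismatch", "served %r..., expected the key authorization certbot printed" % body[:20]
    return "ok", "challenge reachable and content matches"


def serve_challenge(token, content, port=0):
    """Constructed local webroot stand-in for offline trials; returns (server, port)."""
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path != ACME_PATH + token:
                self.send_error(404)
                return
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(content.encode())

        def log_message(self, *args):              # keep the demo quiet
            pass

    srv = http.server.HTTPServer(("127.0.0.1", port), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]
```

Against a real domain, call check_http01("home.example", token, key_authorization) with the two values from certbot's manual-mode prompt while the file is in place; a "timeout" result from outside the network but "ok" from inside points at the upstream port block seen here.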

Welcome to the Let's Encrypt Community, Jason!

Sorry for not replying sooner. I noticed this thread earlier and brought it to the attention of a group of our regulars and community leaders, mostly out of my astonishment at your diligence in posting and ultimate resolution of your own issue. Unless you explicitly wish it, I have no intention of having this thread removed. On the contrary, I would rather encourage others to read your thread and model your exemplary behavior here.


You are welcome to leave it up if you think it is a good example.

It was most perplexing. I have other services running on open ports on my home network, and I could hit the page going to the external address locally, so it didn't even occur to me that just that port would be blocked.
