SSL no longer working and renewal doesn't work

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: nevitt33.com

I ran this command: sudo certbot --nginx

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?

1: nevitt33.com

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Renewing an existing certificate for nevitt33.com

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: nevitt33.com
Type: connection
Detail: Fetching http://nevitt33.com/.well-known/acme-challenge/MH12njhq9Nap4JU0pRVyVrb1emACCvRd5sq8zN1RhDY: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu Server 20.04

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.18.0

1 Like

Hi @Thumper33 and Welcome to the forum!
You will need to open some ports on your firewall or router (or wherever they are being blocked)

PORT    STATE    SERVICE
22/tcp  open     ssh
80/tcp  filtered http
443/tcp filtered https

I can see you still have a valid certificate:
https://crt.sh/?q=nevitt33.com

This issue might be as simple as opening ports that somehow have become filtered for some reason unknown to me (at least)

7 Likes

I have 80 and 443 forwarded, and I've never forwarded 22. Do I need to for SSH?

My server says that the firewall is inactive using "sudo ufw status verbose".

My router is an Asus, and here is a screenshot of the port forwarding. Pretty sure those work right, as I can access the website fine, it just can't seem to send OUT anything.

1 Like

You don't have to have ssh (22) open but it is useful sometimes :0)
Port forwarding can be baffling sometimes.

Check your website from outside your network and you will discover amazing things!

and

Test result for nevitt33.com using dns-01 (Let's Debug) is OK for dns challenge

BUT
Until you get your port forward working no one will be able to visit your site.

7 Likes

I don't think that the port forwarding is the issue. I put the server into the DMZ on the router which means that it should get all incoming packets. I still get the same failure when I run a certificate renewal, which is that it times out.

When I run sudo update-ca-certificates, it says my new list has more, but then I run it again and it still says I have the same amount more. Is this normal, or am I not actually getting the updates to stick? See return below:

Importing into legacy system store:
I already trust 134, your new list has 258
Import process completed.

Importing into BTLS system store:
I already trust 134, your new list has 258
Import process completed.

I can't comment on the validity of that statement; as I'm not an expert on your router's settings.
I can, however, confirm that port 80 and 443 remain unreachable:

curl -Iki http://nevitt33.com/
curl: (56) Recv failure: Connection reset by peer

curl -Iki https://nevitt33.com/
curl: (7) Failed to connect to nevitt33.com port 443: Connection timed out

If you please, let's begin closer to the beginning and verify the IP(s) now in use by your router with:
curl -4 ifconfig.co
curl -6 ifconfig.co

5 Likes

I concur with @rg305 that ports 80 and 443 are unreachable over the Internet. Your port forwarding, as presently configured, is preventing the world (and LetsEncrypt) from reaching your domain. You may want to look at this https://check-your-website.server-daten.de/?q=nevitt33.com. At the bottom of the report are many ports listed and what they are being used by. However, ports 80 and 443 are conspicuously missing.

6 Likes

First off, thank you so much for helping. I've been trying to figure this out, pushing the limits of my knowledge for a while. Here are the requested commands:

$ curl -4 ifconfig.co
146.70.51.58
$ curl -6 ifconfig.co
curl: (7) Couldn't connect to server

Something else to note that I don't understand... The port report that was linked above shows 22 for ssh as open, but my router isn't forwarding that port (see pic). How is that possible?

Edit... I googled what the commands above are returning after I sent the reply above. So, this is telling me that the server thinks its external IP is 146.70.51.58, but my router thinks its external IP is 24.9.27.73. What the.... huh?

2 Likes

24.9.27.73 is a Comcast IP address. Is Comcast your internet service provider?

The IP address 146.70.51.58 seems to be of some company called "Miami Infrastructure"?

4 Likes

Yes, Comcast is my internet provider. I think the other one is my VPN, TorGuard. The server is supposed to be set up with split tunneling, sending only packets from the VPN user through to the VPN, but I'm guessing that's no longer working properly. It's been a long time since I set that up so I'm not sure where to start looking. Maybe a config got overwritten in an upgrade at some point. I'll see what info I can dig up on that. Thanks.

3 Likes

I was able to renew my cert!!!! :slight_smile:

I found that my openvpn.conf had been reset at some point and when I went to redo the split tunneling I missed a command. Without that command, all outbound traffic was sent through the vpn. I'm not sure if this fixes all my problems, but it certainly fixes a big one. Thanks a ton for all the help. :slight_smile:

5 Likes
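The checks the replies above walk through (router WAN IP versus the IP the server's outbound traffic actually leaves from, DNS, and ports 80/443 from outside) written up as a small script. This is an added example, not code from the thread or from Certbot; the `wan_ip` argument is assumed to be copied from the router's status page, and the decision logic is kept in a pure function so it can be checked without a network.

```python
"""Reachability/egress diagnostic for the HTTP-01 failure mode in this thread.
Run the port checks from OUTSIDE your network, as the replies advise; a check
from the server itself may hairpin through the router and give a false pass."""
import socket
import urllib.request

def egress_ipv4(timeout=5):
    """Same check as `curl -4 ifconfig.co`: the public IP outbound traffic uses.
    Assumption: plain-text reply for a curl User-Agent (urllib does not force IPv4)."""
    req = urllib.request.Request("https://ifconfig.co",
                                 headers={"User-Agent": "curl/7.68.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode().strip()

def port_reachable(host, port, timeout=5):
    """TCP connect test; a timeout here matches certbot's 'Timeout during connect'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def diagnose(dns_ip, wan_ip, egress_ip, port80_ok, port443_ok):
    """Pure decision logic. Returns a list of findings (empty means all good)."""
    findings = []
    if dns_ip != wan_ip:
        findings.append(f"DNS points at {dns_ip} but router WAN is {wan_ip}: fix the A record")
    if egress_ip != wan_ip:
        # The asymmetric-routing case from this thread: inbound SYNs arrive via
        # the router, replies leave via a VPN tunnel with a different source IP,
        # so clients (and Let's Encrypt) see resets or timeouts.
        findings.append(f"server egresses via {egress_ip}, not {wan_ip}: "
                        "outbound traffic is taking another path (VPN/tunnel)")
    if not port80_ok:
        findings.append("port 80 unreachable: HTTP-01 challenge will time out")
    if not port443_ok:
        findings.append("port 443 unreachable: HTTPS will not be served")
    return findings

def run(domain, wan_ip):
    """wan_ip is what your router's status page shows (assumed input)."""
    dns_ip = socket.gethostbyname(domain)
    return diagnose(dns_ip, wan_ip, egress_ipv4(),
                    port_reachable(domain, 80), port_reachable(domain, 443))

if __name__ == "__main__":
    # Constructed invocation for illustration; replace with your own values.
    for f in run("example.invalid", "203.0.113.1") or ["no problem found, re-run certbot"]:
        print("-", f)
```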

:tada: Glad you found the cause. :clap:

7 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.