Standalone Timeout, Ports Open

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.wisptales.duckdns.org

I ran this command:
sudo certbot certonly --standalone --key-type rsa -d wisptales.duckdns.org -d www.wisptales.duckdns.org

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Requesting a certificate for wisptales.duckdns.org and www.wisptales.duckdns.org
Performing the following challenges:
http-01 challenge for wisptales.duckdns.org
http-01 challenge for www.wisptales.duckdns.org
Waiting for verification...
Challenge failed for domain wisptales.duckdns.org
Challenge failed for domain www.wisptales.duckdns.org
http-01 challenge for wisptales.duckdns.org
http-01 challenge for www.wisptales.duckdns.org
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

My web server is (include version): None

The operating system my web server runs on is (include version):
Raspberry Pi OS Lite "Debian GNU/Linux 11 (bullseye)"

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.12.0


So, duckdns properly resolves my IPv4 and IPv6 addresses.
I have disabled my ufw firewall (and rebooted my Pi), just to make sure.
Made sure iptables isn't causing me trouble (it isn't; all connections are allowed).
I have port forwarded ports 80 and 443 from my router to my Raspberry Pi.
I even set up a simple Python server listening on ports 80 and 443, and
used telnet to test whether I can connect to the server from a remote machine (I can).

I still keep getting the above error.
What could I be doing wrong?
Thank you in advance.

Some possible reasons:

  1. ISP blocks port 80 - nothing you can possibly do to fix it; you will need to use the DNS-01 challenge
  2. Router's admin page sits on port 80/443, and it won't forward that port until you move the admin page off that port

Yes, thank you. It's likely your first proposal.
I have confirmed my telnet client on port 80 only works in my internal network.

But another port -say 52000- works fine from any external network as well.


Never mind. We cross-posted.

Was your "remote machine" on the public internet or just your private one?

Because I can't see anything on port 80. Can you start your test Python server so we can check? Or, use a cell phone with Wi-Fi off to use your provider's public internet to test access.


I have done exactly what you propose. Only my private network has proper access to port 80.

Yeah, sorry, cross-posted.

I can see your python server on 52000 using IPv4 but not IPv6 (below). For what that's worth.

This won't help getting a Let's Encrypt cert using the HTTP challenge because only ports 80 and 443 are allowed. The DNS challenge is possible as long as you are happy connecting to a non-standard port and configuring your server manually for HTTPS.

curl -i6 -m10 www.wisptales.duckdns.org:52000
curl: (28) Failed to connect to www.wisptales.duckdns.org port 52000 after 5009 ms: Connection timed out

curl -i4 -m10 www.wisptales.duckdns.org:52000
HTTP/1.0 200 OK
Server: SimpleHTTP/0.6 Python/3.9.2

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>

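As an added example (not part of this thread), a small Python probe that does what the replies above suggest by hand with curl -4/-6: resolve the host separately over IPv4 and IPv6, TCP-connect to 80 and 443 with a timeout, and tell a silent timeout (the signature of ISP or router filtering) from a refusal (host reachable, nothing listening). The loopback test server is a constructed stand-in for the thread's Python server; run the probe from a machine outside your own network, otherwise it only proves the LAN path.

```python
"""Reachability probe for the http-01 precondition: ports 80/443 open from outside."""
import socket
import threading
from http.server import HTTPServer, SimpleHTTPRequestHandler

# Ports a Let's Encrypt http-01 validator is allowed to use; a server reachable
# on another port (52000 in the thread) proves nothing for the challenge.
HTTP01_PORTS = (80, 443)

def fam_name(fam):
    return {socket.AF_INET: "IPv4", socket.AF_INET6: "IPv6"}.get(fam, str(fam))

def probe_tcp(host, port, family=socket.AF_UNSPEC, timeout=5.0):
    """TCP-connect to every address the host resolves to (A and AAAA by default).
    Returns [(family, address, status)], status in open/refused/timeout/unreachable/no-dns.
    Splitting per address family shows the curl -4 vs -6 difference seen above."""
    try:
        infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return [(fam_name(family), host, "no-dns")]
    results = []
    for fam, _stype, proto, _canon, addr in infos:
        with socket.socket(fam, socket.SOCK_STREAM, proto) as s:
            s.settimeout(timeout)
            try:
                s.connect(addr)
                status = "open"
            except socket.timeout:
                status = "timeout"      # packets silently dropped: ISP or router filtering
            except ConnectionRefusedError:
                status = "refused"      # host answers, but nothing listens on the port
            except OSError:
                status = "unreachable"  # e.g. no IPv6 route from this vantage point
        results.append((fam_name(fam), addr[0], status))
    return results

def http01_ready(host, ports=HTTP01_PORTS, timeout=5.0):
    """True only if at least one address answers on a port the validator may use."""
    return any(status == "open"
               for port in ports for _f, _a, status in probe_tcp(host, port, timeout=timeout))

def start_local_server():
    """Constructed stand-in for the thread's Python test server (loopback, ephemeral port)."""
    srv = HTTPServer(("127.0.0.1", 0), SimpleHTTPRequestHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

if __name__ == "__main__":
    srv = start_local_server()
    print(probe_tcp("127.0.0.1", srv.server_address[1]))  # loopback: open
    print(probe_tcp("www.wisptales.duckdns.org", 80))      # the thread's host, per family
    srv.shutdown()
```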
