First off, I’m rather new at this. So please forgive me if I misspeak. Also, I apologize for the wall of text. The ‘certbot’ output is rather lengthy.
I’m trying to set up a web server that is publicly accessible. I’d like to secure it with HTTPS. This web server is on an HSTS domain (access.mfgs.dev). Because I’m new, and HSTS may impact my learning curve, I’ve also have a non-HSTS domain (access.mfgs.me). I’ve got a basic Apache install, with zero customization, all defaults. I also have the firewalls (iptables & firewalld) either opened up completely or turned off. I’ll harden that later.
I’ve tried a number of ‘certbot’ runs, and they all come back the same, with “Timeout during connect (likely firewall problem)”. However, when I run ‘certbot’ with ‘–debug-challenges’ I can successfully use this command:
Both of these return successfully with the contents:
Also, for the non-HSTS domain (access.mfgs.me), I am able to open a web browser to the same URL and see the contents of of the file.
I don’t know if it’s relevant or not, but this is a home computer on a dynamic IP, and both domains are my domains Google Domains as the registrar. Both of these FQDN’s are “Dynamic DNS Synthetic Records,” and ddclient is updating them frequently with the current IP (even though they haven’t changed at all). I have “Port Forwarding” set up on my home router for both 80 -> 80 and 443 -> 443 to my single web server. Both of these FQDN’s are pingable, and the non-HSTS one is, at the time of writing this, serving out the default Apache “Testing 123…” web page. So both DNS and routing seem good to me.
I’ve Googled eleventy-billion different variations of my issue. It seems that the general consensus is if you can get to a point where the ‘.well-known’ file is accessible (which it is), then ‘certbot’ should work. I’m at my wit’s end, and I don’t know what else to do. Any help or pointers would be appreciated.
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
certbot certonly --webroot -w /var/www/html -d access.mfgs.dev,access.mfgs.me --dry-run --test-cert --debug-challenges -v
It produced this output:
Too long, see reply post (new user, I hope I can reply to this post)
My web server is (include version):
The operating system my web server runs on is (include version):
CentOS Linux release 7.6.1810 (Core)
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know):
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of
certbot --version or
certbot-auto --version if you’re using Certbot):
Thank you in advance.