Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: naspibagel.page

I ran this command: sudo certbot --apache
Then of course I chose my domain

It produced this output:
Domain: naspibagel.page
Type: connection
Detail: Fetching
http://naspibagel.page/.well-known/acme-challenge/6fUwpMM9Wsi8MWGCQZVokdDj088GiMDm_NmZ_WKXZO0:
Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

My web server is (include version): Apache2.4.38

The operating system my web server runs on is (include version): Raspbian

My hosting provider, if applicable, is: Google Domains

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.31.0

I think I'm getting a timeout error because of port 80. I can't seem to get it to forward correctly. I have verified with my ISP and my router manufacturer that they are not blocking port 80. I have configured port forwarding on 80 through my router as they suggested. I am having no problems forwarding port 443 and it is configured the same way 80 is. I've also allowed 80 and 443 on ufw and have a static ip.

sudo ufw status
Status: active

To Action From

22 ALLOW 192.168.0.28
80 ALLOW Anywhere
443 ALLOW Anywhere
80 (v6) ALLOW Anywhere (v6)
443 (v6) ALLOW Anywhere (v6)

Nonetheless, there are multiple confirmations from different sources that Suddenlink does block port 80 on residential connections: "suddenlink" "port 80" at DuckDuckGo.

It does seem like the most likely cause.

Well it seems as though I can't get an open port 80 without giving Suddenlink money so it must be bypassed.

I've decided to try a DNS-01 challenge but even attempting that gives me errors saying I need to check that a DNS record exists for my domain. I have an A record so I'm not sure what the issue is.

I issue this command,

sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d *.naspibagel.page -d naspibagel.page

and get this response

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for naspibagel.page
dns-01 challenge for naspibagel.page

NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?

(Y)es/(N)o: y
Output from acme-dns-auth.py:
Please add the following CNAME record to your main DNS zone:
_acme-challenge.naspibagel.page CNAME 9164f06f-48f3-4c51-98eb-156484df9bd1.auth.acme-dns.io.

Waiting for verification...

Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about
challenges.

Press Enter to Continue
Cleaning up challenges
Failed authorization procedure. naspibagel.page (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.naspibagel.page - check that a DNS record exists for this domain, naspibagel.page (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.naspibagel.page - check that a DNS record exists for this domain

IMPORTANT NOTES:

• The following errors were reported by the server:

  Domain: naspibagel.page
  Type: None
  Detail: DNS problem: NXDOMAIN looking up TXT for
  _acme-challenge.naspibagel.page - check that a DNS record exists
  for this domain

  Domain: naspibagel.page
  Type: None
  Detail: DNS problem: NXDOMAIN looking up TXT for
  _acme-challenge.naspibagel.page - check that a DNS record exists
  for this domain

Did you create this CNAME record in your Google DNS interface?

Try the process again, and create the record that is shown, before continuing further.

_az, thank you for your suggestion. I was able to successfully get my cert. For those with my same issue, and if you happen to be using Google Domains, it took me a couple tries but this is exactly what I did.

I went to the DNS settings page on Google Domains and down at the bottom and put that CNAME record into it that certbot explicitly said. Don't put the entire domain that it says. It says "_acme-challenge.naspibagel.page" but just put "_acme-challenge" in the "@" spot. I can't remember if I had the period after "challenge" or not. Then I scrolled down to CNAME on the "type" spot. I left the "1h" on "1h" and I put that long "9164 blah blah blah acme-dns.io" in the last spot.

HOWEVER, since obtaining my cert, I'm no longer able to access my domain from outside my own network. I get a timeout every time.

Are you sure it's since getting your certificate? I wasn't able to access your domain in my original response (before you had a certificate).

It seems like you have port 443 misconfigured at the moment, it's responding with HTTP, but it should be HTTPS.

This could be for one of two reasons:

1. You have port forwarded 443 externally to port 80 internally, or
2. You have misconfigured Apache

(1) needs to be identified and fixed in your modem/router's port forwarding.

for (2), you need to make sure that your port 443 Apache virtualhost is configured appropriately, e.g.:

<VirtualHost *:443>
ServerName naspibagel.page

SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/naspibagel.page/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/naspibagel.page/privkey.pem

# ... and the rest
</VirtualHost>

I had a feeling it was an Apache issue, I've been rooting around there looking for clues but I have no earthly idea whats going on in there. I copied your suggested configuration and restarted Apache, and I get the same issue. This is my apache conf

VirtualHost *:443>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#

    ServerAdmin 50@hotmail.com
    ServerName naspibagel.page

    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/naspibagel.page/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/naspibagel.page/privkey.pem
    DocumentRoot /var/www/



    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf

/VirtualHost>

vim: syntax=apache ts=4 sw=4 sts=4 sr noet

My port forwarding is 443 all the way through externally to internally. Im pretty sure that is configured correctly. Thank you for taking the time to help me with this.

Well, https://naspibagel.page works for me now, where it wasn't working before.

So you did fix that problem.

Regarding being unable to access the non-HTTPS version (http://naspibagel.page), that would be explained by your ISP blocking port 80. That's not something you can fix without getting the port unblocked.

I'm getting 403 from Yachats Oregon...

2020-11-28T08:00:00Z
No timeout.

Yes, for me in a browser as well. That may come down to the fact that the domain is on the HSTS preload list, so the browser connects directly to port 443.

I've been testing with curl which does exhibit the timeout.

@CloudBagel are you still getting timeouts for HTTPS in the browser?

I'm getting the same result as Rip. It's the same no matter which device or network I use.

OK I'll check and report back

HTTP/1.1 403 Forbidden
Date: Sun, 29 Nov 2020 05:06:46 GMT
Server: Apache/2.4.38 (Raspbian)
Content-Type: text/html; charset=iso-8859-1```

Oh, then everything is working. That's not timing out.

You can check in /var/log/apache2/error.log if you want to see why Apache is producing that 403 error. Are your website files in /var/www/?

But your certificate and HTTPS are working fine.

Is that curl -i http://naspibagel.page ? Or HTTPS?

HTTP/1.1 403 Forbidden
Date: Sun, 29 Nov 2020 05:15:40 GMT
Server: Apache/2.4.38 (Raspbian)
Content-Length: 283
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
<hr>
<address>Apache/2.4.38 (Raspbian) Server at naspibagel.page Port 443</address>
</body></html>

```curl -i https://naspibagel.page```

80/tcp filtered http
443/tcp open https

The error log states that search permissions are missing on a component of the path. It says it about 30 times so I'm going to assume that is the issue. I believe my files are /var/www and I thought I had given myself permissions for it as well.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.