Timeout while verifying domain to obtain SSL certificate

I am running a Nextcloud server with Apache2 on Raspberry Pi 3 Debian 9. I currently have a self-signed SSL certificate but wanted to make a switch to Let’s Encrypt SSL certificate.

My domain is www.kdrive.cc

I cloned the latest certbot repository and ran the command:
sudo ./certbot-auto --apache -d kdrive.cc -d www.kdrive.cc

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for kdrive.cc
http-01 challenge for www.kdrive.cc
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.kdrive.cc (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.kdrive.cc/.well-known/acme-challenge/hwmwBq7nf3KbwqrhhYAjUDkC4EPDUs2UxNsaeLGePSU: Timeout, kdrive.cc (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://kdrive.cc/.well-known/acme-challenge/SBsMXupKfEx3pX1z_yDMwbwK_qJNN-5Ne0f6Vx88-mY: Timeout

IMPORTANT NOTES:

I’ve seen many other people with this problem, and I tried fixing it using the suggestions from the community with no luck.

  • I can log in to root shell
  • Port-forwarding to 80 and 443 works
  • I tried disabling firewall. It did not work
  • I do not have AAAA record

Thanks in advance.

Are you sure?

$ curl --connect-timeout 15 -i http://www.kdrive.cc/.well-known/acme-challenge/
curl: (28) Connection timed out after 15001 milliseconds

Your server is responding on :443 but not :80. The HTTP challenge MUST start over :80.

That’s weird. I can access http://www.kdrive.cc/ but I cannot connect to http://www.kdrive.cc/.well-known/acme-challenge/.

That is probably a red herring, I can't connect to your server on port 80 (regardless of URL) from any number of different networks around the world.

Is your ISP Optimum? There is some indication that they block incoming port 80:

Port 80 is particularly useful if you plan to host a website from your own server. In order to activate Port 80 you must subscribe to Optimum services 60 and above.

YOU may be able to access your server on 80 (because you are inside your own network), but others definitely cannot.

I would clarify this with your ISP.

If it is the case that port 80 is blocked by your ISP, and you cannot disable the block, then you can't use the HTTP-based challenge and will need to use the DNS-based challenge instead.


Yes, we use Optimum. It looks like that might be the issue. Where can I find a guide for using DNS-based challenge?

The link to the Optimum site I posted shows you how to disable the port blocking if you are on the right kind of plan. Maybe try that first if you are eligible.

For DNS-based challenge, this depends on who your DNS host is (I am not sure who e.g. ns1.dnsowl.com is run by).

I am not aware of any great guides for the DNS challenge with Certbot :frowning: .

You can manually go through the DNS validation process like:

sudo ./certbot-auto --installer apache --manual --preferred-challenges dns -d kdrive.cc -d www.kdrive.cc

and follow the instructions to create the right TXT records in your DNS manager.

To get automatic renewal, again, will depend on who your DNS host is.

Thank you. I will try this.

The registrar NameSilo, apparently.

Some clients have NameSilo integration, such as acme.sh or GetSSL (using lexicon).


It worked! Partially though. I see the SSL certificate on kdrive.cc, however www.kdrive.cc is still “insecure”.

I ran the below command for kdrive.cc first, and when it was successful, I ran it for www.kdrive.cc which returned a different TXT record. I made the changes in TXT record on my DNS host, and waited enough time to propagate.

sudo ./certbot-auto --installer apache --manual --preferred-challenges dns -d kdrive.cc

sudo ./certbot-auto --installer apache --manual --preferred-challenges dns -d www.kdrive.cc

Below is the output I got.

Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.kdrive.cc (dns-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record “redacted” found at _acme-challenge.www.kdrive.cc

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.kdrive.cc
    Type: unauthorized
    Detail: Incorrect TXT record
    "redacted" found at
    _acme-challenge.www.kdrive.cc

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

Are you sure the TXT record was correct? Currently it’s set like:

_acme-challenge.www.kdrive.cc. 7206 IN  CNAME   kdrive.cc.
kdrive.cc.              7207    IN      TXT     "kM6vNOKxZ-MbsuiV-RP7Ju_IHXkoTY_07-oq1QkGoZk"

And _acme-challenge.kdrive.cc. is also a CNAME to kdrive.cc..

What did Certbot say to set it to? What did the Let’s Encrypt error message say it was actually set to?

Maybe the DNS servers were still serving the old record for kdrive.cc.? Or there was a typo?
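The CNAME-to-apex setup above is worth seeing mechanically: a CA chases CNAMEs on `_acme-challenge.<domain>` before reading TXT, so both validation names collapse onto the apex TXT and only one token can be served there. The following is an added example, not code from this thread or from Certbot; the zone snapshots are constructed to mirror the dig output quoted above, with placeholder tokens, and the "fixed" zone assumes the layout the poster ended up with (a TXT directly at each `_acme-challenge` name):

```python
from typing import Dict, List, Tuple

# Constructed zone snapshot: (owner name, record type) -> list of rdata values.
Zone = Dict[Tuple[str, str], List[str]]

def normalize(name: str) -> str:
    """Canonical owner name: lowercase, with trailing dot."""
    name = name.lower()
    return name if name.endswith(".") else name + "."

def lookup_txt(zone: Zone, name: str, max_cname: int = 8) -> Tuple[str, List[str]]:
    """Return (final_owner, txt_values), chasing CNAMEs the way a resolver does.
    A CNAME owner holds no other records, so TXT comes from the chain's end."""
    owner = normalize(name)
    for _ in range(max_cname):
        target = zone.get((owner, "CNAME"))
        if not target:
            break
        owner = normalize(target[0])
    else:
        raise ValueError("CNAME chain too long or looping")
    return owner, zone.get((owner, "TXT"), [])

def dns01_ok(zone: Zone, domain: str, expected_token: str) -> bool:
    """True if the dns-01 validation name resolves to a TXT holding the token."""
    _, values = lookup_txt(zone, "_acme-challenge." + domain)
    return expected_token in values

TOKEN_APEX = "TOKEN-FOR-APEX-PLACEHOLDER"   # placeholder, not a real token
TOKEN_WWW = "TOKEN-FOR-WWW-PLACEHOLDER"     # placeholder, not a real token

# Zone as quoted in the thread: both _acme-challenge names are CNAMEs to the
# apex, so the CA reads the single apex TXT for both domains.
BROKEN_ZONE: Zone = {
    ("_acme-challenge.www.kdrive.cc.", "CNAME"): ["kdrive.cc."],
    ("_acme-challenge.kdrive.cc.", "CNAME"): ["kdrive.cc."],
    ("kdrive.cc.", "TXT"): [TOKEN_APEX],
}

# Assumed fixed layout: one TXT per validation name, no CNAME to the apex.
FIXED_ZONE: Zone = {
    ("_acme-challenge.kdrive.cc.", "TXT"): [TOKEN_APEX],
    ("_acme-challenge.www.kdrive.cc.", "TXT"): [TOKEN_WWW],
}
```

With the broken zone the apex validates but www fails with the apex token found in its place, which is the "Incorrect TXT record ... found at _acme-challenge.www.kdrive.cc" result quoted above.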

Ok. I changed the TXT record to include _acme-challenge, and changed CNAME to www. Everything works now.

Thank you very much!
