Trying to install SSL on my Ubuntu server

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
alaskaeaglecharters.com, at GoDaddy, on business Comcast with static IP; alaskaeaglecharters.com worked before, I rebuilt the server ... nothing changed except the server, which has the same static IP. Domain works in incognito, and on my phone. When using netstat, it shows 80, 443 open

I ran this command:

sudo certbot --apache -d alaskaeaglecharters.com -d www.alaskaeaglecharters.com

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for alaskaeaglecharters.com and www.alaskaeaglecharters.com

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: alaskaeaglecharters.com
Type: connection
Detail: 50.214.75.163: Fetching http://alaskaeaglecharters.com/.well-known/acme-challenge/9LOCZuPuKcUYvOz5nQrR09OPXW2r-eTeFn4oBg4N4jY: Timeout during connect (likely firewall problem)

Domain: www.alaskaeaglecharters.com
Type: connection
Detail: 50.214.75.163: Fetching http://www.alaskaeaglecharters.com/.well-known/acme-challenge/EW8n7Ak58xOXgNksRBgGECybVZMBxlPJ4ajxoOonxEk: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
Apache2 - 2.4.58

The operating system my web server runs on is (include version):
ubuntu 24.04.1 LTS

My hosting provider, if applicable, is:
self hosted at home on a NUC7i3BNK

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.9.0

There's no access to incoming port 80, which is required for the http-01 challenge used by the apache authenticator plugin. See also e.g. Let's Debug.

Looks like your IP belongs to Comcast Business. Are you indeed on a business plan? Or residential? According to https://business.comcast.com/support/article/internet/ports-blocked-on-comcast-network, Comcast doesn't block incoming port 80/443 for their business clients, but I think they do for residential clients.

If you're on a Comcast Business plan, maybe you need to open the required ports (TCP 80 and TCP 443) in your firewall and/or NAT router (portmaps).


Hi @yachtcapt,

I have Comcast Xfinity and they are not blocking ports 80 or 443 for me.

I am betting that it is a router or firewall between the server at IPv4 Address 50.214.75.163 and the public internet.

I find no ports are accessible for alaskaeaglecharters.com

$ nmap -Pn alaskaeaglecharters.com
Starting Nmap 7.93 ( https://nmap.org ) at 2024-12-28 13:49 PST
Nmap scan report for alaskaeaglecharters.com (50.214.75.163)
Host is up.
rDNS record for 50.214.75.163: 50-214-75-163-static.hfc.comcastbusiness.net
All 1000 scanned ports on alaskaeaglecharters.com (50.214.75.163) are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)

Nmap done: 1 IP address (1 host up) scanned in 201.52 seconds

Ports 80 & 443 are showing filtered (i.e. inaccessible).

$ nmap -Pn -p80,443 www.alaskaeaglecharters.com
Starting Nmap 7.93 ( https://nmap.org ) at 2024-12-28 14:06 PST
Nmap scan report for www.alaskaeaglecharters.com (50.214.75.163)
Host is up.
rDNS record for 50.214.75.163: 50-214-75-163-static.hfc.comcastbusiness.net

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 3.17 seconds

Here is a list of issued certificates (crt.sh | alaskaeaglecharters.com), the latest being 2024-12-21, just a week ago.

Hi @yachtcapt,

Also, your domain name from here (SSL fails on ubuntu with apache - #5 by yachtcapt), marine-captain.com, also is presently showing Port 80 & 443 are filtered

$ nmap -Pn -p80,443 marine-captain.com
Starting Nmap 7.93 ( https://nmap.org ) at 2024-12-28 14:14 PST
Nmap scan report for marine-captain.com (50.214.75.161)
Host is up.
rDNS record for 50.214.75.161: 50-214-75-161-static.hfc.comcastbusiness.net

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 3.08 seconds
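
The open / closed / filtered distinction in the nmap output above, as an added example that is not part of the original thread: a plain TCP connect check to run from a network outside the server's own (netstat on the server only shows that Apache is listening, not that inbound traffic arrives). The function names and the `example.com` default are placeholders chosen for this example.

```python
import socket
import sys

# Ports discussed in the thread: http-01 validation needs inbound 80; 443 serves the site.
PORTS = (80, 443)


def probe(host, port, timeout=3.0):
    """Classify one TCP connect attempt using the same three states nmap reports.

    open     - handshake completed: something is listening and reachable
    closed   - connection refused: host reachable, nothing listening on the port
    filtered - no answer before the timeout: packets are dropped on the way,
               which is what "Timeout during connect" in the CA error indicates
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError as exc:
        # DNS failure, no route, etc.: report it instead of guessing a state
        return f"error: {exc}"


def check(host, ports=PORTS, timeout=3.0):
    """Probe every port and return {port: state}."""
    return {port: probe(host, port, timeout) for port in ports}


def http01_ready(results):
    """The http-01 challenge only needs port 80 to be reachable from outside."""
    return results.get(80) == "open"


if __name__ == "__main__":
    # Placeholder default; pass your own domain as the first argument.
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    results = check(host)
    for port, state in results.items():
        print(f"{port}/tcp {state}")
    print("http-01 reachable:", http01_ready(results))
```

A result of "filtered" on port 80 points at a firewall or missing port forward between the internet and the server, while "closed" means traffic arrives but Apache is not listening on that port.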