Unable to create certificate

My domain is: penntech-it.com

I ran this command: sudo certbot certonly --standalone -d unifi.penntech-it.com -v

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Requesting a certificate for unifi.penntech-it.com
Performing the following challenges:
http-01 challenge for unifi.penntech-it.com
Waiting for verification...
Challenge failed for domain unifi.penntech-it.com
http-01 challenge for unifi.penntech-it.com

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: unifi.penntech-it.com
Type: connection
Detail: 51.140.36.218: Fetching http://unifi.penntech-it.com/.well-known/acme-challenge/WH9m4Bzbmaq8Eqm0MYSgH-H0913a5PSOo_uPQvaFTxU: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

The operating system my web server runs on is (include version): Ubuntu 22.04.1 LTS

I can login to a root shell on my machine (yes or no, or I don't know): Yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.21.0

Some content from the log file:

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: unifi.penntech-it.com
Type: connection
Detail: 51.140.36.218: Fetching http://unifi.penntech-it.com/.well-known/acme-challenge/WH9m4Bzbmaq8Eqm0MYSgH-H0913a5PSOo_uPQvaFTxU: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connection>

2023-01-04 17:08:51,660:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 90, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 178, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2023-01-04 17:08:51,660:DEBUG:certbot._internal.error_handler:Calling registered functions
2023-01-04 17:08:51,660:INFO:certbot._internal.auth_handler:Cleaning up challenges
2023-01-04 17:08:51,660:DEBUG:certbot._internal.plugins.standalone:Stopping server at :::80...
2023-01-04 17:08:52,011:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 33, in <module>
sys.exit(load_entry_point('certbot==1.21.0', 'console_scripts', 'certbot')())
File "/usr/lib/python3/dist-packages/certbot/main.py", line 15, in main
return internal_main.main(cli_args)
File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1574, in main
return config.func(config, plugins)
File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1434, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 133, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 459, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 389, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 439, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 90, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 178, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2023-01-04 17:08:52,012:ERROR:certbot._internal.log:Some challenges have failed.

This website shows the domain is fine: Let's Debug (letsdebug.net)

You do not have Port 80 open. Best Practice - Keep Port 80 Open

$ nmap unifi.penntech-it.com
Starting Nmap 7.80 ( https://nmap.org ) at 2023-01-04 17:23 UTC
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.11 seconds

$ nmap -Pn unifi.penntech-it.com
Starting Nmap 7.80 ( https://nmap.org ) at 2023-01-04 17:23 UTC
Nmap scan report for unifi.penntech-it.com (51.140.36.218)
Host is up (0.16s latency).
Not shown: 996 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
6789/tcp open  ibm-db2-admin
8080/tcp open  http-proxy
8443/tcp open  https-alt

Nmap done: 1 IP address (1 host up) scanned in 11.95 seconds
1 Like

Here are a couple of links that may be of value:

  1. Let's Encrypt on Ubiquiti's UniFi
  2. Let's Encrypt on Ubiquiti's EdgeRouter
1 Like

But not fine for the subdomain unifi.penntech-it.com
https://letsdebug.net/unifi.penntech-it.com/1323258

1 Like

Hmm, port 80 is fully open, that's weird. UFW is disabled on Ubuntu, and port 80 is open on Azure.

Yes for penntech-it.com, but not unifi.penntech-it.com

$ nmap -Pn  penntech-it.com
Starting Nmap 7.80 ( https://nmap.org ) at 2023-01-04 17:31 UTC
Nmap scan report for penntech-it.com (192.124.249.52)
Host is up (0.032s latency).
rDNS record for 192.124.249.52: cloudproxy10052.sucuri.net
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 6.87 seconds
1 Like

2 Different IP Addresses

$ nslookup penntech-it.com ns73.domaincontrol.com.
Server:         ns73.domaincontrol.com.
Address:        97.74.106.47#53

Name:   penntech-it.com
Address: 192.124.249.52


$ nslookup unifi.penntech-it.com ns73.domaincontrol.com.
Server:         ns73.domaincontrol.com.
Address:        97.74.106.47#53

Name:   unifi.penntech-it.com
Address: 51.140.36.218
1 Like

The unifi subdomain IP is the Azure UniFi controller. What I am trying to say is that I have networking port 80 fully open for that IP address, so visually nothing should be blocking that port to that IP.

However I still see this with nmap

$ nmap -Pn unifi.penntech-it.com
Starting Nmap 7.80 ( https://nmap.org ) at 2023-01-04 17:37 UTC
Nmap scan report for unifi.penntech-it.com (51.140.36.218)
Host is up (0.16s latency).
Not shown: 996 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
6789/tcp open  ibm-db2-admin
8080/tcp open  http-proxy
8443/tcp open  https-alt

Nmap done: 1 IP address (1 host up) scanned in 13.19 seconds

Also, using this online tool (TCP Port Scanner, Online Port Scan, Port Scanning | IPVoid) with an input of 51.140.36.218 and selecting "Scan all common ports", I see

1 Like
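The triage the thread walks through by hand, as an added example that is not part of any post here: it parses the CA problem report certbot printed and the `nmap -Pn` output, then checks whether the address the CA validated matches DNS and whether tcp/80 is reachable from the internet. The sample inputs are copied from the thread; the function names are mine.

```python
import re
from collections import namedtuple

# Constructed from the thread: the CA problem report in certbot's output.
CERTBOT_REPORT = """\
Domain: unifi.penntech-it.com
Type: connection
Detail: 51.140.36.218: Fetching http://unifi.penntech-it.com/.well-known/acme-challenge/WH9m4Bzbmaq8Eqm0MYSgH-H0913a5PSOo_uPQvaFTxU: Timeout during connect (likely firewall problem)
"""

# Constructed from the thread: the nmap -Pn scan of the controller's public IP.
NMAP_REPORT = """\
Nmap scan report for unifi.penntech-it.com (51.140.36.218)
Host is up (0.16s latency).
Not shown: 996 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
8080/tcp open  http-proxy
8443/tcp open  https-alt
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
CaProblem = namedtuple("CaProblem", "domain kind ip detail")

def parse_ca_problem(text: str) -> CaProblem:
    """Pull domain, problem type and the validator's target IP out of certbot's report."""
    dom = re.search(r"^Domain:\s*(\S+)", text, re.M)
    kind = re.search(r"^Type:\s*(\S+)", text, re.M)
    det = re.search(r"^Detail:\s*" + IPV4 + r":\s*(.*)$", text, re.M)
    if not (dom and kind and det):
        raise ValueError("unrecognised certbot problem report")
    return CaProblem(dom.group(1), kind.group(1), det.group(1), det.group(2))

def parse_nmap(text: str):
    """Return (scanned_ip, {port: state}, state nmap reports for the unlisted ports)."""
    ip = re.search(r"\(" + IPV4 + r"\)", text).group(1)
    listed = {int(m.group(1)): m.group(2)
              for m in re.finditer(r"^(\d+)/tcp\s+(\S+)", text, re.M)}
    hidden = re.search(r"^Not shown: \d+ (\w+) ports", text, re.M)
    return ip, listed, hidden.group(1) if hidden else "unknown"

def triage(problem: CaProblem, dns_ip: str, nmap_ip: str, listed: dict, hidden: str) -> str:
    """Separate a DNS mistake from a firewall problem, as the thread did."""
    if problem.ip != dns_ip:
        return f"dns: CA validated {problem.ip} but the name resolves to {dns_ip}"
    state80 = listed.get(80, hidden)  # port 80 absent from the list means it has the "Not shown" state
    if problem.kind == "connection" and nmap_ip == dns_ip and state80 != "open":
        return f"firewall: DNS is right but tcp/80 on {dns_ip} is {state80} from the internet"
    return f"other: {problem.detail}"
```

For the inputs above, `triage` reports the firewall case; the Azure NSG or host firewall in front of 51.140.36.218 is where to look, not DNS.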

I seem to be blocked now from attempting any more requests.

Ubiquiti_Admin@UbiquitiUCC:~$ sudo certbot certonly --standalone -d unifi.penntech-it.com -v
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Requesting a certificate for unifi.penntech-it.com
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see Failed Validation Limit - Let's Encrypt
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Testing and debugging are best done using the Staging Environment as the Rate Limits are much higher. Rate Limits are per week (rolling).

3 Likes

Not this one, the "too many authz" rate limit has a way shorter window.

That said, when encountering a problem, it's indeed best to use the staging environment first, fix the problem and only then go back to the production environment indeed :slight_smile:

6 Likes

Agreed! I struck out week.