Unable to create certificates for my domain

Self-signed certificates work, but not "public" Let's Encrypt certificates. My guess is that my DNS/domain provider (Loopia) requires authentication via API to allow generation of certificates via http-01, but I'm unsure.

TASK [matrix-nginx-proxy : Attempt initial SSL certificate retrieval with standalone authenticator (directly)] ******************************************************************************************************************************
fatal: [matrix.edwalls.nu]: FAILED! => changed=true
cmd: /usr/bin/env docker run --rm --name=matrix-certbot --user=997:1001 --cap-drop=ALL -p 80:8080 --mount type=bind,src=/matrix/ssl/config,dst=/etc/letsencrypt --mount type=bind,src=/matrix/ssl/log,dst=/var/log/letsencrypt docker.io/certbot/certbot:amd64-v1.21.0 certonly --non-interactive --work-dir=/tmp --http-01-port 8080 --standalone --preferred-challenges http --agree-tos --email=my@emailadress.com -d matrix.edwalls.nu
delta: '0:00:36.661443'
end: '2022-01-04 18:17:08.420917'
msg: non-zero return code
rc: 1
start: '2022-01-04 18:16:31.759474'
stderr: |-
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
stderr_lines:
stdout: |-
Requesting a certificate for matrix.edwalls.nu

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: matrix.edwalls.nu
  Type:   dns
  Detail: DNS problem: query timed out looking up A for matrix.edwalls.nu

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 8080. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

stdout_lines:
...ignoring

TASK [matrix-nginx-proxy : Attempt initial SSL certificate retrieval with standalone authenticator (via proxy)] *****************************************************************************************************************************
fatal: [matrix.edwalls.nu]: FAILED! => changed=true
cmd: /usr/bin/env docker run --rm --name=matrix-certbot --user=997:1001 --cap-drop=ALL -p 127.0.0.1:2402:8080 --network=matrix --mount type=bind,src=/matrix/ssl/config,dst=/etc/letsencrypt --mount type=bind,src=/matrix/ssl/log,dst=/var/log/letsencrypt docker.io/certbot/certbot:amd64-v1.21.0 certonly --non-interactive --work-dir=/tmp --http-01-port 8080 --standalone --preferred-challenges http --agree-tos --email=my@emailadress.com -d matrix.edwalls.nu
delta: '0:00:38.443854'
end: '2022-01-04 18:17:47.392091'
msg: non-zero return code
rc: 1
start: '2022-01-04 18:17:08.948237'
stderr: |-
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
stderr_lines:
stdout: |-
Requesting a certificate for matrix.edwalls.nu

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: matrix.edwalls.nu
  Type:   connection
  Detail: Fetching http://matrix.edwalls.nu/.well-known/acme-challenge/<challenge>: Connection refused

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 8080. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

stdout_lines:
...ignoring

TASK [matrix-nginx-proxy : Fail if all SSL certificate retrieval attempts failed] ***********************************************************************************************************************************************************
fatal: [matrix.edwalls.nu]: FAILED! => changed=false
msg: |-
Failed to obtain a certificate directly (by listening on port 80)
and also failed to obtain by relying on the server at port 80 to proxy the request.
See above for details.
You may wish to set up proxying of /.well-known/acme-challenge to 2402 or,
more easily, stop the server on port 80 while this playbook runs.
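As an added diagnostic (not from the thread or from any project's code), the Python script below reproduces what the CA did in the two failed runs above: resolve the name, check that the address is publicly routable, then fetch a probe path under /.well-known/acme-challenge/ on port 80. It also parses the "Domain / Type / Detail" block certbot prints so the failure class can be picked out of playbook output. The resolver and fetcher are injectable so the checks can be exercised offline; the sample certbot output and the domain matrix.example.test are constructed for the example.

```python
"""Pre-flight checks for a Let's Encrypt HTTP-01 validation, modelled on the
two failure modes in the thread (DNS lookup timed out, then connection refused).
Added example; not part of the thread or of any project's code."""
import ipaddress
import re
import socket
import urllib.error
import urllib.request
from typing import Callable, List, Tuple

# Constructed sample output, shaped like certbot's "problems" block (domain is made up).
SAMPLE_CERTBOT_OUTPUT = """\
Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: matrix.example.test
  Type:   dns
  Detail: DNS problem: query timed out looking up A for matrix.example.test
  Domain: matrix.example.test
  Type:   connection
  Detail: Fetching http://matrix.example.test/.well-known/acme-challenge/<challenge>: Connection refused
"""

FAILURE_RE = re.compile(
    r"Domain:\s*(?P<domain>\S+)\s*\n\s*Type:\s*(?P<kind>\S+)\s*\n\s*Detail:\s*(?P<detail>[^\n]+)"
)

# What each certbot failure type usually means for an HTTP-01 setup.
HINTS = {
    "dns": "the CA's resolvers could not get an A/AAAA answer: check the record is published and has propagated",
    "connection": "the CA reached the address but nothing accepted the TCP connection on port 80: check firewall and port publishing",
}


def parse_certbot_failures(output: str) -> List[Tuple[str, str, str]]:
    """Pull (domain, failure type, detail) tuples out of certbot's stdout."""
    return [(m["domain"], m["kind"], m["detail"].strip()) for m in FAILURE_RE.finditer(output)]


def resolve_addresses(domain: str) -> List[str]:
    """Default resolver: A and AAAA answers from this host's resolver (empty list on failure)."""
    try:
        infos = socket.getaddrinfo(domain, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def fetch_status(url: str) -> int:
    """Default fetcher: HTTP status of a GET. An HTTP error (e.g. 404) still proves reachability."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def preflight(domain: str,
              resolve: Callable[[str], List[str]] = resolve_addresses,
              fetch: Callable[[str], int] = fetch_status) -> List[Tuple[str, str]]:
    """Return (code, message) findings; an empty list means the HTTP-01 path looks reachable."""
    findings: List[Tuple[str, str]] = []
    addrs = resolve(domain)
    if not addrs:
        findings.append(("NO_ADDRESS", f"{domain} resolved to no A/AAAA record; the CA cannot find the host"))
        return findings  # nothing to connect to, so skip the HTTP probe
    for addr in addrs:
        if not ipaddress.ip_address(addr).is_global:
            findings.append(("NOT_GLOBAL", f"{domain} -> {addr} is not globally routable; the CA cannot reach it"))
    # Probe with a token that cannot exist: any HTTP answer (normally 404) shows port 80 reaches a web server.
    url = f"http://{domain}/.well-known/acme-challenge/preflight-probe-not-a-real-token"
    try:
        fetch(url)
    except OSError as err:  # connection refused/reset, timeouts and URLError are all OSError
        findings.append(("UNREACHABLE", f"GET {url} failed: {err}"))
    return findings


if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:
        for code, msg in preflight(name) or [("OK", f"{name}: HTTP-01 pre-flight passed")]:
            print(code, msg)
    for dom, kind, detail in parse_certbot_failures(SAMPLE_CERTBOT_OUTPUT):
        print(f"{dom}: {kind}: {detail} -> {HINTS.get(kind, 'see certbot log')}")
```

Run it from a machine outside your own network, because the thread shows exactly the case where the host answers locally while the CA's view (DNS and inbound port 80) differs; a 404 on the probe is the expected good result.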

There was a DNS problem.
Now seems more like an access problem.

You say there is nothing listening now, but something is responding:

curl -Ii matrix.edwalls.nu
HTTP/1.1 501 Unsupported method ('HEAD')
Server: BaseHTTP/0.6 Python/3.9.7
Date: Tue, 04 Jan 2022 18:32:17 GMT
Connection: close
Content-Type: text/html;charset=utf-8
Content-Length: 497
curl matrix.edwalls.nu
ACME client standalone challenge solver

Strange, I get connection refused when trying to curl matrix.edwalls.nu (from the internet and in).

A theory I have is that the docker container is not reachable via the internet, only the host machine. Maybe I need to forward port 80 to the docker container?

Now it doesn't respond:

curl -Ii matrix.edwalls.nu
curl: (56) Recv failure: Connection reset by peer

It was reaching the ACME client previously, which I presume is within the container (only).


Seems like the DNS records needed a day's "work". Tried now and everything works fine.

Maybe the DNS records were not replicated where needed.
