Unable to generate certificate with sudo certbot --apache

Server
1

I am currently working on Ubuntu 14.04 server. I need to access my local website through HTTPS. I am trying to get apache certificate using sudo certbot --apache.
This will result in the following output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?

1: shopworx.io

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for shopworx.io
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. shopworx.io (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://shopworx.io/.well-known/acme-challenge/PgONPDqJeTo_e_gkUBQGL5diox22pWoqmLLPtqW1G64: Timeout during connect (likely firewall problem)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: shopworx.io
    Type: connection
    Detail: Fetching
    http://shopworx.io/.well-known/acme-challenge/PgONPDqJeTo_e_gkUBQGL5diox22pWoqmLLPtqW1G64:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

Please help me out to get it done. I am a new bee in this.

Apache version: Apache 2.2.22

My /etc/apache2/sites-available/default contains following:
<VirtualHost :80>
ServerAdmin webmaster@localhost
ServerName shopworx.io
RewriteEngine On
RewriteLog /var/log/apache2/rewrite.log
RewriteLogLevel 9
RewriteCond %{HTTP_HOST} “^192.168.1.202”
#RewriteCond %{HTTP_HOST} “^privatecloud.com”
RewriteCond %{REQUEST_URI} “^/$”
RewriteRule ^(.) https://192.168.1.202/con
#RewriteCond “%{HTTP_HOST}” “^([^.]+).privatecloud.com” [NC]
RewriteCond “%{HTTP_HOST}” “^([^.]+).192.168.1.202.com” [NC]
RewriteCond “%1” “!=login” [NC]
RewriteRule “/server/connector/([^.]+)” “/server/connector/$1?customer=%1” [PT,QSA]
RewriteRule “^/assets/([^*]+)” “/con/assets/$1” [PT,QSA]
DocumentRoot /var/www

Options FollowSymLinks

AllowOverride None

<Directory /var/www/>

Options Indexes FollowSymLinks MultiViews

AllowOverride All

Order allow,deny

allow from all

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/

<Directory “/usr/lib/cgi-bin”>

AllowOverride None

Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch

Order allow,deny

Allow from all

ErrorLog ${APACHE_LOG_DIR}/error.log

Possible values include: debug, info, notice, warn, error, crit,

alert, emerg.

LogLevel warn

CustomLog ${APACHE_LOG_DIR}/access.log combined

Alias /doc/ “/usr/share/doc/”

<Directory “/usr/share/doc/”>

Options Indexes MultiViews FollowSymLinks

AllowOverride None

Order deny,allow

Deny from all

Allow from 127.0.0.0/255.0.0.0 ::1/128

2

The validation is done from Let’s Encrypt’s servers, so if this is a “local” website in the sense that you’ve pointed the domain name at a local IP address in your hosts file or something like that, then certbot --apache won’t work because Let’s Encrypt doesn’t know about your hosts file (and wouldn’t trust it anyway). Currently the public DNS seems to be pointed at some redirection thing, which is what the validation attempt will hit instead (and I guess it may be blocking some IP addresses since apparently Let’s Encrypt can’t connect at all).

If you want to use certbot --apache then you’ll have to point the domain at the server’s public IP address in the real public DNS. If you don’t want to do that, you can use the DNS challenge instead; you seem to be using godaddy DNS, acme.sh claims to support it but I’ve never tried it myself.

1 Like
3

Hi @shetaves

additional:

your /.well-known/acme-challenge (and your domain) redirects to entrib.com.

But your domain has 184.168.131.241, entrib.com has 192.254.187.15.

So it's not really possible that a Certbot creates the validating file in the correct directory.

4

Thanks for the support. This issue resolved after I have added my FQDN registration with GoDaddy & add a route in the router. Seems like issue with the communication at first place.

1 Like
5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.