Unable to generate certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.reddcar.com

I ran this command: certbot --apache -v -d www.reddcar.com

It produced this output:

[root@prodwebserver ~]# certbot --apache -v -d www.reddcar.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Requesting a certificate for www.reddcar.com
Performing the following challenges:
http-01 challenge for www.reddcar.com
Waiting for verification...
Challenge failed for domain www.reddcar.com
http-01 challenge for www.reddcar.com

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: www.reddcar.com
Type: connection
Detail: Fetching http://www.reddcar.com/.well-known/acme-challenge/4IO1_m-oEOUS6Td0JOA3jSHMjf9sEcPRYu3CE_uPW7U: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
Server version: Apache/2.4.52 (Unix)
Server built: Dec 20 2021 21:33:02

The operating system my web server runs on is (include version):
ArchLinux (latest packages)
Linux prodwebserver 5.10.95-1-ec2-lts #1 SMP Tue, 01 Feb 2022 18:28:12 +0000 x86_64 GNU/Linux

My hosting provider, if applicable, is:
Running dedicated EC2 instance on AWS

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.22.0

I tried this last DEC: Unable to generate certificate
but the ticket closed and I got too busy during the holidays.

Long story short I've re-verified my access/FW rules and everything is open. You can reach the website direct via: http://www.reddcar.com and see the test page.

I only have two AWS rules for port 80 and 443 allowed in from anywhere and no iptables rules (all default policy ALLOW).

I re-ran the DNS test here: Let's Debug and it still claims the site is inaccessible (even though if you visit it directly you can clearly see its open).

Curious where else I need to shine the light on this issue.

Something is wrong with your port 80. Either a firewall or Apache isn't listening there.

When you visit http://www.reddcar.com what do you get? I get the apache webserver serving the test page just fine.

I get a timeout. Maybe it's geographical?

Very strange. I just tried a free geopeeker and it too returned inaccessible from all over the world. Looking back through AWS I'm not seeing any policies that are blocking from a geo/region. Ironically we have our dev.reddcar.com server (exact same thing) in the same us-west-2 region and were able to secure an SSL with certbot without issues. The difference is we lock access down to our users for security reasons. Any thoughts on what types of geo/regional settings might exist in EC2/AWS that could be restricting access? I am in Seattle, WA, us-west-2 is Oregon.

Ok disregard. This was a total PEBCAK (Problem Exists Between Chair and Keyboard) issue. Turns out my AWS security group policies were just fine. The issue is my production server was bound to the dev_security group policy (probably an oversight when it was initialized). Rerunning the Let's Debug its green and clear now.... Let's Debug

I will revert if I run into any more issues with requesting the cert.

Just reran the request and it worked without problems. Sorry for the firedrill...

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.