Unable to obtain certificate for domain

vegafjord · July 24, 2022, 1:54pm

I am trying to install letsencrypt for hage.vegafjord.me using freedombox, but get an error message. I received a log, but I don't understand it's content.

Expected Results
Expect to get a certificate.

Actual results
An error message.

Screenshot

Screenshots on my cloud, because I couldn't add them to this post:

I also have another screenshot displaying the message shown in the freedombox.

Information
Device: Pioneer Freedombox
My web server is (include version): Freedombox (don't know how to check version)
The operating system my web server runs on is (include version): Debian v11.2
My domain is: https://hage.vegafjord.me
My hosting provider, if applicable, is: myself
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): unsure
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): unsure

rg305 · July 24, 2022, 6:26pm

Hi @vegafjord, and welcome to the LE community forum

Please get your IP address:
curl -6 ifconfig.co

and compare that IP to the output of:
nslookup hage.vegafjord.me

vegafjord · July 24, 2022, 9:09pm

I get this as a result:

vegafjord@freedombox:~$ curl -6 ifconfig.co
[ipv6 address = A]
vegafjord@freedombox:~$ nslookup hage.vegafjord.me
Server:         [local ipv4 address = B]
Address:        [local ipv4 address = B]#[port]

Non-authoritative answer:
Name:   hage.vegafjord.me
Address: [ipv6 address = A]

vegafjord@freedombox:~$

Osiris · July 24, 2022, 9:09pm

I'm pretty sure that's not the literal output of those commands. Please post the exact output.

vegafjord · July 24, 2022, 9:12pm

I have to censor the ip-address.

Osiris · July 24, 2022, 9:14pm

Why? From the screenshots it seems your client is using the http-01 challenge, so the IP address needs to be public for the challenge to be validated anyway...

vegafjord · July 24, 2022, 9:20pm

I don't understand what you are saying. Could you explain as if I don't know letsencrypt?

Osiris · July 24, 2022, 9:23pm

To obtain a certificate for a certain hostname, Let's Encrypt needs to know the requesting party is actually the owner of that hostname, so a challenge needs to be performed. See How It Works - Let's Encrypt for more info about that. One of the three possible challenges (see Challenge Types - Let's Encrypt for info about those three challenge types) is the http-01 challenge, which requires a (HTTP) connection from the LE validation servers to a webserver running on the host.

To make that HTTP connection, it's obviously necessary for LE to be able to resolve the hostname to an IP address. Without the IP address, no HTTP connection. So your hostname needs to be publicly resolvable to the correct IP address of the host.

vegafjord · July 24, 2022, 9:37pm

I still don't understand, but here you go anyways.

vegafjord@freedombox:~$ curl
curl: try 'curl --help' or 'curl --manual' for more information
vegafjord@freedombox:~$ curl -6 ifconfig.co
2a01:799:3da:6c00:a317:99b5:caa2:78b6
vegafjord@freedombox:~$ nslookup hage.vegafjord.me
Server:         192.168.10.1
Address:        192.168.10.1#53

Non-authoritative answer:
Name:   hage.vegafjord.me
Address: 2a01:799:3da:6c00:a317:99b5:caa2:78b6

vegafjord@freedombox:~$

Osiris · July 24, 2022, 9:40pm

I can't reach 2a01:799:3da:6c00:a317:99b5:caa2:78b6 in any way (ping, port 80, port 443). Does that host accept incoming connections from the internet?

(I realise now that your host is IPv6 only, which is fine, but I didn't notice that so I didn't try a dig for the AAAA record. Now I see the hostname can resolve to the AAAA record indeed. Due to DNS your IP address was public anyway, so redacting it was useless to begin with )

system · August 23, 2022, 9:41pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.