Unable to renew using nginx

I am able to reach an nginx 404 page by accessing my public IP on port 80, which stops working when I turn off nginx, so I am confident that the machine is accessible and that port forwarding is happening correctly. However, using certbot to renew my certificates is failing as outlined below.

My domain is:
smilebags.duckdns.org

I ran this command:
sudo certbot renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/smilebags.duckdns.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for smilebags.duckdns.org

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: smilebags.duckdns.org
  Type:   connection
  Detail: 203.217.45.240: Fetching http://smilebags.duckdns.org/.well-known/acme-challenge/q9rXlz9boAkX6UxUfCsY0SFyTOFKP3NfLmmSCW82me8: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Failed to renew certificate smilebags.duckdns.org with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/smilebags.duckdns.org/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx version: nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 22.04.1 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.3.0

Hello @Smilebags, welcome to the Let's Encrypt community. 🙂

It does not appear that your domain name is accessible from the Internet.

You are using the HTTP-01 challenge (see Challenge Types - Let's Encrypt), which requires access to port 80. Let's Debug is getting these results: smilebags.duckdns.org has an A (IPv4) record (203.217.45.240), but a request to this address over port 80 did not succeed.
https://letsdebug.net/smilebags.duckdns.org/1377987

Best Practice - Keep Port 80 Open

$ curl -Ii http://smilebags.duckdns.org/.well-known/acme-challenge/sometestfile
curl: (28) Failed to connect to smilebags.duckdns.org port 80 after 75240 ms: Operation timed out
$ nmap -Pn smilebags.duckdns.org
Starting Nmap 7.80 ( https://nmap.org ) at 2023-02-17 17:12 UTC
Nmap scan report for smilebags.duckdns.org (203.217.45.240)
Host is up.
rDNS record for 203.217.45.240: 203-217-45-240.tpgi.com.au
All 1000 scanned ports on smilebags.duckdns.org (203.217.45.240) are filtered

Nmap done: 1 IP address (1 host up) scanned in 201.83 seconds
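The diagnosis above (HTTP-01 needs TCP port 80 reachable from the CA, and a connect timeout means packets are being dropped somewhere between the Internet and nginx) can be turned into a pre-flight check run before `certbot renew`. The script below is an added example, not code from the original thread, from Let's Encrypt or from Certbot. It resolves the name, classifies the TCP connect result on port 80 the way the CA error message does ("timeout" versus "refused"), and fetches a path under `/.well-known/acme-challenge/` exactly as the CA would. The token `sometestfile` is taken from the curl check above; the local stub server, the function names and the `example.invalid` placeholder are constructed for this example so it can also be exercised offline.

```python
"""Pre-flight reachability check for the HTTP-01 challenge (added example).

Run it from a host OUTSIDE your own network; as the thread shows, a port
forward can look fine from inside the LAN while a router, firewall or ISP
drops inbound port 80 from the public Internet.  A connect *timeout* is the
signature of dropped packets; *refused* means the packets arrive but nothing
is listening on that port.
"""
import http.server
import socket
import sys
import threading
import urllib.error
import urllib.request

ACME_PATH = "/.well-known/acme-challenge/"


def resolve(host):
    """Return the IPv4 address for host, or None if the DNS lookup fails."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def probe_tcp(host, port=80, timeout=5.0):
    """Classify a TCP connect: 'open', 'refused', 'timeout', 'unreachable' or 'unresolved'."""
    if resolve(host) is None:
        return "unresolved"
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"          # host reached, no listener on the port
    except socket.timeout:
        return "timeout"          # packets silently dropped: firewall / ISP block
    except OSError:
        return "unreachable"      # e.g. no route to host


def fetch_challenge(host, port, token, timeout=5.0):
    """GET the challenge URL the CA would fetch; return (status, body) or (None, reason)."""
    url = f"http://{host}:{port}{ACME_PATH}{token}"
    # Bypass any HTTP proxy so the check hits the server directly, as the CA does.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.reason
    except (urllib.error.URLError, OSError) as err:
        return None, str(err)


class _AcmeStubHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for nginx: serves registered tokens, 404 for anything else."""
    tokens = {}

    def do_GET(self):
        body = self.tokens.get(self.path)
        if body is None:
            self.send_error(404)
            return
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the check output quiet
        pass


def start_local_acme_stub(token, key_authorization):
    """Start the stub on 127.0.0.1 (ephemeral port) in a daemon thread; return the port."""
    _AcmeStubHandler.tokens[ACME_PATH + token] = key_authorization
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), _AcmeStubHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address[1]


def free_port():
    """Reserve-and-release an ephemeral port so a 'refused' result can be demonstrated."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "example.invalid"  # placeholder domain
    print(f"{host} -> {resolve(host)}")
    state = probe_tcp(host)
    print(f"tcp/80: {state}")
    if state == "open":
        print("challenge path:", fetch_challenge(host, 80, "sometestfile"))
```

Run as `python3 check_http01.py smilebags.duckdns.org` from a machine outside the network; a result of `tcp/80: timeout` corresponds to the "Timeout during connect (likely firewall problem)" line in the certbot output, while `refused` would point at nginx not listening rather than at the network path. A `404` on the challenge path is fine for a made-up token: it shows nginx is answering and Certbot's temporary configuration would be reachable.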

I'm afraid your IP address of 203.217.45.240 is not reachable from my location at all.

Sometimes portmaps seem to be working from inside the same network as the server, but something else is blocking access from the public internet. E.g., a firewall or something similar. Or even your ISP might be blocking access to port 80.


From around the world, using this online tool https://check-host.net/, all checks are giving "Connection timed out" for HTTP port 80.


Hi, thanks for the help and useful debug info everyone.

I do have a Ubiquiti Unifi Dream Machine acting as a firewall, router, switch and access point, and have seen a couple of blocked request notifications in the last 24h, so I imagine that it might be getting triggered. I'll have another look at that. I can confirm that my public IP is not accessible on port 80 from outside of the network (I should have checked that earlier), so it must be something to do with my router's configuration.

I've seen others say that they have trouble with port forwarding port 80 on the UDM, but others say that it works without any problems, so I'm yet to understand what could be causing this - other ports forward just fine.


Alright, it turns out it wasn't the UDM either: I had moved house since the last time I needed to renew, and despite staying with the same ISP, they had re-enabled port blocking rules. I've disabled that now and will report back.


Yep, it seems to have worked after fixing the ISP's settings. Sorry for the false alarm and thanks for the assistance!


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.