Unable to request certificate

Hello!

My domain is: pstn.pw

I ran this command: letsencrypt certonly -a webroot --webroot-path=/var/www/html -d pstn.pw --rsa-key-size 4096

I followed this guide : https://www.chasewright.com/lets-encrypt-and-nginx/

My site works though. Here are my records settings @ namecheap https://i.imgur.com/zmhgkkM.jpg

It produced this output:

Failed authorization procedure. pstn.pw (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://pstn.pw/.well-known/acme-challenge/BgsOYGB-84c8EMIL2IlwhJLtbSGzQpCh5DhYOQsl9Vs: Timeout

IMPORTANT NOTES:
 - If you lose your account credentials, you can recover through
   e-mails sent to pstntas@protonmail.com.
 - The following errors were reported by the server:

   Domain: pstn.pw
   Type: connection
   Detail: Fetching http://pstn.pw/.well-known/acme-challenge/BgsOYGB-84c8EMIL2IlwhJLtbSGzQpCh5DhYOQsl9Vs: Timeout

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
 - Your account credentials have been saved in your Let's Encrypt
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Let's
   Encrypt so making regular backups of this folder is ideal.

My web server is (include version): tomcat/nginx

The operating system my web server runs on is (include version): debian 9

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

any ideas?

thank you

$ telnet pstn.pw 80
Trying 66.130.79.120...

At least from my internet connection it is not possible to connect to port 80 (http) on your machine. It looks like an upstream internet connection (modemcable120.79-130-66.mc.videotron.ca) so there might be a firewall at your provider which disables access to port 80. Try tls-sni-01 authentication.

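Added example (not from this thread): a Python pre-flight check that does what the Let's Encrypt validator does for the webroot command in the original post, so the "Timeout" above can be reproduced before running certbot. The domain pstn.pw and the webroot /var/www/html come from the post; the probe token and the offline self-check are constructed.

```python
import os
import secrets
import socket
import tempfile
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"  # path the ACME server fetches under http://<domain>/

def write_probe(webroot, token=None):
    """Drop a throwaway file exactly where certbot's webroot plugin would put the real token."""
    token = token or secrets.token_urlsafe(32)  # constructed probe token, not an ACME token
    path = os.path.join(webroot, CHALLENGE_DIR, token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(token)
    return token, path

def port_open(host, port=80, timeout=5):
    """TCP-level reachability; a blocked port 80 is what the validator's 'Timeout' means."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def local_fetcher(webroot):
    """Fetcher that reads from disk instead of the network: checks only the URL-to-webroot mapping."""
    def fetch(url):
        return open(os.path.join(webroot, CHALLENGE_DIR, url.rsplit("/", 1)[1])).read()
    return fetch

def challenge_served(domain, token, fetch=None):
    """Return (ok, detail): does the URL the validator would fetch return the token body?"""
    url = f"http://{domain}/{CHALLENGE_DIR}/{token}"
    try:
        body = fetch(url) if fetch else urllib.request.urlopen(url, timeout=10).read().decode()
    except Exception as exc:  # timeouts, refused connections and HTTP 403/404 all land here
        return False, f"{url}: {exc}"
    if body.strip() != token:
        return False, f"{url}: served wrong content (webroot path or nginx server block mismatch)"
    return True, url

def offline_selfcheck(domain="pstn.pw"):
    """Round trip through a temporary webroot; no network, so it only proves the path logic."""
    with tempfile.TemporaryDirectory() as webroot:
        token, _ = write_probe(webroot)
        return challenge_served(domain, token, fetch=local_fetcher(webroot))
```

With a real run (`token, path = write_probe("/var/www/html")` then `challenge_served("pstn.pw", token)`), do it from a host outside your own network: a check from the server itself or its LAN can succeed while the public internet still times out, which is exactly what the telnet test above showed.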

Thanks for answering,

if you don’t mind, I’m new to all this, how would I go about using tls-sni-01 authentication?

That guide is kind of old. You can pretty much replace it in its entirety with:

sudo apt-get install python-certbot-nginx
sudo certbot --nginx -d pstn.pw

This will automatically configure an SSL server for you, skipping most of the manual work in that guide. The only thing you may have to do is edit the nginx configuration files automatically generated by certbot for Guacamole if you are using it.

If you really want to manually configure everything as that guide suggests, do this instead:

sudo certbot certonly -a nginx -d pstn.pw --rsa-key-size=4096

Even then, @pstn requires a webserver which is reachable from the world wide web. Now, neither port 80 nor port 443 is accessible from my endpoint.


Thanks for your help guys, I spent the whole day on it and finally got it working (as pstn.fun this time), there's only a small issue left. www.pstn.fun says "insecure connection" so I have to confirm an exception, then it'll load but as insecure...

I did sudo certbot --nginx -d pstn.fun and did enable https redirection

any ideas?

thanks again

You need to get a new certificate valid for both names. (Or you could use two separate certificates, but that’s complicated.)

You can use sudo certbot --nginx -d pstn.fun -d www.pstn.fun to create it.


Ah ok, will that command get a new one that’s valid for both? or is it to get two separate ones?

thanks

Yes, exactly - one certificate which contains both names.


thanks a lot for all your help guys, I really appreciate it!
