Unable to use Certbot with Google Subdomain


#1

Hi, I am new to Certbot. I wish to install it on my Raspberry Pi3, which is accessible via a Google Subdomain.

My domain is: pi.eazyigz.com

I ran this command: sudo certbot --apache

It produced this output:
Failed authorization procedure. pi.eazyigz.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 74.68.41.104:443 for TLS-SNI-01 challenge
IMPORTANT NOTES:
The following errors were reported by the server:
Domain: pi.eazyigz.com
Type: connection
Detail: Failed to connect to 74.68.41.104:443 for TLS-SNI-01
challenge

My operating system is (include version): Raspberry Pi3 Debian 8

My web server is (include version): Google Subdomain

My hosting provider, if applicable, is: Google

I can login to a root shell on my machine (yes or no, or I don’t know): YES

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): domains.google.com


#2

As certbot tells you, it is a connection issue. I can’t connect to it either.

First, get to a point where someone outside your network can connect to your rpi on port 443 with a default/self-signed certificate. The latter will give a certificate warning, which is a good indicator that things are set up correctly.

Right now, the connection times out. Once you have routing and firewalling configured correctly, but not yet started apache, the connection will reset immediately. When you then start apache with a self-signed cert, your external tester will get a certificate error.

Then use certbot to request the certificate.


#3

Setting up the server for https with self-signed cert is the part I was missing on my own “home box” system. Just decided to try that and was setting it up when I tripped over this post. Nice to know I was on the right path.

Knowledge shared is knowledge preserved. :smiley:


#4

Yes, as @kkp and @gypsypriest indicate you need to port forward 443 to your Raspberry Pi. On my Plusnet (UK) HubOne modem/router I used “Advanced”, “Firewall”, “Port forwarding” and assigned “HTTPS Server” to the internal IP of my Pi.


#5

How did you try to connect to 443? I mean, does an SSL endpoint have to be created for that?


#6

No. Before the SSL handshake can take place, the TCP session has to be set up. I simply did:

telnet pi.eazyigz.com 443

telnet does nothing more than set up a TCP session. It sends a SYN packet towards your rpi, and waits for a SYNACK packet back. Now there are three different outcomes:

  • If the firewalling and routing is misconfigured, the packet never reaches the rpi, and the rpi never sends a SYNACK packet. My telnet will sit there, slowly retransmitting SYN packets, and finally give up and time out. This is what happened here. (*)
  • If the packet reaches the rpi, and nothing is listening on port 443, the rpi will send an RST packet back. My telnet will print ‘connection refused’.
  • If the packet reaches the rpi, and something is listening on port 443, the rpi will send a SYNACK packet. My telnet will print ‘connected’.

(*) misconfigured routing and firewalling on the outbound path will give the same result as misconfigured firewalling on the inbound path.


#7

Thank you for the explanation. Lastly, don’t I need a telnet server listening on that port for it to work?


#8

Nope! telnet is able to connect to any sort of TCP server. You can see this with something like

telnet www.google.com 80
GET / HTTP/1.0

(It’s not very useful to use telnet to establish communications with an actual TLS service because you probably won’t be able to speak TLS, a binary protocol, very easily yourself.)
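To make the three outcomes described in post #6 and the plain-TCP point of post #8 concrete, here is an added Python example (not from this thread or from Certbot) that classifies a connect attempt the way the telnet test does, then speaks HTTP/1.0 over the raw socket just as typing `GET / HTTP/1.0` into telnet would. It starts its own listener on loopback so it runs offline; the remote host name in the usage lines is a placeholder. The challenge type named in the original error, TLS-SNI-01, has since been retired by Let's Encrypt, but the same reachability check applies to whichever port the challenge you use needs (80 for http-01, 443 for tls-alpn-01).

```python
"""TCP reachability probe, in the spirit of the telnet test in this thread.

Added example, not code from the original posts. Remote host names are
placeholders; the sample HTTP listener is started locally so the script
runs offline.
"""
import http.server
import socket
import threading


def probe(host, port, timeout=5.0):
    """Classify a TCP connect attempt like the telnet outcomes above:
    'connected'   - SYN/ACK came back, something is listening
    'refused'     - RST came back, port reached but nothing bound to it
    'timeout'     - no answer at all: filtered or misrouted on either path
    'unreachable' - resolver or routing error reported locally (ICMP, DNS)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "connected"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:          # alias of TimeoutError on 3.10+
        return "timeout"
    except OSError:                 # gaierror, ENETUNREACH, EHOSTUNREACH ...
        return "unreachable"


def raw_http_get(host, port, path="/", timeout=5.0):
    """Send an HTTP/1.0 request over a bare socket and return the status
    line. HTTP/1.0 servers close the connection after the response, so
    reading until EOF is enough to collect the whole reply."""
    request = f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    response = b"".join(chunks)
    return response.split(b"\r\n", 1)[0].decode("iso-8859-1")


class _HelloHandler(http.server.BaseHTTPRequestHandler):
    """Minimal local listener standing in for the rpi's web server."""

    def do_GET(self):
        body = b"hello from the local test listener\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the demo output quiet
        pass


def start_local_listener():
    """Bind an ephemeral loopback port; returns (server, port)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), _HelloHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def closed_local_port():
    """Pick a loopback port nothing listens on, by binding and releasing it."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    server, port = start_local_listener()
    print("listening port :", probe("127.0.0.1", port))          # connected
    print("status line    :", raw_http_get("127.0.0.1", port))   # HTTP/1.0 200 OK
    print("closed port    :", probe("127.0.0.1", closed_local_port()))  # refused
    # Placeholder host: from outside your network this is the check that
    # matters; 'timeout' is the state the original poster was in.
    print("remote 443     :", probe("pi.example.invalid", 443, timeout=3))
    server.shutdown()
```

Run the remote probe from a machine outside your own network (or a phone off Wi-Fi): `timeout` means the SYN never came back, so routing or the firewall still needs work; `refused` means the port forward is working but nothing is bound to the port yet; `connected` is the point at which certbot can reach you.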


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.