Unraid Docker Certbot Firewall Issue

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: Traxson.net

I ran this command: Request New SSL Certificate

It produced this output: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

My web server is (include version): Swag (Latest)

The operating system my web server runs on is (include version): Unraid 6.9.2

My hosting provider, if applicable, is: Cloudflare

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

I am running Nginx Proxy Manager on an Unraid server, trying to proxy different Docker containers and a website. I am using pfSense as a router/firewall.

Everything is port forwarded correctly and the rules for ports 80 and 443 are set to pass.
Using the built-in traceroute in pfSense, I know my NPM Docker container is accepting traffic on ports 8080 and 4443, and the router is set to forward all incoming traffic from 80 -> 8080 and 443 -> 4443.

I can't find any reason why I'm getting a firewall error like this with Certbot.


Hi @Jomigo, welcome to the LE community forum 🙂

There is one thing that might make this... complicated.

  1. Cloudflare

At a minimum, CF will likely be redirecting HTTP to HTTPS.
So if the challenge request is being expected in HTTP, it might not even be heard (there).
I would start by reviewing the webserver config, with:
sudo nginx -T
And also review the LE log file.


Okay, I'm not sure exactly what I should be looking for in my sudo nginx -T output, though.

After some tinkering, these are the latest error messages I'm getting now:

2021-09-17 20:54:07,183:ERROR:certbot._internal.log:An unexpected error occurred:
2021-09-17 20:54:07,184:ERROR:certbot._internal.log:requests.exceptions.ConnectionError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x14f259d554c0>: Failed to establish a new connection: [Errno -3] Try again'))

Then, can you show it here so that others may look for you?


Here is the log file after the most recent attempt to get a Let's Encrypt cert. Hopefully this is what you're asking for.

2021-09-19 15:40:12,490:DEBUG:certbot._internal.main:certbot version: 1.19.0
2021-09-19 15:40:12,490:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2021-09-19 15:40:12,490:DEBUG:certbot._internal.main:Arguments: ['--non-interactive', '--config', '/etc/letsencrypt.ini', '--cert-name', 'npm-32', '--agree-tos', '--authenticator', 'webroot', '--email', 'traxsoninc@outlook.com', '--preferred-challenges', 'dns,http', '--domains', 'bitwarden.traxson.net']
2021-09-19 15:40:12,490:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#dns-cloudflare,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-09-19 15:40:12,622:DEBUG:certbot._internal.log:Root logging level set at 30
2021-09-19 15:40:12,624:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
2021-09-19 15:40:12,631:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: Authenticator, Plugin
Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
Initialized: <certbot._internal.plugins.webroot.Authenticator object at 0x1462a43e8b80>
Prep: True
2021-09-19 15:40:12,631:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.webroot.Authenticator object at 0x1462a43e8b80> and installer None
2021-09-19 15:40:12,632:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2021-09-19 15:40:12,639:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/201308930', new_authzr_uri=None, terms_of_service=None), f2a050da278cafcdd81ddfb7fb942486, Meta(creation_dt=datetime.datetime(2021, 9, 15, 5, 57, 53, tzinfo=<UTC>), creation_host='7a6b0d3039bf', register_to_eff=None))>
2021-09-19 15:40:12,640:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2021-09-19 15:40:12,662:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2021-09-19 15:40:13,012:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2021-09-19 15:40:13,013:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 19 Sep 2021 20:40:12 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert",
  "x24Z0Zyk4ks": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417"
}
2021-09-19 15:40:13,014:DEBUG:certbot._internal.display.obj:Notifying user: Requesting a certificate for bitwarden.traxson.net
2021-09-19 15:40:13,016:DEBUG:certbot.crypto_util:Generating ECDSA key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
2021-09-19 15:40:13,051:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem
2021-09-19 15:40:13,052:DEBUG:acme.client:Requesting fresh nonce
2021-09-19 15:40:13,052:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2021-09-19 15:40:13,112:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2021-09-19 15:40:13,113:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 19 Sep 2021 20:40:13 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0001vzwr1B0Nu6bNEDseroLNQw7-JSddEuBUF7Rf5Vt1V_g
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


2021-09-19 15:40:13,114:DEBUG:acme.client:Storing nonce: 0001vzwr1B0Nu6bNEDseroLNQw7-JSddEuBUF7Rf5Vt1V_g
2021-09-19 15:40:13,114:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "bitwarden.traxson.net"\n    }\n  ]\n}'
2021-09-19 15:40:13,116:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMjAxMzA4OTMwIiwgIm5vbmNlIjogIjAwMDF2endyMUIwTnU2Yk5FRHNlcm9MTlF3Ny1KU2RkRXVCVUY3UmY1VnQxVl9nIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9uZXctb3JkZXIifQ",
  "signature": "M4zHl3G3jKiSJTYH7wvOKjJig6dcnGaMOBGTSFb7PpR68kcrZYOnVRwlC3ClFgb9Q5F0HCeTyiaK9mF3AuR8LEmSUkYzYAd_bYqB_dFGDt2FsNKpf0SEpR0ddb_J6xccpU1umHriQgGyEeKcUD-ind2iC5RYnWoT1x--EU_ro7Bm4s1xHE7c7hzKzlGy1x8Avt2f65Fl9i5gltXE63gql1sUGpj_gf0o_91DX6UsENBbgW2lZKZ9Sc6AM7mfx3hlOX9oyknDgjX_bah2HPM_-N-OO4eagYqagVnv2WBx9I_iUPMwA4HMY0Cw5d9nWRAB9B7qDqiHqIOGq3Rh5WKwiA",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogImJpdHdhcmRlbi50cmF4c29uLm5ldCIKICAgIH0KICBdCn0"
}
2021-09-19 15:40:13,217:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 344
2021-09-19 15:40:13,218:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Sun, 19 Sep 2021 20:40:13 GMT
Content-Type: application/json
Content-Length: 344
Connection: keep-alive
Boulder-Requester: 201308930
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/201308930/25709860080
Replay-Nonce: 0001TluIkqDpqA3VhWc2UokmkZbeYKn0qEpDho-DagPv7VU
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2021-09-26T20:40:13Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "bitwarden.traxson.net"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/32528097390"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/201308930/25709860080"
}
2021-09-19 15:40:13,218:DEBUG:acme.client:Storing nonce: 0001TluIkqDpqA3VhWc2UokmkZbeYKn0qEpDho-DagPv7VU
2021-09-19 15:40:13,219:DEBUG:acme.client:JWS payload:
b''
2021-09-19 15:40:13,221:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/32528097390:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMjAxMzA4OTMwIiwgIm5vbmNlIjogIjAwMDFUbHVJa3FEcHFBM1ZoV2MyVW9rbWtaYmVZS24wcUVwRGhvLURhZ1B2N1ZVIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8zMjUyODA5NzM5MCJ9",
  "signature": "H4QwjT8XHamepY9gTHkJcfbpY95VahB2tdBNmEbYsJ15DFPo4vUewvBzPIIXcKmFZtnSviyqhB9jAKw6phmqyZUQrbALmEAAKDpW6ZBU5bWl22K0HACylV9p_irQUptichSG8cQXI3SlsrfB62bgK16Fh57j3BQevJVs0yIEhuEZiKQXvhOO-rQ1o18Zm2JhSigZvHtH3r6s5fTdzlOP9LPTaZBjAMUBWzo-qOEFEfp4XuPbY9RIM_XS-oLykSWVN74dcnEBZVrSX70B65txdcIGdrMJDQhHmMkTXdpzUinkI-k4W9UWzCBocfZGRK9mXy1R89XKuPSVqDkQC5qaTQ",
  "payload": ""
}
2021-09-19 15:40:13,311:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/32528097390 HTTP/1.1" 200 802
2021-09-19 15:40:13,312:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 19 Sep 2021 20:40:13 GMT
Content-Type: application/json
Content-Length: 802
Connection: keep-alive
Boulder-Requester: 201308930
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0002lkWAHcrT6_hzJdrf-j-tRasLa8ou81h0QuxW1sDyC7g
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "bitwarden.traxson.net"
  },
  "status": "pending",
  "expires": "2021-09-26T20:40:13Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/32528097390/lPJIvQ",
      "token": "Z2DZTUcIfRgZiBCc35O7PFITgRqVI_jz66Fm_VO0ZbM"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/32528097390/ZLnMTQ",
      "token": "Z2DZTUcIfRgZiBCc35O7PFITgRqVI_jz66Fm_VO0ZbM"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/32528097390/rpN-LA",
      "token": "Z2DZTUcIfRgZiBCc35O7PFITgRqVI_jz66Fm_VO0ZbM"
    }
  ]
}
2021-09-19 15:40:13,313:DEBUG:acme.client:Storing nonce: 0002lkWAHcrT6_hzJdrf-j-tRasLa8ou81h0QuxW1sDyC7g
2021-09-19 15:40:13,314:INFO:certbot._internal.auth_handler:Performing the following challenges:
2021-09-19 15:40:13,314:INFO:certbot._internal.auth_handler:http-01 challenge for bitwarden.traxson.net
2021-09-19 15:40:13,314:INFO:certbot._internal.plugins.webroot:Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.
2021-09-19 15:40:13,315:DEBUG:certbot._internal.plugins.webroot:Creating root challenges validation dir at /data/letsencrypt-acme-challenge/.well-known/acme-challenge
2021-09-19 15:40:13,317:DEBUG:certbot._internal.plugins.webroot:Attempting to save validation to /data/letsencrypt-acme-challenge/.well-known/acme-challenge/Z2DZTUcIfRgZiBCc35O7PFITgRqVI_jz66Fm_VO0ZbM
2021-09-19 15:40:13,318:DEBUG:acme.client:JWS payload:
b'{}'
2021-09-19 15:40:13,319:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/32528097390/lPJIvQ:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMjAxMzA4OTMwIiwgIm5vbmNlIjogIjAwMDJsa1dBSGNyVDZfaHpKZHJmLWotdFJhc0xhOG91ODFoMFF1eFcxc0R5QzdnIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9jaGFsbC12My8zMjUyODA5NzM5MC9sUEpJdlEifQ",
  "signature": "GpW0YIzN3suGXMfMvOQRdgEWv5vZLqg8bNa4N_h15927g3A9Syrvy30DF3kY0yi1kBCEXlVgILbRxGGlONJhWKK_A3qPMQjv73JQp7Dd5pSM-Ofg8e2-FprV6o2ajzv8HRymUHQfHgORq9F9ajfNjjGinU7Ca38zJT3E0mg6F4W4JYD13UF8Z9XLJeaZSTTRnOL8taQiNmdc7rvPr77vl_AC37YKgMDPdyy-EurdhI-RBqyZc8BG3-G_sEU0kcnCriH5-7LVp9CInlJQtxjLOTjyvbi-7UdNlBfjUY-o6wXKlqeKNkaXldGcDFVTaj5gXNSz291v0aoOV4fVS9UBow",
  "payload": "e30"
}
2021-09-19 15:40:13,413:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/32528097390/lPJIvQ HTTP/1.1" 200 186
2021-09-19 15:40:13,414:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 19 Sep 2021 20:40:13 GMT
Content-Type: application/json
Content-Length: 186
Connection: keep-alive
Boulder-Requester: 201308930
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz-v3/32528097390>;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/32528097390/lPJIvQ
Replay-Nonce: 0002DFB80-BV79jL1dNmbnVg2GC_p11CXoNmynI9yq-rQp4
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/32528097390/lPJIvQ",
  "token": "Z2DZTUcIfRgZiBCc35O7PFITgRqVI_jz66Fm_VO0ZbM"
}
2021-09-19 15:40:13,414:DEBUG:acme.client:Storing nonce: 0002DFB80-BV79jL1dNmbnVg2GC_p11CXoNmynI9yq-rQp4
2021-09-19 15:40:13,415:INFO:certbot._internal.auth_handler:Waiting for verification...
2021-09-19 15:40:14,417:DEBUG:acme.client:JWS payload:
b''
2021-09-19 15:40:14,419:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/32528097390:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMjAxMzA4OTMwIiwgIm5vbmNlIjogIjAwMDJERkI4MC1CVjc5akwxZE5tYm5WZzJHQ19wMTFDWG9ObXluSTl5cS1yUXA0IiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8zMjUyODA5NzM5MCJ9",
  "signature": "v-bMRj58nMQx-FjXkieirD2QEE89ajIEVHdZRjNfUg8Yo18WgOT5DjwkvqxLN6DZJiZh-aIA9eqKOKRNrlv7iailfH0VRlnSpol_lmzMGbCHvzkePeiS8CsQ0hn4EKUwABKypjCe2KuCs9skIvmqvaoHSvD-P46yfYF0T3jFLSKImpZEj_LXgy0BYQ7vuVRebjAtzmiSxIuDN5kfHjE6DJLBdNr6wjQzk4hUxKA4fiTUwJkt9ZGK2X3B5QKGvabRN5ePjfM5olll0fA2zSlbzhDdD3APVtuKtg2iY4anCm8nymAomJPzXWnNYDr6VZ0NNmzpAK6chxHPoJUNKwM2ew",
  "payload": ""
}
2021-09-19 15:40:14,489:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/32528097390 HTTP/1.1" 200 802
2021-09-19 15:40:14,490:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 19 Sep 2021 20:40:14 GMT
Content-Type: application/json
Content-Length: 802
Connection: keep-alive
Boulder-Requester: 201308930
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0002EHUl_O9AKdtnaBoQBmliuXPxAUpQyPIU6qJFij4BVM4
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "bitwarden.traxson.net"
  },
  "status": "pending",
  "expires": "2021-09-26T20:40:13Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/32528097390/lPJIvQ",
      "token": "Z2DZTUcIfRgZiBCc35O7PFITgRqVI_jz66Fm_VO0ZbM"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/32528097390/ZLnMTQ",
      "token": "Z2DZTUcIfRgZiBCc35O7PFITgRqVI_jz66Fm_VO0ZbM"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/32528097390/rpN-LA",
      "token": "Z2DZTUcIfRgZiBCc35O7PFITgRqVI_jz66Fm_VO0ZbM"
    }
  ]
}
2021-09-19 15:40:14,490:DEBUG:acme.client:Storing nonce: 0002EHUl_O9AKdtnaBoQBmliuXPxAUpQyPIU6qJFij4BVM4
2021-09-19 15:40:17,494:DEBUG:acme.client:JWS payload:
b''
2021-09-19 15:40:17,496:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/32528097390:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMjAxMzA4OTMwIiwgIm5vbmNlIjogIjAwMDJFSFVsX085QUtkdG5hQm9RQm1saXVYUHhBVXBReVBJVTZxSkZpajRCVk00IiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8zMjUyODA5NzM5MCJ9",
  "signature": "Rerrf0Z3q8BvBmkQVq1z8jzY1GaNoro6lpfPDM2GF0-3MfMAK8UPrWimlLrAfv12jPfEz63IxM9HmbIzaiupA7Sa1fDh-vbipyknbwzm1TYgqfjRdNVafWrD7dom03pDLXBM_TJlqmN0YhEI8BSDIEEDDXLt-AI8Orw-HpABDSBbsuxuBE9GKXxXlAx6Hue7uJR0dfO98rfvb6vqogEvyH0FPga-P4po7IEACIgOOhyuyJJ-DkZDUnaKcpfSgkMljhgFyla0mtgMEAWRuh3IVsCnkwj0DpHwdRAR5yD8lN853MrbcLWNq3sWRw1AcnRBClN6bFzHsJOSctgYi40shw",
  "payload": ""
}
2021-09-19 15:40:17,570:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/32528097390 HTTP/1.1" 200 802
2021-09-19 15:40:17,571:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 19 Sep 2021 20:40:17 GMT
Content-Type: application/json
Content-Length: 802
Connection: keep-alive
Boulder-Requester: 201308930
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0001HGz3n0PPfKui6roT0UA7KQNJj_hIRAnb--a4HBbh-og
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "bitwarden.traxson.net"
  },
  "status": "pending",
  "expires": "2021-09-26T20:40:13Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/32528097390/lPJIvQ",
      "token": "Z2DZTUcIfRgZiBCc35O7PFITgRqVI_jz66Fm_VO0ZbM"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/32528097390/ZLnMTQ",
      "token": "Z2DZTUcIfRgZiBCc35O7PFITgRqVI_jz66Fm_VO0ZbM"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/32528097390/rpN-LA",
      "token": "Z2DZTUcIfRgZiBCc35O7PFITgRqVI_jz66Fm_VO0ZbM"
    }
  ]
}
2021-09-19 15:40:17,571:DEBUG:acme.client:Storing nonce: 0001HGz3n0PPfKui6roT0UA7KQNJj_hIRAnb--a4HBbh-og
2021-09-19 15:40:20,575:DEBUG:acme.client:JWS payload:
b''
2021-09-19 15:40:20,578:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/32528097390:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMjAxMzA4OTMwIiwgIm5vbmNlIjogIjAwMDFIR3ozbjBQUGZLdWk2cm9UMFVBN0tRTkpqX2hJUkFuYi0tYTRIQmJoLW9nIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8zMjUyODA5NzM5MCJ9",
  "signature": "bcy0ecHcIwwCRotynXm3l5m2O4iGSrgZ_JYhhMdDTu3kbqfyoDqg_KdYlmCcdl1AdyoW-8v4SpZOErZyCw4ifSG6oRUc62VLitEIlbW7WXmV8pbbyPg2b-0vYIPLBKJB8nQIHbMdJYcMjWTdmKlYqhNqFlGeAL8dk_7EEML2Ag0B7pN3ksSuyyzlY0izLQThHf-MtY7gOfE-6X7hXX3CTiM13XBjJ7JsMpaOcXj-rkxWHUOA3YVOGk0lzhgO5-De8WU3cMu0b2e3pJDdNwIL2_A-AH3lrgtMQSwM6vJqmbsHzy2Lr2RU3rNeuUWTHtbCKH4-hqUkGkJIzi2-u3mEvQ",
  "payload": ""
}
2021-09-19 15:40:20,653:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/32528097390 HTTP/1.1" 200 802
2021-09-19 15:40:20,654:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 19 Sep 2021 20:40:20 GMT
Content-Type: application/json
Content-Length: 802
Connection: keep-alive
Boulder-Requester: 201308930
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0001XIaZwp6LGLgvqsdABWS3NrCpjMqqY2WizQl3Mn0iYxg
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "bitwarden.traxson.net"
  },
  "status": "pending",
  "expires": "2021-09-26T20:40:13Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/32528097390/lPJIvQ",
      "token": "Z2DZTUcIfRgZiBCc35O7PFITgRqVI_jz66Fm_VO0ZbM"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/32528097390/ZLnMTQ",
      "token": "Z2DZTUcIfRgZiBCc35O7PFITgRqVI_jz66Fm_VO0ZbM"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/32528097390/rpN-LA",
      "token": "Z2DZTUcIfRgZiBCc35O7PFITgRqVI_jz66Fm_VO0ZbM"
    }
  ]
}
2021-09-19 15:40:20,655:DEBUG:acme.client:Storing nonce: 0001XIaZwp6LGLgvqsdABWS3NrCpjMqqY2WizQl3Mn0iYxg
2021-09-19 15:40:23,659:DEBUG:acme.client:JWS payload:
b''
2021-09-19 15:40:23,662:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/32528097390:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMjAxMzA4OTMwIiwgIm5vbmNlIjogIjAwMDFYSWFad3A2TEdMZ3Zxc2RBQldTM05yQ3BqTXFxWTJXaXpRbDNNbjBpWXhnIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8zMjUyODA5NzM5MCJ9",
  "signature": "dJb3QMsWHkHYtuYlNVd8lSzw9wdL1Gv3s7mpjwYU72eybMndBAeZaivWJXcytJn1k6Pfdll3TjXpjdHiPHX9xH5TzY9yCr_pV3ZjzfuPOBsCNNV5xXDnwkluLEj5JdcsXI15a1ExR4JDkwOLPVqRHm15tSNy5P8FCAu35d4vIiJJDpb43GVrhNCUJgkH800kCC1J_jTl3TLZxTpYgUVH0KyDfQnXIzigQHJJTjOe7tTjQzt1qn0BY1yDY7yXCkOSHK8rDs7CGHPi4FQOFiBQGPX053DEExLepXJhL8XFHRiNBOPsuOw5hbWmyOaXEiIIcT4ePgfojaNs5yjobmqLtg",
  "payload": ""
}
2021-09-19 15:40:23,733:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/32528097390 HTTP/1.1" 200 1068
2021-09-19 15:40:23,734:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 19 Sep 2021 20:40:23 GMT
Content-Type: application/json
Content-Length: 1068
Connection: keep-alive
Boulder-Requester: 201308930
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0002CDUlmBpMiQak5tNManaQsFiEAE-SZpIWhj9Q2LIuBQw
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "bitwarden.traxson.net"
  },
  "status": "invalid",
  "expires": "2021-09-26T20:40:13Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "Fetching http://bitwarden.traxson.net/.well-known/acme-challenge/Z2DZTUcIfRgZiBCc35O7PFITgRqVI_jz66Fm_VO0ZbM: Timeout during connect (likely firewall problem)",
        "status": 400
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/32528097390/lPJIvQ",
      "token": "Z2DZTUcIfRgZiBCc35O7PFITgRqVI_jz66Fm_VO0ZbM",
      "validationRecord": [
        {
          "url": "http://bitwarden.traxson.net/.well-known/acme-challenge/Z2DZTUcIfRgZiBCc35O7PFITgRqVI_jz66Fm_VO0ZbM",
          "hostname": "bitwarden.traxson.net",
          "port": "80",
          "addressesResolved": [
            "98.168.242.228"
          ],
          "addressUsed": "98.168.242.228"
        }
      ],
      "validated": "2021-09-19T20:40:13Z"
    }
  ]
}
2021-09-19 15:40:23,735:DEBUG:acme.client:Storing nonce: 0002CDUlmBpMiQak5tNManaQsFiEAE-SZpIWhj9Q2LIuBQw
2021-09-19 15:40:23,735:INFO:certbot._internal.auth_handler:Challenge failed for domain bitwarden.traxson.net
2021-09-19 15:40:23,736:INFO:certbot._internal.auth_handler:http-01 challenge for bitwarden.traxson.net
2021-09-19 15:40:23,736:DEBUG:certbot._internal.display.obj:Notifying user: 
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: bitwarden.traxson.net
  Type:   connection
  Detail: Fetching http://bitwarden.traxson.net/.well-known/acme-challenge/Z2DZTUcIfRgZiBCc35O7PFITgRqVI_jz66Fm_VO0ZbM: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

2021-09-19 15:40:23,737:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 90, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 178, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2021-09-19 15:40:23,737:DEBUG:certbot._internal.error_handler:Calling registered functions
2021-09-19 15:40:23,738:INFO:certbot._internal.auth_handler:Cleaning up challenges
2021-09-19 15:40:23,738:DEBUG:certbot._internal.plugins.webroot:Removing /data/letsencrypt-acme-challenge/.well-known/acme-challenge/Z2DZTUcIfRgZiBCc35O7PFITgRqVI_jz66Fm_VO0ZbM
2021-09-19 15:40:23,738:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2021-09-19 15:40:23,739:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/usr/lib/python3.8/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/main.py", line 1572, in main
    return config.func(config, plugins)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/main.py", line 1432, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/main.py", line 133, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/client.py", line 454, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/client.py", line 384, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/client.py", line 434, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 90, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 178, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2021-09-19 15:40:23,741:ERROR:certbot._internal.log:Some challenges have failed.

That all boils down to this:

2021-09-19 15:40:13,314:INFO:certbot._internal.auth_handler:http-01 challenge for bitwarden.traxson.net
2021-09-19 15:40:13,314:INFO:certbot._internal.plugins.webroot:Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.
2021-09-19 15:40:13,315:DEBUG:certbot._internal.plugins.webroot:Creating root challenges validation dir at /data/letsencrypt-acme-challenge/.well-known/acme-challenge
2021-09-19 15:40:13,317:DEBUG:certbot._internal.plugins.webroot:Attempting to save validation to /data/letsencrypt-acme-challenge/.well-known/acme-challenge/Z2DZTUcIfRgZiBCc35O7PFITgRqVI_jz66Fm_VO0ZbM
        "detail": "Fetching http://bitwarden.traxson.net/.well-known/acme-challenge/Z2DZTUcIfRgZiBCc35O7PFITgRqVI_jz66Fm_VO0ZbM: Timeout during connect (likely firewall problem)",
          "addressUsed": "98.168.242.228"

Which has as its primary (possibly only) problem:
Timeout during connect (likely firewall problem)

That seems to indicate that port 80 (HTTP) is unable to reach your system.
You must have a functional HTTP site before you can secure it (via HTTP authentication).

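The reply above reduces the whole log to the failing authorization object and its error detail. The helper below is an added example (not code from this thread, certbot, or Let's Encrypt) that does the same reduction mechanically: it takes the authorization JSON certbot logs under "Received response", pulls out the error type, the port and the address the CA actually connected to, and says whether that address belongs to a Cloudflare edge (i.e. the record is proxied) or is the origin itself. The sample authorization is copied from the log above and abridged; the Cloudflare IPv4 ranges are a snapshot and an assumption to re-check against https://www.cloudflare.com/ips/ before relying on them.

```python
"""Added triage helper for a failed ACME authorization object (RFC 8555 section 7.1.4)."""
import ipaddress
import json

# Snapshot of Cloudflare's published IPv4 edge ranges (assumption: re-check
# https://www.cloudflare.com/ips/ before relying on this list).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# What each RFC 8555 error type usually means for an http-01 failure.
HINTS = {
    "connection": "nothing answered on that port: NAT/port-forward, host firewall, or the ISP blocking inbound 80",
    "unauthorized": "something answered but not with the key authorization: wrong webroot, catch-all vhost, or a redirect elsewhere",
    "dns": "the CA's resolvers could not resolve the name cleanly (NXDOMAIN, CAA, DNSSEC)",
    "tls": "the TLS handshake on a redirect target failed",
}


def via_cloudflare(ip: str) -> bool:
    """True when the CA connected to a Cloudflare edge node, i.e. the DNS
    record is proxied (orange cloud) instead of pointing at the origin."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in CLOUDFLARE_V4)


def triage(authz: dict) -> list:
    """Reduce each invalid challenge to the facts that decide the next step."""
    findings = []
    for ch in authz.get("challenges", []):
        if ch.get("status") != "invalid":
            continue
        err = ch.get("error") or {}
        etype = err.get("type", "").rsplit(":", 1)[-1]   # "urn:ietf:params:acme:error:connection" -> "connection"
        records = ch.get("validationRecord") or []
        used = [r["addressUsed"] for r in records if r.get("addressUsed")]
        findings.append({
            "domain": authz["identifier"]["value"],
            "challenge": ch.get("type"),
            "error": etype,
            "detail": err.get("detail", ""),
            "port": records[-1].get("port") if records else None,   # last record is the final hop after redirects
            "address_used": used[-1] if used else None,
            "via_cloudflare": bool(used) and via_cloudflare(used[-1]),
            "hint": HINTS.get(etype, "read the detail string"),
        })
    return findings


# The failing authorization from the log above, abridged to the fields triage() reads.
SAMPLE_AUTHZ = json.loads("""
{
  "identifier": {"type": "dns", "value": "bitwarden.traxson.net"},
  "status": "invalid",
  "challenges": [{
    "type": "http-01",
    "status": "invalid",
    "error": {
      "type": "urn:ietf:params:acme:error:connection",
      "detail": "Fetching http://bitwarden.traxson.net/.well-known/acme-challenge/Z2DZTUcIfRgZiBCc35O7PFITgRqVI_jz66Fm_VO0ZbM: Timeout during connect (likely firewall problem)",
      "status": 400
    },
    "validationRecord": [{
      "url": "http://bitwarden.traxson.net/.well-known/acme-challenge/Z2DZTUcIfRgZiBCc35O7PFITgRqVI_jz66Fm_VO0ZbM",
      "hostname": "bitwarden.traxson.net",
      "port": "80",
      "addressesResolved": ["98.168.242.228"],
      "addressUsed": "98.168.242.228"
    }]
  }]
}
""")

if __name__ == "__main__":
    for finding in triage(SAMPLE_AUTHZ):
        print(json.dumps(finding, indent=2))
```

For the authorization in this thread the output says: error type connection, port 80, address 98.168.242.228, not a Cloudflare address. That last point matters because it shows the CA went straight to the residential IP, so Cloudflare's HTTP-to-HTTPS redirect is not in the path and the timeout is between the internet and the pfSense box.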

That's the part I don't fully understand, because I have all my port forwards set right on my pfSense router, but you are correct, something is still blocking it. I should be able to get to the basic nginx congratulations page if I just enter my IP address in the address bar of any web browser, but I cannot.


Just adding a tidbit ... I can reach bitwarden.traxson.net using port 443. curl says it is a self-signed cert, but at least it reached bitwarden. I time out trying port 80, just like you (and Cloudflare).

This puts the focus purely on port 80. I am new here but have seen a couple of cases where the internet service provider blocked that port - could that be possible with your Cox connection? Mind, this is very speculative on my part.

Here was my curl to 443:

curl -v https://bitwarden.traxson.net
*   Trying 98.168.242.228:443...
* Connected to bitwarden.traxson.net (98.168.242.228) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
*  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: self signed certificate
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.se/docs/sslcerts.html

As noted, a similar request using http just times out.

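The curl check above and the "Timeout during connect" reply before it are both doing by hand what the CA does during an http-01 validation. The script below is an added example (not code from this thread, certbot, or Boulder) that reproduces that validation end to end: it computes the key authorization the CA expects from the token and the account key's RFC 7638 thumbprint, fetches http://host/.well-known/acme-challenge/token on port 80 with a short timeout, follows redirects the way Boulder does (without verifying the redirect target's certificate, so a self-signed cert cannot mask the real problem), and reports a verdict in the CA's own vocabulary. Run it from outside the LAN, not from the Unraid box, or the pfSense NAT rules are never exercised. The demo at the bottom runs the same check against three local stand-ins (a correct webroot, a webroot missing the file, and a port that accepts connections but never answers); the account key in it is a constructed placeholder, not a real key, and the token is the one from the failed authorization in the log.

```python
"""Added self-check that mimics Let's Encrypt's http-01 validation (RFC 8555 section 8.3)."""
import base64
import hashlib
import http.client
import json
import socket
import ssl
import threading
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

ACME_PATH = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canon = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canon.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Body the CA expects in the challenge file: <token>.<thumbprint>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def fetch_challenge(host, token, port=80, timeout=5.0, max_redirects=10):
    """GET the challenge URL like Boulder: plain HTTP first, short timeout,
    redirects followed. Returns (status, body) or ("timeout"|"error", reason)."""
    url = f"http://{host}:{port}{ACME_PATH}{token}"
    insecure = ssl._create_unverified_context()  # the CA does not validate certs on redirect targets either
    for _ in range(max_redirects + 1):
        u = urllib.parse.urlsplit(url)
        try:
            if u.scheme == "https":
                conn = http.client.HTTPSConnection(u.hostname, u.port, timeout=timeout, context=insecure)
            else:
                conn = http.client.HTTPConnection(u.hostname, u.port, timeout=timeout)
            conn.request("GET", u.path or "/", headers={"User-Agent": "acme-selfcheck"})
            resp = conn.getresponse()
            body = resp.read()
            conn.close()
        except socket.timeout:
            return "timeout", f"no answer from {u.hostname}:{u.port} within {timeout}s (NAT, firewall or ISP block)"
        except OSError as exc:
            return "error", f"{u.hostname}:{u.port}: {exc}"
        location = resp.getheader("Location")
        if resp.status in (301, 302, 303, 307, 308) and location:
            url = urllib.parse.urljoin(url, location)
            continue
        return resp.status, body.decode("utf-8", "replace").strip()
    return "error", "too many redirects"


def verify_http01(host, token, account_jwk, **fetch_kw) -> str:
    """One-line verdict using the same error classes the CA reports."""
    expected = key_authorization(token, account_jwk)
    status, body = fetch_challenge(host, token, **fetch_kw)
    if status in ("timeout", "error"):
        return f"connection: {body}"
    if status != 200:
        return f"unauthorized: HTTP {status} {body[:60]!r}"
    if body != expected:
        return f"unauthorized: wrong key authorization {body[:60]!r}"
    return "valid"


def serve_webroot(files: dict):
    """Throwaway server on 127.0.0.1 serving {path: bytes}, a stand-in for the
    webroot certbot writes into (/data/letsencrypt-acme-challenge in the log)."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            body = files.get(self.path)
            self.send_response(200 if body is not None else 404)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(body if body is not None else b"not found")

        def log_message(self, *args):  # keep the demo quiet
            pass
    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def silent_listener():
    """TCP socket that completes the handshake but never answers: what a
    forward into a dead container port looks like from the CA's side."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s, s.getsockname()[1]


# Constructed placeholder account key (not a real key) and the token from the log above.
DEMO_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-demo-modulus"}
TOKEN = "Z2DZTUcIfRgZiBCc35O7PFITgRqVI_jz66Fm_VO0ZbM"


def demo() -> dict:
    """Check a correct webroot, a webroot missing the file, and a port that never answers."""
    srv, good_port = serve_webroot({ACME_PATH + TOKEN: key_authorization(TOKEN, DEMO_JWK).encode()})
    dead, dead_port = silent_listener()
    try:
        return {
            "valid": verify_http01("127.0.0.1", TOKEN, DEMO_JWK, port=good_port),
            "missing": verify_http01("127.0.0.1", "wrong-token", DEMO_JWK, port=good_port),
            "dead": verify_http01("127.0.0.1", TOKEN, DEMO_JWK, port=dead_port, timeout=0.5),
        }
    finally:
        srv.shutdown(); srv.server_close(); dead.close()


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:8s} -> {verdict}")
```

Against a real domain, call verify_http01("bitwarden.traxson.net", token, account_jwk) with the account key's public JWK (certbot keeps it under /etc/letsencrypt/accounts/) while certbot is waiting on the challenge, or simply drop a known file into the webroot and compare the body yourself. A "connection" verdict with the default port 80 reproduces exactly the failure in this thread and rules out the webroot, the vhost and Cloudflare in one step; an "unauthorized" verdict means the packets arrive and the problem is inside nginx.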

Cox specifically documents that they block port 80 on residential connections.


I just talked to Cox and they confirmed that they are not blocking any ports to my network.
I specifically confirmed that ports 80 and 443 are not blocked to my house.


You said if all was working right you should see a 'Congrats' page. When I used curl to try port 443 I got an empty response - not a congrats page.

You can use your browser to see this too if you prefer
https://98.168.242.228
My browser issued a warning about an 'unsafe cert', but we know that is your self-signed cert (from my prior curl), so we can ignore that helpful warning in this special case. My browser then said 'empty response' - the same as if I did curl -k (target).

It seems to me that if you could get your expected Congrats response through 443 it might give a clue as to port 80. You have a number of 'moving parts' (Unraid, Docker, nginx, pfSense) to evaluate - the more clues the better.


So then it has to be something with my firewall blocking it? I use pfSense and I port forward ports 80 and 443 the same as all the other ports for my game servers and stuff, and they all work just fine. Maybe I need to have someone take a look at my router and see if there is anything messed up with it.


If your router configuration for 80 and 443 are identical, and 443 works but 80 does not, and you're on a residential Cox connection, then my guess would be that the documentation page from Cox that I linked is correct (that they do in fact block port 80), and that whomever you spoke with at Cox was misinformed. There are a lot of conditions I put in that sentence, though.

