[URGENT] Unable to obtain a certificate via certbot

Oh, sorry, I forgot the certonly in the command. It should be this (and do keep the --dry-run)

certbot certonly --standalone --dry-run --debug-challenges -v -d de2.azurware.fr

You should see something like below. When it says "Press Enter to Continue" do not do that. Leave it paused and test it as I described. Or, post the URL here

Performing the following challenges:
http-01 challenge for de2.azurware.fr


Challenges loaded. Press continue to submit to CA.

The following URLs should be accessible from the internet and return the value
mentioned:

URL:
http://de2.azurware.fr/.well-known/acme-challenge/YX-2D1i-dspL69smknvumu-SlM0ip0SD5HthzkvbjaI
Expected value:
YX-2D1i-dspL69smknvumu-SlM0ip0SD5HthzkvbjaI.mgHwhToeOgo6Nr4Ly01jMHNVpII2Pw3tUlsjR3uYyAc


Press Enter to Continue

5 Likes

Thank you !

It seems to be loaded. There is the URL (I thnik that it's her) : http://de2.azurware.fr/
I'm not going to lie to you that I don't understand it at all so I don't know how to do it. All I can say is that the URL is accessible with a message "ACME client standalone challenge solver". I tested it on my computer and on my phone, activating only 4G.

Thanks !

1 Like

So, does your cert request work then?

If not, I suspect something is blocking only some requests. That's why I asked you to post the URL while paused so I could fully evaluate access to your server. It would go quicker if you just followed instructions.

3 Likes

I don't think I understand everything, I just gave you the URL I was given...

This is what I am told in the console:

root@de2:~# certbot certonly --standalone --dry-run --debug-challenges -v -d de2.azurware.fr
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Account registered.
Simulating a certificate request for de2.azurware.fr
Performing the following challenges:
http-01 challenge for de2.azurware.fr


Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about
challenges.

Press Enter to Continue

So I guess the URL is de2.azurware.fr?
I'm trying to follow what you're telling me, but I have the impression that we're not seeing the same thing.

Huh. We are not. See my post #4 for what I see. I am using the latest Certbot version 2.6 but your 1.21 is not all that old. Yours doesn't seem to recognize the -v though since it suggests you include it.

Well, leave it paused and just let us know when it is paused. I can try something else even without the full URL

(upgrading is described at https://certbot.eff.org)

Update: I just checked and see the -v flag was only supported starting 1.24.0. So, I can work without it just let me know when paused

3 Likes

I'm really sorry for the confusion. I never touch this stuff so the slightest hiccup or technical word confuses me! Thanks for your time!

This is currently on pause.

1 Like

OK. You have a firewall setting that is blocking certain requests. Requests that look like they are from a "normal" browser work. But, other requests are blocked which include the kind that the Let's Encrypt server uses.

I say this because I can see your domain just fine from many points around the globe so a geographic based firewall is not involved.

And, then I saw this

(a plain curl request.  that is, not a browser)
curl -I http://de2.azurware.fr
curl: (56) Recv failure: Connection reset by peer

(mimic a browser, this 501 error is actually a successful test)
curl -I http://de2.azurware.fr -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.55"
HTTP/1.0 501 Unsupported method ('HEAD')
Server: BaseHTTP/0.6 Python/3.10.6

NOTE: Did you just fix this because as I am posting the symptom looks different?

4 Likes

Thank you for this crucial information!

No, I haven't done anything, he is still in pause

Edit: It's true that it's very strange from what I understand...

1 Like

OK. It isn't related to the user-agent of the request. But, you do have some odd firewall setting.

I started a fresh test server which had a new IP address. When I tried reaching you the first request failed but then they worked. I'm not sure what to suggest other than review all your network config for any kind of firewalls and turn them off.

The Let's Encrypt servers will often be different IP addresses as they change frequently.

Use the --dry-run while testing because too many failed requests to production will get you blocked for an hour. So, test with this

certbot certonly --standalone --dry-run -d de2.azurware.fr

Here's what I just saw from a fresh test server and new IP

(first request)
curl -I http://de2.azurware.fr
curl: (56) Recv failure: Connection reset by peer

(all after)
curl -I http://de2.azurware.fr
HTTP/1.0 501 Unsupported method ('HEAD')
Server: BaseHTTP/0.6 Python/3.10.6
Date: Sun, 25 Jun 2023 15:45:43 GMT

curl -I http://de2.azurware.fr
HTTP/1.0 501 Unsupported method ('HEAD')
Server: BaseHTTP/0.6 Python/3.10.6
6 Likes

This is what I am seeing, in addition to your findings:

PORT    STATE  SERVICE
80/tcp  open   http
443/tcp closed https
4 Likes

That's what I'd expect to see when --standalone is paused.

Both those ports were closed when --standalone is not running (many other ports are open though - like all of them!)

5 Likes

That's interesting, thank you once again!

From what I can see there's no firewall active on the server, so I'll contact them and have a closer look.

2 Likes

Firewalls come in many forms and can be enabled at many places.

@MikeMcQ Doesn't this look like those pesky Alto Paulo firewalls to you perhaps?

5 Likes

Not any of the usual symptoms. I was getting "reset" using just the domain (no URI) in the HTTP request.

It reminds me of another thread though but I can't recall enough details for a productive search.

They now have nginx listening on port 80 so that's easier. But, I still see a "reset" on a fresh request. The new info is that it isn't just the first http request from a new IP. It's the first http request always (or very often anyway). After the reset you can make a number of successful requests. But, if you don't make any requests for some minutes you will get a reset again followed by successful. This repeats.

The number of "some minutes" in this case is around 5. Not sure what that other thread was but it had the same pattern of: reset, success, success, wait X minutes, reset, success ...

curl -I http://de2.azurware.fr
curl: (56) Recv failure: Connection reset by peer

curl -I http://de2.azurware.fr
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 25 Jun 2023 16:57:32 GMT

curl -I http://de2.azurware.fr
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 25 Jun 2023 16:57:34 GMT

curl -I http://de2.azurware.fr
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 25 Jun 2023 16:58:16 GMT

(5 minutes later)
curl -I http://de2.azurware.fr
curl: (56) Recv failure: Connection reset by peer

curl -I http://de2.azurware.fr
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 25 Jun 2023 17:04:11 GMT
4 Likes

Perhaps some anti-hacking firewall which assumes any port-scanner/hacking tools tries once and ignores the host if it sees a Connection reset by peer that first time?

4 Likes

Everything is back to normal, everything works. I'm told it was a CIDR problem on my host's machine.

I sincerely thank you all for your help and your time!

2 Likes

I beg to differ but if you are happy I am happy. I just tried this again and ...

curl -I http://de2.azurware.fr
curl: (56) Recv failure: Connection reset by peer

curl -I http://de2.azurware.fr
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 25 Jun 2023 17:19:35 GMT
4 Likes

Probably just tried to get a cert within 5 minutes and got lucky :rofl:

4 Likes

I found the threads I was thinking of with a similar pattern of failure. Not sure it's helpful unless this hosting company is GoDaddy or GoDaddy owned.

These failures weren't a reset but same pattern of one fail, some work, then fail again if wait too long. These were both GoDaddy issues apparently. In one case they resolved talking with GoDaddy but the other didn't.

5 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.