What ports need to be open for _acme-challenge to access the domain


#1

I am trying to issue a certificate using acme.sh alias mode, using the DNS challenge. What port should be opened so that my server can communicate with GoDaddy and Let's Encrypt to get the certificate?

My domain is: ekicocvalidation

My web server is (include version): Apache 2.2

The operating system my web server runs on is (include version): RHEL

My hosting provider, if applicable, is: GoDaddy

I can login to a root shell on my machine (yes or no, or I don’t know): No


#2

Hi @Pradeep

If you use the dns-01 challenge, you need a DNS entry _acme-challenge.yourdomain.com. So no open port and no HTTP service is required.

The communication with GoDaddy is locally initiated, so that should not be a problem. Only an outgoing connection is required.


#3

This is the error I am getting, even though the domain is valid and I issued certificates on a different server for a different domain. So we requested access to Let's Encrypt and need the port that is needed to communicate.


#4

Please add --debug or --log to see more details why this doesn’t work.


#5

Should port 53 be opened?


#6

What does curl.haxx.se say about the error code? Please read your output.


#7

That's an “error occurred during the SSL/TLS handshake”.


#8

Testing

download https://api.godaddy.com/v1/domains/ekicocvalidation.com -h
SSL certificate is valid
Error (1): The remote server returned an error: (401) Unauthorized.
ProtocolError
401

says: 401 - not allowed, but no SSL error. So it looks good.

Perhaps your local installation is broken. Or your domain is blocked. I don’t use GoDaddy.

Or your local machine has some broken ssl settings.

Using

https://api.godaddy.com/v1/domains/ekicocvalidation.com

via Firefox says:

{“code”:“MISSING_CREDENTIALS”,“message”:“Unauthorized : Credentials must be specified”}

which is ok, I don’t have credentials.


#9

My domain is blocked. That is the issue. In order for my server to communicate with DNS and validate the domain, which port should be opened?


#10

Your domain is parked.

http://ekicocvalidation.com/

Looking in the source code:

<!-- Server: P3PWFWD003 --><!DOCTYPE html><body style="padding:0; margin:0;"><html><body><iframe src="http://mcc.godaddy.com/park/pau2pTWjnJ55qaShM3MvLF5jLab=" style="visibility: visible;height: 100%; position:absolute" allowtransparency="true" marginheight="0" marginwidth="0" frameborder="0" width="100%"></iframe></body></html><!-- T: 2128 --><!-- Server: P3PWFWD003 -->

http://mcc.godaddy.com/park/

Then you can’t use the domain and can’t add/change your DNS settings.


#11

Thanks for the help. The domain ekicocvalidation is created to be used as a validation domain to generate certificates for our internal domains using the acme DNS alias method. In the screenshot I posted, I was trying to issue a certificate from an integration server. However, when I try to issue a certificate from my QA domain, it works fine. I just issued it. What do you think the issue is? Is it something to do with internal configuration?


#12

Can you point to the documentation for the “acme DNS alias method” that you are trying to use? Or a design document for how you are planning to create such a method? Without such documentation, we can only guess at the configuration you are trying to create, so it will be hard to come up with good answers.


#13

This is the method I used

Added CNAME records in the GoDaddy DNS for the validation domain, and added the CNAME entries there.

Exported the key and secret key. Used the command below to issue the certificate:

./acme.sh --issue -d qa.backtoschoolimmunization.org --challenge-alias ekicocvalidation.com --dns dns_gd
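The command above relies on one piece of DNS wiring that the thread never spells out: in acme.sh's DNS alias mode, the production zone carries `_acme-challenge.<domain> CNAME _acme-challenge.<alias>`, and acme.sh publishes the TXT token only in the alias zone. The following is an added example (not code from the thread or from acme.sh) that models what the validator does when it follows that chain, so the wiring can be checked offline before running `--issue`. The two domain names are the ones from the thread; the zone contents and the token value are constructed for the example, and the "bad" zone shows the most common mistake (CNAME pointing at the bare alias domain instead of its `_acme-challenge` label).

```python
# Added example: offline model of the CNAME chain the CA follows in acme.sh
# DNS alias mode. Zone data and the token below are constructed, not real.

CHALLENGE_LABEL = "_acme-challenge"


def challenge_name(domain):
    """Fully qualified validation name the CA looks up for a domain."""
    return f"{CHALLENGE_LABEL}.{domain.rstrip('.')}."


def required_cname(domain, alias):
    """The single CNAME alias mode needs in the *production* zone:
    _acme-challenge.<domain>  CNAME  _acme-challenge.<alias>"""
    return challenge_name(domain), challenge_name(alias)


def lookup(zone, name, rtype, max_hops=8):
    """Resolve like a validator: follow CNAMEs (bounded), then return
    (final_owner, records_of_rtype). Raises on a loop or an over-long chain."""
    seen = []
    while name not in seen and len(seen) < max_hops:
        seen.append(name)
        rrs = zone.get(name, [])
        cnames = [target for (rt, target) in rrs if rt == "CNAME"]
        if cnames:
            name = cnames[0]  # a CNAME replaces the owner for every record type
            continue
        return name, [data for (rt, data) in rrs if rt == rtype]
    raise ValueError(f"CNAME loop or chain too long via {seen}")


def check_alias(domain, alias, token, zone):
    """Verify the alias wiring end to end: the production name must alias to
    the validation name, and the validation name must carry the token.
    Returns (ok, reason)."""
    src, dst = required_cname(domain, alias)
    targets = [t for (rt, t) in zone.get(src, []) if rt == "CNAME"]
    if targets != [dst]:
        return False, f"expected {src} CNAME {dst}, found {targets or 'nothing'}"
    try:
        final, txts = lookup(zone, src, "TXT")
    except ValueError as e:
        return False, str(e)
    if token not in txts:
        return False, f"{final} has TXT {txts}, token not published"
    return True, f"{src} -> {final} carries the token"


# Constructed zone data for the two names used in the thread.
GOOD_ZONE = {
    "_acme-challenge.qa.backtoschoolimmunization.org.": [
        ("CNAME", "_acme-challenge.ekicocvalidation.com.")],
    "_acme-challenge.ekicocvalidation.com.": [("TXT", "constructed-token-1")],
}
# Mistake: CNAME points at the bare alias domain, so the TXT acme.sh
# publishes under _acme-challenge.<alias> is never reached.
BAD_ZONE = {
    "_acme-challenge.qa.backtoschoolimmunization.org.": [
        ("CNAME", "ekicocvalidation.com.")],
    "_acme-challenge.ekicocvalidation.com.": [("TXT", "constructed-token-1")],
}
# Alias zone not under your control (e.g. parked): no TXT can be published.
PARKED_ZONE = {
    "_acme-challenge.qa.backtoschoolimmunization.org.": [
        ("CNAME", "_acme-challenge.ekicocvalidation.com.")],
}

if __name__ == "__main__":
    for label, zone in (("good", GOOD_ZONE), ("bad", BAD_ZONE), ("parked", PARKED_ZONE)):
        print(label, check_alias("qa.backtoschoolimmunization.org",
                                 "ekicocvalidation.com", "constructed-token-1", zone))
```

Against a live zone, the same check is `dig +short CNAME _acme-challenge.qa.backtoschoolimmunization.org` (must print `_acme-challenge.ekicocvalidation.com.`) followed by `dig +short TXT _acme-challenge.ekicocvalidation.com` after acme.sh has published the token; both are plain outbound UDP/TCP 53 queries from the client, and no inbound port is involved.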


#14

It seems curl (invoked by acme.sh) is failing to access a GoDaddy API URL, with some sort of SSL error. Perhaps you could try running curl directly (on your server) to see if you can get more information about what the error is?

curl -v https://api.godaddy.com/v1/domains/ekicocvalidation.com

#15

Are you able to manually create a TXT entry with the name _acme-challenge.ekicocvalidation.com and a value like “123456789”?


#16

This is what I get when I run curl -v https://api.godaddy.com/v1/domains/ekicocvalidation.com


#17

I am not sure about that, as I don't have access to modify entries in the DNS.


#18

The curl: (35) TCP connection reset by peer is the core problem, and it’s a problem between your server and GoDaddy’s, not between your server and Let’s Encrypt.

I’m not sure what the root cause is in this case, but there’s a previous post in this forum suggesting there was a problem with a too-small MTU on some link: [solved] Probably my addresses was banned. There was another answer on Stack Exchange that suggested rebuilding their server with a fresh install. I think a fresh OS install or a new server is your best bet. If you do that, and you can successfully run that curl command, you have a winner.
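The diagnosis in the two posts above hinges on telling the stages apart: curl's (35) means the TCP connection succeeded and the TLS handshake then failed, whereas a 401 with `MISSING_CREDENTIALS` (what the other posters got) means DNS, TCP and TLS to api.godaddy.com all work and only the API key is missing. The probe below is an added example, my own code and not from the thread or from acme.sh, that runs those stages one at a time and reports the first one that fails. The stage names are my labels; `free_port` and `dropping_listener` are local helpers that reproduce a refused connection and a reset during the handshake so the classification can be demonstrated without network access; the GoDaddy URL in the `__main__` block is the one from the thread.

```python
# Added example: staged connectivity probe that separates the failure modes
# curl folds into a single exit code (dns / tcp / tls / http / ok).
import json
import socket
import ssl
import threading


def http_get(tls_sock, host, path):
    """Minimal HTTP/1.1 GET over an established TLS socket -> (status, body)."""
    req = (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
           f"User-Agent: stage-probe\r\nConnection: close\r\n\r\n")
    tls_sock.sendall(req.encode("ascii"))
    raw = b""
    while True:
        chunk = tls_sock.recv(65536)
        if not chunk:
            break
        raw += chunk
    head, _, body = raw.partition(b"\r\n\r\n")
    status = int(head.split(b" ", 2)[1])
    return status, body


def interpret_api_reply(status, body):
    """A 401 with code MISSING_CREDENTIALS from the GoDaddy API proves the
    path (DNS, TCP, TLS) is healthy; anything else is reported as-is."""
    try:
        code = json.loads(body.decode("utf-8", "replace")).get("code")
    except (ValueError, AttributeError):
        code = None
    if status == 401 and code == "MISSING_CREDENTIALS":
        return "API reachable, TLS fine, only credentials missing"
    return f"unexpected reply {status} {code!r}"


def diagnose(host, port=443, path="/", timeout=5.0, ctx=None):
    """Return (stage, detail): the first stage that failed, or ("ok", verdict).
    An ssl.SSLError (handshake or certificate failure) and a reset by the peer
    are both OSError subclasses, so one except clause covers the tls stage."""
    try:
        ip = socket.gethostbyname(host)
    except socket.gaierror as e:
        return "dns", str(e)
    try:
        sock = socket.create_connection((ip, port), timeout=timeout)
    except OSError as e:
        return "tcp", f"{type(e).__name__}: {e}"
    ctx = ctx or ssl.create_default_context()
    try:
        tls = ctx.wrap_socket(sock, server_hostname=host)
    except OSError as e:
        sock.close()
        return "tls", f"{type(e).__name__}: {e}"
    try:
        status, body = http_get(tls, host, path)
    except OSError as e:
        return "http", f"{type(e).__name__}: {e}"
    finally:
        tls.close()
    return "ok", interpret_api_reply(status, body)


def free_port():
    """A localhost port nothing listens on (demonstrates the tcp stage)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def dropping_listener():
    """Local peer that accepts and immediately closes, reproducing a reset or
    EOF during the handshake (the tls stage, curl's exit 35). Returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def drop():
        conn, _ = srv.accept()
        conn.close()
        srv.close()

    threading.Thread(target=drop, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    print("refused :", diagnose("127.0.0.1", port=free_port()))
    print("reset   :", diagnose("127.0.0.1", port=dropping_listener()))
    # Live check of the thread's URL (needs outbound 443 to GoDaddy):
    print("godaddy :", diagnose("api.godaddy.com", path="/v1/domains/ekicocvalidation.com"))
```

If the live run reports the `tls` stage from the affected server but `ok` from another host on the same network, the problem is local to that machine's TLS stack or its path (a middlebox, MTU, or an outdated CA bundle), which is exactly the distinction the post above draws; it is never a matter of opening an inbound port.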


#19

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.