xxxmyownb3.com with letsencrypt

Posted: 09 Mar 2019, 10:04
by Puma
I have been using the Excito dynamic DNS for a long time and am happy with it.
However, I would like to use letsencrypt.
After installing certbot etc. I still get an error when I run:

sudo certbot certonly --agree-tos --email xyz@xyz.xx --webroot -w /var/lib/letsencrypt/ -d xxxx.myownb3.com

See the error below. Does anyone run letsencrypt in combination with myownb3.com?

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for xyz.myownb3.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. xyz.myownb3.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://xyz.myownb3.com/.well-known/acme-challenge/xyz: Timeout during connect (likely firewall problem)

IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: xyz.myownb3.com
Type: connection
Detail: Fetching
http://xyz.myownb3.com/.well-known/acme-challenge/Xxxx
Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

Re: xxxmyownb3.com with letsencrypt

Posted: 10 Mar 2019, 04:42
by fredrikj
As you state, myownb3.com is just a dynamic DNS provider. This allows you to focus entirely on the error message from certbot. I assume you've searched for a solution already?

https://duckduckgo.com/?q=certbot+%22Ti ... roblem)%22

Connect timeout means that the letsencrypt service tried to connect from the internet to your b3 server using http, but your b3 server did not respond. Does your ISP allow incoming http traffic to the ip number of your b3? Have you configured your b3 firewall to permit incoming traffic from the internet on port 80? Do you have a http server listening on port 80 on the b3? Does the specified acme-challenge url work in your browser?

One basic way to see if your b3 is properly configured to allow incoming http traffic from the internet would be to enter the url for your server in the browser on your phone and see if it works. Make sure to have wifi disabled, so the connection is made over your mobile provider's 3G/LTE network. When it works on your phone, it should work for certbot too.

If you want more help, the easiest for us would be if you'd post the real hostname you've registered with myownb3.com.
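A pre-flight check for the webroot (http-01) path mapping fredrikj describes above, as an added example that is not from the thread: it writes a token under <webroot>/.well-known/acme-challenge/ and fetches it back over HTTP, the same thing the Let's Encrypt validator does. The `serve_dir` server on 127.0.0.1 is a constructed stand-in for the b3's web server; against a real host you would pass the public URL (e.g. `http://xyz.myownb3.com`) and the `-w` webroot, and a connect error then corresponds to the "Timeout during connect" in the first post.

```python
# Added example (not from the thread): pre-flight check for certbot --webroot.
# Mimics the ACME validator: write a token under the challenge dir, fetch it over HTTP.
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")

def preflight_http01(webroot, base_url, timeout=5.0):
    """Return (ok, reason). Only a byte-exact body passes, as the validator
    compares the served body with the expected key authorization."""
    token = secrets.token_urlsafe(16)
    body = secrets.token_urlsafe(32).encode()
    os.makedirs(os.path.join(webroot, CHALLENGE_DIR), exist_ok=True)
    token_path = os.path.join(webroot, CHALLENGE_DIR, token)
    with open(token_path, "wb") as f:
        f.write(body)
    url = f"{base_url.rstrip('/')}/.well-known/acme-challenge/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            served = resp.read()
    except urllib.error.HTTPError as e:  # reachable, but wrong webroot or vhost
        return False, f"HTTP {e.code} for {url}: check the -w webroot path"
    except (urllib.error.URLError, OSError) as e:  # closed port, no forward, timeout
        return False, f"cannot connect to {url}: {e} (firewall / port forward?)"
    finally:
        os.remove(token_path)  # never leave stale tokens in the webroot
    if served != body:
        return False, "token served with different content (other vhost or cache?)"
    return True, f"{url} serves the token correctly"

def serve_dir(directory=None):
    """Constructed stand-in for the b3's web server: serve `directory` (a fresh
    temp dir if None) on an ephemeral port. Returns (server, base_url, directory)."""
    directory = directory or tempfile.mkdtemp()
    handler = partial(SimpleHTTPRequestHandler, directory=directory)
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}", directory

if __name__ == "__main__":
    srv, base, root = serve_dir()
    print(preflight_http01(root, base), preflight_http01(root + "-wrong", base), sep="\n")
    srv.shutdown()
```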

Re: xxxmyownb3.com with letsencrypt

Posted: 11 Mar 2019, 17:08
by Puma
fredrikj,

Thanks for your reply.
It's working now; port 80 was not open for the LetsEncrypt servers (only for known IP addresses).
I would like to open port 80 only for LetsEncrypt (forwarding in my router), but I can't because LetsEncrypt does not publish the IP addresses it validates certificates from. So ports 80 and 443 should be open....

Puma

Re: xxxmyownb3.com with letsencrypt

Posted: 12 Mar 2019, 03:27
by fredrikj
Good to hear that you solved the problem, Puma.

The fact that Letsencrypt does not publish the IP numbers of their validation hosts is a security feature. It makes man-in-the-middle attacks on the validation process harder.

If you want certificates for hosts that you really do not want to expose to the internet, Letsencrypt also offers DNS-based validation. But that assumes that you can control the DNS records of your domain, so it is quite a bit more involved than simple HTTP-based validation. And I assume it is not an option at all for myownb3.com hosts.

Re: xxxmyownb3.com with letsencrypt

Posted: 15 Mar 2019, 23:14
by MouettE
fredrikj wrote: 12 Mar 2019, 03:27
But that assumes that you can control the DNS records of your domain, so it is quite a bit more involved than simple HTTP-based validation. And I assume it is not an option at all for myownb3.com hosts.
You assume right :)