Problems getting SSL certbot working during install [NAT]

I’m getting the following error when using the auto setup option for Let’s Encrypt:

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: server.mydomain.com
Type: connection
Detail: 67.1.2.3: Fetching http://server.mydomain.com/.well-known/acme-challenge/NyAo2STnpnIn7blgAtzapgY7O3jcVgj0P3XOYI19y-E: Timeout during connect (likely firewall problem)

I’m running this on Rocky Linux 9.1 as VM on HyperV. Is there a doc on what firewall settings I need for this to work?

Hi @cwhitmore do you have port 80 open? Is ipv6 enabled/disabled?

Thanks Garrett. I did have to open port 80. Also, ipv6 is enabled. I’m guessing that needs to be disabled?

1 Like

I think it needs to be enabled.

Unfortunately, I’m still getting the same error. I did notice when it tried to generate the certificate that it said ports 80 and 443 were already opened.

Here is a portion of the log /var/log/letsencrypt/letsencrypt.log where it seems to have problems. (I changed the server name and WAN IP.)

2023-03-20 14:23:05,316:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/212519866957 HTTP/1.1" 200 1110
2023-03-20 14:23:05,317:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 20 Mar 2023 19:23:05 GMT
Content-Type: application/json
Content-Length: 1110
Connection: keep-alive
Boulder-Requester: 1018551267
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 327C0E4iO0uGSXork7bjnJtNRfIHrF_zo2VWjE7B2ytu6hA
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "server.mydomain.com"
  },
  "status": "invalid",
  "expires": "2023-03-27T19:22:54Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "67.1.2.3: Fetching http://server.mydomain.com/.well-known/acme-challenge/RhiLenRrF8aaYP-Jd-rpWCmo0N63GRK7_B0hpUq2CGg: Timeout during connect (likely firewall problem)",
        "status": 400
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/212519866957/aa_qzQ",
      "token": "RhiLenRrF8aaYP-Jd-rpWCmo0N63GRK7_B0hpUq2CGg",
      "validationRecord": [
        {
          "url": "http://server.mydomain.com/.well-known/acme-challenge/RhiLenRrF8aaYP-Jd-rpWCmo0N63GRK7_B0hpUq2CGg",
          "hostname": "server.mydomain.com",
          "port": "80",
          "addressesResolved": [
            "67.1.2.3"
          ],
          "addressUsed": "67.1.2.3"
        }
      ],
      "validated": "2023-03-20T19:22:55Z"
    }
  ]
}

@cwhitmore I would next look at webserver config. If there is no handling of the /.well-known path that would be a 400.

This turned out to be a NAT issue.