Stuck on Let's Encrypt certificate issuance due to firewall issue even after opening necessary ports
Hello everyone,
I've been trying to set up a Mumble voice chat server on my home network using a Debian server. As part of the setup process, I need to obtain an SSL certificate from Let's Encrypt for secure HTTPS access to the server. However, I'm encountering an error when running the Certbot client to request the certificate.
I've checked my firewall rules and confirmed that I've opened port 80 as required for the Let's Encrypt verification process. Here's the relevant rule in my ufw configuration:
80/tcp ALLOW Anywhere
Despite this, I'm still getting the timeout error. Has anyone else encountered this issue before? What steps should I take to troubleshoot further?
Since this is on a home network, have you also forwarded port 80 from your router to your machine running certbot?
This is one of the reasons I use the DNS challenge instead... Then you don't have to route all these Let's Encrypt challenges into your internal network.
This is the answer. Pretty much every ISP blocks 80
They say it is because worms use it blah blah but it is exactly what you think. They don't want you running a web server. You're probably going to have to do the DNS challenge instead.
are you actually running a web server on that host? iirc, certbot will place a temporary token to be served by your web server (Apache, etc.) to show that you actually control the domain you are requesting a cert for.
I switched to DNS based retrieval as soon as let's encrypt offered it, so it's been years since I retrieved certs via http.
if you are using http cert retrieval, certbot needs a place to put the temp. token to authenticate your control of the domain you are creating a certificate for. usually that will be the same webserver you want to serve the certificate from.
if you are not running an actual webserver on port 80 that certbot can insert a token for, certbot cannot complete.
this is, of course, in addition to other possible issues such as ISP port blocking - but without a web server listening on TCP/80, you will have to use other authorization methods (like DNS) to generate a cert.
Sounds like you have nothing listening on port 80 that resolves for your domain for Let's Encrypt to verify that you own the domain. You need a webserver listening on port 80 and that Certbot can access if you're using the http method.
Basically you're forwarding traffic to port 80 but there's nothing on port 80.
Ah, certbot might be a little different than my system. Mine begins the process of renewing the let's encrypt cert on port 80 and switches to 443 to finish. I have to have both open.
Check that your ISP doesn't block inbound connections on port 80. In the US, there is a growing trend of residential providers blocking those and other common service-hosting connections upstream unless you change to a "business" account. You may also be behind a CGNAT ISP, unless you have successfully gotten external port-forwards working in the past. The second is much less likely, and I have only seen it from the new, smaller fiber startups popping up who were not around when the Class A Subnets were allocated...
There is another way, I thought. Seem to recall certbot offering it when failing here. If you want more details I can dig into it but it has you create a file in a .well-known and it'll go check for it there.
Edit: as others mentioned the prerequisite here is that you're also listening on port 80 somewhere.
Also, don't forget let's encrypt will time you out if you ping too often.
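To make the HTTP-01 exchange the replies above describe concrete (client drops a token under .well-known/acme-challenge, the CA fetches it over plain HTTP on port 80), here is an added, self-contained model of both sides that runs entirely on loopback. It is not certbot or Let's Encrypt code; the token, key authorization and webroot are constructed, and it uses a free loopback port as a stand-in for port 80 so it can show the "valid", "missing token" and "nothing answering on the port" outcomes side by side.

```python
# Constructed, offline model of the HTTP-01 exchange described in this thread; not certbot code.
import http.server
import os
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial

ACME_PATH = "/.well-known/acme-challenge/"

def place_token(webroot, token, key_auth):
    # The client side: write the key authorization where the validator will look for it.
    d = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(d, exist_ok=True)
    with open(os.path.join(d, token), "w") as f:
        f.write(key_auth)

def serve_webroot(webroot):
    # Throwaway HTTP server on a free loopback port (stand-in for the port-80 web server).
    handler = partial(http.server.SimpleHTTPRequestHandler, directory=webroot)
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

def validate(host, port, token, expected, timeout=2.0):
    # The CA side: fetch the token over plain HTTP and compare the body. "unreachable" is the
    # thread's timeout case (port open or forwarded, nothing answering); "missing" is a web server without the file.
    url = f"http://{host}:{port}{ACME_PATH}{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as r:
            body = r.read().decode().strip()
    except urllib.error.HTTPError:
        return "missing"
    except (urllib.error.URLError, OSError):
        return "unreachable"
    return "valid" if body == expected else "mismatch"

def demo():
    webroot = tempfile.mkdtemp()
    token, key_auth = "constructed-token", "constructed-token.constructed-thumbprint"
    place_token(webroot, token, key_auth)
    srv, port = serve_webroot(webroot)
    served = validate("127.0.0.1", port, token, key_auth)
    missing = validate("127.0.0.1", port, "absent-token", key_auth)
    srv.shutdown()
    srv.server_close()  # now the port leads to nothing, like forwarding port 80 with no web server behind it
    unreachable = validate("127.0.0.1", port, token, key_auth)
    return served, missing, unreachable
```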