Let's Encrypt certificate! - fail

Hi, I am trying to set up a server for the first time.

Hardware: Raspberry Pi 3 at home

YunoHost version: 3.6.4.6 (stable).
I have access to my server: through SSH and through the Mozilla Firefox web browser on the LAN

I have an active free domain to learn how things work before I rebuild the server for a small club of external users.

Are you in a special context or did you perform some particular tweaking on your YunoHost instance?: no

Description of my issue

I am trying to build a server to give secure access to plans and documents for a club of users external to my LAN. The server will reside either at my home or later at the club building which has internet access.

I can access the Yunohost server from any device on my LAN.
On my Android phone with WiFi OFF, the web browser complains that it is not safe and will not give access. I tried to launch Let's Encrypt certificate!, but it fails.

I am doing something stupid, but I do not know where to start looking to correct it. Please can you provide some guidance?

Many thanks for such a great forum.

args:
  force: false
  no_checks: false
  staging: false
ended_at: 2019-09-21 17:26:39.681618
error: 'Certificate installation for alctjpccgm.tk failed !

  Exception: Signing the new certificate failed'
operation: letsencrypt_cert_install
related_to:
  - domain
  - alctjpccgm.tk
started_at: 2019-09-21 17:26:11.892542
success: false

============

2019-09-21 18:26:11,901: DEBUG - Nginx configuration file for ACME challenge already exists for domain, skipping.
2019-09-21 18:26:11,904: DEBUG - Making sure tmp folders exists…
2019-09-21 18:26:12,155: DEBUG - Could not get public IPv6 : Invalid url https://ip6.yunohost.org (does this site exists?)
2019-09-21 18:26:12,158: DEBUG - Prepare key and certificate signing request (CSR) for alctjpccgm.tk…
2019-09-21 18:26:22,934: DEBUG - Saving to /tmp/acme-challenge-private/alctjpccgm.tk.csr.
2019-09-21 18:26:22,936: DEBUG - Now using ACME Tiny to sign the certificate…
2019-09-21 18:26:22,937: INFO - Parsing account key…
2019-09-21 18:26:22,995: INFO - Parsing CSR…
2019-09-21 18:26:23,030: INFO - Found domains: alctjpccgm.tk
2019-09-21 18:26:23,032: INFO - Getting directory…
2019-09-21 18:26:23,418: INFO - Directory found!
2019-09-21 18:26:23,422: INFO - Registering account…
2019-09-21 18:26:24,321: INFO - Already registered!
2019-09-21 18:26:24,323: INFO - Creating new order…
2019-09-21 18:26:25,317: INFO - Order created!
2019-09-21 18:26:25,606: INFO - Verifying alctjpccgm.tk…
2019-09-21 18:26:39,144: ERROR - Challenge did not pass for alctjpccgm.tk: {u'status': u'invalid', u'challenges': [{u'status': u'invalid', u'validationRecord': [{u'url': u'http://alctjpccgm.tk/.well-known/acme-challenge/9PMxvrpxtZ4D4LM9rd3Mj0d0vBcV4DD_M6vcxEFUS5M', u'hostname': u'alctjpccgm.tk', u'addressUsed': u'81.220.81.77', u'port': u'80', u'addressesResolved': [u'81.220.81.77']}], u'url': u'https://acme-v02.api.letsencrypt.org/acme/chall-v3/443646495/N2PBJw', u'token': u'9PMxvrpxtZ4D4LM9rd3Mj0d0vBcV4DD_M6vcxEFUS5M', u'error': {u'status': 400, u'type': u'urn:ietf:params:acme:error:connection', u'detail': u'Fetching http://alctjpccgm.tk/.well-known/acme-challenge/9PMxvrpxtZ4D4LM9rd3Mj0d0vBcV4DD_M6vcxEFUS5M: Timeout during connect (likely firewall problem)'}, u'type': u'http-01'}, {u'status': u'invalid', u'url': u'https://acme-v02.api.letsencrypt.org/acme/chall-v3/443646495/jjBEvg', u'token': u'9PMxvrpxtZ4D4LM9rd3Mj0d0vBcV4DD_M6vcxEFUS5M', u'type': u'dns-01'}, {u'status': u'invalid', u'url': u'https://acme-v02.api.letsencrypt.org/acme/chall-v3/443646495/82nXTw', u'token': u'9PMxvrpxtZ4D4LM9rd3Mj0d0vBcV4DD_M6vcxEFUS5M', u'type': u'tls-alpn-01'}], u'identifier': {u'type': u'dns', u'value': u'alctjpccgm.tk'}, u'expires': u'2019-09-28T17:26:25Z'}
2019-09-21 18:26:39,433: WARNING - Debug information:

  • domain ip from DNS 81.220.81.77
  • domain ip from local DNS 81.220.81.77
  • public ip of the server 81.220.81.77

2019-09-21 18:26:39,678: WARNING - Debug information:

  • domain ip from DNS 81.220.81.77
  • domain ip from local DNS 81.220.81.77
  • public ip of the server 81.220.81.77

2019-09-21 18:26:39,680: ERROR - Certificate installation for alctjpccgm.tk failed !
Exception: Signing the new certificate failed

Hmmm, well, from my side your domain correctly resolves to an IP (it should be double-checked that it's indeed yours), but the IP doesn't ping nor answer HTTP requests... So I am not sure how your smartphone accesses any webpage at all, but my guess would be that you did not configure port forwarding (cf. https://yunohost.org/isp_box_config)?

Yes. As @Aleks says, you need to have port 80 forwarded to your machine from the outside in your router so that Let's Encrypt can do the challenge/response. Port 443 is not enough.

You could do this in your router individually for every port forwarding, or you could declare your Raspberry Pi as an exposed host so that all ports are forwarded through the NAT.
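To turn a failure like the one in the log above into a concrete cause, here is an added Python example (not YunoHost's or acme-tiny's code) that reads the http-01 result out of an ACME authorization object, maps the ACME error type to its usual meaning behind a home router, and fetches the challenge URL over plain HTTP the way the CA does. The sample authorization object is constructed from the log's values, and the `preflight` function and the `HINTS` table are my own.

```python
import urllib.request
import urllib.error

# Constructed sample: the shape of the ACME v2 authorization object that acme-tiny
# dumps when a challenge fails (values modelled on the log in the first post).
SAMPLE_AUTHZ = {
    "status": "invalid",
    "identifier": {"type": "dns", "value": "alctjpccgm.tk"},
    "challenges": [
        {"type": "http-01", "status": "invalid",
         "validationRecord": [{"addressUsed": "81.220.81.77", "port": "80"}],
         "error": {"type": "urn:ietf:params:acme:error:connection",
                   "detail": "Timeout during connect (likely firewall problem)"}},
        {"type": "dns-01", "status": "invalid"},
        {"type": "tls-alpn-01", "status": "invalid"},
    ],
}

# What each ACME error type usually means for a home server behind a NAT router.
HINTS = {
    "urn:ietf:params:acme:error:connection":
        "port 80 is not reachable from the internet: check port forwarding and firewall rules",
    "urn:ietf:params:acme:error:unauthorized":
        "port 80 answered but not with the expected token: a redirect or another web server is in the way",
    "urn:ietf:params:acme:error:dns":
        "the name does not resolve correctly: check the domain's A record",
}

def diagnose_http01(authz):
    """Return (address_used, error_type, hint) for a failed http-01 challenge, or None if it passed."""
    for ch in authz.get("challenges", []):
        if ch.get("type") != "http-01":
            continue
        if ch.get("status") == "valid":
            return None
        err = ch.get("error") or {}
        rec = (ch.get("validationRecord") or [{}])[0]   # the CA's record of what it tried
        etype = err.get("type", "unknown")
        return rec.get("addressUsed"), etype, HINTS.get(etype, err.get("detail", "no detail"))
    return None

def preflight(domain, token, timeout=10):
    """Fetch the challenge URL over plain HTTP as the CA would; return the body or the failure reason."""
    url = "http://%s/.well-known/acme-challenge/%s" % (domain, token)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace").strip()
    except (urllib.error.URLError, OSError) as exc:   # timeout, refused, DNS failure
        return "unreachable: %s" % exc
```

Run `preflight` from a host outside the LAN (a laptop tethered to a phone on mobile data, for instance), because many home routers do not hairpin connections to their own public address and a test from inside would fail for the wrong reason.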

Hi Alex and Mad,

Great advice. I thought I had done this on my router. I will check during my coffee break and try again.
Many thanks


Hi Alex and Mad,
Here is the routing table:

Service  External port  Internal port  Protocol  Internal IP
HTTP     80             80             Both      192.168.0.39
HTTPS    443            443            Both      192.168.0.39
SSH      22             22             Both      192.168.0.39
SMTP     25             25             TCP       192.168.0.39

I will take another look at my DNS entries. I have re-read information on this topic and while the entries were accepted, I am not sure if I made a mistake…
Many thanks again.
I will get back to you with the result.
