Unable to install letsencrypt certificate (diagnosis seems OK)

Hi!

My YunoHost server

Hardware: Proxmox VM on Hetzner root server
YunoHost version: 11.2.14.1
I have access to my server: through SSH, through the webadmin, direct access via keyboard/screen (all of that).
Are you in a special context or did you perform some particular tweaking on your YunoHost instance?: no
If yes, please explain:

Description of my issue

Tried to get a Let's Encrypt certificate for YunoHost with only one domain configured

  1. From ssh console with commands:
    yunohost domain cert-install maindomain.tld --no-checks --force
    and
    yunohost domain cert-install maindomain.tld --no-checks --debug
  2. From the web-interface.
  3. With different options: XMPP active/non-active, force HTTPS: YES and NO

Additional information

  • “maindomain.tld” is a third-level domain name. The registrar and DNS server provider is Hetzner.
  • I checked the availability of the token files (like http://muc.maindomain.tld/.well-known/acme-challenge/mmELVwwJg-aNKa-Z9IZE4styxW3NtSNoTihhrXcBlYI and so on) many times from different remote hosts on the Internet with the ‘curl’ and ‘wget’ commands. Every time I had fast and reliable access with no issues.
  • The YunoHost VM is behind an IPFire NAT. IPS off. All ports are forwarded and tested.

System diagnosis log
Diagnosis

Certificate installation log
Install certificate


It seems like I’m stuck here ((
Sincerely appreciate any help,
Thanks a lot for your time!

Fetching http://muc.maindomain.tld/.well-known/acme-challenge/xxxxxx: Timeout during connect (likely firewall problem)

Meh, if you did set up the corresponding DNS record for muc. then I don’t see why that would fail … On the other hand, maybe if you don’t care about XMPP, just disable XMPP in the webadmin > Domains > yourdomain.tld > “XMPP” toggle in the “Feature” thing
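As an added illustration, not part of this thread and not YunoHost's or Let's Encrypt's own code: the two halves of an ACME HTTP-01 challenge (RFC 8555 section 8.3), so the "Fetching http://.../.well-known/acme-challenge/<token>: Timeout during connect" message above can be reproduced on a single machine. The responder serves the key authorization for a token; the validator fetches it over plain HTTP with a timeout and classifies the outcome. The JWK, the token and the host/port are constructed sample values; the CA in reality connects to port 80 of the hostname from its own networks, which is why a successful manual curl does not prove the validator's path works.

```python
"""Both sides of an ACME HTTP-01 challenge, as an added example.
The JWK and token below are constructed sample values, not a real account key."""
import base64
import hashlib
import json
import socket
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Constructed sample account key (JWK) and challenge token; not real key material.
SAMPLE_JWK = {"kty": "RSA", "n": "sample-modulus-not-a-real-key", "e": "AQAB"}
SAMPLE_TOKEN = "mmELVwwJg-aNKa-Z9IZE4styxW3NtSNoTihhrXcBlYI"


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required members only."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Body the web server must return for the token: '<token>.<thumbprint>'."""
    return f"{token}.{jwk_thumbprint(jwk)}"


class ChallengeHandler(BaseHTTPRequestHandler):
    """Client side: answers GET /.well-known/acme-challenge/<token> from a token -> body map."""
    responses = {}  # filled in by serve_challenges()

    def do_GET(self):
        token = self.path[len(CHALLENGE_PREFIX):] if self.path.startswith(CHALLENGE_PREFIX) else None
        body = self.responses.get(token)
        if body is None:
            self.send_error(404)
            return
        data = body.encode("ascii")
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the example quiet
        pass


def serve_challenges(responses: dict) -> HTTPServer:
    """Start the responder on 127.0.0.1 on a free port and return the server object."""
    ChallengeHandler.responses = responses
    server = HTTPServer(("127.0.0.1", 0), ChallengeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def validate_http01(host: str, port: int, token: str, expected: str, timeout: float = 5.0) -> str:
    """CA side: fetch the token over plain HTTP and compare with the expected key authorization.
    Returns 'valid', 'invalid' (reachable but wrong status or body) or 'unreachable'
    (timeout, refused or unroutable: the case the log line above reports)."""
    url = f"http://{host}:{port}{CHALLENGE_PREFIX}{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read(1024).decode("ascii", "replace").strip()
    except urllib.error.HTTPError:          # HTTPError is a URLError; must be caught first
        return "invalid"
    except (urllib.error.URLError, socket.timeout, OSError):
        return "unreachable"
    return "valid" if body == expected else "invalid"


if __name__ == "__main__":
    expected = key_authorization(SAMPLE_TOKEN, SAMPLE_JWK)
    srv = serve_challenges({SAMPLE_TOKEN: expected})
    port = srv.server_address[1]
    print("good token:", validate_http01("127.0.0.1", port, SAMPLE_TOKEN, expected))
    print("unknown token:", validate_http01("127.0.0.1", port, "no-such-token", expected))
    srv.shutdown()
    srv.server_close()
    print("after server stopped:", validate_http01("127.0.0.1", port, SAMPLE_TOKEN, expected, 2))
```

The third call is the interesting one for this thread: once nothing answers on the port, the validator reports "unreachable" even though the token file itself was fine a moment earlier, which is exactly the shape of a firewall or routing problem between the CA's network and the host rather than a YunoHost misconfiguration.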

Aleks, thanks for the reply!

  1. Yes, the DNS record for the name ‘muc.mydomain.ltd’ exists and I can receive the token file with the ‘wget’ command from other servers.
  2. I’ve tried to disable XMPP many times with no success ((
    Tried it again right now. You can see the log below:
    Log with XMPP disabled

Did you check your firewall's logs for your manual test connections and for the connection that is coming in for the actual validation? Do they have the same entries? In case there’s no difference: does your firewall allow you to capture connections? Can you find any differences between your testing connection and the incoming validation HTTP request?

Thanks for the tip!
I’ll see what I can squeeze out of it ))


Thanks to all participants for their help!
Problem solved, certificate received ))
This was definitely an IPFire issue.
It turns out there are two main questions about Let’s Encrypt and IPFire:

After disabling both, everything seems OK.

P.S. Should I edit my starter post and add [SOLVED] to the title?

To disable Reverse Path Filtering you should either use the command line approach:
    sysctl -w net.ipv4.conf.default.rp_filter=2
    sysctl -w net.ipv4.conf.all.rp_filter=2
or:
add (edit) those two lines in /etc/sysctl.conf and reboot the IPFire host.
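An added example, not part of the thread or of IPFire: making the rp_filter change persistent without leaving duplicate or commented-out copies of the key in /etc/sysctl.conf, plus the kernel rule for which value actually applies. Two caveats a practitioner should know: rp_filter=2 is "loose" mode (the packet's source must be reachable via any interface), not off (0), and the kernel applies the maximum of conf/all/<key> and conf/<interface>/<key>, so setting only "default" leaves existing interfaces unchanged and a stricter "all" value wins. The sample file contents and the output path handling are constructed; the script prints the updated file instead of overwriting it.

```python
"""Idempotent sysctl.conf editing for the rp_filter change, as an added example.
Sample file contents are constructed; nothing here writes to /etc."""
import re
import sys

# Meaning of net.ipv4.conf.*.rp_filter (kernel ip-sysctl documentation).
RP_FILTER_MODES = {0: "off (no source validation)", 1: "strict", 2: "loose"}

# The two settings from the post above, in sysctl.conf form.
RP_FILTER_SETTINGS = {
    "net.ipv4.conf.default.rp_filter": 2,
    "net.ipv4.conf.all.rp_filter": 2,
}

# Matches "key = value" and commented-out "# key = value" lines.
_SETTING_RE = re.compile(r"^\s*#?\s*([\w./-]+)\s*=\s*(\S*)\s*$")


def update_sysctl_conf(text: str, settings: dict) -> str:
    """Return the sysctl.conf text with each key in `settings` set exactly once.
    The first existing line for a key (active or commented out) is replaced in place,
    later duplicates are dropped, and keys not present are appended at the end."""
    seen = set()
    out = []
    for line in text.splitlines():
        m = _SETTING_RE.match(line)
        key = m.group(1) if m else None
        if key in settings:
            if key in seen:
                continue  # duplicate of a key we already wrote
            out.append(f"{key} = {settings[key]}")
            seen.add(key)
        else:
            out.append(line)
    for key, value in settings.items():
        if key not in seen:
            out.append(f"{key} = {value}")
    return "\n".join(out) + "\n"


def effective_rp_filter(all_value: int, iface_value: int) -> int:
    """Kernel rule: source validation on an interface uses max(conf/all, conf/<iface>)."""
    return max(all_value, iface_value)


def describe_rp_filter(value: int) -> str:
    return RP_FILTER_MODES.get(value, f"unknown ({value})")


if __name__ == "__main__":
    # Usage: python3 rp_filter_conf.py /etc/sysctl.conf > sysctl.conf.new
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/sysctl.conf"
    with open(path, encoding="utf-8") as fh:
        sys.stdout.write(update_sysctl_conf(fh.read(), RP_FILTER_SETTINGS))
    sys.stderr.write(
        f"effective mode with all=1, iface=2: {describe_rp_filter(effective_rp_filter(1, 2))}\n"
    )
```

After replacing /etc/sysctl.conf with the generated file, `sysctl -p` loads it without a reboot; verify with `sysctl net.ipv4.conf.all.rp_filter net.ipv4.conf.default.rp_filter` and, for an interface that already existed, `cat /proc/sys/net/ipv4/conf/<iface>/rp_filter`.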

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.