Help with Let's Encrypt certificates

Is there anyone can help me wit the configuration of the firewall.
My network configuration is:
ISP router - IPFire box - server.
If I connect the server directly to the ISP router (obviously readdressing the network) I can get the certificates from Letsencrypt as well as the renewals.
When I leave the server behind the IPFire box I cannot get the certificates and not even the renewals.
Is there any special configuration that I shall do?
All the services behind the IPFire box work correctly: SSH, WEB, FTP, etc.
Only the certificates do not work.
By the way - it would be nice - even if the IPFire package would include the Let’s Encrypt certificates feature.
So not to have the browser that every time you access the IPFire interface informs you that the (self signed) certificate is invalid.
Thanks
Aldo

Have you forwarded port 80 (HTTP) to the server running certbot (updater)? Let’s encrypt use port 80 to verify the server. See Best Practice - Keep Port 80 Open - Let's Encrypt - Free SSL/TLS Certificates for an explantion.

@aldogiga1
Also verify that your ISP allows you to have port 80 open on your public IP.
(my ISP does not, I cannot have a web server on my public IP, port 80)

Port 80 is open and I can connect to the Apache Web Server.
Also port 443 is available.
Let’s Encrypt can store the challenge but it cannot retreive it.

@aldogiga1

I am using Lets Encrypt successfully for a couple of years and the communication goes through IPFire.

The only thing I needed to set up on IPFire was a Port Forward for HTTP (80) and HTTPS (443).

What error message do you get when Lets Encrypt is unable to retrieve the challenge.

Do you have Location Filters enabled? LE Servers are in the US and may be blocked due to your settings.

1 Like

Same thought here, I have already had this situation. Do not block US IPs if you have a Letsencrypt certificate! :slight_smile:

Hello, sorry for not answering before but my mail server delivered only today the update messages from you.

Relevant to the matter:

  1. the US IPs are not blocked.
  2. Port 80 of the server is open (forwarded) and you can reach it at giganetsrl.sytes.net it is also open 443 as well you can reach it.
  3. I attach the renewal command (history.out) and the output of the command (output.acme).
  4. Note: the first certificate was obtained disconnecting the firewall.data.zip (3.9 KB)

Addidionally I can say:

  1. challenge has been written to the destination directory.
  2. I can retrieve the challenge with the same request as the acme.sh.
    Attached the log of apache2 (20210308-access.log only the request line), the request URL (request.txt) and the output of the challenge request (challenge.txt).
    The challenge is still there since the --debug option prevents the deletion.
    data2.zip (948 Bytes)
    Thanks for any suggestion/help.

Hi @aldogiga1

In the output.acme there is the following line

[dom  7 mar 2021, 15.15.53, CET] giganetsrl.sytes.net:Verify error:Timeout during connect (likely firewall problem)

This is saying that the letsencrypt challenge timed out trying to access giganetsrl.sytes.net and it makes the suggestion that a firewall problem is the likely cause.

You say this site should be available but with both http and https I got a timed out error.

Can you show the port forward rules that you have created.

Thanks Adolf,
I checked newly the rules and found I had a location group in which there was USA as banned country.
I removed it and the renewal went OK.


Many thans for your time.
Aldo

Hi Aldo,

Glad you got it working.