If you're having trouble using Certbot and aren't sure you've found a bug or
request for a new feature, please first try asking for help at
https://community.letsencrypt.org/. There is a much larger community there of
people familiar with the project who will be able to more quickly answer your
questions.
Linux openvpn1.ismyservice.space 4.4.0-134-generic #160-Ubuntu SMP Wed Aug 15 14:58:00 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
certbot 0.26.1
Ubuntu package manager
sudo certbot certonly --standalone --non-interactive --preferred-challenge http-01
--http-01-port 10000 --agree-tos
--email [email protected] --domains realtebo.example.com
--pre-hook 'sudo service webmin stop'
--post-hook 'sudo service webmin start'
--staging --dry-run
Domain: realtebo.example.com
Type: connection
Detail: Fetching
http://realtebo.example.com/.well-known/acme-challenge/DbE18Iyfud0xBRtrfvz-ILifSzqV-7GoV5uRAyuNYRw:
Timeout during connect (likely firewall problem)
Firewall is opened on port 10000. When certbot ends, it restarts webmin, which is running on the same port. I can connect to webmin from outside using port 10000 without any problem.
See the log in the following point; certbot is starting its standalone webserver on port 10000, and it's ok, but it is using port 80 for the challenge!
/var/log/letsencrypt
by default. Feel free to redact domains, e-mail and IP addresses as you see fit.
2018-08-29 13:56:27,322:DEBUG:certbot.main:certbot version: 0.26.1
2018-08-29 13:56:27,322:DEBUG:certbot.main:Arguments: ['--standalone', '--non-interactive', '--preferred-challenge', 'http-01', '--http-01-port', '10000', '--agree-tos', '--email', '[email protected]', '--domains', 'realtebo.example.com', '--pre-hook', 'sudo service webmin stop', '--post-hook', 'sudo service webmin start', '--staging', '--dry-run']
2018-08-29 13:56:27,323:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2018-08-29 13:56:27,330:DEBUG:certbot.log:Root logging level set at 20
2018-08-29 13:56:27,331:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2018-08-29 13:56:27,332:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer None
2018-08-29 13:56:27,540:DEBUG:certbot.plugins.selection:Single candidate plugin: * standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator
Initialized: <certbot.plugins.standalone.Authenticator object at 0x7f3a5b6006d8>
Prep: True
2018-08-29 13:56:27,540:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.standalone.Authenticator object at 0x7f3a5b6006d8> and installer None
2018-08-29 13:56:27,541:INFO:certbot.plugins.selection:Plugins selected: Authenticator standalone, Installer None
2018-08-29 13:56:27,544:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(terms_of_service=None, uri='https://acme-staging-v02.api.letsencrypt.org/acme/acct/6829761', new_authzr_uri=None, body=Registration(contact=(), status=None, terms_of_service_agreed=None, key=None, only_return_existing=None, agreement=None)), 79b142d506837dc821d95200358290de, Meta(creation_host='realtebo.example.com', creation_dt=datetime.datetime(2018, 8, 29, 11, 29, 47, tzinfo=<UTC>)))>
2018-08-29 13:56:27,545:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
2018-08-29 13:56:27,547:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
2018-08-29 13:56:27,847:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 724
2018-08-29 13:56:27,848:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 724
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 29 Aug 2018 11:56:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 29 Aug 2018 11:56:27 GMT
Connection: keep-alive
{
"drsHm9_JSMQ": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
"keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
"website": "https://letsencrypt.org/docs/staging-environment/"
},
"newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
"revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert"
}
2018-08-29 13:56:27,849:INFO:certbot.hooks:Running pre-hook command: sudo service webmin stop
2018-08-29 13:56:27,957:INFO:certbot.main:Obtaining a new certificate
2018-08-29 13:56:27,999:DEBUG:acme.client:Requesting fresh nonce
2018-08-29 13:56:28,000:DEBUG:acme.client:Sending HEAD request to https://acme-staging-v02.api.letsencrypt.org/acme/new-order.
2018-08-29 13:56:28,261:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "HEAD /acme/new-order HTTP/1.1" 405 0
2018-08-29 13:56:28,262:DEBUG:acme.client:Received response:
HTTP 405
Server: nginx
Content-Type: application/problem+json
Content-Length: 103
Allow: POST
Replay-Nonce: WnqBHl9ZAJ8NdQnttV0FJQHxefu-O3op92NR8uFoMtg
Expires: Wed, 29 Aug 2018 11:56:28 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 29 Aug 2018 11:56:28 GMT
Connection: keep-alive
2018-08-29 13:56:28,262:DEBUG:acme.client:Storing nonce: WnqBHl9ZAJ8NdQnttV0FJQHxefu-O3op92NR8uFoMtg
2018-08-29 13:56:28,263:DEBUG:acme.client:JWS payload:
b'{\n "status": "pending",\n "resource": "new-order",\n "identifiers": [\n {\n "type": "dns",\n "value": "realtebo.example.com"\n }\n ]\n}'
2018-08-29 13:56:28,266:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/new-order:
{
"protected": "eyJub25jZSI6ICJXbnFCSGw5WkFKOE5kUW50dFYwRkpRSHhlZnUtTzNvcDkyTlI4dUZvTXRnIiwgImFsZyI6ICJSUzI1NiIsICJraWQiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hY2N0LzY4Mjk3NjEiLCAidXJsIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvbmV3LW9yZGVyIn0",
"signature": "O_HrIU4h2mWDEOZJdvBdZLKBEkVSd2b3gj08iSImg6NSbu8N79ff75nksKnqeCr_vb1vPx-RPgsAU3B3P7gxilOV3kuGMHiA0kRIq36BiZeAm5Y4gQWGXAh263CBm5EZpGpUn5yx_MVLoy4mioZ-Tf8MLMYflKwTvtRre3xLjlZuXDlf1chGebgw9yXD_fJWsdzVR1jwv_JOtBAlTnHGHmfntlWPNuJqFCusdfSF9Itu2ttQBDbSLbi72yxqb1S9ZLD1XoQw_pkSI0VDRdhdcjamAfsomfueJ_kJvFV6rrS0OUUzXpPCprnyRFKljrHrco9Kn6VpxtK7qNK50E0BlQ",
"payload": "ewogICJzdGF0dXMiOiAicGVuZGluZyIsCiAgInJlc291cmNlIjogIm5ldy1vcmRlciIsCiAgImlkZW50aWZpZXJzIjogWwogICAgewogICAgICAidHlwZSI6ICJkbnMiLAogICAgICAidmFsdWUiOiAidnBubWlya28uaXNteXNlcnZpY2Uuc3BhY2UiCiAgICB9CiAgXQp9"
}
2018-08-29 13:56:28,606:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 398
2018-08-29 13:56:28,607:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 398
Boulder-Requester: 6829761
Location: https://acme-staging-v02.api.letsencrypt.org/acme/order/6829761/6638025
Replay-Nonce: b-xmrBO3u6xWnQ3X-pjscz3-5UW-tY-cIy-rHHRFCjw
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 29 Aug 2018 11:56:28 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 29 Aug 2018 11:56:28 GMT
Connection: keep-alive
{
"status": "pending",
"expires": "2018-09-05T11:56:28.394993245Z",
"identifiers": [
{
"type": "dns",
"value": "realtebo.example.com"
}
],
"authorizations": [
"https://acme-staging-v02.api.letsencrypt.org/acme/authz/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE"
],
"finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/6829761/6638025"
}
2018-08-29 13:56:28,607:DEBUG:acme.client:Storing nonce: b-xmrBO3u6xWnQ3X-pjscz3-5UW-tY-cIy-rHHRFCjw
2018-08-29 13:56:28,608:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/acme/authz/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE.
2018-08-29 13:56:28,852:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "GET /acme/authz/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE HTTP/1.1" 200 939
2018-08-29 13:56:28,853:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 939
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 29 Aug 2018 11:56:28 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 29 Aug 2018 11:56:28 GMT
Connection: keep-alive
{
"identifier": {
"type": "dns",
"value": "realtebo.example.com"
},
"status": "pending",
"expires": "2018-09-05T11:56:28Z",
"challenges": [
{
"type": "dns-01",
"status": "pending",
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE/164854448",
"token": "r_EGiMDAA18pVLDSiEqPUIQe57RTnH79YxN65ybsLHg"
},
{
"type": "tls-alpn-01",
"status": "pending",
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE/164854449",
"token": "qDoGsuxMNdrihAuIbetnBFTSqz6uSyTYX-Jm_JW3xKc"
},
{
"type": "http-01",
"status": "pending",
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE/164854450",
"token": "nJANiwx4dXcJ5lnw-fVjdHyv7ZWop9GYf20pM7zl2ow"
}
]
}
2018-08-29 13:56:28,854:INFO:certbot.auth_handler:Performing the following challenges:
2018-08-29 13:56:28,854:INFO:certbot.auth_handler:http-01 challenge for realtebo.example.com
2018-08-29 13:56:28,855:DEBUG:acme.standalone:Successfully bound to :10000 using IPv6
2018-08-29 13:56:28,855:DEBUG:acme.standalone:Certbot wasn't able to bind to :10000 using IPv4, this is often expected due to the dual stack nature of IPv6 socket implementations.
2018-08-29 13:56:28,859:INFO:certbot.auth_handler:Waiting for verification...
2018-08-29 13:56:28,859:DEBUG:acme.client:JWS payload:
b'{\n "resource": "challenge",\n "type": "http-01",\n "keyAuthorization": "nJANiwx4dXcJ5lnw-fVjdHyv7ZWop9GYf20pM7zl2ow.RbQZDrhcRU5z3T8Ak72neNkXe8hh9D5yKNV-PomuANo"\n}'
2018-08-29 13:56:28,861:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/challenge/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE/164854450:
{
"protected": "eyJub25jZSI6ICJiLXhtckJPM3U2eFduUTNYLXBqc2N6My01VVctdFktY0l5LXJISFJGQ2p3IiwgImFsZyI6ICJSUzI1NiIsICJraWQiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hY2N0LzY4Mjk3NjEiLCAidXJsIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvY2hhbGxlbmdlL0Iyc0kwSkFCbWd6VllFWURkOUNGbEZRTjNwWHRIaVBnMWtXYTFjZThnU0UvMTY0ODU0NDUwIn0",
"signature": "db4xpVwufNdIrQ0jScXiOz4QZyHbtYvUAWiH91JSd4yhdjLHNyF80KQR71a9xkZy2F_dGfZWrPiJym7R9soQrMcSwlC6d2e-1nshJNrb7iLju2CfHBiDPK4LwD6epICxH-cgT4ANafTHEWJIUmnxUVLzfa9uZ1inUboMaZw6G9jCA_P7KKsPVaX76BF-laDi882knktzdOHe1o74bMdumgTwrfhHrFK2S6GP-ZHufdghShV71X7NhK0tJjpoDR09B8NTysCgkNg787i7rIfYbftrY_QESLjQxSsYHG6k3vqBeGWaJ-KBJkCvgU2jb8b8jJB43G9IUsXDQYDnkG9lcg",
"payload": "ewogICJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiLAogICJ0eXBlIjogImh0dHAtMDEiLAogICJrZXlBdXRob3JpemF0aW9uIjogIm5KQU5pd3g0ZFhjSjVsbnctZlZqZEh5djdaV29wOUdZZjIwcE03emwyb3cuUmJRWkRyaGNSVTV6M1Q4QWs3Mm5lTmtYZThoaDlENXlLTlYtUG9tdUFObyIKfQ"
}
2018-08-29 13:56:29,151:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/challenge/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE/164854450 HTTP/1.1" 200 230
2018-08-29 13:56:29,151:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 230
Boulder-Requester: 6829761
Link: <https://acme-staging-v02.api.letsencrypt.org/acme/authz/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE>;rel="up"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/challenge/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE/164854450
Replay-Nonce: NNtlhuo7zvSfZnilaDdPb-CF7pWHLmSB-Dk6qloCttM
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 29 Aug 2018 11:56:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 29 Aug 2018 11:56:29 GMT
Connection: keep-alive
{
"type": "http-01",
"status": "pending",
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE/164854450",
"token": "nJANiwx4dXcJ5lnw-fVjdHyv7ZWop9GYf20pM7zl2ow"
}
2018-08-29 13:56:29,152:DEBUG:acme.client:Storing nonce: NNtlhuo7zvSfZnilaDdPb-CF7pWHLmSB-Dk6qloCttM
2018-08-29 13:56:32,155:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/acme/authz/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE.
2018-08-29 13:56:32,387:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "GET /acme/authz/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE HTTP/1.1" 200 939
2018-08-29 13:56:32,388:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 939
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 29 Aug 2018 11:56:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 29 Aug 2018 11:56:32 GMT
Connection: keep-alive
{
"identifier": {
"type": "dns",
"value": "realtebo.example.com"
},
"status": "pending",
"expires": "2018-09-05T11:56:28Z",
"challenges": [
{
"type": "dns-01",
"status": "pending",
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE/164854448",
"token": "r_EGiMDAA18pVLDSiEqPUIQe57RTnH79YxN65ybsLHg"
},
{
"type": "tls-alpn-01",
"status": "pending",
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE/164854449",
"token": "qDoGsuxMNdrihAuIbetnBFTSqz6uSyTYX-Jm_JW3xKc"
},
{
"type": "http-01",
"status": "pending",
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE/164854450",
"token": "nJANiwx4dXcJ5lnw-fVjdHyv7ZWop9GYf20pM7zl2ow"
}
]
}
2018-08-29 13:56:35,392:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/acme/authz/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE.
2018-08-29 13:56:35,666:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "GET /acme/authz/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE HTTP/1.1" 200 939
2018-08-29 13:56:35,666:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 939
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 29 Aug 2018 11:56:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 29 Aug 2018 11:56:35 GMT
Connection: keep-alive
{
"identifier": {
"type": "dns",
"value": "realtebo.example.com"
},
"status": "pending",
"expires": "2018-09-05T11:56:28Z",
"challenges": [
{
"type": "dns-01",
"status": "pending",
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE/164854448",
"token": "r_EGiMDAA18pVLDSiEqPUIQe57RTnH79YxN65ybsLHg"
},
{
"type": "tls-alpn-01",
"status": "pending",
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE/164854449",
"token": "qDoGsuxMNdrihAuIbetnBFTSqz6uSyTYX-Jm_JW3xKc"
},
{
"type": "http-01",
"status": "pending",
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE/164854450",
"token": "nJANiwx4dXcJ5lnw-fVjdHyv7ZWop9GYf20pM7zl2ow"
}
]
}
2018-08-29 13:56:38,671:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/acme/authz/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE.
2018-08-29 13:56:39,216:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "GET /acme/authz/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE HTTP/1.1" 200 939
2018-08-29 13:56:39,217:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 939
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 29 Aug 2018 11:56:39 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 29 Aug 2018 11:56:39 GMT
Connection: keep-alive
{
"identifier": {
"type": "dns",
"value": "realtebo.example.com"
},
"status": "pending",
"expires": "2018-09-05T11:56:28Z",
"challenges": [
{
"type": "dns-01",
"status": "pending",
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE/164854448",
"token": "r_EGiMDAA18pVLDSiEqPUIQe57RTnH79YxN65ybsLHg"
},
{
"type": "tls-alpn-01",
"status": "pending",
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE/164854449",
"token": "qDoGsuxMNdrihAuIbetnBFTSqz6uSyTYX-Jm_JW3xKc"
},
{
"type": "http-01",
"status": "pending",
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE/164854450",
"token": "nJANiwx4dXcJ5lnw-fVjdHyv7ZWop9GYf20pM7zl2ow"
}
]
}
2018-08-29 13:56:42,222:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/acme/authz/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE.
2018-08-29 13:56:42,462:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "GET /acme/authz/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE HTTP/1.1" 200 1600
2018-08-29 13:56:42,463:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1600
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 29 Aug 2018 11:56:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 29 Aug 2018 11:56:42 GMT
Connection: keep-alive
{
"identifier": {
"type": "dns",
"value": "realtebo.example.com"
},
"status": "invalid",
"expires": "2018-09-05T11:56:28Z",
"challenges": [
{
"type": "dns-01",
"status": "invalid",
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE/164854448",
"token": "r_EGiMDAA18pVLDSiEqPUIQe57RTnH79YxN65ybsLHg"
},
{
"type": "tls-alpn-01",
"status": "invalid",
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE/164854449",
"token": "qDoGsuxMNdrihAuIbetnBFTSqz6uSyTYX-Jm_JW3xKc"
},
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:connection",
"detail": "Fetching http://realtebo.example.com/.well-known/acme-challenge/nJANiwx4dXcJ5lnw-fVjdHyv7ZWop9GYf20pM7zl2ow: Timeout during connect (likely firewall problem)",
"status": 400
},
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE/164854450",
"token": "nJANiwx4dXcJ5lnw-fVjdHyv7ZWop9GYf20pM7zl2ow",
"validationRecord": [
{
"url": "http://realtebo.example.com/.well-known/acme-challenge/nJANiwx4dXcJ5lnw-fVjdHyv7ZWop9GYf20pM7zl2ow",
"hostname": "realtebo.example.com",
"port": "80",
"addressesResolved": [
"79.19.63.157"
],
"addressUsed": "79.19.63.157"
}
]
}
]
}
2018-08-29 13:56:42,464:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:
Domain: realtebo.example.com
Type: connection
Detail: Fetching http://realtebo.example.com/.well-known/acme-challenge/nJANiwx4dXcJ5lnw-fVjdHyv7ZWop9GYf20pM7zl2ow: Timeout during connect (likely firewall problem)
To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
2018-08-29 13:56:42,464:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
self._respond(aauthzrs, resp, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 155, in _respond
self._poll_challenges(aauthzrs, chall_update, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 226, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. realtebo.example.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://realtebo.example.com/.well-known/acme-challenge/nJANiwx4dXcJ5lnw-fVjdHyv7ZWop9GYf20pM7zl2ow: Timeout during connect (likely firewall problem)
2018-08-29 13:56:42,464:DEBUG:certbot.error_handler:Calling registered functions
2018-08-29 13:56:42,464:INFO:certbot.auth_handler:Cleaning up challenges
2018-08-29 13:56:42,465:DEBUG:certbot.plugins.standalone:Stopping server at :::10000...
2018-08-29 13:56:42,887:INFO:certbot.hooks:Running post-hook command: sudo service webmin start
2018-08-29 13:56:45,631:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 11, in <module>
load_entry_point('certbot==0.26.1', 'console_scripts', 'certbot')()
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1364, in main
return config.func(config, plugins)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1254, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 120, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 391, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 334, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 370, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
self._respond(aauthzrs, resp, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 155, in _respond
self._poll_challenges(aauthzrs, chall_update, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 226, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. realtebo.example.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://realtebo.example.com/.well-known/acme-challenge/nJANiwx4dXcJ5lnw-fVjdHyv7ZWop9GYf20pM7zl2ow: Timeout during connect (likely firewall problem)
I've nothing to write here
This is a well-known, documented, behaviour. It's not a bug. I close.
Hi @realtebo! Thanks for reporting :)
Let's Encrypt, by the ACME protocol, must perform validation over port 80 for the HTTP challenge. --http-01-port can't change which port LE expects to do validation over. As Brad mentions here:
All these flags allow you to do is control which ports Certbot listens on for plugins like standalone. This is useful if you're routing all port 80 traffic to port 8080 for example.
Going to close this issue for now, but feel free to ask me to re-open or create a new one if you find something wrong with Certbot!
Oh, it looks like you beat me to it :D
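
A log check for the mismatch discussed in this thread, as an added example that is not part of the original issue or of Certbot's code: it compares the port the standalone plugin bound to with the port the CA recorded in `validationRecord`. The sample log is constructed (placeholder host and address) and the function names are hypothetical.

```python
import json
import re

# Constructed sample, modelled on the debug log format shown in the issue.
SAMPLE_LOG = r'''2018-08-29 13:56:28,855:DEBUG:acme.standalone:Successfully bound to :10000 using IPv6
2018-08-29 13:56:28,859:DEBUG:acme.client:JWS payload:
b'{\n "resource": "challenge",\n "type": "http-01"\n}'
2018-08-29 13:56:42,463:DEBUG:acme.client:Received response:
HTTP 200
Content-Type: application/json
{
  "identifier": {"type": "dns", "value": "host.example.com"},
  "status": "invalid",
  "challenges": [
    {"type": "dns-01", "status": "invalid"},
    {
      "type": "http-01",
      "status": "invalid",
      "error": {"type": "urn:ietf:params:acme:error:connection", "status": 400},
      "validationRecord": [
        {"hostname": "host.example.com", "port": "80", "addressUsed": "203.0.113.10"}
      ]
    }
  ]
}
'''

BOUND_RE = re.compile(r"acme\.standalone:Successfully bound to \S*:(\d+) using")


def bound_ports(log_text):
    """Ports the standalone authenticator actually listened on."""
    return sorted({int(p) for p in BOUND_RE.findall(log_text)})


def json_bodies(log_text):
    """Yield every well-formed JSON object embedded in the log text."""
    decoder = json.JSONDecoder()
    pos = 0
    while True:
        pos = log_text.find("{", pos)
        if pos < 0:
            return
        try:
            obj, end = decoder.raw_decode(log_text, pos)
        except ValueError:
            pos += 1  # e.g. the escaped b'{\n ...}' payload dump; skip it
            continue
        yield obj
        pos = end


def http01_attempts(authz):
    """Ports and addresses the CA tried for http-01, per validationRecord."""
    for chall in authz.get("challenges", []):
        if chall.get("type") != "http-01":
            continue
        for rec in chall.get("validationRecord", []):
            yield {
                "ca_port": int(rec["port"]),
                "address": rec.get("addressUsed"),
                "error": chall.get("error", {}).get("type"),
            }


def diagnose(log_text):
    """Report validation attempts made to a port nothing was bound to."""
    listening = bound_ports(log_text)
    findings = []
    for body in json_bodies(log_text):
        for attempt in http01_attempts(body):
            if listening and attempt["ca_port"] not in listening:
                findings.append({**attempt, "listen_ports": listening})
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print("CA connected to port %(ca_port)s on %(address)s, "
              "but certbot listened on %(listen_ports)s" % finding)
```

A finding here means inbound port 80 has to reach the listening port (for example through a port forward) before the challenge can succeed.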