Netgate Discussion Forum

Certbot verification issues on webserver behind NAT

4 Posts 2 Posters 1.8k Views
  • helloha
    last edited by helloha Oct 2, 2021, 7:33 PM

    Hi all,

    Switched to pfSense last week and things run fine. I have a small web server that is reachable with a No-IP domain.

    However, now I have issues renewing my HTTPS certificate via the certbot script.

    Any idea what could cause this? It mentions the firewall but I can't turn it off on pfsense to test without disabling NAT?

    Thx!

    Select the appropriate numbers separated by commas and/or spaces, or leave input
    blank to select all options shown (Enter 'c' to cancel): 1
    Cert is due for renewal, auto-renewing...
    Renewing an existing certificate for xxxx.ddns.net
    Performing the following challenges:
    http-01 challenge for xxxxx.ddns.net
    Waiting for verification...
    Challenge failed for domain xxx.ddns.net
    http-01 challenge for xxx.ddns.net
    Cleaning up challenges
    Some challenges have failed.
    
    IMPORTANT NOTES:
     - The following errors were reported by the server:
    
       Domain: xxxxx.ddns.net
       Type:   connection
       Detail: Fetching
       http://xxxxx.ddns.net/.well-known/acme-challenge/jQ0FAbIxSG49Zc0apfcfvPZLQARMAm-W_off0MvKF68:
       Timeout during connect (likely firewall problem)
    
       To fix these errors, please make sure that your domain name was
       entered correctly and the DNS A/AAAA record(s) for that domain
       contain(s) the right IP address. Additionally, please check that
       your computer has a publicly routable IP address and that no
       firewalls are preventing the server from communicating with the
       client. If you're using the webroot plugin, you should also verify
       that you are serving files from the webroot path you provided.
    
    • Gertjan @helloha
      last edited by Oct 4, 2021, 7:41 AM

      @helloha said in Certbot verification issues on webserver behind NAT:

      Any idea what could cause this?

      The most plausible issues are mentioned.

      Do you know what NAT is?
      Did you test it?

      This:

      http://xxxxx.ddns.net/
      

      Does "xxxxx.ddns.net" resolve to your WAN IP?
      If so, traffic should hit your WAN interface. Did the traffic arrive at the WAN port? Did it arrive at the web server? Was the 'hidden' directory ".well-known" created in the server's web root? Was there a sub directory created, called acme-challenge? Was there a file called jQ0FAbIxSG49Zc0apfcfvPZLQARMAm-W_off0MvKF68?

      No "help me" PMs please. Use the forum, the community will thank you.
      Edit: and where are the logs??

      • helloha @Gertjan
        last edited by Oct 4, 2021, 3:34 PM

        @gertjan

        Thanks,

        Got it fixed. I redirected port 80 to 443 because I didn't want to allow HTTP. I did not know that certbot and Let's Encrypt need port 80 for their verification...

        • Gertjan @helloha
          last edited by Oct 5, 2021, 7:29 AM

          @helloha said in Certbot verification issues on webserver behind NAT:

          I redirected port 80 to 443

          It can't work like that.
          (Any) HTTP request (over port 80) will fail, as HTTP - clear HTTP requests - will not understand the TLS-type reply coming from a typical TLS web server instance.

          So port 80 redirects to the HTTP instance of a web server.
          Port 443 redirects to the HTTPS instance of a web server.
          So, typically, you always have two instances of the web server running, one for each type.
          The port 80 type is often redirecting all the traffic to the HTTPS version, only if (for example) the requested file path doesn't contain ".well-known".

          Details of the "http-01 challenge" challenge: https://letsencrypt.org/docs/challenge-types/
          You'll discover that http://xxx.ddns.net:80 can get redirected to https://xxx.ddns.net:443; this is something other than mapping port 80 to 443.

          No "help me" PMs please. Use the forum, the community will thank you.
          Edit: and where are the logs??

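The behaviour Gertjan describes, as an added example that is not part of the thread: a minimal port-80 listener that answers ACME http-01 requests from the webroot and sends every other request to HTTPS with a 301, so the firewall can forward port 80 to it instead of mapping 80 onto 443. The webroot path and hostname are assumed placeholders; binding port 80 needs the appropriate privileges.

```python
"""Port-80 front for ACME http-01 (added example, not the thread's code).
Serve /.well-known/acme-challenge/<token> from the webroot; redirect the
rest to HTTPS. WEBROOT and HTTPS_HOST are assumed placeholder values."""
import os
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

WEBROOT = "/var/www/html"         # assumed webroot (placeholder)
HTTPS_HOST = "example.ddns.net"   # assumed public hostname (placeholder)
ACME_PREFIX = "/.well-known/acme-challenge/"
# ACME tokens are base64url: letters, digits, '-' and '_' only.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def route(path, webroot=WEBROOT, https_host=HTTPS_HOST):
    """Decide what port 80 does with a request path.
    Returns ("serve", file_path) for a well-formed challenge request,
    ("redirect", https_url) for any other path, or ("notfound", None)
    for a malformed token (this also keeps '..' out of the file lookup)."""
    if not path.startswith(ACME_PREFIX):
        return ("redirect", f"https://{https_host}{path}")
    token = path[len(ACME_PREFIX):]
    if not TOKEN_RE.match(token):
        return ("notfound", None)
    return ("serve", os.path.join(webroot, ACME_PREFIX.lstrip("/"), token))


class Port80Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        action, target = route(self.path.split("?", 1)[0])
        if action == "serve" and os.path.isfile(target):
            with open(target, "rb") as f:
                body = f.read()
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        elif action == "redirect":
            self.send_response(301)      # plain HTTP answer, not TLS
            self.send_header("Location", target)
            self.end_headers()
        else:
            self.send_error(404)


if __name__ == "__main__":
    # certbot's webroot plugin writes the token file under WEBROOT.
    HTTPServer(("0.0.0.0", 80), Port80Handler).serve_forever()
```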