Posted: Wed Apr 21, 2021 15:11 Post subject: Let's Encrypt is looking for acme-challenge on port 80
Thank you for the proposal, but my final goal is to allow my server to get a Let's Encrypt certificate. My server's client for Let's Encrypt puts verification hashes in .well-known/acme-challenge and it is accessible only on plain http.
BTW I started tcpdump on the external interface of the router and tried with mobile internet to request my URL - it gets requests, so the hypothesis of an ISP block is not proved.
I need some advice on how to trace these requests to the host in the LAN zone.
What are your firewall/port forwarding rules... maybe you made a mistake there? But if you did put it in the DMZ then it makes me think that something else is wrong.
Do you mind posting pictures of your port forwarding or your iptables firewall output?
You have 8 hits on tcp 80 and 14 on tcp 443, so it might be on your machine...
Could you also post the result of iptables -t nat -vnL
*1* Note: you have both DMZ and port forwarding enabled; this is probably a conflict and I do not know which takes priority... so either use one or the other.
The only other thing is: is the machine that you want at that IP address?
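As an added example (not code from anyone in this thread), here is a small POSIX shell script that reads the router's NAT table in the format `iptables -t nat -vnL PREROUTING` prints and answers the questions asked above: where WAN tcp/80 is DNATed to, how many packets have matched that rule, and whether a DMZ catch-all rule also exists. The embedded table is constructed sample output; the addresses 203.0.113.10, 192.168.1.10, 192.168.1.20 and the WAN interface name vlan2 are made-up placeholders. On the priority question: a plain iptables nat chain is evaluated top to bottom and the first matching DNAT rule wins, so the order the table is printed in is the priority.

```shell
#!/bin/sh
# Added example: check where a WAN port is forwarded, from the NAT table.
# SAMPLE_NAT is constructed `iptables -t nat -vnL PREROUTING` output
# (addresses, interface name and counters are invented for the example).
# On the router, feed it the live table instead:
#   NAT_OUTPUT=$(iptables -t nat -vnL PREROUTING) sh check_forward.sh
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT 1234 packets, 98765 bytes)
 pkts bytes target     prot opt in     out     source               destination
    8   480 DNAT       tcp  --  vlan2  *       0.0.0.0/0            203.0.113.10         tcp dpt:80 to:192.168.1.10:80
   14   840 DNAT       tcp  --  vlan2  *       0.0.0.0/0            203.0.113.10         tcp dpt:443 to:192.168.1.10:443
    0     0 DNAT       all  --  vlan2  *       0.0.0.0/0            203.0.113.10         to:192.168.1.20'

nat_table() {
  printf '%s\n' "${NAT_OUTPUT:-$SAMPLE_NAT}"
}

# dnat_target PORT: print the LAN ip:port that WAN tcp/PORT is DNATed to,
# nothing if no rule matches. Rules are scanned in table order, which is
# the order iptables evaluates them, so the first hit is the one that wins.
dnat_target() {
  nat_table | awk -v want="dpt:$1" '
    $3 == "DNAT" {
      hit = 0; to = ""
      for (i = 10; i <= NF; i++) {
        if ($i == want) hit = 1
        if (index($i, "to:") == 1) to = substr($i, 4)
      }
      if (hit && to != "") { print to; exit }
    }'
}

# dnat_hits PORT: packet counter of that rule. 0 means nothing from the
# WAN has ever matched it, so the problem is upstream of the forward.
dnat_hits() {
  nat_table | awk -v want="dpt:$1" '
    $3 == "DNAT" { for (i = 10; i <= NF; i++) if ($i == want) { print $1; exit } }'
}

# dmz_host: target of a DNAT rule with no port match, i.e. the DMZ
# catch-all; empty if DMZ is off.
dmz_host() {
  nat_table | awk '
    $3 == "DNAT" {
      hasport = 0; to = ""
      for (i = 10; i <= NF; i++) {
        if (index($i, "dpt:") == 1 || index($i, "dpts:") == 1) hasport = 1
        if (index($i, "to:") == 1) to = substr($i, 4)
      }
      if (!hasport && to != "") { print to; exit }
    }'
}

# check_forward PORT HOST: return 0 if WAN tcp/PORT lands on HOST,
# 1 otherwise, with a one-line diagnosis.
check_forward() {
  port=$1; host=$2
  target=$(dnat_target "$port")
  hits=$(dnat_hits "$port")
  dmz=$(dmz_host)
  if [ -n "$dmz" ] && [ "$dmz" != "$host" ]; then
    echo "warning: DMZ sends everything not explicitly forwarded to $dmz, not $host"
  fi
  case "$target" in
    "")
      echo "no DNAT rule for tcp/$port: the router is not forwarding it"
      return 1 ;;
    "$host":*)
      echo "tcp/$port -> $target (${hits:-0} packets matched): rule is right, look at the firewall on $host next"
      return 0 ;;
    *)
      echo "tcp/$port -> $target, not $host: fix the forward"
      return 1 ;;
  esac
}

# Demo against the constructed sample.
check_forward 80 192.168.1.10
```

If the rule's packet counter grows while you request the URL from outside but nothing reaches the server, the drop is between the router's LAN side and the host (the host's own firewall, a hypervisor bridge, an endpoint-protection product), not the forward. To see that directly, run tcpdump on the router's LAN interface (br0 is the usual bridge name on DD-WRT; assumed here) with `tcpdump -ni br0 'tcp port 80'` and at the same time on the server's interface.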
Just out of curiosity, is this a Linux box running Apache? Have you tried killing the apache process when you run certbot? I have had a number of arguments with the certbot fanboyz over on their forum. They swear that certbot sends apache a signal or some such rot and can coexist with it. However I have not found that to be true. I always have to shut down apache, run certbot, then restart apache.
The LetsEncrypt people have complete blinders on about this 3-month certificate expiration business. There is no fragging reason they cannot do what everyone else in the industry does and set the cert expiration to a year out, and every time you bring this issue up they have a whole load of baloney reasons like "we wanna force automation so that everyone will use LetsEncrypt". I privately believe there is some sort of political horsecrap going on between the LetsEncrypt people and the rest of the commercial certificate industry. I suspect the rest of the CAs have all gotten together and told LetsEncrypt that if they do 1-year certs and go up against the CAs, the CAs will all smoosh them. Because after all, why would anyone pay money for a commercial cert when they can get exactly the same thing for free? So, the LetsEncrypt people take pains to make sure their certs ARE NOT exactly the same - instead they have a hamstrung expiration and a hack-and-a-half to get the cert. It's sufficiently trouble-prone, as you are discovering, that most people will just buy the commercial cert.
Posted: Fri Apr 23, 2021 15:43 Post subject: Linux box
Oh yes, it's a Linux box. I love the SMEServer contribution (https://wiki.koozali.org) - based on CentOS (ergo Red Hat EE).
I ran tcpdump on the LAN interface of the router and in parallel on the "WAN" interface of the server. On the server side there weren't any packets arriving.
I started to doubt the VMware Workstation bridge driver and the Symantec Endpoint Protection client. I stopped SEP and then realized that my Windows firewall was not switched off. I had done it in the past, and hoped that SEP, taking over the role of the firewall, would also turn it off. I went to Control Panel and stopped the Windows firewall.
Now the chain from the internet to my SMEServer is clear and I managed to issue a Let's Encrypt certificate.
Thank you everyone for helping me, and sorry to bother you.