Challenge failed for domain – Certbot error – How to fix?
I was setting up Let's Encrypt certificates to enable SSL on one of my Ubuntu servers. I mapped a domain (zumpdo.xyz) to my server, installed nginx, and ran the certbot certificate generator using the following command:

    sudo certbot --nginx -d zumpdo.xyz -d www.zumpdo.xyz

I got this error.

    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator nginx, Installer nginx
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for www.zumpdo.xyz
    http-01 challenge for zumpdo.xyz
    Waiting for verification...
    Challenge failed for domain www.zumpdo.xyz
    Challenge failed for domain zumpdo.xyz
    http-01 challenge for www.zumpdo.xyz
    http-01 challenge for zumpdo.xyz
    Cleaning up challenges
    Some challenges have failed.

    IMPORTANT NOTES:
     - The following errors were reported by the server:

       Domain: www.zumpdo.xyz
       Type: connection
       Detail: Fetching
       http://www.zumpdo.xyz/.well-known/acme-challenge/_HsorBSWytofXEPBUOifaF8JC6DmWN2FE1zzUjh9zlk:
       Timeout during connect (likely firewall problem)

       Domain: zumpdo.xyz
       Type: connection
       Detail: Fetching
       http://zumpdo.xyz/.well-known/acme-challenge/qS6VsLSQQulJK_z1dq02XO5JqYAvdcZBZtaxzz97V10:
       Timeout during connect (likely firewall problem)

       To fix these errors, please make sure that your domain name was
       entered correctly and the DNS A/AAAA record(s) for that domain
       contain(s) the right IP address. Additionally, please check that
       your computer has a publicly routable IP address and that no
       firewalls are preventing the server from communicating with the
       client. If you're using the webroot plugin, you should also verify
       that you are serving files from the webroot path you provided.

It gives a hint that it’s likely a firewall issue. The problem was that the HTTP and HTTPS ports were not exposed from my server. I had to add a rule to allow inbound traffic to port 80 for HTTP and port 443 for HTTPS.
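
A pre-flight check for the failure above, as an added example that is not part of the original post: run from a machine outside the server's network, it attempts TCP connections to ports 80 and 443 and separates a silent timeout (packets dropped by a firewall, the case in the error above) from a refused connection (port reachable, nothing listening). The function names and the hint texts are this example's own.

```python
import socket
import sys

ACME_PORTS = (80, 443)  # http-01 validation connects to 80; 443 serves the issued certificate

HINTS = {
    "open": "reachable",
    "closed": "connection refused: port is reachable but no web server is listening",
    "filtered": "no reply before timeout: an inbound firewall rule is likely dropping the port",
    "dns-error": "name does not resolve: check the A/AAAA records",
    "unreachable": "no route to the address",
}

def probe(host, port, timeout=5.0):
    """Classify one TCP connection attempt; the return value is a key of HINTS."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:                  # DNS lookup failed
        return "dns-error"
    except ConnectionRefusedError:           # RST received: host answered, port has no listener
        return "closed"
    except (socket.timeout, TimeoutError):   # nothing came back at all
        return "filtered"
    except OSError:                          # e.g. network or host unreachable
        return "unreachable"

def preflight(domains, ports=ACME_PORTS, timeout=5.0):
    """Return {(domain, port): state} for every requested name and port."""
    return {(d, p): probe(d, p, timeout) for d in domains for p in ports}

def ready_for_http01(results):
    """http-01 needs port 80 open on every name the certificate will cover."""
    states = [state for (_, port), state in results.items() if port == 80]
    return bool(states) and all(state == "open" for state in states)

if __name__ == "__main__":
    domains = sys.argv[1:]  # pass the same names given to certbot with -d
    if not domains:
        print("usage: preflight.py DOMAIN [DOMAIN ...]")
    results = preflight(domains)
    for (domain, port), state in results.items():
        print(f"{domain}:{port:<4} {state:<12} {HINTS[state]}")
    if domains and not ready_for_http01(results):
        sys.exit(1)
```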

I tried to create the certificates again and voila!

    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator nginx, Installer nginx
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for www.zumpdo.xyz
    http-01 challenge for zumpdo.xyz
    Waiting for verification...
    Cleaning up challenges
    Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/default
    Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/default

    Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    1: No redirect - Make no further changes to the webserver configuration.
    2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
    new sites, or if you're confident your site works on HTTPS. You can undo this
    change by editing your web server's configuration.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
    Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/default
    Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/default

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Congratulations! You have successfully enabled https://zumpdo.xyz and
    https://www.zumpdo.xyz

    You should test your configuration at:
    https://www.ssllabs.com/ssltest/analyze.html?d=zumpdo.xyz
    https://www.ssllabs.com/ssltest/analyze.html?d=www.zumpdo.xyz
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/zumpdo.xyz/fullchain.pem
       Your key file has been saved at:
       /etc/letsencrypt/live/zumpdo.xyz/privkey.pem
       Your cert will expire on 2021-04-25. To obtain a new or tweaked
       version of this certificate in the future, simply run certbot again
       with the "certonly" option. To non-interactively renew *all* of
       your certificates, run "certbot renew"
     - If you like Certbot, please consider supporting our work by:

       Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
       Donating to EFF: https://eff.org/donate-le