NetTalk Central

Author Topic: Let's Encrypt issues

jking

  • Sr. Member
  • Posts: 429
Let's Encrypt issues
« on: August 05, 2025, 10:29:05 AM »
Hello everyone,

     I moved an NT app (14.30) from an old server to a new Server 2024, Standard. This is a virtual server hosted by our IT Dept. at a University.

I keep getting "Challenge was invalid", here is the log:

[ 8/05/25-13:52:43]  Hostname resolved to: 131.247.221.208
[ 8/05/25-13:52:43]  Unable to get certificate - Challenge was invalid
[ 8/05/25-13:52:43]  Status: "invalid"
[ 8/05/25-13:52:43]  Get Authorize bcdb.usfbreastresearch.org
[ 8/05/25-13:52:43]  Checking Status
[ 8/05/25-13:52:33]  Status: "pending"
[ 8/05/25-13:52:32]  Get Authorize bcdb.usfbreastresearch.org
[ 8/05/25-13:52:32]  Checking Status
[ 8/05/25-13:52:32]  Notify Server Challenge is Ready: https://acme-staging-v02.api.letsencrypt.org/acme/chall/218067634/18813677063/luoqhA
[ 8/05/25-13:52:32]  LE Server will now fetch http://bcdb.usfbreastresearch.org:80/.well-known/acme-challenge/0XtYAnuLqEvkaYcPwYxNTwSqiGltTG172l_VnoY7Ac0
[ 8/05/25-13:52:32]  Challenge Token Saved D:\DCISionRT_DEV_AUS\web\.well-known\acme-challenge\0XtYAnuLqEvkaYcPwYxNTwSqiGltTG172l_VnoY7Ac0
[ 8/05/25-13:52:32]  HTTP Challenge will be used
[ 8/05/25-13:52:31]  Get Authorize bcdb.usfbreastresearch.org
[ 8/05/25-13:52:31]  Authorize Request bcdb.usfbreastresearch.org
[ 8/05/25-13:52:30]  Registering Account USFBreastResearch_2025 at  https://acme-staging-v02.api.letsencrypt.org/acme/new-acct
[ 8/05/25-13:52:29]  Time to update the certificate bcdb.usfbreastresearch.org
[ 8/05/25-13:52:29]  D:\DCISionRT_DEV_AUS\certificates\bcdb.usfbreastresearch.org.crt does not exist
[ 8/05/25-13:52:29]  Setting Folders for Domain [bcdb.usfbreastresearch.org]
[ 8/05/25-13:52:29]  Created D:\DCISionRT_DEV_AUS\certificates\bcdb.usfbreastresearch.org.csr.der
[ 8/05/25-13:52:29]  Setting Folders for Domain [bcdb.usfbreastresearch.org]


     I suspect the ports on the new server (80 and 443) are not configured properly at the institution's firewall. From an outside machine I did a port scan on my IP address and both come back as closed. Is this the problem? If not, is there anything else I should look at while waiting for these ports to be opened?

Thanks,

Jeff

Jane

  • Sr. Member
  • Posts: 406
  • Expert on nothing with opinions on everything.
Re: Let's Encrypt issues
« Reply #1 on: August 05, 2025, 12:05:44 PM »
That's what it looks like to me, Jeff.
 
If you click the "Notify Server Challenge is Ready" link from your log, https://acme-staging-v02.api.letsencrypt.org/acme/chall/218067634/18813677063/luoqhA

it says...
  "error": {
    "type": "urn:ietf:params:acme:error:connection",
    "detail": "131.247.221.208: Fetching http://bcdb.usfbreastresearch.org/.well-known/acme-challenge/0XtYAnuLqEvkaYcPwYxNTwSqiGltTG172l_VnoY7Ac0: Timeout during connect (likely firewall problem)",
    "status": 400
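As an added example (not from the thread and not NetTalk's own code): a small Python helper that reads the challenge document behind the "Notify Server Challenge is Ready" URL, maps the ACME error type to the layer to check first, and runs the plain TCP/80 connect test Jeff did from outside. The sample document and the `LAYERS` mapping are constructed here; the hostname, IP and token are copied from the log above.

```python
import json
import re
import socket

# Constructed sample, shaped like the RFC 8555 challenge object that the
# challenge URL returns; the error text is the one quoted in this thread.
SAMPLE_CHALLENGE = json.dumps({
    "type": "http-01", "status": "invalid",
    "error": {"type": "urn:ietf:params:acme:error:connection",
              "detail": "131.247.221.208: Fetching http://bcdb.usfbreastresearch.org"
                        "/.well-known/acme-challenge/0XtYAnuLqEvkaYcPwYxNTwSqiGltTG172l_VnoY7Ac0: "
                        "Timeout during connect (likely firewall problem)",
              "status": 400},
    "token": "0XtYAnuLqEvkaYcPwYxNTwSqiGltTG172l_VnoY7Ac0",
})

# Let's Encrypt's detail string: "<validator ip>: Fetching <url>: <reason>"
DETAIL_RE = re.compile(r"^(?P<ip>[\d.]+): Fetching (?P<url>\S+): (?P<reason>.*)$")

# Error subtype -> the layer to check first (constructed mapping, HTTP-01 cases only).
LAYERS = {
    "connection": "network: TCP/80 not reachable from the internet (firewall/NAT)",
    "dns": "dns: name does not resolve publicly or points elsewhere",
    "unauthorized": "content: web server answered but token file missing/wrong",
}

def diagnose(challenge_json: str) -> dict:
    """Parse a challenge document and say which layer failed."""
    obj = json.loads(challenge_json)
    out = {"status": obj.get("status"), "layer": None,
           "ip": None, "url": None, "reason": None}
    if out["status"] != "invalid":
        return out                      # pending/valid: nothing to diagnose yet
    err = obj.get("error") or {}
    m = DETAIL_RE.match(err.get("detail", ""))
    if m:
        out.update(m.groupdict())
    subtype = err.get("type", "").rsplit(":", 1)[-1]
    out["layer"] = LAYERS.get(subtype, f"other: {subtype}")
    return out

def port_open(host: str, port: int = 80, timeout: float = 5.0) -> bool:
    """Plain TCP connect, i.e. what the CA's validator does before its GET.
    Run it from a host outside the campus network to see what LE sees."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False
```

`diagnose(SAMPLE_CHALLENGE)` reports the network layer for the error in this thread; a `connection` error with both 80 and 443 closed from outside is the firewall, not the NetTalk certificate setup.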

rjolda

  • Sr. Member
  • Posts: 381
Re: Let's Encrypt issues
« Reply #2 on: August 05, 2025, 12:09:26 PM »
Hi Jeff,
Yes, it is a problem. Let's Encrypt writes to port 80 so that it can verify control of the machine. Most commercial internet providers block port 80. I suspect that your institution does as well. The good news is that there is a workaround using DNS. So you are going to have to use an alternate method. Another thing is how are folks getting to your site? Is it a University site? If it is, then maybe you should be under their SSL certificate? I purchase an SSL certificate for a domain that I own - yes, Let's Encrypt is free - but I have other reasons for purchasing this SSL certificate. With this SSL certificate, I can host my site on any machine and just plop in my SSL certificate and I am up and running. So, maybe you want to purchase your own domain name and SSL and put it on your server and not have to fight with many many many many layers of bureaucracy....
Ron

jking

  • Sr. Member
  • Posts: 429
Re: Let's Encrypt issues
« Reply #3 on: August 05, 2025, 12:38:15 PM »
Hi Jane,

     Thanks for teaching me something... I never thought to click on those links in the log. I have a ticket in at the University to open ports 80 and 443... they were open on the old server so hopefully they will allow it on the new server.

Jeff

jking

  • Sr. Member
  • Posts: 429
Re: Let's Encrypt issues
« Reply #4 on: August 05, 2025, 12:41:39 PM »
Hi Ron,

     I have been looking at possibly using the DNS method but it seems overly complicated. Can you share instructions on how to set this up? I have looked at the NetTalk docs but was not following too well.

Thanks,

Jeff

rjolda

  • Sr. Member
  • Posts: 381
Re: Let's Encrypt issues
« Reply #5 on: August 05, 2025, 03:22:14 PM »
Hi Jeff,
You must carry some weight there - to ask them to open port 80!
I have switched my DNS provider to the one that Bruce mentions in his documents. The DNS method needs to interact with the DNS record in order to "prove" that you have control over it. So, you have to be able to interact with the DNS host - so, you need one that allows interaction. I was going to try the DNS method but, as I mentioned, I have a fixed SSL certificate that I use for this server. So, there is a webinar about this but I don't remember which one it is. Perhaps search Clarion Live for it.
Ron