0
votes

First, thanks to all who may or may not try to help me. My problem: I'm trying to create an SSL certificate with Let's Encrypt. I have already installed everything mentioned in the documentation. I decided to use certbot, since it seemed to be the easiest way for me to fulfill my needs.

We have freed both ports 80 and 443, and every request that comes to one of these ports is redirected to my Ubuntu 18.04 machine's internal IP address.

There are no configurations on this machine, so nothing listens on port 80 or 443, as you can see in my netstat output:

tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      895/systemd-resolve 
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1211/sshd           
tcp6       0      0 :::22                   :::*                    LISTEN      1211/sshd   

After creating the certificate I'll run a Spring Boot application, which should use the certificate.

As far as I understood from the documentation, it isn't required to have running applications listening on these ports. It ought to be possible to create the certificate by using the standalone parameter. So I guess certbot creates a small application listening on one of these ports on its own to verify that I'm the one who I claim to be. Right?

placeholder.example.com is, as you will assume, a placeholder. I think it's obvious why I'm not publishing my domain name when having ports 80 & 443 open.

root@urlaub:/# certbot certonly --standalone --preferred-challenges http -d placeholder.example.com

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for placeholder.example.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. placeholder.example.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://placeholder.example.com/.well-known/acme-challenge/jCJ4waxV0aYPxjqDI3OcBXXPReNSrse1kd6piK9Dwdo: Connection refused

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: placeholder.example.com
   Type:   connection
   Detail: Fetching
   http://placeholder.example.com/.well-known/acme-challenge/jCJ4waxV0aYPxjqDI3OcBXXPReNSrse1kd6piK9Dwdo:
   Connection refused

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

EDIT: I have tried this a lot of times, without success. Now there are 13 .pem files in /etc/letsencrypt/keys. Can I convert them to a .p12 file to use it in a Spring Boot application?

2
"placeholder.mydomain.com is as you will assume a placeholder." then use placeholder.example.com, as mydomain.com is certainly not a placeholder, it exists online. - Patrick Mevzek
Edited. I don't understand what was odd about using placeholder.mydomain.com, though. - Sercan Samet Savran
Simple: do you think mydomain.com exists today on the Internet and is used actively by someone? If no, please double check. If yes, is this your domain? If it isn't, imagine what is happening for the true owner. For all details, please have a read of RFC 2606: rfc-editor.org/rfc/rfc2606.txt For another example: the .MAIL TLD will never exist for real just because it has been (ab)used by numerous documentations, which renders it now impossible to use without breaking many people's configurations. - Patrick Mevzek
"I think it's obvious why I'm not publishing my domain name": this is security by obscurity (which does not work). Besides making troubleshooting more complicated for anyone, do you know that the list of domain names, specifically .COM ones, is public data, so anyone can at some point find yours... - Patrick Mevzek

2 Answers

1
votes

It was an issue with the redirection to my server machine. So the command used above works properly and I was able to create a certificate. If anyone wants to use it: go for it.

My intent was to use it in a Spring Boot application and I needed a PKCS12 file. I was able to convert the .pem files created by certbot to a .p12 file by using the following command:

openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out keystore.p12 -name tomcat -CAfile chain.pem -caname tomcat

In your application.properties you have to put the following:

server.port: PORTNUMBER
server.ssl.key-store:/etc/letsencrypt/live/<YOURDOMAIN>/keystore.p12
server.ssl.key-store-password: <PASSWORD YOU WERE PROMPTED WHEN CREATING THE CERTIFICATE>
server.ssl.keyStoreType: PKCS12
server.ssl.keyAlias: tomcat

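As an added example (not part of the answer above), here is a small POSIX shell script that automates the same PEM-to-PKCS12 conversion from certbot's live directory, but first checks that privkey.pem actually belongs to the leaf certificate in fullchain.pem, reads the export password from a file instead of a prompt so it can run from a certbot deploy hook, and locks down the keystore's permissions. The directory layout (/etc/letsencrypt/live/<domain>/privkey.pem, fullchain.pem, chain.pem) is certbot's; the alias "tomcat" and the output name keystore.p12 follow the answer; the function names are my own.

```shell
#!/bin/sh
# Added example: build the PKCS12 keystore Spring Boot expects from a certbot
# live directory. Assumes the standard certbot layout and an openssl binary.
set -eu

# Return 0 when the private key and the first certificate in the chain file
# carry the same public key. A mismatch here (e.g. privkey.pem from an older
# renewal) is what later surfaces as a "key values mismatch" error.
key_matches_cert() {
    key="$1"; chain="$2"
    key_pub=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | openssl sha256)
    cert_pub=$(openssl x509 -in "$chain" -pubkey -noout 2>/dev/null \
               | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Export <live dir> -> PKCS12. $3 is a file holding the keystore password
# (the same value that goes into server.ssl.key-store-password), so no
# interactive prompt is needed and the script can run unattended.
make_keystore() {
    live="$1"; out="$2"; passfile="$3"
    key_matches_cert "$live/privkey.pem" "$live/fullchain.pem" || return 1
    openssl pkcs12 -export \
        -in "$live/fullchain.pem" -inkey "$live/privkey.pem" \
        -CAfile "$live/chain.pem" -name tomcat -caname tomcat \
        -passout "file:$passfile" -out "$out"
    # The keystore contains the private key: owner/group only, never world-readable.
    chmod 0640 "$out"
}

# Sanity check after export: number of certificates stored in the keystore.
keystore_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin "file:$2" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}
```

Invoke it as `make_keystore /etc/letsencrypt/live/<YOURDOMAIN> /etc/letsencrypt/live/<YOURDOMAIN>/keystore.p12 /root/keystore.pass` from a `--deploy-hook`, so the .p12 is rebuilt on every renewal.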
0
votes

With Let's Encrypt if you use HTTP validation, you will need a server serving requests on port 80 (HTTP) for placeholder.mydomain.com so that the Let's Encrypt server can download the file .well-known/acme-challenge/jCJ4waxV0aYPxjqDI3OcBXXPReNSrse1kd6piK9Dwdo. This is how Let's Encrypt validates that you have control over the domain. Note: That filename is generated dynamically and will be different each time you attempt validation.

Another option that I use is to use DNS validation and then create the special record in my DNS server. You can then create the certificates on your desktop for any service that requires SSL for that domain name.