Cloud C2 Cert Issues (lets encrypt)

[NooBody]

Hi Guys,

I've been running Cloud C2 for a while now in the Azure cloud since I have a paid subscription.  I've setup a VM with DNS alias from Azure to myserver.mycompany.com and opened all the relevant firewall ports from my ISP (limited for now).  Running the service now using systemctl and works fine using 8080 however when I try https/443 and try to connect I get the following error - 

2020/05/16 08:31:33 http: TLS handshake error from x.x.x.x:51597: acme/autocert: unable to satisfy "https://acme-v02.api.letsencrypt.org/acme/authz-v3/xxxxxx" for domain "myserver.mycompany.co.uk": no viable challenge type found

Any ideas? Am thinking could be either IPv6, DNS or something Azure like casing the issues...

As I've done mine specifically to a host rather than just the Domain as Darren did recently on the show - 

myserver.mycompany.co.uk. 1799 IN CNAME cloudc2server.somewhere.cloudapp.azure.com.

cloudc2server.somewhere.cloudapp.azure.com. 9 IN A xx.xx.xx.xx

Cheers

Bob

[Void-Byte]

Hey NooBody,

Could you please run certbot manually and see if you can even request a certificate? If you can't then adjust your network settings.

[NooBody]

Hi Void-Byte,

Thanks for the quick response 🙂

So installed certbot and tested against my host.domain see below -

 

./certbot-auto certonly

Saving debug log to /var/log/letsencrypt/letsencrypt.log

 

How would you like to authenticate with the ACME CA?

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1: Spin up a temporary webserver (standalone)

2: Place files in webroot directory (webroot)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Plugins selected: Authenticator webroot, Installer None

Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'

to cancel): myserver.mydomain.co.uk

Obtaining a new certificate

Performing the following challenges:

http-01 challenge for my server.mydomain.co.uk

Input the webroot for my server.mydomain.co.uk: (Enter 'c' to cancel): /tmp

Waiting for verification...

Challenge failed for domain my server.mydomain.co.uk

http-01 challenge for my server.mydomain.co.uk

Cleaning up challenges

Some challenges have failed.

 

IMPORTANT NOTES:

- The following errors were reported by the server:

 

   Domain: myserver.mydomain.co.uk

   Type:   connection

   Detail: Fetching

   http://myserver.mydomain.co.uk/.well-known/acme-challenge/ec9VwCSkBLAHDEBLAHETC ETC:

   Timeout during connect (likely firewall problem)

   To fix these errors, please make sure that your domain name was

   entered correctly and the DNS A/AAAA record(s) for that domain

   contain(s) the right IP address. Additionally, please check that

   your computer has a publicly routable IP address and that no

   firewalls are preventing the server from communicating with the

   client. If you're using the webroot plugin, you should also verify

   that you are serving files from the webroot path you provided.

 

Now not sure if this is because I'm pointing directly to a server.domain rather that just a domain but didn't want to interfere with my company website...

Also a couple of things on the potential firewall issue here 

1. Is it really a firewall issue or more the fact the CloudC2 is using 8080 and not port 80 for the check?

2. Where is the check coming from Lets Encrypt or this machine I'm running it on?  If so I may just need to open the FW range up from my ISP to LetsEncrypt or wider...

Thanks for all your help with this!

Regards

B0b

[Void-Byte]

Hey NooBody,

Certbot requires either port 443 or 80 to verify the challenge. I'd recommend opening 80 to get your cert put back.