Unable to get Let's Encrypt Certificates

pnemenz · December 8, 2024, 10:51am

On the Certificates page my Let’s Encrypt Certificates sits there in the State pending.

Invalid status, www.[private].at:Verify error detail:144.208.[private].[private]: Invalid response from http://www.[private].at/.well-known/acme-challenge/[private]: 404

I checktd the requirements for Let’s encrypt:

The firewall must be reachable from outside on port 80
The domains that you want the certificate for must be public domain

What else can I do now?

mrmarkuz · December 8, 2024, 11:14am

Is there an existing DNS entry for the wanted domain pointing to the public IP of your NethSecurity?

nslookup www.[private].at 8.8.8.8

transocean · December 8, 2024, 11:14am

Your public IP is dynamic or static?

pnemenz · December 8, 2024, 11:18am

I have a static IP and it has a existing DNS entry

transocean · December 8, 2024, 11:29am

And the test with nslookup also gives the right result?

mrmarkuz · December 8, 2024, 11:33am

Do you have a port forwarding configured for port 80 on the NethSecurity pointing to an internal device? If yes, please disable it.

pnemenz · December 8, 2024, 11:42am

this did it. but how will I be able to access the webserver?

mrmarkuz · December 8, 2024, 11:45am

By using a reverse proxy you can forward to the wanted webserver by domain instead of port, see also Certificates and reverse proxy — NethSecurity documentation

EDIT:

You could use DNS validation for Letsencrypt. In that case you won’t need an open port 80 for Letsencrypt so you could continue to use the port forwarding.

From https://docs.nethsecurity.org/en/latest/reverse_proxy.html:

Select DNS validation if your DNS provider supports API access. Choose the DNS provider from the drop-down menu and enter the API key and secret. Follow the acme.sh DNS providers documentation) to know which API key and secret are required for your DNS provider. The DNS validation is the only one supported for wildcard certificates.

pnemenz · December 8, 2024, 12:59pm

I think I’m to stupid for this.
Now I cant access the webserver nor the mailserver with my outlook mail client. in the lan I can accsess the mails with webmail, from outside I cant.
The old firewall worked much better for me.

mrmarkuz · December 8, 2024, 1:25pm

Is the web server on the NS8? If yes, you could just keep the port forwarding enabled and let NS8 do the cert management.

As regards access from WAN, are the ports to the mail server forwarded on NethSecurity? Does the mail server hostname resolve to the public IP?

As regards access from LAN, does the mailserver hostname resolve to the internal IP from the Client where you run Outlook? As you don’t use port forwarding anymore, the public IP won’t work.

nslookup mail.yourdomain.com

You may need to setup a DNS entry on NethSecurity for the mailserver hostname to be resolved to the internal IP instead of the external one. As you don’t use port forwarding anymore the external IP work.

Is port 443 still port forwarded to the NS8?
Just port 80 is needed for HTTP validation in Letsencrypt, the other ports still can be forwarded without issues.

mrmarkuz · December 8, 2024, 4:15pm

We solved it via telephone.
It was a wrong port forwarding and Outlook wanted to send via port 25 which isn’t allowed anymore.