Having trouble creating a Let's Encrypt certificate

Hello Team,

I have looked at all the solutions you used to help Jitsi users during installation.
I get an error when creating a Let's Encrypt certificate.
When I run /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh
I get the error below:

Using the webroot path /usr/share/jitsi-meet for all unmatched domains.
Waiting for verification…
Challenge failed for domain meeting.ricta.org.rw
http-01 challenge for xxxx.xxxx.xx.xx
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: xxxx.xxx.xxx.xx
    Type: connection
    Detail: Fetching
    http://xxxx.xx.x.xx/.well-known/acme-challenge/2Em0uryfEqwBqTGgc3vf7uLeW_c1UblwAHe8Kwol-PY:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

Hi @Richard, I am facing the same issue; probably it is some firewall issue. Was your problem resolved?

Are you installing on Ubuntu server? If so, what version?

Yes Ubuntu, version 16.04

I actually just read through your error message again. It’s not the issue I initially thought you might have (Ubuntu server 20.04 returns an error when trying to generate a Let's Encrypt certificate because of the absence of certbot). In your case, you clearly have a firewall problem. Are you trying to install behind a NAT (behind a router)?


Hello @Freddie, thanks for your support. Yes, I think a NAT is involved, but I am not sure, as a client has provided the instance IP. I also checked the instance IP (ifconfig), which has a different IP address, which proves that a NAT is involved, which may have a firewall setting. Also, I tried to ‘telnet’ to the given instance IP, which gives me a timeout error. I just wanted to confirm this. Thanks for your help, cheers!

@Giri-sh-irke,

Port 80 and 443 must be accessible from the internet for the Let’s Encrypt script to work properly. There is an incoming “challenge” that will fail without these ports open/forwarded to your server.

The process of forwarding the ports is different based on who your host/provider is.

Hi @corby & @Freddie, I just contacted the admin. According to him, “It's just a VM in Azure, without any other config; the IP is the VM’s public IP,” and he sent me the port rules for the firewall; all seem to be open. I am still facing the same issue. Is there still any middleware that I need to check?
Also, is there any firm way to check if ports 80 and 443 are accessible from the internet? I am only verifying it using the ‘telnet’ command.

@Giri-sh-irke, if you’re unable to successfully trace the server through telnet, it usually means the port is closed or that the remote server is not listening on the supplied port. No additional tests will prove otherwise. I think that’s really where your problem is - you have to establish successful access to the ports before you can successfully generate a Letsencrypt certificate (or even run Jitsi, certificate or not).

You can use this tool to check the ports: https://www.yougetsignal.com/tools/open-ports/ I can’t swear to its accuracy, but at least it gives you a starting point, if anything.
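The two replies above (ports 80/443 must be reachable for the incoming challenge, and telnet or an online port checker as the way to confirm that) can be turned into a self-contained pre-flight check. The script below is an added example, not part of the Jitsi install script or of certbot: it writes a random token under `<webroot>/.well-known/acme-challenge/` exactly where the webroot plugin would, then fetches it over plain HTTP the way the CA's validation server does, and reports which of the failure modes in the error message applies (connect timeout, connection refused, HTTP 404 because the webroot is wrong, or a different file served). The `local_demo` and `closed_port_demo` helpers, the default webroot `/usr/share/jitsi-meet`, and the `connect_to` parameter are assumptions made for this example.

```python
"""Pre-flight check for the Let's Encrypt http-01 challenge.

Added example (not part of the Jitsi install script or certbot). It mimics
what the CA does during validation: GET http://<domain>/.well-known/acme-challenge/<token>
and compare the body with the token. The outcome is classified so that a
firewall timeout, a closed port, a wrong webroot and DNS pointing elsewhere
can be told apart before running install-letsencrypt-cert.sh again.
"""
import http.client
import os
import secrets
import socket
import tempfile
import threading
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

ACME_PATH = "/.well-known/acme-challenge"          # fixed by the ACME spec


def write_probe(webroot):
    """Create a random token file in the webroot, as certbot's webroot plugin does."""
    token = secrets.token_urlsafe(32)
    challenge_dir = os.path.join(webroot, *ACME_PATH.strip("/").split("/"))
    os.makedirs(challenge_dir, exist_ok=True)
    with open(os.path.join(challenge_dir, token), "w") as fh:
        fh.write(token)
    return token


def resolve(domain):
    """Return the A/AAAA addresses the domain currently resolves to (deduplicated)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(domain, None)})


def probe(domain, token, port=80, timeout=5.0, connect_to=None):
    """Fetch the challenge file like the CA does and classify the result.

    connect_to (assumed helper parameter) pins the IP that is dialled while the
    Host header stays <domain>; that separates a wrong DNS record from a port
    that is blocked. Returns (status, detail) with status one of
    ok / timeout / refused / unreachable / http_error / wrong_content.
    """
    conn = http.client.HTTPConnection(connect_to or domain, port, timeout=timeout)
    try:
        conn.request("GET", f"{ACME_PATH}/{token}", headers={"Host": domain})
        resp = conn.getresponse()
        body = resp.read().decode(errors="replace")
    except socket.timeout:
        return "timeout", "Timeout during connect (likely firewall problem)"
    except ConnectionRefusedError:
        return "refused", "host reachable but nothing is listening on the port"
    except OSError as exc:
        return "unreachable", str(exc)
    except http.client.HTTPException as exc:
        return "http_error", f"malformed HTTP response: {exc}"
    finally:
        conn.close()
    if resp.status != 200:
        return "http_error", f"HTTP {resp.status}: wrong webroot, or a redirect in the way"
    if body.strip() != token:
        return "wrong_content", "the server served a different file than the one written"
    return "ok", "challenge file served correctly"


class _QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the self-test output clean
        pass


def local_demo(webroot_matches=True):
    """Run the probe against a throwaway local web server (no real domain needed).

    With webroot_matches=False the token is written to a directory the server
    does not serve, which reproduces the "serving files from the webroot path
    you provided" failure as an HTTP 404 (status 'http_error').
    """
    served = tempfile.mkdtemp()
    written = served if webroot_matches else tempfile.mkdtemp()
    server = ThreadingHTTPServer(("127.0.0.1", 0), partial(_QuietHandler, directory=served))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        token = write_probe(written)
        status, _ = probe("127.0.0.1", token, port=server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()
    return status


def closed_port_demo():
    """Probe a local port with no listener: what a closed (but routed) port looks like."""
    with socket.socket() as s:                   # bind to grab a free port, then release it
        s.bind(("127.0.0.1", 0))
        port = s.getsockname()[1]
    return probe("127.0.0.1", secrets.token_urlsafe(8), port=port)[0]


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        print("self-test:", local_demo(), local_demo(False), closed_port_demo())
        sys.exit(0)
    domain = sys.argv[1]
    webroot = sys.argv[2] if len(sys.argv) > 2 else "/usr/share/jitsi-meet"  # assumed default
    print("DNS answers for", domain, "->", resolve(domain))
    print(probe(domain, write_probe(webroot)))
```

Run `python3 acme_preflight.py meet.example.org` from a machine outside the server's network: the CA connects from the internet, so a probe run on the VM itself goes over loopback and says nothing about the cloud firewall or NAT. Compare the printed DNS answers with the public IP the provider gave you; if they differ, the challenge lands on the wrong host no matter how the ports are configured. A `timeout` result with correct DNS means a filter in the path (a cloud security group, a NAT without a forward, or the guest's own ufw/iptables; every layer must allow 80, and 443 for the resulting site), while `refused` means traffic arrives but nginx or apache is not listening.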

Yes, I have checked the port from the site you mentioned, which shows the status as ‘closed’. I don’t see any other problem from my end and will be communicating the port problem to the client. You guys have been very helpful, @Freddie @corby.