On Tue, Feb 07, 2017 at 12:41:54PM -0500, Daniel Gnoutcheff wrote:
> On 02/06/2017 11:15 PM, A. F. Cano wrote:
> > Failed to obtain certificate for domain <domain>.freedombox.rocks: Failed
> > authorization procedure. <domain>.freedombox.rocks (http-01):
> > urn:acme:error:connection :: The server could not connect to the client
> > to verify the domain :: Could not connect to <domain>.freedombox.rocks
>
> From this, it sounds like the HTTP server on <domain>.freedombox.rocks
> is not reachable from the public Internet. It needs to be in order for
> the "http-01" validation method to work [1].
>
> What happens if you try to visit http://<domain>.freedombox.rocks/ in a
> browser, preferably from a public Wifi network or some other independent
> network?

Trying this from a real outside network will have to wait until Saturday, but trying it from an inside machine it seems that DNS does its job and sends the packets to the right place. I get:

    Your connection is not secure

    The owner of <domain>.freedombox.rocks has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.

    This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox only connect to it securely. As a result, it is not possible to add an exception for this certificate.

> What happens when you run
>
> getent ahosts <domain>.freedombox.rocks
>
> from a Linux workstation?

From the same internal machine I get:

    75.226.115.229  STREAM <domain>.freedombox.rocks
    75.226.115.229  DGRAM
    75.226.115.229  RAW

This address is the same one that ifconfig reports on the freedombox for the ppp0 interface, which is the outside interface. So it seems to be working.

> Is the freedombox behind another router? If so, have we verified port
> forwarding for tcp ports 80 and 443?

No. The ppp connection is the outside interface, via a CDMA phone.

> > Stopping orbot and disabling the firewall seem to not fix the issue.
>
> Right. I think we *also* need to fix certificate issue.

I'll keep digging into the iptables rules. I have a lot to learn in this area so it might take a while.

> > I don't see any packets going to/from the phone with wireshark,
>
> Are you running wireshark on the freedombox itself? If not, I'm not
> sure I'd trust that packet dump. Capturing unicast traffic that doesn't
> involve the capturing host is tricky business [2]. Maybe try tcpdump on
> the freedombox (via ssh)?

I'm running wireshark on the machine that has the wifi interface to which the android phone connects (wlan0) and capturing the packets of that interface. This android phone is not the same one I use to connect to the internet via ppp. I'm also learning the many options of wireshark and I'm quite overwhelmed by the amount of packets wireshark is displaying. I've tried to restrict what gets displayed to what comes/goes from/to the android phone (static IP address), but I'm still getting flooded with MDNS packets.

> [1] https://tools.ietf.org/html/draft-ietf-acme-acme-05#section-7.2
> [2] https://wiki.wireshark.org/CaptureSetup/WLAN

Thanks. I'll check this next but I wanted to send out what I can quickly.

Augustine

_______________________________________________
Freedombox-discuss mailing list
Freedombox-discuss@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
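A pre-flight check for the http-01 reachability question raised in the thread, added here as an example (not code from the thread or from FreedomBox): it resolves the name, connects to tcp/80 from wherever it is run, and fetches the challenge path over plain HTTP without following redirects, so a redirect to the HSTS-only HTTPS site is visible. The domain, the probe token and the wording of the verdicts are assumptions; as Daniel suggests, it only tells you something when run from an outside network.

```python
"""Added example (not the thread's code): pre-flight for ACME http-01, run from a
host OUTSIDE the FreedomBox's network. Domain and token are constructed placeholders."""
import socket
import sys
import http.client

def resolve(domain):
    """Addresses the name resolves to, deduplicated like `getent ahosts`."""
    try:
        infos = socket.getaddrinfo(domain, 80, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def probe_challenge(domain, token="preflight-token", timeout=5.0):
    """Plain-HTTP GET of the challenge path without following redirects.
    Returns (status, Location); status 0 means the TCP connection failed,
    i.e. what the ACME server reports as urn:acme:error:connection."""
    conn = http.client.HTTPConnection(domain, 80, timeout=timeout)
    try:
        conn.request("GET", "/.well-known/acme-challenge/" + token)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    except OSError:
        return 0, None
    finally:
        conn.close()

def diagnose(resolved, external_addr, status, location):
    """Map the observations onto the failure classes discussed in the thread."""
    if not resolved:
        return "dns: name does not resolve"
    if external_addr not in resolved:
        return "dns: resolves to %s, not the external address %s" % (",".join(resolved), external_addr)
    if status == 0:
        return "connection: tcp/80 unreachable; check iptables rules and any port forwarding"
    if 300 <= status < 400 and location and location.startswith("https://"):
        return "http: challenge path redirects to %s, so the HTTPS side must serve it" % location
    return "ok: tcp/80 reachable; challenge path answered with HTTP %d" % status

def preflight(domain, external_addr):
    resolved = resolve(domain)
    status, location = probe_challenge(domain) if resolved else (0, None)
    return diagnose(resolved, external_addr, status, location)

if __name__ == "__main__":
    # e.g.: python3 preflight.py <domain>.freedombox.rocks 75.226.115.229
    print(preflight(sys.argv[1], sys.argv[2]))
```

A 404 on the challenge path is the normal answer when no validation is in progress; it still shows that the web server, not just the port, is reachable.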