The story behind moving to DO Droplet

Bogdan Tudorache
4 min readJan 4, 2023

--

This is actually the reason why I wrote this article: https://medium.com/@tudorache.a.bogdan/dns-for-digital-ocean-droplet-w-godaddy-86faa7882659

The Story

BerryNews.org has been down for almost 2 weeks now and I’ve been working with ChatGPT (with no result) to try and fix it, before moving to a Digital Ocean Droplet, but what happened?

The error of this adventure…

Detail: xx.xx.xx.xx: Fetching http://edu.berrynews.org/.well-known/acme-challenge/Jr9rRfCgeZOh10HZIEzugjiV_Sz7QDAJ0rX45sD9SZg: Error getting validation data

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Long story in detail:

  1. I knew my Let’s Encrypt free certificate would expire but I just discovered ChatGPT at the time and was using it to optimize and improve berrynews.org code and simply postponed the renewal till the very last moment
  2. Everything was fine and dandy, days before the cert would expire but when trying to remotely ssh into my raspberry pi server, I got a connection timed out and even was unable to ping.. my first thought: i was messing around with the code and forgot to turn on the process_killer.sh script -> server overloaded and is not accepting any ssh but not rebooting either.
  3. What had happened was that ISP (Internet Service Provider-Ziggo) changed the IP address of my home router, me not being nowhere near home I was left dumbstruck and investigated for a couple of days on “How to remotely log in when your server is not responding to ssh?” (the answer: it’s not possible)
  4. Finally someone from back home (after multiple ‘hardware resets’ unplug and plug back into the power) provided me the new IP address and I was able to ssh into my raspberry pi, but then I hit another issue, by this time site’s certificate expired and because I was blocking HTTP traffic the website was down
  5. Now to renew the certificate, tough luck Bogdan; you get the error and the HINT

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

2022-12-30 14:43:08,380:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 90, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 178, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2022-12-30 14:43:08,380:DEBUG:certbot._internal.error_handler:Calling registered functions
2022-12-30 14:43:08,381:INFO:certbot._internal.auth_handler:Cleaning up challenges
2022-12-30 14:43:08,793:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 33, in <module>
sys.exit(load_entry_point('certbot==1.21.0', 'console_scripts', 'certbot')())
File "/usr/lib/python3/dist-packages/certbot/main.py", line 15, in main
return internal_main.main(cli_args)
File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1574, in main
return config.func(config, plugins)
File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1287, in run
new_lineage = _get_and_save_cert(le_client, config, domains,
File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 133, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 459, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 389, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 439, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 90, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 178, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2022-12-30 14:43:08,797:ERROR:certbot._internal.log:Some challenges have failed.

6. Several days into troubleshooting the certbot error and extensive discussions with ChatGPT that made my wife jealous and the page cursor impossible to see.. I give up, I also remember that I’ve set only specific ports open on my home router and decide to Migrate to a droplet.

7. Creating a LAMP server was easy but how to set up the DNS?

That was easier than my other troubleshooting but almost impossible to find an accurate way of setting up a domain in Digital Ocean w/ GoDaddy, not to mention that everybody considers setting up A and CNAME records effortless and there is no accurate /r/explaintomelikeimfive article on how to set up a basic GoDaddy domain config.

Long story short: my web server is located behind a router which only allowed HTTPS (443 port) + 1 additional port traffic (for security reasons, ofc ); There is no way to fix this remotely, I would need access to the my home router, enable port 80 and then be able to download the new certificate, which as I have seen was not possible.

Additionally, on my linux server I also have installed enhanced FW/Port access rules such as

  1. iptables
  2. ufw
  3. clamAV
  4. fail2ban rules

Conclusion: it would have been impossible to log into my server remotely if the IP address changed; ChatGPT is good but not that good, it never suggested that the issue might be on my home router when you set too much security, a single point of failure and postpone certificare renewals stuff like this are bound to happen.

Bogdan Tudorache | Founder @ berrynews.org

If you like the article and would like to support me, make sure to:

👏 Clap for the story (50 Claps) to help this article be featured

🔔 Follow me Bogdan Tudorache

📰 Find more tech content in Tech & ML Articles

🔔 Connect w/ me: LinkedIn | Reddit

--

--

Bogdan Tudorache
Bogdan Tudorache

Written by Bogdan Tudorache

Consistency and Continuity. You can expect weekly tech articles from me. I am a developer, founder and integration engineer

No responses yet