The story behind moving to DO Droplet

Bogdan Tudorache
4 min read · Jan 4, 2023


This is actually the reason why I wrote this article: https://medium.com/@tudorache.a.bogdan/dns-for-digital-ocean-droplet-w-godaddy-86faa7882659

The Story

BerryNews.org has been down for almost 2 weeks now and I’ve been working with ChatGPT (with no result) to try and fix it, before moving to a Digital Ocean Droplet, but what happened?

The error of this adventure…

Detail: xx.xx.xx.xx: Fetching http://edu.berrynews.org/.well-known/acme-challenge/Jr9rRfCgeZOh10HZIEzugjiV_Sz7QDAJ0rX45sD9SZg: Error getting validation data

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Long story in detail:

  1. I knew my Let’s Encrypt free certificate would expire, but I had just discovered ChatGPT at the time and was using it to optimize and improve the berrynews.org code, and simply postponed the renewal till the very last moment.
  2. Everything was fine and dandy days before the cert would expire, but when trying to remotely ssh into my Raspberry Pi server I got a connection timeout and was even unable to ping it. My first thought: I was messing around with the code and forgot to turn on the process_killer.sh script -> server overloaded and is not accepting any ssh, but not rebooting either.
  3. What had happened was that my ISP (Internet Service Provider, Ziggo) changed the IP address of my home router. Being nowhere near home, I was left dumbstruck and investigated for a couple of days “How to remotely log in when your server is not responding to ssh?” (the answer: it’s not possible).
  4. Finally someone from back home (after multiple ‘hardware resets’: unplug and plug back into the power) provided me the new IP address and I was able to ssh into my Raspberry Pi, but then I hit another issue: by this time the site’s certificate had expired, and because I was blocking HTTP traffic the website was down.
  5. Now to renew the certificate: tough luck, Bogdan; you get the error and the HINT.

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

2022-12-30 14:43:08,380:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 90, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 178, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2022-12-30 14:43:08,380:DEBUG:certbot._internal.error_handler:Calling registered functions
2022-12-30 14:43:08,381:INFO:certbot._internal.auth_handler:Cleaning up challenges
2022-12-30 14:43:08,793:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 33, in <module>
    sys.exit(load_entry_point('certbot==1.21.0', 'console_scripts', 'certbot')())
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1574, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1287, in run
    new_lineage = _get_and_save_cert(le_client, config, domains,
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 133, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 459, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 389, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 439, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 90, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 178, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2022-12-30 14:43:08,797:ERROR:certbot._internal.log:Some challenges have failed.

  6. Several days into troubleshooting the certbot error and extensive discussions with ChatGPT that made my wife jealous and the page cursor impossible to see... I give up. I also remember that I’ve set only specific ports open on my home router and decide to migrate to a droplet.

  7. Creating a LAMP server was easy, but how to set up the DNS?

That was easier than my other troubleshooting, but it was almost impossible to find an accurate way of setting up a domain in Digital Ocean w/ GoDaddy, not to mention that everybody considers setting up A and CNAME records effortless and there is no accurate /r/explaintomelikeimfive article on how to set up a basic GoDaddy domain config.

Long story short: my web server is located behind a router which only allowed HTTPS (port 443) plus one additional port (for security reasons, ofc). There is no way to fix this remotely: I would need access to my home router, enable port 80 and then be able to download the new certificate, which as I have seen was not possible.
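The renewal in steps 1 to 5 above failed because both preconditions of the HTTP-01 challenge had broken at the same time: the A record still pointed at the old ISP address, and port 80 was not forwarded through the router. The script below is an added example, not code from the post or from certbot. It parses the "Detail:" line that certbot printed above and runs a preflight for both conditions before certbot is even invoked. The resolver and port probe are injected so the check can be exercised offline; the IP addresses and the sample log line are constructed, and `public_ip` is assumed to be supplied by you (for example, read off the router's status page), since there is no standard-library way to learn it.

```python
"""Preflight for a Let's Encrypt HTTP-01 renewal behind a home router.

Added example; hostnames are taken from the post, IP addresses are constructed.
"""
import re
import socket
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set, Tuple

# Matches the "Detail:" line certbot prints when an HTTP-01 challenge fails.
CHALLENGE_RE = re.compile(
    r"Fetching http://(?P<host>[^/\s]+)/\.well-known/acme-challenge/"
    r"(?P<token>[A-Za-z0-9_-]+): (?P<reason>.+?)\s*$"
)


@dataclass
class ChallengeFailure:
    host: str    # name the CA's validator tried to reach
    token: str   # challenge token, i.e. the file certbot had to serve
    reason: str  # certbot's one-line reason


def parse_challenge_failure(log_text: str) -> Optional[ChallengeFailure]:
    """Return the first HTTP-01 failure described in certbot output, if any."""
    for line in log_text.splitlines():
        m = CHALLENGE_RE.search(line)
        if m:
            return ChallengeFailure(m["host"], m["token"], m["reason"])
    return None


@dataclass
class PreflightResult:
    ok: bool
    problems: List[Tuple[str, str]] = field(default_factory=list)  # (code, detail)


def http01_preflight(
    host: str,
    public_ip: str,                          # assumed: obtained from the router
    resolve_a: Callable[[str], Set[str]],    # injected DNS lookup
    port_open: Callable[[str, int], bool],   # injected TCP probe, run from outside
) -> PreflightResult:
    """Check what HTTP-01 needs: the name resolves to the address the validator
    will hit, and TCP port 80 on that name accepts a connection."""
    problems: List[Tuple[str, str]] = []
    addrs = resolve_a(host)
    if not addrs:
        problems.append(("NO_A_RECORD", f"{host} has no A record"))
    elif public_ip not in addrs:
        # The post's case: the ISP changed the router's address, DNS is stale.
        problems.append(("DNS_MISMATCH",
                         f"{host} -> {sorted(addrs)} but current public IP is {public_ip}"))
    if not port_open(host, 80):
        # The post's other case: only 443 and one extra port are forwarded.
        problems.append(("PORT_80_CLOSED",
                         f"TCP {host}:80 not reachable (router forwarding, ufw or iptables)"))
    return PreflightResult(ok=not problems, problems=problems)


# Live helpers for real use. They need network access and, to be meaningful,
# must run from outside the home network, not on the Raspberry Pi itself.
def live_resolve_a(host: str) -> Set[str]:
    try:
        infos = socket.getaddrinfo(host, 80, socket.AF_INET, socket.SOCK_STREAM)
        return {info[4][0] for info in infos}
    except socket.gaierror:
        return set()


def live_port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample: the post's Detail line with a documentation-range IP.
SAMPLE_LOG = (
    "Detail: 203.0.113.10: Fetching http://edu.berrynews.org/.well-known/"
    "acme-challenge/Jr9rRfCgeZOh10HZIEzugjiV_Sz7QDAJ0rX45sD9SZg: "
    "Error getting validation data\n"
)


def demo() -> PreflightResult:
    """Offline reproduction of the post's situation: stale A record, port 80 closed."""
    failure = parse_challenge_failure(SAMPLE_LOG)
    host = failure.host if failure else "edu.berrynews.org"
    return http01_preflight(host, "203.0.113.77",
                            resolve_a=lambda h: {"203.0.113.10"},
                            port_open=lambda h, p: False)


if __name__ == "__main__":
    for code, detail in demo().problems:
        print(code, "-", detail)
```

Run it with the live helpers from a machine outside your own network; if either code comes back, certbot's HTTP-01 attempt will fail the same way the log above shows. When port 80 cannot be opened at all, certbot's DNS-01 challenge (`--preferred-challenges dns`, proving control via a TXT record) avoids the inbound-port requirement entirely, although it still needs DNS you can edit remotely.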

Additionally, on my Linux server I have also installed enhanced firewall/port access rules such as:

  1. iptables
  2. ufw
  3. ClamAV
  4. fail2ban rules

Conclusion: it would have been impossible to log into my server remotely once the IP address changed. ChatGPT is good, but not that good: it never suggested that the issue might be on my home router. When you set up too much security, have a single point of failure and postpone certificate renewals, stuff like this is bound to happen.

Bogdan Tudorache | Founder @ berrynews.org

