We were interested in turning on TLS on our EFA box (latest version). From reading on here, it seems I just needed to enable Let's Encrypt but ran into the problem below as the server is behind a firewall that only allows SMTP traffic through.
Would you like to Enable Let's Encrypt? [y/n/c]
y
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Account registered.
Requesting a certificate for efa4.xxxxxx.ie
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: efa4.xxxxxx.ie
Type: connection
Detail: aaa.bbb.ccc.ddd: Fetching http://efa4.xxxxxx.ie/.well-known/acme-challenge/THsxaWzFrLEV_agdoTpOdSMXvTjbS2OkFOCnBOLd5O0: Timeout during connect (likely firewall problem)
Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
Error running Let's Encrypt, please correct the problem and try again.
I can't see myself ever getting the network guys to allow an http connection to the server, even https would be a push, so wondering if there is any guide on how to do this manually?
Thanks for the suggestion, the chances of getting port 80 opened from the outside are zero!
After doing a bit of reading of postfix, I've enabled TLS manually using the SSL cert I already had for the web interface. Just means an extra step to remember next year when the cert needs to be replaced.
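Since a certificate installed into Postfix by hand is not renewed by certbot, the "extra step next year" is easy to miss; a small check that the SMTP listener actually advertises STARTTLS and how many days the presented certificate has left can run from cron. This is an added example, not code from the thread or the EFA project; the host name is an argument and the 30-day warning threshold is an assumed default.

```python
import smtplib
import ssl
import sys
import time

def starttls_cert(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Open an SMTP session, upgrade it with STARTTLS and return the peer
    certificate as a dict. The default context verifies the chain and the
    host name, so a cert that does not validate raises SSLCertVerificationError,
    which is itself a finding rather than something to silence."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError(f"{host}:{port} does not advertise STARTTLS")
        smtp.starttls(context=ctx)
        return smtp.sock.getpeercert()

def cert_status(not_after: str, now: float, warn_days: int = 30) -> tuple:
    """Classify a certificate from its notAfter field (OpenSSL text form,
    e.g. 'Jun  1 12:00:00 2025 GMT', as returned by getpeercert()).
    Returns (state, whole days left); negative days means already expired."""
    expires = ssl.cert_time_to_seconds(not_after)
    days_left = int((expires - now) // 86400)
    if days_left < 0:
        return ("expired", days_left)
    if days_left <= warn_days:
        return ("renew-soon", days_left)
    return ("ok", days_left)

def check_smtp_tls(host: str, port: int = 25, warn_days: int = 30) -> tuple:
    """Combine the live STARTTLS probe with the expiry classification."""
    cert = starttls_cert(host, port)
    return cert_status(cert["notAfter"], time.time(), warn_days)

if __name__ == "__main__":
    # Hypothetical target: pass the appliance's host name on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    state, days = check_smtp_tls(target)
    print(f"{target}: {state} ({days} days until expiry)")
    sys.exit(0 if state == "ok" else 1)
```

A non-zero exit from cron is enough to drive an alert, and a verification error on connect means the cert chain or name no longer matches what clients will see.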
I'm in the same boat. I don't have 80 or 443 open to the EFA box (externally), but I am using Let's Encrypt for the internal side. I just put a calendar reminder to open those ports on my firewall, run the Let's Encrypt updater and then turn them back off. Good thing is, I'm a one man shop and I have access to my firewall...