ProScan: Secure HTTPS Web Server with Let's Encrypt Error Response

rodentkj

Member
Feed Provider
Joined
Apr 12, 2005
Messages
131
Reaction score
9
Location
Snohomish Co. WA
ProScan v23.5
Current Unsecure Web Server is up, running and accessible internal and external.
Now moving forward to add HTTPS support using Let's Encrypt.
No Antivirus and Windows firewall disabled.
In my router I Port forwarded 80. Confirmed it is open and can be contacted via DNS name.

In ProScan I provided an email address, DNS Domain name and selected the Secure (HTTPS) server type.
When I click the Get Certificate button, I received a generic error (sorry no screenshot) stating to check port 80.
Not knowing about the 5 attempt limit per hour, I now get this error. And will need to wait for a bit before I can try again.
2025-05-22 08_58_09-2025-05-22 08_33_33-Scanner Laptop - RemotePC.jpg.jpg

Is there anything in the above error message that would provide a clue as to what the issue may be?
Or any other suggestion?
 

ProScan

Software Provider
Premium Subscriber
Joined
Jul 2, 2006
Messages
8,403
Reaction score
4,862
Location
Ontario, Calif.

rodentkj

Yes, per the manual.
And I also used dnschecker.org to verify DNS was intact.
2025-05-23 07_46_55-Scanner Laptop - RemotePC Performance.jpg
2025-05-23 07_48_34-Scanner Laptop - RemotePC Performance.jpg


With regards to using the app Certify The Web:
I did install and test it. And assuming that I set things up correctly in the app, it failed.
I am going to DM you the screenshot and log, as I don't want to make my IP or DNS name public.
 

ProScan

Yes, per the manual.
And I also used dnschecker.org to verify DNS was intact.



With regards to using the app Certify The Web:
I did install and test it. And assuming that I set things up correctly in the app, it failed.
I am going to DM you the screenshot and log, as I don't want to make my IP or DNS name public.
Since Certify The Web failed too, you may want to post the issue here Validation failed using Certify The Web or search for possible solutions.
{edit} When using Certify The Web, make sure the ProScan server is not running on port 80.
 

rodentkj

The issue has something to do with my tp-link router not responding back correctly when I have HTTPS remote management enabled.
If I disable remote management, I can get the cert with both ProScan and Certify The Web.

When I enable remote management (it only allows https access) in the tp-link router, it asks for a port number to use.
As an example, I use port 6969.
When the router responds back during the process of getting the cert, it uses that https remote management port of 6969.
Not the expected port of 80.
And it will not allow me to set it to port 80 for the remote management, as that port is already forwarded to the laptop running ProScan.

The router appears to be redirecting port 80 to the 6969 port on its own.
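
The symptom described in the post above (port 80 answering with a redirect to the router's HTTPS management port) can be checked directly. This is an added example, not part of the original thread or of ProScan; it assumes Let's Encrypt's documented HTTP-01 behaviour of following redirects only to ports 80 and 443 and never to IP addresses, and `CHALLENGE_PATH` uses a constructed token.

```python
import http.client
import ipaddress
from urllib.parse import urlsplit

ALLOWED_PORTS = {80, 443}  # only redirect ports an HTTP-01 validator follows
# Constructed token: any path under the ACME challenge directory will do.
CHALLENGE_PATH = "/.well-known/acme-challenge/reachability-test"


def redirect_problem(location):
    """Return why a validator would refuse this redirect target, or None."""
    parts = urlsplit(location)
    if not parts.scheme and not parts.netloc:
        return None  # relative redirect stays on the same host and port
    if parts.scheme not in ("http", "https"):
        return f"scheme {parts.scheme!r} is not http/https"
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return "port is not a valid number"
    if port not in ALLOWED_PORTS:
        return f"redirects to port {port}, only 80 and 443 are followed"
    try:
        ipaddress.ip_address(parts.hostname or "")
    except ValueError:
        return None  # a hostname, which is acceptable
    return "redirects to a bare IP address"


def classify(status, location):
    """Classify the first response seen on port 80 for the challenge path."""
    if status in (301, 302, 303, 307, 308):
        if not location:
            return "FAIL: redirect without a Location header"
        problem = redirect_problem(location)
        return f"FAIL: {problem}" if problem else f"OK: redirect to {location}"
    # Any direct answer (even 404) shows the request reached a web server.
    return f"OK: port 80 answered directly with HTTP {status}"


def probe(host, port=80, timeout=10):
    """Request the challenge path without following redirects."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", CHALLENGE_PATH)
        resp = conn.getresponse()
        return classify(resp.status, resp.getheader("Location"))
    finally:
        conn.close()
```

Call `probe()` with the DNS name from a connection outside the LAN (cell data rather than home WiFi) while a server is listening on port 80; a `FAIL` naming a port such as 6969 matches the router behaviour described above.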
 

jjn555

Premium Member
Premium Subscriber
Joined
Dec 3, 2010
Messages
100
Reaction score
29
Location
Milwaukee, WI
Please pardon my ignorance here, but I'm trying to understand/solve a related problem. I can connect to my SDS200 remotely just fine on my Android phone, but other people can't on their Android phones. I *THINK* it's because my computer that my SDS200 is 'connected to' is acting as an http server instead of https.
Is there some way within Proscan to allow those other phones to connect to my scanner using their browsers like I can do on my phone, or will I have to figure out how to configure this https stuff on the Secure (HTTPS) tab? I don't know enough yet to ask any detailed questions, but just trying at this point to get a general direction of what direction I should go.
 

ProScan

Please pardon my ignorance here, but I'm trying to understand/solve a related problem. I can connect to my SDS200 remotely just fine on my Android phone, but other people can't on their Android phones. I *THINK* it's because my computer that my SDS200 is 'connected to' is acting as an http server instead of https.
Is your phone using the WiFi data and not cell data? That would explain it. The WiFi is on the inside of the network.
Did you set up the router Port Forwarding so the server can be accessed from outside of your network?
Did you test your server using Open Port Check Tool -- Verify Port Forwarding on Your Router to see if the port forwarding is set up correctly and the server can be accessed from the outside?

Is there some way within Proscan to allow those other phones to connect to my scanner using their browsers like I can do on my phone
All phone browsers can connect now, regardless of whether they use http or https, if the router port forwarding is set up correctly and your ISP supports port forwarding.
 

jjn555

Is your phone using the WiFi data and not cell data? That would explain it. The WiFi is on the inside of the network.
Did you set up the router Port Forwarding so the server can be accessed from outside of your network?
Did you test your server using Open Port Check Tool -- Verify Port Forwarding on Your Router to see if the port forwarding is set up correctly and the server can be accessed from the outside?

Good questions...
I always used the cell towers to access my scanner when not at home because I know those work and I have no idea what nearby WiFi networks I may be able to use at a given time do as far as protections.

I just ran that CanYouSeeMe.org test and it said that my external IP address (which was reported correctly) timed out with an error message of:

Error: I could not see your service on 98.xxx.xxx.xxx on port (80)
Reason: Connection timed out

Then I went to my router and forwarded port 80 (I already had port 5000 forwarded properly). I ran that test again, and THIS time, the error message said:

Error: I could not see your service on 98.xxx.xxx.xxx on port (80)
Reason: Connection refused

My ISP is Spectrum, and I found a blurb on one of the Spectrum web pages that Spectrum DOES NOT block any ports, for what it's worth.

I didn't reboot my router, but that's probably the next step. I figure 'something' changed if I got a different error message, but maybe that's not enough. I'll keep looking. Thanks.
 

ProScan

I would use port 5000 for now. Ensure the server is set to 5000 and the router is using 5000.
A common mistake in the port forwarding is using the scanner IP address. You want to use the computer (running the ProScan server) IP address.
 

jjn555

I would use port 5000 for now. Ensure the server is set to 5000 and the router is using 5000.
A common mistake in the port forwarding is using the scanner IP address. You want to use the computer (running the ProScan server) IP address.
Yes, I know that the first time I set it up a few years ago, I was slightly confused, but I got it straightened out and it generally works just perfectly fine from MY phone when I'm away from home. The Local IPv4 field on the Web Server --> Main tab is my desktop PC (192.168.0.11). I have always had Port 5000 forwarded ever since I first set it up maybe 2 years ago at my house. I never had port 80 forwarded until after my first post on this thread.

The current things I haven't yet figured out are:
1) Why that utility says that my port 80 can't be seen.
2) Why other Android phones cannot connect to my Proscan web server any longer (although I think it has to do with http vs https).
3) How to get the https version of the server working on my SDS200.
4) Possibly related/possibly not: I've noticed that sometime within the past few months, when I have it in control mode on my phone, I have to 'press a key' on the GUI when I'm away from home twice to get anything to happen. The first time depresses it on the phone's screen, and the second press causes the key to 'bounce back' to not being pressed on the phone's screen and it is at this moment where the action of the key seems to actually cause the SDS200 to do something. I have no idea yet if that's something in my router, something in new SDS firmware, something in my phone, or something in a recent Proscan update that is causing this, but it's always the case.
5) Something is causing the SDS200 to pause when I connect to it on my Android and the screen saver goes on.

Right now, my main focus is on item #3 with the hopes that the other things will be resolved once I figure #3 out.
 

Attachments

  • port_forwards.jpg

ProScan

The current things I haven't yet figured out are:
1) Why that utility says that my port 80 can't be seen.
3) How to get the https version of the server working on my SDS200.

The screenshot of the Port Forwarding looks good. You're on the right track. You want to get port 80 seen from the outside for #3. For a test, start the ProScan Web Server using port 80. If your web server is currently live then use another instance of ProScan installed in another folder. Now see if it can be seen from the outside. If it still can't be seen then temporarily disable any internet security/firewalls/anti-virus software then check again.
 

jjn555

The screenshot of the Port Forwarding looks good. You're on the right track. You want to get port 80 seen from the outside for #3. For a test, start the ProScan Web Server using port 80. If your web server is currently live then use another instance of ProScan installed in another folder. Now see if it can be seen from the outside. If it still can't be seen then temporarily disable any internet security/firewalls/anti-virus software then check again
Thank you for the specific guidance.
I think I see what you're getting at here, but just to confirm, you're suggesting I change my currently working (http) setup to use port 80 instead of port 5000, and then try to connect using my android phone's browser and type in the external IP address that my ISP provides followed by ":80" instead of ":5000", right?
I just tried that and my 'normal' saved bookmark on my phone with :5000 didn't work, but :80 worked. The audio works, but item #4 in my list is still present. At least this seems to prove that my port 80 can be seen from the outside.
 

ProScan

Thank you for the specific guidance.
I think I see what you're getting at here, but just to confirm, you're suggesting I change my currently working (http) setup to use port 80 instead of port 5000,
No. I'm not suggesting that at all on a production system. You're trying to get port 80 to be seen from the outside so the Let's Encrypt process will work. Part of getting a port to be seen from the outside is that a server needs to be running on a specific port. In this case, port 80.

Probably the easiest way is using another instance of ProScan installed in another folder and running the Web Server on port 80, then trying Open Port Check Tool -- Verify Port Forwarding on Your Router.

Another way is using 'Certify The Web' (HTTP-01 validation method) to obtain the cert. The problem with this method is that when troubleshooting, the internal server in Certify The Web may not be on long enough to troubleshoot the issue of port 80 not being seen from the outside.
 

ProScan

At least this seems to prove that my port 80 can be seen from the outside.
If your phone is using cell data or a public WiFi network then your phone is connected from the outside and port 80 is seen from the outside.
If your phone is using your private WiFi network then your phone is on the inside of your network and port 80 may or may not be seen from the outside.

I would use Open Port Check Tool -- Verify Port Forwarding on Your Router as that will be a better test.
 

jjn555

If your phone is using cell data or a public WiFi network then your phone is connected from the outside and port 80 is seen from the outside.
If your phone is using your private WiFi network then your phone is on the inside of your network and port 80 may or may not be seen from the outside

I would use Open Port Check Tool -- Verify Port Forwarding on Your Router as that will be a better test
Yes, I understand that part.
If your phone is using cell data or a public WiFi network then your phone is connected from the outside and port 80 is seen from the outside.
If your phone is using your private WiFi network then your phone is on the inside of your network and port 80 may or may not be seen from the outside

I would use Open Port Check Tool -- Verify Port Forwarding on Your Router as that will be a better test
Hi.

I haven't spent much time on this effort recently, but I haven't forgotten about it. Thank you again for providing me guidance on getting the HTTPS working on my side. You mentioned a 'production system'. My server address is not published. I want to keep it semi-private for my own use. I always use the cell towers when I'm away from home, never internal Wi-Fi from a company.

I think it's best if I send you a few screenshots. Basically, I'm pretty sure I have port 80 working properly as far as Proscan is concerned because I can hear and control my SDS200 with my phone and my desktop when I'm connected to the external address I have been assigned by my ISP. I punched in this URL to both my Android phone and my desktop PC and it works fine:
Previously, I had been using this URL to reach my SDS200 and aside from the issues I mentioned earlier, I am still able to hear my SDS200 on port 5000.
The screenshots might be better than my word description. I'm thinking that maybe my Norton AV is causing me trouble in this effort. I've not yet tried disabling it for this test.
 

Attachments

  • 1.jpg
  • hearing port 80 on desktop.jpg
  • hearing port 80 on my phone.jpg
  • proscan server setup.jpg

ProScan

It appears that port 80 can be seen from the outside so here's what I would do:
1. Stop the server if using port 80
2. Try obtaining a cert with ProScan
If it fails then
3. Disable any internet security/antivirus software then try step 2 again
4. If it still fails then use Open Port Check Tool -- Verify Port Forwarding on Your Router then try step 2 again
5. If it still fails then try Certify The Web - ACME for Windows, simple free certificates for IIS and more, powered by Let's Encrypt and other ACME CAs using HTTP-01 validation
 

ndebaggis

Member
Premium Subscriber
Joined
Jan 24, 2021
Messages
54
Reaction score
48
Here's a simplified version of my network and ProScan configuration with WAN and TLS Let's Encrypt enabled. Maybe it'll help, maybe not...

proscan-basic.png
 

jjn555

Here's a simplified version of my network and ProScan configuration with WAN and TLS Let's Encrypt enabled. Maybe it'll help, maybe not...

Thank you. This is great stuff. Despite me being reasonably competent with radio and networks, it's frustrating in that I know that it's likely one basic thing I have wrong in my setup.
I had an idea after looking at some of your screenshots that might be the root cause of my problem. I don't have a domain name registered to me. I'm only a guy who is a customer of an ISP (www.spectrum.com). I'm not a business that has a URL such as 'www.radioreference.com'. Is THAT what's needed for all this to work? Do I need to somehow visit godaddy.com and get something like "www.wisconsin-jim-makes-great-homebrew-beer.com"?
 

jjn555

It appears that port 80 can be seen from the outside so here's what I would do:
1. Stop the server if using port 80
2. Try obtaining a cert with ProScan
If it fails then
3. Disable any internet security/antivirus software then try step 2 again
4. If it still fails then use Open Port Check Tool -- Verify Port Forwarding on Your Router then try step 2 again
5. If it still fails then try Certify The Web - ACME for Windows, simple free certificates for IIS and more, powered by Let's Encrypt and other ACME CAs using HTTP-01 validation
Thanks for confirming and giving me a path forward. I'm thinking it's your item #3 that's causing my problems. I'll try your steps and report back soon.
 