I'm going around in circles with Let's Encrypt. First I found my server was failing to resolve acme-v02.api.letsencrypt.org so I added another DNS entry. I then discovered it's failed to create the .well-known/acme-challenge folders in the client's web folder and I don't understand why, so I just created some manually and set the permissions to the same as the client. Then I told it to "SSL" but it still didn't mail the files. I had tail running on the log file so I can see it 'trying', but it just returns the following errors that I don't fully understand other than I can see it's failing to authenticate the challenge. Some pointers would be welcomed!

2020-04-17 15:47:25,770:DEBUG:certbot.error_handler:Calling registered functions
2020-04-17 15:47:25,771:INFO:certbot.auth_handler:Cleaning up challenges
2020-04-17 15:47:25,771:DEBUG:certbot.plugins.webroot:Removing /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/Gzhuc-WEbBzk7wXclLXn2wry7cVBdT3ZGjFG9MTIF0s
2020-04-17 15:47:25,771:DEBUG:certbot.plugins.webroot:Removing /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/szp5oWigN0zVokULQIN6f46U6LTElQZQwsx6IeD5_iI
2020-04-17 15:47:25,772:DEBUG:certbot.plugins.webroot:All challenges cleaned up
2020-04-17 15:47:25,772:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/letsencrypt", line 11, in <module>
    load_entry_point('certbot==0.28.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1340, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1225, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 392, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 335, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 371, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 161, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 232, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. www.oursocialhousing.nz (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: During secondary validation: Fetching http://www.oursocialhousing.nz/.wel...e/szp5oWigN0zVokULQIN6f46U6LTElQZQwsx6IeD5_iI: Timeout during connect (likely firewall problem)
.well-known/acme-challenge is a global alias, so there should not be a folder with that name in a website. So this is not the reason for your problem. The error message mentions what's the likely reason: "Timeout during connect (likely firewall problem)". Check DNS setup again to ensure that the domain points to the right server and check any firewall that you might use to ensure that it does not block requests from LE servers. Please follow the steps from the Let's Encrypt FAQ one by one to find out why it fails. https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/
UPDATE: FIXED

You were quite right, I'm running a set of Firehol rules on my router and they're clearly blocking some, but not all, of the servers involved in Let's Encrypt. I added a rule to whitelist my server and things just sprang into life. That domain now has a cert, thanks! Would have been helpful if that was documented somewhere I'd looked, but to be honest, I'm not very sure where I might have looked.

Thanks for the pointer to this. I had seen it posted somewhere else and had worked through the list. What I wasn't sure about is how to prove I've installed everything certbot requires. Clearly I have, because it's working, but I spent some time just scratching my head. Some of the error messages I was getting suggested to me that I'd overlooked something; clearly I hadn't, I was just being overconfident that my firewall wasn't the problem when clearly it was. No response is required here, I'm simply attempting to make notes for the next poor soul who ventures this and comes across my post, though if you care to venture how to prove that you have all the bits Certbot requires with Debian/Apache stack, that might be helpful for the next poor fool.
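The reply above points at the error type in the FailedChallenges line, and the update confirms the cause (a firewall that admitted some validators but not others; the "During secondary validation" wording means the primary validator got through and a remote vantage point did not). As an added example, not code from certbot or from this thread, here is a small offline triage script that pulls each failed identifier out of a certbot log, reads the RFC 8555 error URN, and maps it to the first thing to check. The sample log text is constructed (example.com hostnames, a placeholder token); the mapping from error URN to hint is my own checklist, not certbot's.

```python
"""Triage certbot 'Failed authorization procedure' lines (added example, offline)."""
import re
import sys
from dataclasses import dataclass
from typing import List

# One failed identifier looks like:
#   www.example.com (http-01): urn:ietf:params:acme:error:connection :: detail :: more detail
# certbot joins several identifiers on one line with ", ", and the detail text may itself
# contain commas, so the detail is matched non-greedily up to the next identifier or end of line.
FAILURE_RE = re.compile(
    r"(?P<domain>[A-Za-z0-9.*-]+) \((?P<challenge>[a-z0-9-]+)\): "
    r"(?P<error_type>urn:ietf:params:acme:error:[A-Za-z]+) :: "
    r"(?P<detail>.+?)(?=, [A-Za-z0-9.*-]+ \([a-z0-9-]+\): urn:ietf|$)"
)


@dataclass
class ChallengeFailure:
    domain: str
    challenge: str
    error_type: str   # RFC 8555 error URN, e.g. urn:ietf:params:acme:error:connection
    detail: str
    secondary: bool   # True when only a remote validation vantage point failed

    @property
    def hint(self) -> str:
        """Map the ACME error type to the first thing a defender should check."""
        short = self.error_type.rsplit(":", 1)[-1]
        if short == "connection":
            where = ("a remote vantage point (primary validation passed, so a firewall "
                     "allowlist covering only some validator addresses is the usual cause)"
                     if self.secondary else "the primary validator")
            return (f"connect to port 80 failed from {where}: confirm DNS for {self.domain} "
                    "points at this host and that inbound 80 is open from any source")
        if short == "dns":
            return f"DNS lookup failed: check the A/AAAA records for {self.domain}"
        if short == "unauthorized":
            return ("the validator reached the host but got the wrong content or a 404: "
                    "check the webroot path / the .well-known/acme-challenge alias")
        return f"unrecognised ACME error {self.error_type}; read the detail text"


def parse_failures(log_text: str) -> List[ChallengeFailure]:
    """Extract every failed identifier from certbot log text."""
    failures: List[ChallengeFailure] = []
    for line in log_text.splitlines():
        if "Failed authorization procedure." not in line:
            continue
        body = line.split("Failed authorization procedure.", 1)[1]
        for m in FAILURE_RE.finditer(body):
            detail = m.group("detail").strip()
            failures.append(ChallengeFailure(
                domain=m.group("domain"),
                challenge=m.group("challenge"),
                error_type=m.group("error_type"),
                detail=detail,
                secondary="During secondary validation" in detail,
            ))
    return failures


# Constructed sample: the shape of the thread's FailedChallenges line, with a second
# identifier failing on DNS so the multi-identifier split is exercised.
SAMPLE_LOG = (
    "2020-04-17 15:47:25,772:DEBUG:certbot.log:Exiting abnormally:\n"
    "certbot.errors.FailedChallenges: Failed authorization procedure. "
    "www.example.com (http-01): urn:ietf:params:acme:error:connection :: "
    "The server could not connect to the client to verify the domain :: "
    "During secondary validation: Fetching "
    "http://www.example.com/.well-known/acme-challenge/TOKEN-PLACEHOLDER: "
    "Timeout during connect (likely firewall problem), "
    "mail.example.com (http-01): urn:ietf:params:acme:error:dns :: "
    "DNS problem: NXDOMAIN looking up A for mail.example.com\n"
)


def report(log_text: str) -> List[str]:
    """One human-readable line per failed identifier."""
    return [f"{f.domain} [{f.challenge}] {f.error_type.rsplit(':', 1)[-1]}: {f.hint}"
            for f in parse_failures(log_text)]


if __name__ == "__main__":
    # Usage: python triage.py /var/log/letsencrypt/letsencrypt.log   (or no argument for the sample)
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for line in report(text) or ["no FailedChallenges lines found"]:
        print(line)
```

The useful signal is the combination of the error URN and the "During secondary validation" marker: a connection timeout only at secondary validation is exactly the pattern in this thread, where an allowlist admitted the primary validator and blocked the others. Let's Encrypt validates from several network perspectives, so a firewall rule has to admit inbound port 80 from anywhere during issuance rather than from a fixed set of addresses.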