Hello, I face a difficulty with one website's SSL creation. To debug, I forced "skip LE check" on my server. When running /usr/local/ispconfig/server/server.sh it says:

Code:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mysite.domain.tld
Waiting for verification...
Challenge failed for domain mysite.domain.tld
http-01 challenge for mysite.domain.tld
Cleaning up challenges
Some challenges have failed.
16.10.2024-21:13 - WARNING - Let's Encrypt SSL Cert for: mysite.domain.tld could not be issued.
16.10.2024-21:13 - WARNING - /bin/certbot certificates --domains mysite.domain.tld
finished server.php.

At the same time the LE log says:

Code:
{
  "identifier": {
    "type": "dns",
    "value": "mysite.domain.tld"
  },
  "status": "pending",
  "expires": "2024-10-23T19:13:36Z",
  "challenges": [
    {
      "type": "dns-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/417134584347/ZnStkg",
      "status": "pending",
      "token": "TyIugTZqLy3nSo9qPcOOkHvDR2EMVaWjhLAu6LdULRE"
    },
    {
      "type": "http-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/417134584347/cV1kEw",
      "status": "pending",
      "token": "TyIugTZqLy3nSo9qPcOOkHvDR2EMVaWjhLAu6LdULRE"
    },
    {
      "type": "tls-alpn-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/417134584347/mSPqNw",
      "status": "pending",
      "token": "TyIugTZqLy3nSo9qPcOOkHvDR2EMVaWjhLAu6LdULRE"
    }
  ]
}
2024-10-16 21:13:36,819:DEBUG:acme.client:Storing nonce: lTIH_r581VtUF6yE-sROSuHsnkso99oVRrzjcYWxoz9HP6CI_Fg
2024-10-16 21:13:36,820:INFO:certbot.auth_handler:performing the following challenges:
2024-10-16 21:13:36,820:INFO:certbot.auth_handler:http-01 challenge for mysite.domain.tld
2024-10-16 21:13:36,820:DEBUG:certbot.plugins.webroot:Creating root challenges validation dir at /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
2024-10-16 21:13:36,826:DEBUG:certbot.plugins.webroot:Attempting to save validation to /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/TyIugTZqLy3nSo9qPcOOkHvDR2EMVaWjhLAu6LdULRE
2024-10-16 21:13:36,826:INFO:certbot.auth_handler:Waiting for verification...
2024-10-16 21:13:36,826:DEBUG:acme.client:JWS payload:
b'{\n  "resource": "challenge",\n  "type": "http-01"\n}'
2024-10-16 21:13:36,835:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/417134584347/cV1kEw:
{ removed }
2024-10-16 21:13:36,985:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/417134584347/cV1kEw HTTP/1.1" 200 187
2024-10-16 21:13:36,985:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 16 Oct 2024 19:13:36 GMT
Content-Type: application/json
Content-Length: 187
Connection: keep-alive
Boulder-Requester: 1408312516
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz-v3/417134584347>;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/417134584347/cV1kEw
Replay-Nonce: lTIH_r58SEOBNRvCezkybwTyKML4EvYTH_eLiKv-_TmWFFwgSeQ
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/417134584347/cV1kEw",
  "status": "pending",
  "token": "TyIugTZqLy3nSo9qPcOOkHvDR2EMVaWjhLAu6LdULRE"
}
2024-10-16 21:13:36,985:DEBUG:acme.client:Storing nonce: lTIH_r58SEOBNRvCezkybwTyKML4EvYTH_eLiKv-_TmWFFwgSeQ
2024-10-16 21:13:37,987:DEBUG:acme.client:JWS payload:
b''
2024-10-16 21:13:37,996:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/417134584347:
{ removed }
2024-10-16 21:13:38,134:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/417134584347 HTTP/1.1" 200 1354
2024-10-16 21:13:38,134:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 16 Oct 2024 19:13:38 GMT
Content-Type: application/json
Content-Length: 1354
Connection: keep-alive
Boulder-Requester: 1408312516
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: lTIH_r58mqkct0YVWbn_e09nmDkEYEt1rBnr67QfFfa9SPb_k-w
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "mysite.domain.tld"
  },
  "status": "invalid",
  "expires": "2024-10-23T19:13:36Z",
  "challenges": [
    {
      "type": "http-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/417134584347/cV1kEw",
      "status": "invalid",
      "validated": "2024-10-16T19:13:36Z",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "hiddenipv6: Invalid response from http://mysite.domain.tld/.well-known/acme-challenge/TyIugTZqLy3nSo9qPcOOkHvDR2EMVaWjhLAu6LdULRE: \"\u003c!doctype html\u003e\u003chtml lang=\\\"en\\\" translate=\\\"no\\\"\u003e\u003chead\u003e\u003cmeta charset=\\\"utf-8\\\"/\u003e\u003cmeta http-equiv=\\\"X-UA-Compatible\\\" content=\\\"IE=edge\\\"/\"",
        "status": 403
      },
      "token": "TyIugTZqLy3nSo9qPcOOkHvDR2EMVaWjhLAu6LdULRE",
      "validationRecord": [
        {
          "url": "http://mysite.domain.tld/.well-known/acme-challenge/TyIugTZqLy3nSo9qPcOOkHvDR2EMVaWjhLAu6LdULRE",
          "hostname": "mysite.domain.tld",
          "port": "80",
          "addressesResolved": [
            "hiddenipv4",
            "hiddenipv6"
          ],
          "addressUsed": "hiddenipv6"
        }
      ]
    }
  ]
}
2024-10-16 21:13:38,134:DEBUG:acme.client:Storing nonce: lTIH_r58mqkct0YVWbn_e09nmDkEYEt1rBnr67QfFfa9SPb_k-w
2024-10-16 21:13:38,135:WARNING:certbot.auth_handler:Challenge failed for domain mysite.domain.tld
2024-10-16 21:13:38,135:INFO:certbot.auth_handler:http-01 challenge for mysite.domain.tld
2024-10-16 21:13:38,135:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: mysite.domain.tld
Type:   unauthorized
Detail: hiddenipv6: Invalid response from http://mysite.domain.tld/.well-known/acme-challenge/TyIugTZqLy3nSo9qPcOOkHvDR2EMVaWjhLAu6LdULRE: "<!doctype html><html lang=\"en\" translate=\"no\"><head><meta charset=\"utf-8\"/><meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\"/"

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
2024-10-16 21:13:38,135:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2024-10-16 21:13:38,135:DEBUG:certbot.error_handler:Calling registered functions
2024-10-16 21:13:38,135:INFO:certbot.auth_handler:Cleaning up challenges
2024-10-16 21:13:38,136:DEBUG:certbot.plugins.webroot:Removing /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/TyIugTZqLy3nSo9qPcOOkHvDR2EMVaWjhLAu6LdULRE
2024-10-16 21:13:38,136:DEBUG:certbot.plugins.webroot:All challenges cleaned up
2024-10-16 21:13:38,136:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.40.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1382, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1265, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 417, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 348, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 396, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2024-10-16 21:13:38,508:DEBUG:certbot.main:certbot version: 0.40.0
2024-10-16 21:13:38,508:DEBUG:certbot.main:Arguments: ['--domains', 'mysite.domain.tld']
2024-10-16 21:13:38,509:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2024-10-16 21:13:38,517:DEBUG:certbot.log:Root logging level set at 20
2024-10-16 21:13:38,517:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
My DNS is correct (https serves a cert from that same server). Everything happens as if http://mysite.domain.tld/.well-known/acme-challenge/TyIugTZqLy3nSo9qPcOOkHvDR2EMVaWjhLAu6LdULRE didn't go to /usr/local/ispconfig/interface/acme/.well-known/acme-challenge (see: Detail: hiddenipv6: Invalid response from http://mysite.domain.tld/.well-known/acme-challenge/TyIugTZqLy3nSo9qPcOOkHvDR2EMVaWjhLAu6LdULRE: "<!doctype html><html lang=\"en\" translate=\"no\"><head><meta charset=\"utf-8\"/><meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\"/") but stayed at /var/www/mywebsite/web/.well-known/acme-challenge. I tried resyncing the server, but without any success...

My vhost contains:

Code:
RewriteEngine on
RewriteCond %{REQUEST_URI} ^/\.well-known/acme-challenge/
RewriteRule ^ - [END]

I have these Apache directives:

Code:
ProxyPass / http://127.0.0.1:3010/
ProxyPassReverse / http://127.0.0.1:3010/
ProxyPreserveHost On
ProxyRequests Off
ServerName mywebsite.domain.tld

It works with other websites!?
It does not. When you ProxyPass like that, you ProxyPass any incoming request for that vHost to "http://127.0.0.1:3010/", even the validation attempt to "/.well-known/acme-challenge/". You need to exclude that path from your ProxyPass to make the http-01 challenge work.

Code:
ProxyPass /.well-known/acme-challenge !
ProxyPass / http://127.0.0.1:3010/
ProxyPassReverse / http://127.0.0.1:3010/
ProxyPreserveHost On
ProxyRequests Off
ServerName mywebsite.domain.tld
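Two checks that go with the fix above, as an added example that is not part of the thread and not ISPConfig's or pyte's code. The first is a static check of a vhost snippet: Apache evaluates ProxyPass rules in configuration order and the first match wins, so the "!" exclusion for /.well-known/acme-challenge only takes effect when it comes before the catch-all "ProxyPass /". The second mimics the validator: it drops a random token into the ACME webroot and fetches it over IPv4 and IPv6, since the log above shows Let's Encrypt validating over the AAAA address. The function names, the sample vhost strings and the hostname argument are assumptions; the default webroot is the path certbot wrote to in the log.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not ISPConfig code).

# The OP's original directives, as a constructed sample.
BROKEN_VHOST='
ProxyPass / http://127.0.0.1:3010/
ProxyPassReverse / http://127.0.0.1:3010/
ProxyPreserveHost On
ProxyRequests Off
ServerName mywebsite.domain.tld
'

# The corrected directives from the answer above, as a constructed sample.
FIXED_VHOST='
ProxyPass /.well-known/acme-challenge !
ProxyPass / http://127.0.0.1:3010/
ProxyPassReverse / http://127.0.0.1:3010/
ProxyPreserveHost On
ProxyRequests Off
ServerName mywebsite.domain.tld
'

# Exclusion present but after the catch-all: it never matches. Constructed sample.
WRONG_ORDER_VHOST='
ProxyPass / http://127.0.0.1:3010/
ProxyPass /.well-known/acme-challenge !
ProxyPassReverse / http://127.0.0.1:3010/
'

# acme_exclusion_ok CONFIG_TEXT
# Exit 0 when "ProxyPass /.well-known/acme-challenge !" precedes the
# catch-all "ProxyPass /"; exit 1 when it is missing or comes too late.
acme_exclusion_ok() {
    printf '%s\n' "$1" | awk '
        { sub(/^[ \t]+/, "") }            # drop leading indentation
        /^#/ { next }                     # skip comments
        $1 != "ProxyPass" { next }
        { gsub(/"/, "", $2) }             # allow a quoted path argument
        $2 ~ /^\/\.well-known\/acme-challenge\/?$/ && $3 == "!" {
            if (!catchall) excl = 1       # only counts before the catch-all
        }
        $2 == "/" { catchall = 1 }
        END { exit (excl ? 0 : 1) }
    '
}

# probe_acme_path HOSTNAME [WEBROOT]
# Writes a random token under WEBROOT/.well-known/acme-challenge/ and fetches
# it over both address families, as the ACME validator would. Exit 0 only if
# both bodies equal the token; a proxied HTML page or a 403 page fails.
# Needs write access to WEBROOT and curl; not exercised offline.
probe_acme_path() {
    host=$1
    webroot=${2:-/usr/local/ispconfig/interface/acme}
    dir="$webroot/.well-known/acme-challenge"
    token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    mkdir -p "$dir" && printf '%s' "$token" > "$dir/$token" || return 2
    rc=0
    for fam in -4 -6; do
        body=$(curl -sS "$fam" --max-time 10 "http://$host/.well-known/acme-challenge/$token")
        if [ "$body" = "$token" ]; then
            echo "IPv${fam#-}: OK, token served from $dir"
        else
            echo "IPv${fam#-}: FAIL, got: $(printf '%s' "$body" | head -c 80)"
            rc=1
        fi
    done
    rm -f "$dir/$token"
    return $rc
}
```

Run acme_exclusion_ok against the vhost file contents before reloading Apache, then probe_acme_path mysite.domain.tld as root on the web server once the reload is done; a FAIL on only the IPv6 leg points at the AAAA record or the IPv6 vhost binding rather than at the ProxyPass rules.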
I don't know why it doesn't work with...

Code:
<LocationMatch well-known>
RewriteEngine off
</LocationMatch>
It is ".well-known" and not "well-known". Also, this is an Apache proxy and not a rewrite, so I'm not sure whether switching off rewriting has any influence on the proxy at all. But the correct solution has already been explained by @pyte.