Access log shows file correctly accessed, but I am getting error during secondary validation for subdomain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
test.tellect.in

I ran this command:
sudo certbot certonly --manual

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): test.tellect.in
Requesting a certificate for test.tellect.in


Create a file containing just this data:

aJ8XBDVEq0n3obGX5O3H_ApKy2qxMk_CjT9J1jSxv6A.EOxy35S9NIr1YH0Dx8G7u7742YpJNjjfxpfmvGIEo0Y

And make it available on your web server at this URL:

http://test.tellect.in/.well-known/acme-challenge/aJ8XBDVEq0n3obGX5O3H_ApKy2qxMk_CjT9J1jSxv6A


Press Enter to Continue

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: test.tellect.in
Type: connection
Detail: During secondary validation: 103.107.97.225: Fetching http://test.tellect.in/.well-known/acme-challenge/aJ8XBDVEq0n3obGX5O3H_ApKy2qxMk_CjT9J1jSxv6A: Timeout after connect (your server may be slow or overloaded)

Hint: The Certificate Authority failed to verify the manually created challenge files. Ensure that you created these in the correct location.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
Apache2
Server version: Apache/2.4.41 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
Terminal

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.8.0

I can access the file myself and the apache2 server access log also shows error code 200.
23.178.112.106 - - [21/Dec/2023:20:36:03 +0530] "GET /.well-known/acme-challenge/aJ8XBDVEq0n3obGX5O3H_ApKy2qxMk_CjT9J1jSxv6A HTTP/1.1" 200 376 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

You should be seeing at least three requests, from various points around the world. So you presumably have a firewall that's blocking some of them. Maybe something geolocation-based?

4 Likes
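A defender-side check for the point above, that the access log should show at least three validation requests from different source IPs: added example code, not from the thread or from Certbot. It parses Apache combined-format lines, counts distinct Let's Encrypt validation IPs that fetched the challenge token with a 200, and flags a run where only one vantage point got through. The sample lines other than the one the original poster quoted, the documentation-range IPs, and the threshold of three are constructed assumptions.

```python
import re
from collections import defaultdict

# Apache "combined" log format (the format of the line quoted in the thread).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
LE_UA_MARKER = "Let's Encrypt validation server"
TOKEN = "aJ8XBDVEq0n3obGX5O3H_ApKy2qxMk_CjT9J1jSxv6A"  # token from the thread

def le_line(ip, ts):
    """Build a constructed Let's Encrypt validation GET for TOKEN from ip (status 200)."""
    return (f'{ip} - - [{ts}] "GET {CHALLENGE_PREFIX}{TOKEN} HTTP/1.1" 200 376 "-" '
            f'"Mozilla/5.0 (compatible; {LE_UA_MARKER}; +https://www.letsencrypt.org)"')

# Constructed sample: the single hit the poster saw, plus unrelated noise that must not count.
FILTERED_LOG = [
    le_line("23.178.112.106", "21/Dec/2023:20:36:03 +0530"),  # the one hit in the thread
    '198.51.100.7 - - [21/Dec/2023:20:36:05 +0530] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.81.0"',
    f'203.0.113.9 - - [21/Dec/2023:20:36:06 +0530] "GET {CHALLENGE_PREFIX}{TOKEN} HTTP/1.1" 200 376 "-" "Mozilla/5.0 (scanner)"',
]
# Constructed healthy run: primary plus two secondary vantage points all reached Apache.
HEALTHY_LOG = FILTERED_LOG + [
    le_line("198.51.100.20", "21/Dec/2023:20:36:04 +0530"),
    le_line("203.0.113.40", "21/Dec/2023:20:36:04 +0530"),
]

def summarize_challenge_hits(lines):
    """Map challenge token -> set of source IPs whose LE validation GET returned 200."""
    hits = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or not m["path"].startswith(CHALLENGE_PREFIX):
            continue
        if LE_UA_MARKER not in m["ua"] or m["status"] != "200":
            continue  # ignore scanners, browsers and failed fetches
        hits[m["path"][len(CHALLENGE_PREFIX):]].add(m["ip"])
    return hits

def check_vantage_points(lines, token, expected=3):
    """Return (ok, message): ok only if >= expected distinct LE IPs fetched the token."""
    seen = summarize_challenge_hits(lines).get(token, set())
    if len(seen) >= expected:
        return True, f"{len(seen)} validation vantage points fetched the token"
    return False, (f"only {len(seen)} of at least {expected} expected validation requests "
                   f"reached Apache; the others were likely filtered before the web server")
```

Run `check_vantage_points(FILTERED_LOG, TOKEN)` to reproduce the thread's situation (one hit, check fails) and the same call on `HEALTHY_LOG` to see a passing run.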

Adding:

Whenever possible, I like to use shell accounts on personal Cloud Servers to test the files are correctly served.

Often times there is some firewall or routing rule on the Server or within the Office that makes everything appear to work for everyone in an organization/office - but makes everything fundamentally broken for the public internet.

3 Likes

Your topic states "error during secondary validation".
That clearly implies that some IPs are unable to reach your web server.

Why?
I don't know enough about your systems to be sure.
It could be a routing problem, an IP blocking program/service, etc.
But I am sure about the lack of access.

3 Likes

Hello @pratyushrathore

Looks like Ports 80 & 443 are filtered; Best Practice - Keep Port 80 Open

$ nmap -Pn -p80,443 test.tellect.in
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-21 19:03 PST
Nmap scan report for test.tellect.in (103.107.97.225)
Host is up (0.45s latency).

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 1.44 seconds

Thus there is no way for anyone (including Let's Encrypt) to access

Do you have 1 or more firewalls? Each of them needs to let Port 80 pass for the HTTP-01 challenge.
"The HTTP-01 challenge can only be done on port 80. Allowing clients to specify arbitrary ports would make the challenge less secure, and so it is not allowed by the ACME standard."

1 Like

Hi!

Thank you very much for your reply. Apparently, the server was being experimented upon last night. On restoring the server,

nmap -Pn -p80,443 test.tellect.in
Starting Nmap 7.80 ( https://nmap.org ) at 2023-12-22 04:46 UTC
Nmap scan report for test.tellect.in (103.107.97.225)
Host is up (0.041s latency).

PORT   STATE SERVICE
80/tcp open  http

2 Likes

This was, as various posters suggested, an issue with the firewall. Thank you all for your valuable suggestions and time. Sincerest thanks.

5 Likes
