Acme-challenge failed (solved)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: dxq.duckdns.org

I ran this command:
sudo certbot certonly --manual --preferred-challenges=http-01 --dry-run
It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): dxq.duckdns.org
Simulating a certificate request for dxq.duckdns.org
Performing the following challenges:
http-01 challenge for dxq.duckdns.org


Create a file containing just this data:

nBXliU2lDp4nT2WnjXTSC-A6gWT03Todrzu33E3w9lc.4Q1D4DC5cB4wUfW4mFEllUPyhaU3CEbVp6LAaufdve0

And make it available on your web server at this URL:

http://dxq.duckdns.org/.well-known/acme-challenge/nBXliU2lDp4nT2WnjXTSC-A6gWT03Todrzu33E3w9lc


Press Enter to Continue
Waiting for verification...
Challenge failed for domain dxq.duckdns.org
http-01 challenge for dxq.duckdns.org
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: dxq.duckdns.org
    Type: connection
    Detail: Fetching
    http://dxq.duckdns.org/.well-known/acme-challenge/nBXliU2lDp4nT2WnjXTSC-A6gWT03Todrzu33E3w9lc:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version):
nginx/1.14.1
The operating system my web server runs on is (include version):
debian 9 4.19.0-0.bpo.9-amd64
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
1.15.0

1 Like

comments:
I have renewed my certificate several times for other domains without any error.
When I tried to renew it again, I got the timeout error.
To rule out a limitation on my old domain, I tried the manual mode of certbot for the new domain dxq.duckdns.org.
It's obvious that the URL
http://dxq.duckdns.org/.well-known/acme-challenge/nBXliU2lDp4nT2WnjXTSC-A6gWT03Todrzu33E3w9lc
can be accessed from the browser.
I don't know what's wrong there.
I changed nothing compared with the last several successful renewals.

1 Like

That doesn't load for me. I get a network timeout.

Some things to check:

  1. Port 80 is still port-forwarded on any modem/router, if this is a NAT/residential connection.
  2. You haven't closed port 80 on the firewall (Best Practice - Keep Port 80 Open - Let's Encrypt).
  3. Your ISP hasn't suddenly started blocking port 80.
  4. That 135.0.229.130 is the correct IP address.
1 Like
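The four checks in the post above as a script, added here as an example (not something the poster or Let's Encrypt ships). It resolves the name the way the CA will, compares the result with the public IP you expect, and then makes one HTTP request to port 80, mapping curl's documented exit codes onto the same distinction the CA's error text draws (timeout versus refused versus DNS). Run it from a host outside your own network: from inside a NAT the request can succeed (router hairpinning, or a browser resolving the name to a LAN address) while the CA still times out, which is exactly the "works in my browser" situation in this thread. The path `/.well-known/acme-challenge/preflight-test` is a made-up token; any response on it, even a 404, proves the port is reachable.

```shell
#!/bin/sh
# acme-http01-preflight.sh: reproduce the checks the CA makes for an http-01
# challenge before you run certbot. Added example, not from the thread.
# Usage: sh acme-http01-preflight.sh dxq.duckdns.org [expected-public-ip]
set -u

# Map curl's exit status onto the CA's wording. 6/7/28 are curl's documented
# codes for "could not resolve", "failed to connect" and "operation timed out".
describe_curl_status() {
    case "$1" in
        0)  echo "reachable" ;;
        6)  echo "dns: name did not resolve" ;;
        7)  echo "refused: host reachable but nothing listening on port 80 (or blocked with a reset)" ;;
        28) echo "timeout: packets dropped, likely NAT/firewall/ISP block" ;;
        *)  echo "curl exit $1" ;;
    esac
}

# A and AAAA addresses for $1, one per line, deduplicated.
resolve_addresses() {
    getent ahosts "$1" | awk '{print $1}' | sort -u
}

preflight() {
    domain="$1"; expected="${2:-}"
    ips=$(resolve_addresses "$domain")
    if [ -z "$ips" ]; then
        echo "$domain: no A/AAAA record"; return 1
    fi
    echo "$domain resolves to: $(printf '%s' "$ips" | tr '\n' ' ')"
    if [ -n "$expected" ] && ! printf '%s\n' "$ips" | grep -qx "$expected"; then
        echo "$expected is not among the resolved addresses; fix the DNS record first"
        return 1
    fi
    # The CA tries the AAAA address first when one exists, so a stale AAAA
    # record produces the same timeout; do not force -4 here.
    rc=0
    curl -sS -o /dev/null --connect-timeout 10 --max-time 15 \
        "http://$domain/.well-known/acme-challenge/preflight-test" || rc=$?
    echo "port 80 from this vantage point: $(describe_curl_status "$rc")"
    [ "$rc" -eq 0 ]
}

[ "$#" -gt 0 ] && preflight "$@"
```

A "refused" result means the packets reach the host and the server is simply not listening on 80; "timeout" means something between the CA and the host drops them (router port-forward, host firewall, or the ISP), which matches the checklist order above.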

Thank you _az,
That you can't load the page is very important information to me, and I am surprised. I checked the other items you listed and they seem not applicable to me, except:
3. Your ISP hasn't suddenly started blocking port 80.
That could be the reason, because I changed the ISP in March.
If my ISP is blocking port 80, is there another way to finish the ACME challenge (I can't change the DNS records of my domain)?

1 Like

DuckDNS does let you modify the DNS.

You can set Certbot up to do DNS-based renewal with the instructions below. It will have the added benefit of being automatic.

  1. Create the DuckDNS hook (make sure you edit the TOKEN line first to the token you see in your DuckDNS dashboard):
sudo sh -c '
cat <<EOF >/etc/letsencrypt/duckdns.sh
#!/bin/sh
# Certbot runs this as the --manual-auth-hook and exports CERTBOT_VALIDATION,
# the value the CA expects to find in the _acme-challenge TXT record.
TOKEN="XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
DOMAIN="dxq.duckdns.org"
curl "https://www.duckdns.org/update?domains=\$DOMAIN&token=\$TOKEN&txt=\$CERTBOT_VALIDATION&verbose=true"
EOF
chmod 0700 /etc/letsencrypt/duckdns.sh
'
  2. Then try to renew the certificate:

sudo certbot renew --cert-name dxq.duckdns.org --manual \
--preferred-challenges dns --manual-auth-hook /etc/letsencrypt/duckdns.sh

Finally, there are some other ACME clients which support DuckDNS natively: dnsapi · acmesh-official/acme.sh Wiki · GitHub

2 Likes

Hi _az,
I would like to renew for the using cert/domains:
cert-name: rickdong.mynetgear.com
domains: rickdong.mynetgear.com, rickdong.duckdns.org
The domain dxq.duckdns.org is used for test and has no certificate yet.
I placed the duckdns.sh and the command as:
/etc/letsencrypt/duckdns.sh:
TOKEN="my duckdns token"
DOMAIN="rickdong.duckdns.org"
curl "https://www.duckdns.org/update?domains=$DOMAIN&token=$TOKEN&txt=$CERTBOT_VALIDATION&verbose=true"

command:
sudo certbot renew --cert-name rickdong.mynetgear.com --manual \
--preferred-challenges dns --manual-auth-hook /etc/letsencrypt/duckdns.sh

the output:


Processing /etc/letsencrypt/renewal/rickdong.mynetgear.com.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator manual, Installer None
Renewing an existing certificate for rickdong.mynetgear.com and rickdong.duckdns.org
Performing the following challenges:
dns-01 challenge for rickdong.duckdns.org
dns-01 challenge for rickdong.mynetgear.com
Running manual-auth-hook command: /etc/letsencrypt/duckdns.sh
Output from manual-auth-hook command duckdns.sh:
OK
5dvgq_S9ozjtk2YB41cH4BUUr4OYXlyKi4LM1KdXxfI
UPDATED
Error output from manual-auth-hook command duckdns.sh:
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed

0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 54 0 54 0 0 89 0 --:--:-- --:--:-- --:--:-- 89

Running manual-auth-hook command: /etc/letsencrypt/duckdns.sh
Output from manual-auth-hook command duckdns.sh:
OK
jySsBTT85Ja3lTpm46c4eYtpDeOUTNBB-o7UmfH6t_Y
UPDATED
Error output from manual-auth-hook command duckdns.sh:
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed

0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 54 0 54 0 0 100 0 --:--:-- --:--:-- --:--:-- 100

Waiting for verification...
Challenge failed for domain rickdong.duckdns.org
Challenge failed for domain rickdong.mynetgear.com
dns-01 challenge for rickdong.duckdns.org
dns-01 challenge for rickdong.mynetgear.com
Cleaning up challenges
Failed to renew certificate rickdong.mynetgear.com with error: Some challenges have failed.


All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/rickdong.mynetgear.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: rickdong.duckdns.org
    Type: unauthorized
    Detail: Incorrect TXT record
    "jySsBTT85Ja3lTpm46c4eYtpDeOUTNBB-o7UmfH6t_Y" found at
    _acme-challenge.rickdong.duckdns.org

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

  • The following errors were reported by the server:

    Domain: rickdong.mynetgear.com
    Type: dns
    Detail: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.rickdong.mynetgear.com - check that a DNS record
    exists for this domain

How do I correct it?

1 Like

OK.

What I posted is suitable for a single DuckDNS domain, but it's not going to work if you also need the mynetgear.com domain on the same certificate. They use entirely different nameservers.

If you want both domains AND port 80 is blocked, then you're in a pretty tricky situation.

There is a less often used (because it's a pain in the ass) validation method called TLS-ALPN. It only needs port 443 to be open BUT you usually have to stop your webserver in order to use it.

Certbot doesn't support it, you'd need to use a program like acme.sh. What you would do is something like:

acme.sh --issue --alpn -d rickdong.duckdns.org -d rickdong.mynetgear.com \
--pre-hook "service nginx stop" --post-hook "service nginx restart"
1 Like
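The hook posted earlier in this thread hardcodes DOMAIN and ignores which name certbot is currently validating, which is why, with two names on the certificate, the second hook run overwrote the DuckDNS TXT record with the mynetgear.com value and the CA reported "Incorrect TXT record ... found at _acme-challenge.rickdong.duckdns.org". The script below is an added example, not the thread's script and not part of certbot or DuckDNS: it takes the domain from `CERTBOT_DOMAIN`, refuses anything that is not a `*.duckdns.org` name, reads the token from a file instead of embedding it, and polls the DuckDNS nameservers until the TXT value is visible before returning (certbot asks the CA to validate as soon as the hook exits). Assumptions not taken from the thread: the token file path `/etc/letsencrypt/duckdns.token`, and the `clear=true` parameter for cleanup, which is taken from DuckDNS's API description.

```shell
#!/bin/sh
# duckdns-auth-hook.sh: Certbot --manual-auth-hook (and, when called with the
# argument "clear", --manual-cleanup-hook) for the DuckDNS dns-01 challenge.
# Added example, not the script posted in the thread. Differences from it:
#  - the domain comes from $CERTBOT_DOMAIN instead of being hardcoded, and
#    anything that is not a *.duckdns.org name is refused, so a second,
#    non-DuckDNS name on the same certificate cannot overwrite the TXT record;
#  - the token is read from a 0600 file rather than embedded in the script;
#  - it polls DuckDNS's own nameservers until the TXT value is visible,
#    because certbot asks the CA to validate as soon as the hook returns.
# Assumptions not from the thread: the token file path, and the clear=true
# parameter, which is taken from DuckDNS's API description.
set -eu

TOKEN_FILE="${DUCKDNS_TOKEN_FILE:-/etc/letsencrypt/duckdns.token}"

# 0 if $1 is a DuckDNS name such as rickdong.duckdns.org, 1 otherwise.
is_duckdns_domain() {
    case "$1" in
        *.duckdns.org) return 0 ;;
        *)             return 1 ;;
    esac
}

# Build the DuckDNS update URL. $1 domain, $2 token, $3 TXT value,
# $4 "set" or "clear". ACME validation strings are base64url, so they need
# no URL encoding.
duckdns_update_url() {
    if [ "$4" = "clear" ]; then
        printf 'https://www.duckdns.org/update?domains=%s&token=%s&txt=%s&clear=true&verbose=true' "$1" "$2" "$3"
    else
        printf 'https://www.duckdns.org/update?domains=%s&token=%s&txt=%s&verbose=true' "$1" "$2" "$3"
    fi
}

# Poll the zone's own nameserver (what the CA queries, bypassing resolver
# caches) until _acme-challenge.$1 carries TXT value $2; give up after ~60 s.
wait_for_txt() {
    ns=$(dig +short NS duckdns.org | head -n 1) || ns=""
    i=0
    while [ "$i" -lt 12 ]; do
        if dig +short TXT "_acme-challenge.$1" ${ns:+"@$ns"} | tr -d '"' | grep -qx "$2"; then
            return 0
        fi
        i=$((i + 1))
        sleep 5
    done
    return 1
}

run_hook() {
    mode="$1"
    domain="${CERTBOT_DOMAIN:?CERTBOT_DOMAIN not set}"
    value="${CERTBOT_VALIDATION:?CERTBOT_VALIDATION not set}"
    if ! is_duckdns_domain "$domain"; then
        echo "duckdns hook: refusing non-DuckDNS domain '$domain'" >&2
        exit 1
    fi
    token=$(cat "$TOKEN_FILE")
    url=$(duckdns_update_url "$domain" "$token" "$value" "$mode")
    # -sS drops the progress meter that shows up as "Error output" in certbot's
    # log. DuckDNS answers "OK ... UPDATED" on success and "KO" on a bad token
    # or domain, both with HTTP 200, so the body must be checked.
    resp=$(curl -sS --fail "$url")
    case "$resp" in
        OK*) ;;
        *) echo "duckdns hook: API replied: $resp" >&2; exit 1 ;;
    esac
    if [ "$mode" = "set" ]; then
        wait_for_txt "$domain" "$value" || {
            echo "duckdns hook: TXT for $domain not visible after 60 s" >&2; exit 1; }
    fi
}

# Certbot always sets CERTBOT_DOMAIN; without it this file only defines the
# functions above, so running it by hand makes no API call.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
    run_hook "${1:-set}"
fi
```

Use it with `--manual-auth-hook /etc/letsencrypt/duckdns-auth-hook.sh` and `--manual-cleanup-hook "/etc/letsencrypt/duckdns-auth-hook.sh clear"` on the `certbot certonly -d rickdong.duckdns.org --manual --preferred-challenges dns` command from this thread; certbot runs hooks through the shell, so the extra argument is passed through. Keep the token file 0600, since whoever reads it can point the DuckDNS name anywhere.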

Thank you _az,
I will study how to use acme.sh, but as you said it's trouble to maintain 2 domains in one certificate.
So if I want one certificate that only contains one domain, rickdong.duckdns.org, can I request a new certificate? Or must I cancel the current certificate first?
How should I prepare the /etc/letsencrypt/duckdns.sh and the command?

1 Like

Yeah, that should work just fine. (2 domains is actually fine, it's just that we don't have a DNS solution for the Netgear domain).

The command to create a second certificate is similar:

certbot certonly -d rickdong.duckdns.org --manual \
--preferred-challenges dns --manual-auth-hook /etc/letsencrypt/duckdns.sh

Everything the same as before, i.e. keep DOMAIN the same, change TOKEN.

2 Likes

Yes, it works!
Thank you so much @_az.
Will fight with the ISP tomorrow to get port 80 unblocked.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.