Acme challenge verification sent too late

#1

All my verification calls return a 404; looking at the logs, I see that the verification is called after the local challenge no longer exists.
My domain is: apolloapi.borealisai.de

I ran this command: using nginx-ssl-proxy from https://github.com/DanielDent/docker-nginx-ssl-proxy

It produced this output:

13:10:10 Obtaining a new certificate
13:10:11 Performing the following challenges:
13:10:11 http-01 challenge for <MyDomaon>
13:10:11 Using the webroot path /usr/share/nginx/html for all unmatched domains.
13:10:11 Waiting for verification...
13:10:11 <IP> - - [11/Jan/2019:18:10:11 +0000] "GET /.well-known/acme-challenge/<ChallengeKey> HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
13:10:58 Cleaning up challenges
13:10:58 Incomplete authorizations

My web server is (include version):
nginx

The operating system my web server runs on is (include version):
Linux e9a85a41e863 4.9.114-moby #1 SMP Wed Aug 22 17:42:16 UTC 2018 x86_64 GNU/Linux

My hosting provider, if applicable, is:
AWS

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

#2

The FQDN resolves to three IPs:

Name: apolloapi.borealisai.de
Addresses: 52.207.58.120
           54.86.249.220
           18.232.199.168

As this is the first cert requested for this FQDN, you need to understand how cert authentication happens and how your setup would allow for it (to happen).
Or switch to a better suited authentication method (perhaps DNS auth).

I don’t use AWS for DNS, so I can’t guide you with that specifically.
But there should be a working DNS plugin for AWS.

#3

Thank you @rg305! I’ve changed my DNS to resolve to a single IP, but I’m getting another error:
Failed authorization procedure. apolloapi.borealisai.de (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://apolloapi.borealisai.de/.well-known/acme-challenge/<ChallengeKey>: Timeout during connect (likely firewall problem)

I have a server listening at ports 80 and 443 at this address, am I missing anything else?

#4

Yes, AWS needs to allow port 80 also.

Connecting to apolloapi.borealisai.de (apolloapi.borealisai.de)|18.211.213.223|:80… failed: Connection timed out.
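The two failures in this thread (a 404 because a round-robin name sent the CA to an address whose webroot had no token, then a connect timeout because port 80 was not open) can both be caught before requesting a certificate. The following pre-flight check is an added example, not part of this thread or of the nginx-ssl-proxy project: it resolves every address behind a name and fetches a challenge URL from each one with the right Host header, the way the validation server does. It assumes you have already placed a file with a token name of your own choosing under the webroot; the domain and token are placeholders.

```python
import socket
import http.client
from dataclasses import dataclass
from typing import List, Optional

ACME_PATH = "/.well-known/acme-challenge/"

@dataclass
class Probe:
    ip: str
    status: Optional[int]   # HTTP status, or None when no response came back
    error: Optional[str]

def resolve_all(domain: str) -> List[str]:
    """Every address the name resolves to; a round-robin name returns several."""
    infos = socket.getaddrinfo(domain, 80, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def probe(ip: str, domain: str, token: str, timeout: float = 5.0) -> Probe:
    """Fetch the challenge URL from one specific address, sending the Host
    header so the right vhost answers, as the CA's validation server would."""
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", ACME_PATH + token, headers={"Host": domain})
        resp = conn.getresponse()
        resp.read()
        return Probe(ip, resp.status, None)
    except OSError as exc:  # socket.timeout, ConnectionRefusedError, ...
        return Probe(ip, None, type(exc).__name__)
    finally:
        conn.close()

def diagnose(probes: List[Probe]) -> str:
    """Classify the results into the failure modes seen in this thread."""
    if not probes:
        return "no-address"
    if all(p.status == 200 for p in probes):
        return "ok"
    if any(p.status is None for p in probes):
        return "unreachable"    # port 80 blocked: security group / firewall
    if any(p.status == 404 for p in probes):
        return "token-missing"  # an address whose webroot lacks the file
    return "other"

def check(domain: str, token: str) -> str:
    """Resolve the name, probe every address, and return the overall verdict."""
    probes = [probe(ip, domain, token) for ip in resolve_all(domain)]
    for p in probes:
        print(f"{p.ip}: status={p.status} error={p.error}")
    return diagnose(probes)

if __name__ == "__main__":
    # Placeholder values (assumed): replace with your FQDN and the file name you created.
    print(check("example.invalid", "preflight-token"))
```

Only when every address reports "ok" will an http-01 challenge written to that webroot be reachable regardless of which address the CA picks.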

#5

Makes sense 🙂 Thank you so much!

#6

I see a new cert!
