Acme_tiny Validation Error on NGINX with Ubuntu - Could Not Connect

Hello all. As of this morning I’m receiving a validation error when attempting to renew a certificate. The JSON response looks like this (after removing some private info):

{
    'url': 'http://redacted/.well-known/acme-challenge/redacted',
    'hostname': 'redacted',
    'addressUsed': 'redacted',
    'port': '80',
    'addressesResolved': ['redacted']}],
    'keyAuthorization': 'redacted',
    'uri': 'https://acme-v01.api.letsencrypt.org/acme/challenge/redacted',
    'token': 'redacted',
    'error': {
        'status': 400,
        'type': 'urn:acme:error:connection',
        'detail': 'Could not connect to redacted'
    },
    'type': 'http-01'
}

I’ve checked my nginx access logs, and there is a request coming from the Let’s Encrypt validation server. This request has a 200 HTTP status, so it seems it was able to connect and obtain the information from the challenge URL. I also tried hitting my challenge URL on several machines outside of the network, all of which were able to retrieve this information, so it doesn’t seem to be a problem with it being served.

I was able to renew my certificate in this manner several times previously over the past year, and have only noticed the issue as of this morning. Is there anything else that a “Could not connect” error message may indicate, since it seems the Let’s Encrypt validation server is able to connect to my server (as seen in my nginx logs)? Thanks!

Please fill out the fields below so we can help you better.

My domain is:

I ran this command:

It produced this output:

My operating system is (include version):

My web server is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

My domain is:
roadsafety.gov.ph

I ran this command:
acme_tiny.py (passing in arguments for account-key, csr, and acme-dir)

It produced this output:
Output listed above. It’s a json response with status of “invalid” and an error status of “Could not connect”, even though I’m seeing the Let’s Encrypt validation server connect successfully to my server. I too am able to retrieve the information from my challenge URL using machines on several different networks.

My operating system is (include version):
Ubuntu 14.04.4 LTS

My web server is (include version):
nginx 1.10.0

My hosting provider, if applicable, is:
N/A

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

Thanks for the extra information, @kshepard. Could you include the full error “detail” message too, and maybe an excerpt from your web server log where you see the validation server connect to you?

Sure thing, thanks for looking into this!

The full response is:
{u'status': u'invalid', u'validationRecord': [{u'url': u'http://roadsafety.gov.ph/.well-known/acme-challenge/EBVMzoKiZdlgYwJdRnNENSrjCEX4IPojG6hUhDdrXj8', u'hostname': u'roadsafety.gov.ph', u'addressUsed': u'202.90.158.244', u'port': u'80', u'addressesResolved': [u'202.90.158.244']}], u'keyAuthorization': u'EBVMzoKiZdlgYwJdRnNENSrjCEX4IPojG6hUhDdrXj8.PrnadjKzrNyMrQq4pXwQWRFLh82EGTQBgnHVQYSHmMU', u'uri': u'https://acme-v01.api.letsencrypt.org/acme/challenge/zi-2pFWnPKxiXblIiqbPcoegKvPs35Jhc3Qp_0bLKWI/869902205', u'token': u'EBVMzoKiZdlgYwJdRnNENSrjCEX4IPojG6hUhDdrXj8', u'error': {u'status': 400, u'type': u'urn:acme:error:connection', u'detail': u'Could not connect to roadsafety.gov.ph'}, u'type': u'http-01'}

And the webserver logs:
66.133.109.36 - - [25/Mar/2017:05:03:29 +0800] "GET /.well-known/acme-challenge/EBVMzoKiZdlgYwJdRnNENSrjCEX4IPojG6hUhDdrXj8 HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

This was from a fresh renewal request I just tried a minute ago. I’ve also tried several times throughout today and yesterday, all with the same results.

@jsha, can Boulder really return such a generic ACME error detail as “Could not connect to [hostname]”? Don’t we typically get a more meaningful diagnostic back, like NXDOMAIN, SERVFAIL, TCP connection refused, HTTP errors, etc.?

It definitely can in some situations. In particular I think we don't usually do a great job of surfacing specific HTTP errors.

In this case the underlying error from the logs was:

net/http: request canceled (Client.Timeout exceeded while awaiting headers)

Interesting! Thanks for looking that up, @jsha. I guess it would be great to surface a little more of that in the diagnostics, because those messages have usually been able to point us in the right direction to fix whatever went wrong.

@kshepard, this sounds to me like a network connectivity problem between you and the Let’s Encrypt CA, perhaps caused by a firewall or something interfering with inbound network connections. I can connect to your site just fine, but maybe that’s not true for the CA. Is there any chance a firewall is involved?

You can also use the DNS-01 method, if you can update the DNS zone file for your domain. This doesn’t require the CA to connect directly to your server at all (only to the authoritative name servers that serve its DNS zone).

That is very interesting. There is not a firewall running, and I unfortunately don’t have access to any of the DNS settings in this infrastructure. It’s very strange that the Boulder machine is unable to connect given that both you, and I, and several other machines in various locations I’ve tested have not had problems. Also, this had been working fine for months without any configuration changes. Is there any chance some further diagnosis can be done on why this is timing out? For instance, what is the timeout set to? This server is located in Asia, so it wouldn’t surprise me at all if there was some heavy latency.

I’m not sure a random timeout is a likely explanation—for me, loading the ACME challenge URL from your site only takes about 0.5 seconds.

@schoen / @jsha - Do you have any other guidance for diagnosing this issue? I’m at a loss for what to do, since everything looks fine on my end, and every machine I’ve tested is able to access the ACME challenge URL without error. I just don’t see what could be causing the timeout at Boulder, and would be grateful for any other information you can provide. I’ve been sporadically issuing the renew request ever since running into this issue, and I’ve received the same results each time.

Alright, just installed Certbot, ran it in standalone mode, and it worked like a charm. Why the old setup wasn’t working will probably always be a great mystery to me (some kind of obscure Nginx issue, perhaps). But I’m happy to have a cert now and am ready to move on. Thanks for everyone’s help with this!

Glad it worked! For standalone, you should be aware that you’ll probably need to temporarily stop the web server for renewals.
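The comparison made by hand in this thread (the CA's challenge object against the server's own access log) can be scripted. The following is an added example, not part of any post and not acme-tiny or Boulder code; the function name, verdict labels, sample hostnames and addresses are constructed, and it assumes the "combined" access-log format seen in the excerpt above.

```python
import re
from urllib.parse import urlparse

# "combined" access-log format (assumed), as in the excerpt posted in the thread
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+) "[^"]*" "(?P<ua>[^"]*)"'
)

def correlate(challenge, log_lines):
    """Compare an ACME v1 http-01 challenge object with the server's access log."""
    path = urlparse(challenge["validationRecord"][0]["url"]).path
    want = len(challenge["keyAuthorization"])  # expected body length in bytes
    hits = [m.groupdict() for m in map(LOG_RE.match, log_lines)
            if m and m["path"] == path]
    # A hit is "good" if it is a 200 whose body length matches the key
    # authorization (one trailing newline tolerated).
    good = [h for h in hits
            if h["status"] == "200" and int(h["size"]) in (want, want + 1)]
    ca_error = challenge.get("error", {}).get("type")
    if not hits:
        verdict = "not-reached"          # request never arrived at this server
    elif not good:
        verdict = "served-wrong"         # arrived, but wrong status or body size
    elif ca_error == "urn:acme:error:connection":
        verdict = "served-but-ca-failed" # server wrote a full reply the CA never got
    else:
        verdict = "consistent"
    return {"verdict": verdict, "hits": hits}

# Constructed sample data (hypothetical hostname, token and addresses).
KEYAUTH = "TOKEN123.THUMBPRINT456"
SAMPLE_CHALLENGE = {
    "status": "invalid", "type": "http-01", "token": "TOKEN123",
    "keyAuthorization": KEYAUTH,
    "validationRecord": [{
        "url": "http://example.test/.well-known/acme-challenge/TOKEN123",
        "hostname": "example.test", "port": "80", "addressUsed": "192.0.2.10"}],
    "error": {"status": 400, "type": "urn:acme:error:connection",
              "detail": "Could not connect to example.test"},
}
SAMPLE_LOG = [
    '198.51.100.7 - - [25/Mar/2017:05:03:29 +0800] '
    '"GET /.well-known/acme-challenge/TOKEN123 HTTP/1.1" 200 %d "-" '
    '"Mozilla/5.0 (compatible; Let\'s Encrypt validation server)"' % len(KEYAUTH),
    '203.0.113.9 - - [25/Mar/2017:05:03:31 +0800] '
    '"GET /index.html HTTP/1.1" 200 512 "-" "curl/7.47.0"',
]

if __name__ == "__main__":
    print(correlate(SAMPLE_CHALLENGE, SAMPLE_LOG)["verdict"])
```

In the excerpt posted above, the logged body size of 87 bytes equals the length of the posted keyAuthorization, so that request falls in the `served-but-ca-failed` case: the access log shows nginx wrote a complete response, which does not show that the CA received it before its client timeout.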
