Another "The Certificate Authority failed to verify ..."

cleblond · May 4, 2022, 8:13pm

My certificates were up for renewal and it failed with similar error below. I reinstalled apache, certbot but it always seems to hang at validating.

I've setup let encrypt successfully in past. I can access a test file http://openochem.org/.well-known/acme-challenge/test.txt

Not sure what I'm doing wrong this time.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: openochem.org

I ran this command: sudo certbot --apache --test-cert -v

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?

1: openochem.org

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for openochem.org
Performing the following challenges:
http-01 challenge for openochem.org
Enabled Apache rewrite module
Waiting for verification...
Challenge failed for domain openochem.org
http-01 challenge for openochem.org

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: openochem.org
Type: connection
Detail: 144.80.194.122: Fetching http://openochem.org/.well-known/acme-challenge/U5VRkbINtniXvH4xPa6LcCV4w_qaAFA3cB1BeyaBQ68: Timeout after connect (your server may be slow or overloaded)

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Apache2 Ubuntu 20

The operating system my web server runs on is (include version): Ubuntu 20

My hosting provider, if applicable, is:
NA
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
route 53 for dns records
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.27

MikeMcQ · May 4, 2022, 8:34pm

Welcome to the community @cleblond

Something is blocking attempt of the ACME http challenge URL. We have seen similar failures caused by a recent change to Palo Alto brand firewalls. They changed a default setting to start blocking acme challenge requests. See more info here

Your symptom is different in that the problem is a timeout rather than "reset by peer" or in some cases a 503 error. These are my test requests to your server. See the problem? While the symptom is different it is worth checking if you have Palo Alto firewall.

(note this has no trailing slash and redirects like other http requests)
curl -I -m10 http://openochem.org/.well-known/acme-challenge
HTTP/1.1 301 Moved Permanently
Date: Wed, 04 May 2022 20:29:58 GMT
Server: Apache/2.4.41 (Ubuntu)
Location: http://openochem.org/.well-known/acme-challenge/
Content-Type: text/html; charset=iso-8859-1

Adding a slash or the Challenge Token results in timeout
curl -I -m10 http://openochem.org/.well-known/acme-challenge/
curl: (28) Operation timed out after 10001 milliseconds with 0 bytes received

curl -I -m10 http://openochem.org/.well-known/acme-challenge/ChallengeFile1
curl: (28) Operation timed out after 10001 milliseconds with 0 bytes received

cleblond · May 4, 2022, 11:02pm

Thanks for the rapid reply!

Yes I suspected something was blocking. I see the same response as you unless I'm behind the VPN. Within the VPN the curl tests work fine.

MikeMcQ · May 5, 2022, 12:47am

You know the Let's Encrypt server needs to reach you via the public internet - right?

Something is specifically blocking just the acme challenge URLs (while also allowing those URLs via your VPN)

rg305 · May 5, 2022, 5:23am

I'm immediately reminded of the Palo Alto issue...
But this is somewhat different and yet similar.

system · June 4, 2022, 5:23am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Certbot certificate failed Help	2	471	September 25, 2022
Acme Challenge issue-Certbot Apache Help	4	279	June 17, 2024
Certbot certonly failed to issue Help	34	2390	December 11, 2021
Certificate Authority failed Help	8	1045	July 11, 2022
Certificate Failed Help	3	456	February 28, 2024

Another "The Certificate Authority failed to verify ..."

Related topics