CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: bakeitcookbook.com

I ran this command:

It produced this output:
> bash-4.4# ./letsencrypt_service
> /etc/nginx/certs/bakeitcookbook.com /app
> Creating/renewal bakeitcookbook.com certificates… (bakeitcookbook.com www.bakeitcookbook.com)
> 2019-01-17 17:43:29,864:INFO:simp_le:1479: Generating new certificate private key
> 2019-01-17 17:43:34,255:ERROR:simp_le:1446: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Are all your domains accessible from the internet? Please check your domains’ DNS entries, your host’s network/firewall setup and your webserver config. If a domain’s DNS entry has both A and AAAA fields set up, some CAs such as Let’s Encrypt will perform the challenge validation over IPv6. If your DNS provider does not answer correctly to CAA records request, Let’s Encrypt won’t issue a certificate for your domain (see https://letsencrypt.org/docs/caa/). Failing authorizations: https://acme-v01.api.letsencrypt.org/acme/authz/u262oPuF63ueRkW9IzuQXfHsa2rZhciM_URqR-Fux58
Challenge validation has failed, see error log.

My web server is (include version): Centos 7 + Nginx Docker Reverse Proxy + LetsEncrypt Docker Container + Blog docker container

The operating system my web server runs on is (include version): Centos 7

My hosting provider, if applicable, is: Google Domains

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No


#2

I am not familiar with the letsencrypt_service software.
But in general, LE validations are now done over http.
So you will need to allow access to http://your.fqdn/.well-known/acme-challenge/some-random-challenge-file.
If your ISP blocks port 80, then this will fail.
If your firewall blocks port 80, then this will fail.
If your web service doesn’t use port 80, then this will fail.
If your web service “mishandles” the port 80 challenge request, then this will fail.

So, can the Internet reach a test file located at http://your.fqdn/.well-known/acme-challenge/1234 ?
[this is the first test I would ensure your system can pass before continuing]


#3

Hi @brandex007

you want a certificate with both domain names - non-www and www. But your www has ( https://check-your-website.server-daten.de/?q=bakeitcookbook.com ):

Host                    T     IP-Address       is auth.  ∑ Queries  ∑ Timeout
bakeitcookbook.com      A     24.218.106.111   yes       1          0
                        AAAA                   yes
www.bakeitcookbook.com  A     0.0.0.0          yes       1          0
                        AAAA                   yes

0.0.0.0 as IP address, which is wrong. Change your www address to 24.218.106.111.

Your Auth says the same:

https://acme-v01.api.letsencrypt.org/acme/authz/u262oPuF63ueRkW9IzuQXfHsa2rZhciM_URqR-Fux58

“No valid IP addresses found for www.bakeitcookbook.com”
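
A pre-flight check that covers both points raised above: the http-01 reachability test from #2 (can the Internet fetch http://your.fqdn/.well-known/acme-challenge/TOKEN over every published address?) and the unusable 0.0.0.0 record for www from #3. This is an added example, not code from this thread, from letsencrypt_service or from simp_le. It assumes you have already placed a test file at the challenge path in the webroot; the script name, the TOKEN argument and the hostnames in the usage line are made up for illustration, and it uses the host's own resolver, so what it sees can differ from what the CA's resolver sees.

```python
#!/usr/bin/env python3
"""Pre-flight check for an ACME http-01 validation (added example).

For every hostname: (1) resolve A and AAAA records, (2) flag addresses a CA
cannot connect to, such as the 0.0.0.0 record in this thread, and (3) fetch
http://NAME/.well-known/acme-challenge/TOKEN from each routable address in
turn, because the CA may use any of them and prefers IPv6 when an AAAA exists.
"""
import ipaddress
import socket
import sys
import urllib.error
import urllib.request

ACME_PATH = "/.well-known/acme-challenge/"


def usable_for_validation(addr):
    """True if a CA on the public Internet could plausibly connect to addr.
    Rejects 0.0.0.0, ::, loopback, RFC 1918/ULA, link-local, documentation
    ranges and multicast (is_global alone admits multicast on some Python
    versions, so it is excluded explicitly)."""
    ip = ipaddress.ip_address(addr)
    return ip.is_global and not ip.is_multicast


def resolve(name):
    """Return {"A": [...], "AAAA": [...]} as seen by the local resolver.
    Caveat: this is what *this host* sees, not necessarily what the CA sees."""
    records = {"A": [], "AAAA": []}
    for family, rtype in ((socket.AF_INET, "A"), (socket.AF_INET6, "AAAA")):
        try:
            infos = socket.getaddrinfo(name, 80, family, socket.SOCK_STREAM)
        except socket.gaierror:
            continue  # no record of this type, or the lookup failed
        for info in infos:
            addr = info[4][0]
            if addr not in records[rtype]:
                records[rtype].append(addr)
    return records


def classify(records):
    """Split resolved addresses into (reachable, unreachable) lists."""
    good, bad = [], []
    for addrs in records.values():
        for addr in addrs:
            (good if usable_for_validation(addr) else bad).append(addr)
    return good, bad


def challenge_url(name, token):
    """The URL the CA requests for an http-01 challenge."""
    return "http://" + name + ACME_PATH + token


def fetch_challenge(name, addr, token, timeout=10.0):
    """GET the challenge file from one specific address, sending the real
    hostname in the Host header so each A/AAAA record is tested on its own.
    Returns (status_or_None, body_or_error)."""
    host = "[" + addr + "]" if ":" in addr else addr
    req = urllib.request.Request("http://" + host + ACME_PATH + token,
                                 headers={"Host": name})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(1024).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, str(err.reason)
    except (urllib.error.URLError, OSError) as err:
        return None, str(err)


def preflight(names, token):
    """Run all checks; True only if every name looks able to pass http-01."""
    ok = True
    for name in names:
        good, bad = classify(resolve(name))
        for addr in bad:
            print("[FAIL] %s -> %s is not a routable address "
                  "(the CA reports 'No valid IP addresses found')" % (name, addr))
            ok = False
        if not good:
            print("[FAIL] %s has no usable A/AAAA record" % name)
            ok = False
        for addr in good:
            status, body = fetch_challenge(name, addr, token)
            if status == 200 and body.strip():
                print("[ OK ] %s via %s: HTTP 200" % (name, addr))
            else:
                print("[FAIL] %s via %s: %s %s" % (name, addr, status, body[:80]))
                ok = False
    return ok


if __name__ == "__main__":
    # Made-up usage: ./acme_preflight.py 1234 example.com www.example.com
    if len(sys.argv) < 3:
        sys.exit("usage: %s TOKEN NAME [NAME ...]" % sys.argv[0])
    sys.exit(0 if preflight(sys.argv[2:], sys.argv[1]) else 1)
```

Run it with the same names you pass to the ACME client. A name whose record is 0.0.0.0 fails in step (2) before any HTTP request is made, which is the situation in this thread; a name that resolves fine but cannot be fetched over one of its addresses (typically the AAAA one) fails in step (3), which is the port 80 / firewall / webserver case described in #2.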


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.