CA marked some of the authorizations as invalid


#1

Dear Community!

I'm new to Let's Encrypt and am trying to sign my domain, and I have no idea what this output is trying to tell me or what actions I can take. I hope someone can shed some light on this.

Many thanks!

My domain is: international-flightcenter.com, www.international-flightcenter.com

I ran this command:
/app # ./letsencrypt_service

It produced this output:
/etc/nginx/certs/international-flightcenter.com /app
Creating/renewal international-flightcenter.com certificates... (international-flightcenter.com www.international-flightcenter.com)
2018-12-27 01:27:33,581:INFO:simp_le:1479: Generating new certificate private key
2018-12-27 01:27:39,309:ERROR:simp_le:1446: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Are all your domains accessible from the internet? Please check your domains’ DNS entries, your host’s network/firewall setup and your webserver config. If a domain’s DNS entry has both A and AAAA fields set up, some CAs such as Let’s Encrypt will perform the challenge validation over IPv6. If your DNS provider does not answer correctly to CAA records request, Let’s Encrypt won’t issue a certificate for your domain (see https://letsencrypt.org/docs/caa/). Failing authorizations: https://acme-v01.api.letsencrypt.org/acme/authz/hQ68TvQNReYzPk8z2MhfU3bBcQtQAt4ZXiXkWhTB16Y, https://acme-v01.api.letsencrypt.org/acme/authz/VMw7S1w21frhYkjn1AMCqWEHq4n3W6dakHqFGWivByI
Challenge validation has failed, see error log.

Debugging tips: -v improves output verbosity. Help is available under --help.
/app
Sleep for 3600s

My web server is (include version):
Server version: Apache/2.4.25 (Debian)
Server built: 2018-11-03T18:46:19

The operating system my web server runs on is (include version):
Linux 2d9fce6e0b15 4.15.0-1031-aws #33-Ubuntu SMP Fri Dec 7 09:32:27 UTC 2018 x86_64 GNU/Linux
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"

My hosting provider, if applicable, is: AWS. I'm running https://gilyes.com/docker-nginx-letsencrypt/ and have a dedicated apache2 container with the corresponding domains. Both containers share the cert NFS.

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

I have received a new folder with a JSON file in it but no certificates:
/etc/nginx/certs # ls -lsah
total 28K
4.0K drwxr-xr-x 4 root root 4.0K Dec 27 00:27 .
4.0K drwxr-xr-x 5 root root 4.0K Dec 26 22:51 ..
4.0K drwxr-xr-x 3 root root 4.0K Dec 27 00:27 accounts
4.0K -rw-r--r-- 1 root root 1.7K Dec 26 22:58 default.crt
4.0K -rw-r--r-- 1 root root 3.2K Dec 26 22:58 default.key
4.0K -rw-r--r-- 1 root root 424 Dec 26 22:58 dhparam.pem
4.0K drwxr-xr-x 2 root root 4.0K Dec 27 01:47 international-flightcenter.com


#2

The invalid authorization URLs seem to be saying they got “502 bad gateway” responses from your server. This usually means that a reverse proxy is unable to connect to something behind it. According to the page you linked, one of the docker containers you’re using is a reverse proxy, so maybe it’s somehow not correctly connected to the container behind it that’s supposed to be responding to the domain validation challenges?
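
Reading the failing authorization objects, as post #2 did, can be scripted. The following is an added example, not code from this thread or from simp_le: it pulls the failed challenge's error out of an authorization object and maps it to the checks the simp_le message lists. The sample JSON, `explain_authz` and the hint table are constructed for illustration; `validationRecord` and `addressUsed` are fields Let's Encrypt's server reports and are treated as optional here.

```python
import ipaddress
import json
import re

# Constructed sample shaped like an ACME authorization object (RFC 8555, 7.1.4).
# example.com, TOKEN and the address are placeholders, not data from this thread.
SAMPLE_AUTHZ = json.loads("""
{"identifier": {"type": "dns", "value": "example.com"},
 "status": "invalid",
 "challenges": [
   {"type": "dns-01", "status": "pending"},
   {"type": "http-01", "status": "invalid",
    "error": {"type": "urn:acme:error:unauthorized", "status": 403,
              "detail": "Invalid response from http://example.com/.well-known/acme-challenge/TOKEN: 502 Bad Gateway"},
    "validationRecord": [{"hostname": "example.com", "port": "80",
                          "addressUsed": "2001:db8::10"}]}]}
""")

# Hypothetical hint table: error text -> the checks the simp_le message suggests.
HINTS = [
    (re.compile(r"\b502\b|bad gateway", re.I),
     "reverse proxy could not reach the container behind it"),
    (re.compile(r"\b404\b|not found", re.I),
     "challenge file not served: check the webroot path"),
    (re.compile(r"timeout|refused", re.I),
     "port 80 unreachable: check firewall and DNS"),
]

def explain_authz(authz):
    """Return one finding per invalid challenge in an authorization object."""
    findings = []
    for ch in authz.get("challenges", []):
        if ch.get("status") != "invalid":
            continue
        detail = ch.get("error", {}).get("detail", "")
        text = re.sub(r"https?://\S+", "", detail)  # ignore digits inside the URL/token
        hint = next((h for rx, h in HINTS if rx.search(text)), "unrecognized; read the detail")
        addr = (ch.get("validationRecord") or [{}])[-1].get("addressUsed")
        findings.append({
            "domain": authz["identifier"]["value"],
            "challenge": ch.get("type"),
            "detail": detail,
            "hint": hint,
            # True when the CA connected over IPv6 (the AAAA case in the log text)
            "validated_over_ipv6": bool(addr) and ipaddress.ip_address(addr).version == 6,
        })
    return findings

if __name__ == "__main__":
    print(json.dumps(explain_authz(SAMPLE_AUTHZ), indent=2))
```
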

