Cannot create certificate on ec2


I’m having trouble creating a cert on EC2 with traefik.

Does anyone know of specific issues with Amazon limiting Let's Encrypt-specific requests so that they may have a connection problem, specifically the urn:ietf:params:acme:error:connection error?

I’ve posted in the traefik forum too, but haven’t gotten any insight. Please let me know if something jumps out at you :slight_smile:

ERRO[2020-06-23T06:10:04Z] Unable to obtain ACME certificate for domains "," : unable to generate a certificate for the domains []: error: one or more domains had a problem:
[] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching Connection refused, url:
[] failed to initiate challenge: acme: error: 400 :: POST :: :: urn:ietf:params:acme:error:malformed :: Unable to update challenge :: authorization must be pending, url:   providerName=mydomain-challenge.acme

Does this mean that traefik is not creating the challenge correctly?

Hi @pyramation

Not necessarily.
From the log you provided, it just means Let's Encrypt can't connect to your server, due to a closed / filtered port or whatever other reason, so they can't create the certificate.
Since you masked your domain, that's all I know.


So let’s encrypt cannot connect to the outside world from the ec2 box?

I just manually installed certbot, so I can test it without traefik… and it looks like "certbot doesn't know how to configure a server on this system".

ubuntu@ip-10-10-0-132:~/traefik$ sudo certbot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.

I just did a manual attempt via certbot certonly and got this:

   Type:   connection
   Detail: Fetching
   Connection refused

That error message, as described, means port 80 of your EC2 machine is either not open or blocked. It might be a security group setting, or a setting on your EC2 VM's firewall.
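A small check, added here as an example and not part of any post in this thread, that separates the two ways a validator can fail to reach port 80: a refused connection (the host answered with a TCP reset, so nothing is listening there or the host firewall rejects) versus a timeout (packets are dropped before they reach the host, which is what a security group with no inbound rule for the port does). The probe_http01 function and the local stand-in server are hypothetical constructions; the demo runs against localhost so it works offline.

```python
import http.server
import socket
import threading
import urllib.error
import urllib.request

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

def probe_http01(host, port=80, token="probe-token", timeout=5.0):
    """Classify what an ACME validator sees when fetching the HTTP-01 URL:
    "refused" = TCP RST, the host answered but nothing accepts on the port
    (no listener, or a host-firewall REJECT); "timeout" = no answer at all,
    which is how a security group lacking a port 80 rule behaves (it drops);
    "served" = HTTP 200 on the challenge path; "http:NNN" = other status."""
    try:
        socket.create_connection((host, port), timeout=timeout).close()
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore proxy env
    try:
        with opener.open(f"http://{host}:{port}{CHALLENGE_PREFIX}{token}", timeout=timeout) as resp:
            return "served" if resp.getcode() == 200 else f"http:{resp.getcode()}"
    except urllib.error.HTTPError as err:
        return f"http:{err.code}"

class _ChallengeHandler(http.server.BaseHTTPRequestHandler):  # constructed stand-in for the port 80 server
    def do_GET(self):
        if not self.path.startswith(CHALLENGE_PREFIX):
            return self.send_error(404)
        body = self.path[len(CHALLENGE_PREFIX):].encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args): pass  # silence per-request logging

def demo():
    # Probe a listening port and a port with nothing bound, both on localhost.
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), _ChallengeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    with socket.socket() as tmp:  # grab and release a port so connects to it get RST
        tmp.bind(("127.0.0.1", 0))
        closed_port = tmp.getsockname()[1]
    results = {"listening": probe_http01("127.0.0.1", srv.server_address[1]),
               "nothing_bound": probe_http01("127.0.0.1", closed_port)}
    srv.shutdown()
    srv.server_close()
    return results
```

Run probe_http01 against the public IP of the instance from outside AWS: "refused" points at the instance itself (no listener on 80, wrong traefik entrypoint, host firewall), while "timeout" points at the security group or network ACL.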


Thanks for helping out by the way :slight_smile:

Here’s a snapshot of the security group:

[screenshot of the EC2 security group]

Is it possible that Let's Encrypt (certbot) needs permission to open a privileged port?

80/443 are definitely open, and I’ve tested they work.



Before the last message I sent, ports 80 and 443 were closed, and now they're open.
Can you try to issue the certificates again? (You can try to issue with traefik.)

Thank you


Thanks again for your help. The ports were always open.

Seems like it's probably a traefik issue. I've also put an issue in with traefik as of two days ago, waiting to hear back :slight_smile:

