Cannot create certificate on ec2

pyramation · June 23, 2020, 11:48pm

Hello,

I’m having trouble creating a cert on EC2 with traefik.

Any one know of specific issues with Amazon limiting lets encrypt specific requests to they may have a connection problem, specifically with urn:ietf:params:acme:error:connection error?

I’ve posted in the traefik forum too, but haven’t gotten any insight. Please let me know if something jumps out at you

ERRO[2020-06-23T06:10:04Z] Unable to obtain ACME certificate for domains "admin.mydomain.org,services.mydomain.org" : unable to generate a certificate for the domains [admin.mydomain.org services.mydomain.org]: error: one or more domains had a problem:
[admin.mydomain.org] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://admin.mydomain.org/.well-known/acme-challenge/HpuYRG-QtAtJbO5BJKo31uSIYa-AVI_W9oPLiE7wizo: Connection refused, url:
[services.mydomain.org] failed to initiate challenge: acme: error: 400 :: POST :: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/67923807/C_bkXA :: urn:ietf:params:acme:error:malformed :: Unable to update challenge :: authorization must be pending, url:   providerName=mydomain-challenge.acme

pyramation · June 23, 2020, 11:49pm

Does this mean that traefik is not creating the challenge correctly?

stevenzhu · June 24, 2020, 12:14am

Hi @pyramation

Not necessarily.
From the log you provided, it just means Let's Encryt can't connect to your server due to closed / filtered or whatever reasons so they can't create the certificate.
Since you masked your domain, that's all i know.

pyramation · June 24, 2020, 12:20am

So let’s encrypt cannot connect to the outside world from the ec2 box?

I just manually installed cerbot, so I can test it without traefik… and looks like “certbot doesn’t know how to configure a server on this system”.

ubuntu@ip-10-10-0-132:~/traefik$ sudo certbot Saving debug log to /var/log/letsencrypt/letsencrypt.log Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.

pyramation · June 24, 2020, 12:25am

I just did a manual attempt via certbot certonly and got this:

   Domain: basehash.com
   Type:   connection
   Detail: Fetching
   http://basehash.com/.well-known/acme-challenge/WV-xG7sVbn1RP-FZieROJrYjndD8rHpwXKw5aLriDR0:
   Connection refused

stevenzhu · June 24, 2020, 12:30am

That error message, as it described means port 80 of your EC2 machine are either not open or blocked. It might be a security group settings, or a setting on your EC2 VM’s firewall.

pyramation · June 24, 2020, 12:52am

Thanks for helping out by the way

Here’s a snapshot of the security group:

Screen Shot 2020-06-23 at 5.51.05 PM

Is it possible that lets encrypt (certbot) needs permission to open a privileged port?

80/443 are definitely open, and I’ve tested they work.

stevenzhu · June 24, 2020, 1:21am

Hi,

Before the last message i send, the port 80 and 443 were closed and now it’s open.
Can you try to issue the certificates again? (You can try to issue with traeflk)

Thank you

pyramation · June 24, 2020, 1:38am

Thanks again for your help. The ports were always open.

Seems like it’s probably a traefik issue, I’ve also put an issue in with traefik as of two days ago, waiting to hear back

system · July 24, 2020, 1:39am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.