Cannot Issue Cert for one domain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ********

I ran this command: PFSENSE ISSUE

It produced this output:


Renewing certificate
account: test
server: letsencrypt-staging

/usr/local/pkg/acme/acme.sh --issue -d 'ipv4.**********.com' --home '/tmp/acme//' --accountconf '/tmp/acme//accountconf.conf' --force --reloadCmd '/tmp/acme//reloadcmd.sh' --webroot pfSenseacme --log-level 3 --log '/tmp/acme//acme_issuecert.log'

Array
(
[path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[ftpserver] => ********
[username] => poo
[password] => 039VGAu00er0!JlUQxfp5Ja!HO
[folder] => /lets
)
[Fri Jan 19 19:27:37 EST 2018] Single domain=‘
[Fri Jan 19 19:27:37 EST 2018] Getting domain auth token for each domain
[Fri Jan 19 19:27:37 EST 2018] Getting webroot for domain='

[Fri Jan 19 19:27:37 EST 2018] Getting new-authz for domain='
[Fri Jan 19 19:27:38 EST 2018] The new-authz request is ok.
[Fri Jan 19 19:27:38 EST 2018] Verifying:

[Fri Jan 19 19:27:38 EST 2018] Found domain http api file: /tmp/acme/********//httpapi/pfSenseacme.sh

challenge_response_put , ********
FOUND domainitemFTP
FTP Attempt Failed: Could not connect with to on port .
[Fri Jan 19 19:27:42 EST 2018] Found domain http api file: /tmp/acme/
//httpapi/pfSenseacme.sh
[Fri Jan 19 19:27:42 EST 2018] :Verify error:Invalid response from http:///.well-known/acme-challenge/R4PkVNcwsqDs0KBCtYGdBX_lD8CiXjs9L5BSKO4wGzs:
[Fri Jan 19 19:27:42 EST 2018] Please check log file for more details: /tmp/acme/********/acme_issuecert.log

My web server is (include version):UNK

The operating system my web server runs on is (include version): Synology Latest

My hosting provider, if applicable, is: Google

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): PFSENSE

I am still new to LE and from what I can tell it's erroring out with an HTTP error when I am trying to use FTP to validate ownership. HTTP is already in use on another server.

Hi @gadgetusaf, are you saying that you can’t make port 80 of your public IP address point at the server that you’re trying to get the certificate for?

Hi @schoen, I can, but I would have to switch the routing. Currently, port 80 is open to another server.

Well, the Let’s Encrypt CA is always going to connect to port 80 on your IP address. You can’t choose another port. If you want to do verification with an inbound connection, you’ll have to upload the challenge file to the other server (in the right location), or else change your configuration so inbound requests for at least http://yourname.example.com:80/.well-known/acme-challenge/ reach the server where the challenge file is kept. The CA does not offer validation over FTP or another protocol or port, although there is an option to perform the validation by changing your DNS records.

Switched to ftps from sftp.

I don’t really understand the nature and status of your problem at the moment. Could you clarify what’s going on and what you’re looking for?

Maybe a bit of “first principles” is in order. Before it will issue a certificate, Let’s Encrypt needs to validate that you own the hostname for which you’re seeking the cert. To do that, it needs to do one of two things: (1) be able to connect to http://requested_fqdn/.well-known/acme-challenge/randomfilename and see the correct contents, or (2) look for a DNS TXT record for _acme-challenge.fqdn, and see the correct contents. Let’s Encrypt doesn’t use FTP to validate; that’s a setup option in pfSense. If you’re using that option, the outcome needs to be that you can FTP the validation file to an appropriate host so that the first option above can be satisfied.
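The post above describes exactly what the CA does for HTTP-01: fetch `http://<fqdn>/.well-known/acme-challenge/<token>` on port 80 and compare the body with the key authorization it expects. The script below is an added example (not code from this thread, pfSense or acme.sh) that reproduces that fetch against a webroot so the check can be run before asking the CA, and it shows the two failure shapes seen in this thread: the file is not where the web server looks (HTTP 404) and nothing answers on the port (connect failed). The function names, the local test server on 127.0.0.1 and the `CONSTRUCTED-ACCOUNT-THUMBPRINT` suffix are assumptions of the example; a real key authorization is `<token>.<account key JWK thumbprint>`. The token string is the one visible in the log above.

```python
"""Added pre-flight check for HTTP-01 validation (example, not pfSense/acme.sh code).

Let's Encrypt validates HTTP-01 by fetching
    http://<fqdn>/.well-known/acme-challenge/<token>
on port 80 and comparing the body with the key authorization it expects.
This script reproduces that fetch so a webroot can be tested *before* the CA
is asked, and it shows what a missing file and a closed port look like.
Function names and the local test server are assumptions of this example.
"""
import functools
import http.server
import os
import socket
import tempfile
import threading
import urllib.error
import urllib.request

CHALLENGE_PATH = "/.well-known/acme-challenge/"


def challenge_url(fqdn, token, port=80):
    """URL the CA requests for an HTTP-01 challenge (port 80; overridable only for local tests)."""
    host = fqdn if port == 80 else f"{fqdn}:{port}"
    return f"http://{host}{CHALLENGE_PATH}{token}"


def dns_challenge_name(fqdn):
    """Owner name of the TXT record a DNS-01 challenge is published under."""
    return f"_acme-challenge.{fqdn}"


def check_http_challenge(fqdn, token, expected_body, port=80, timeout=5):
    """Fetch the challenge URL the way the CA does; return (ok, reason)."""
    url = challenge_url(fqdn, token, port)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace").strip()
    except urllib.error.HTTPError as exc:            # server answered, but not 200
        return False, f"HTTP {exc.code}"
    except (urllib.error.URLError, OSError) as exc:  # nothing reachable on that host:port
        return False, f"connect failed: {getattr(exc, 'reason', exc)}"
    if body != expected_body:
        return False, "invalid response body"
    return True, "ok"


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    """Static file handler that does not log every request to stderr."""

    def log_message(self, *args):
        pass


def serve_webroot(webroot):
    """Serve a directory on 127.0.0.1 at an ephemeral port; returns (server, port)."""
    handler = functools.partial(_QuietHandler, directory=webroot)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def _free_port():
    """A port with no listener, used to demonstrate the 'connect failed' case."""
    with socket.socket() as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


def run_demo():
    """Constructed scenario: good file, file not uploaded, closed port. Returns the three results."""
    token = "R4PkVNcwsqDs0KBCtYGdBX_lD8CiXjs9L5BSKO4wGzs"  # token from the thread's log
    key_authz = token + ".CONSTRUCTED-ACCOUNT-THUMBPRINT"   # placeholder for token.<JWK thumbprint>
    with tempfile.TemporaryDirectory() as webroot:
        chal_dir = os.path.join(webroot, *CHALLENGE_PATH.strip("/").split("/"))
        os.makedirs(chal_dir)
        with open(os.path.join(chal_dir, token), "w") as fh:
            fh.write(key_authz)
        server, port = serve_webroot(webroot)
        try:
            good = check_http_challenge("127.0.0.1", token, key_authz, port=port)
            missing = check_http_challenge("127.0.0.1", "not-uploaded", key_authz, port=port)
        finally:
            server.shutdown()
            server.server_close()
    closed = check_http_challenge("127.0.0.1", token, key_authz, port=_free_port())
    return good, missing, closed


if __name__ == "__main__":
    for label, result in zip(("good", "missing", "closed"), run_demo()):
        print(f"{label}: {result}")
```

Against a real host, call `check_http_challenge("ipv4.example.com", token, key_authz)` with the default port from a machine outside your network: the CA connects from the public Internet, so a check that passes from the LAN but fails from outside points at the firewall or port-forward, which is the situation described earlier in this thread.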

I got it working with sftp this afternoon; I have one domain that would validate via ftp only. Once I had made the change and opened port 22 in the firewall, everything started working.
