Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: chambersign.demo.bpm.devcode.se
I ran this command: Not sure. Default settings in wacs client.
Create new certificate using IIS bindings, serving challenge from memory I think
It produced this output:
[DBUG] Scanning IIS bindings for hosts
[VERB] 14 named bindings found in IIS
[DBUG] Filtering based on binding type
[DBUG] Filtering by site(s) [13]
[VERB] 1 bindings remaining after site filter
[VERB] No host filter applied
[VERB] 1 matching binding found
[DBUG] Scanning IIS sites
[VERB] Targeted convert into 1 order(s)
[VERB] Checking [IIS] ChamberSign.Demo.bpm.devcode.se, (any host)
[VERB] Handle order 1/1: Main
[DBUG] Refreshing cached order
[DBUG] Refreshing order...
[DBUG] Send POST to https://acme-v02.api.letsencrypt.org/acme/order/358883850/68684420460
[VERB] Request completed with status OK
[WARN] Cached order has status invalid, discarding
[VERB] Creating order for hosts: ["DnsName: chambersign.demo.bpm.devcode.se"]
[DBUG] Send POST to https://acme-v02.api.letsencrypt.org/acme/new-order
[VERB] Request completed with status Created
[VERB] Order https://acme-v02.api.letsencrypt.org/acme/order/358883850/68684519290 created
[DBUG] Send POST to https://acme-v02.api.letsencrypt.org/acme/authz-v3/84242917090
[VERB] Request completed with status OK
[VERB] Handle authorization 1/1
[INFO] [chambersign.demo.bpm.devcode.se] Authorizing...
[VERB] [chambersign.demo.bpm.devcode.se] Initial authorization status: pending
[VERB] [chambersign.demo.bpm.devcode.se] Challenge types available: ["http-01", "dns-01", "tls-alpn-01"]
[VERB] [chambersign.demo.bpm.devcode.se] Initial challenge status: pending
[INFO] [chambersign.demo.bpm.devcode.se] Authorizing using http-01 validation (SelfHosting)
[VERB] Starting commit stage
[VERB] Commit was succesful
[DBUG] [chambersign.demo.bpm.devcode.se] Submitting challenge answer
[DBUG] Send POST to https://acme-v02.api.letsencrypt.org/acme/chall-v3/84242917090/qlUBKA
[VERB] Request completed with status OK
[VERB] SelfHosting plugin serving file /.well-known/acme-challenge/fdDjVFT3710UDsUo3UkIWNpbX3fFg3OwVa0WdLaPmfs
[DBUG] Refreshing authorization (1/15)
[DBUG] Send POST to https://acme-v02.api.letsencrypt.org/acme/chall-v3/84242917090/qlUBKA
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (2/15)
[DBUG] Send POST to https://acme-v02.api.letsencrypt.org/acme/chall-v3/84242917090/qlUBKA
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (3/15)
[DBUG] Send POST to https://acme-v02.api.letsencrypt.org/acme/chall-v3/84242917090/qlUBKA
[VERB] Request completed with status OK
[EROR] [chambersign.demo.bpm.devcode.se] Authorization result: invalid
[EROR] [chambersign.demo.bpm.devcode.se] {
"type": "urn:ietf:params:acme:error:connection",
"detail": "Fetching http://chambersign.demo.bpm.devcode.se/.well-known/acme-challenge/fdDjVFT3710UDsUo3UkIWNpbX3fFg3OwVa0WdLaPmfs: Timeout during connect (likely firewall problem)",
"status": 400
}
[VERB] Starting post-validation cleanup
My web server is (include version): IIS 10.0.177763.1
The operating system my web server runs on is (include version): Windows Server 2019
My hosting provider, if applicable, is: ElastX
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): wacs version 2.1.20.1185
I might add that the same server where this validation failure is taking place is currently successfully hosting web sites on other domains, both HTTP on port 80 and HTTPS on port 443, so the firewall shouldn't be the problem.
I get the same response as you do if I include the ':' character at the end (clicking the link in your response gives that response; my result was from copy-pasting the link excluding the last ':').
"Are you sure your firewall is not filtering stuff geographically"
That is not something I have heard of. The firewall is handled using OpenStack hosting configuration rules. From what I can see in the cloud provider's dashboard, it is allowing ports 80 and 443 globally.
"So you are not blocking any country or subnets, like datacenters and the like?"
No, not on any level I have control over. Let's Encrypt has been working flawlessly on the same server in recent days. I am not aware of any changes made to our environment recently.
So what I'm reading out of your response/questions and the error message itself is that one or more servers used by Let's Encrypt in the validation process are unable to reach our server at 185.141.30.211 (on port 80 and/or 443)?
The domain was changed on our end about 4 hours ago (TTL for the wildcard is/was 3600 seconds), from only having a wildcard *.demo.bpm.devcode.se pointing to some other IP to also having a specific A record for chambersign.demo.bpm.devcode.se pointing to the currently used IP 185.141.30.211.
Maybe there is some kind of delay in the DNS updates?
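An added diagnostic for the two hypotheses above (stale DNS versus a connect timeout), not from this thread or from win-acme: it does what the CA's validators do, resolve the name and GET the challenge URL over plain HTTP, and classifies the outcome. The resolver and fetcher are injectable so the classification can be exercised with constructed results; the token and key authorization values are assumptions.

```python
import socket
import urllib.error
import urllib.request
from dataclasses import dataclass

CHALLENGE_PATH = "/.well-known/acme-challenge/"


@dataclass
class Diagnosis:
    # dns_failure | dns_mismatch | connect_timeout | unreachable | http_error | wrong_body | ok
    category: str
    detail: str


def resolve_ipv4(host):
    """IPv4 addresses the local resolver returns for host (validators do their own lookups)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, 80, socket.AF_INET)})


def fetch_challenge(host, token, timeout=10.0):
    """GET the challenge URL; http-01 is defined over plain HTTP on port 80."""
    url = f"http://{host}{CHALLENGE_PATH}{token}"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.status, resp.read().decode("ascii", "replace").strip()


def diagnose(host, expected_ip, token, key_authorization,
             resolve=resolve_ipv4, fetch=fetch_challenge):
    """Classify the likely cause of a failed http-01 validation for host."""
    try:
        ips = resolve(host)
    except OSError as exc:
        return Diagnosis("dns_failure", f"{host}: {exc}")
    if expected_ip not in ips:
        # A cached wildcard/A record (TTL not yet expired) still sends validators to the old IP.
        return Diagnosis("dns_mismatch", f"{host} resolves to {ips}, expected {expected_ip}")
    try:
        status, body = fetch(host, token)
    except urllib.error.HTTPError as exc:
        return Diagnosis("http_error", f"HTTP {exc.code} for {token}")
    except (TimeoutError, socket.timeout):
        return Diagnosis("connect_timeout", f"timeout reaching {host}:80 (firewall or routing)")
    except urllib.error.URLError as exc:
        if isinstance(exc.reason, (TimeoutError, socket.timeout)):
            return Diagnosis("connect_timeout", f"timeout reaching {host}:80 (firewall or routing)")
        return Diagnosis("unreachable", f"{host}:80: {exc.reason}")
    if status != 200:
        return Diagnosis("http_error", f"HTTP {status} for {token}")
    if body != key_authorization:
        return Diagnosis("wrong_body", "served content is not the expected key authorization")
    return Diagnosis("ok", f"{host} serves {token} from {expected_ip}")
```

Run it from a host outside the provider's network; a `dns_mismatch` from there while the local resolver already returns the new IP points at TTL caching rather than the firewall.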
I see a similar error on another of our servers (usually everything works just fine on this server too)
[DBUG] Scanning IIS site bindings for hosts
[VERB] 86 named bindings found in IIS
[DBUG] Filtering by site(s) [86]
[VERB] 1 bindings remaining after site filter
[VERB] No host filter applied
[VERB] 1 matching binding found
[DBUG] Scanning IIS sites
[VERB] Targeted convert into 1 order(s)
[VERB] Checking [IIS] ssm.accept.bpm.devcode.se, (any host)
[VERB] Handle order 1/1: Main
[VERB] Creating order for hosts: ["ssm.accept.bpm.devcode.se"]
[VERB] Loading ACME account signer...
[DBUG] Loading signer from C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Signer_v2
[VERB] Constructing ACME protocol client...
[DBUG] Send GET request to https://acme-v02.api.letsencrypt.org/directory
[VERB] Request completed with status OK
[DBUG] Send HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce
[VERB] Request completed with status OK
[VERB] Loading ACME account
[DBUG] Loading account information from C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Registration_v2
[VERB] ACME client initialized
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/new-order
[VERB] Request completed with status Created
[VERB] Order https://acme-v02.api.letsencrypt.org/acme/order/323659640/68712101090 created
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/84275820590
[VERB] Request completed with status OK
[VERB] Handle authorization 1/1
[INFO] [ssm.accept.bpm.devcode.se] Authorizing...
[VERB] [ssm.accept.bpm.devcode.se] Initial authorization status: pending
[VERB] [ssm.accept.bpm.devcode.se] Challenge types available: ["http-01", "dns-01", "tls-alpn-01"]
[VERB] [ssm.accept.bpm.devcode.se] Initial challenge status: pending
[INFO] [ssm.accept.bpm.devcode.se] Authorizing using http-01 validation (SelfHosting)
[VERB] Starting commit stage
[VERB] Commit was succesful
[DBUG] [ssm.accept.bpm.devcode.se] Submitting challenge answer
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/84275820590/lJU_dw
[VERB] Request completed with status OK
[VERB] SelfHosting plugin serving file /.well-known/acme-challenge/wqBMvgFMZleT5N0aSwB6IJMl9oXpAFwHDn41clKryRw
[DBUG] Refreshing authorization (1/15)
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/84275820590/lJU_dw
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (2/15)
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/84275820590/lJU_dw
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (3/15)
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/84275820590/lJU_dw
[VERB] Request completed with status OK
[EROR] [ssm.accept.bpm.devcode.se] Authorization result: invalid
[EROR] [ssm.accept.bpm.devcode.se] {
"type": "urn:ietf:params:acme:error:connection",
"detail": "Fetching http://ssm.accept.bpm.devcode.se/.well-known/acme-challenge/wqBMvgFMZleT5N0aSwB6IJMl9oXpAFwHDn41clKryRw: Timeout during connect (likely firewall problem)",
"status": 400
}
You should speak with whoever is managing your firewalls. Even if it's not blocking it intentionally, they might have some logs that can illuminate the issue.
Not sure what to make of that really. Something problematic with DNS at devcode.se level?
We received a response from the cloud provider that they had received similar issues from other sources, which they are looking into. They could see no immediate networking errors but would continue to look into possible DDoSes.