Can't generate production certs

I'm successful generating staging certs, but when I remove the certs and change to the production directory CA="https://acme-v02.api.letsencrypt.org/directory" and execute /usr/bin/dehydrated -c I receive the challenge invalid error and it times out.

Below is the status from the staging directory CA="https://acme-stagging-v02.api.letsencrypt.org/directory"

processing gregofamily.org with alternative names: www.gregofamily.org

  • Creating new directory /etc/dehydrated/certs/gregofamily.org …
  • Signing domains…
  • Generating private key…
  • Generating signing request…
  • Requesting new certificate order from CA…
  • Received 2 authorizations URLs from the CA
  • Handling authorization for gregofamily.org
  • Handling authorization for www.gregofamily.org
  • 2 pending challenge(s)
  • Deploying challenge tokens…
  • Responding to challenge for gregofamily.org authorization…
  • Challenge is valid!
  • Responding to challenge for www.gregofamily.org authorization…
  • Challenge is valid!
  • Cleaning challenge tokens…
  • Requesting certificate…
  • Checking certificate…
  • Done!
  • Creating fullchain.pem…
  • Done!

My domain is: gregofamily.org www.gregofamily.org

I ran this command: /usr/bin/dehydrated -c

It produced this output:

This is the output from the production directory CA="https://acme-v02.api.letsencrypt.org/directory"

ERROR: Challenge is invalid! (returned: invalid) (result: {
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:connection",
"detail": "Fetching https://www.gregofamily.org/.well-known/acme-challenge/8lHN_OPPX1W9mrGMNh_N98oCeMQT_StwjCY3IlTfaks: Timeout during connect (likely firewall problem)",
"status": 400

My web server is (include version): apache 2.4

The operating system my web server runs on is (include version): slackware current

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): dehydrated 0.6.5

1 Like

It is difficult to say with certainty, but I would not rule out:

  • staging environment is using a previously (cached) approved authorization.
  • LE prefers IPv6 when available; your name has IPv4 and IPv6 and there is a problem with IPv6.

I can’t test nor prove presumption #1, but for #2:

[IPv4 WORKS]
curl -Iki4 http://www.gregofamily.org/
HTTP/1.1 301 Moved Permanently
Date: Sun, 02 Feb 2020 03:38:07 GMT
Server: Apache/2.4.41 (Unix) OpenSSL/1.1.1d PHP/7.3.12
Location: https://www.gregofamily.org/
Content-Type: text/html; charset=iso-8859-1

[IPv6 FAILS]
curl -Iki6 http://www.gregofamily.org/
curl: (7) Failed to connect to www.gregofamily.org port 80: No route to host

[added note: HTTPS via IPv6 also FAILS - routing issue]
curl -Iki6 https://www.gregofamily.org/
curl: (7) Failed to connect to www.gregofamily.org port 443: No route to host

2 Likes
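The dual-stack check from the reply above, generalised to every published A/AAAA address, as an added example that is not part of the original thread. The function names and the sample resolver/connector (documentation addresses 192.0.2.10 and 2001:db8::10) are constructed for illustration; call `probe_families("your.host")` with the defaults for a live check.

```python
import socket

def probe_families(host, port=80, timeout=5.0,
                   resolve=socket.getaddrinfo, connect=socket.create_connection):
    """TCP-connect to every A/AAAA address of host; resolve/connect are injectable."""
    names = {socket.AF_INET: "IPv4", socket.AF_INET6: "IPv6"}
    results = {"IPv4": [], "IPv6": []}
    try:
        infos = resolve(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return results  # name does not resolve: nothing published
    seen = set()
    for family, _type, _proto, _canon, sockaddr in infos:
        addr = sockaddr[0]
        if family not in names or addr in seen:
            continue
        seen.add(addr)
        try:
            connect((addr, port), timeout).close()
            results[names[family]].append((addr, True, ""))
        except OSError as exc:  # timeout, refused, no route to host, ...
            results[names[family]].append((addr, False, str(exc)))
    return results

def unreachable_families(results):
    """Families that publish addresses in DNS but where none accepts a connection."""
    return [fam for fam, rows in results.items()
            if rows and not any(ok for _addr, ok, _err in rows)]

# Constructed sample data: a dual-stack name whose IPv6 address has no route.
def sample_resolve(host, port, type=0):
    return [(socket.AF_INET, type, 6, "", ("192.0.2.10", port)),
            (socket.AF_INET6, type, 6, "", ("2001:db8::10", port, 0, 0))]

def sample_connect(address, timeout):
    if ":" in address[0]:
        raise OSError(113, "No route to host")
    return socket.socket()  # stand-in for a connected socket

if __name__ == "__main__":
    res = probe_families("www.example.org", resolve=sample_resolve, connect=sample_connect)
    for fam, rows in res.items():
        for addr, ok, err in rows:
            print(f"{fam} {addr}: {'ok' if ok else 'FAIL ' + err}")
    print("published but unreachable:", unreachable_families(res))
```

A family listed as published but unreachable means either the route or firewall for that family needs fixing or the DNS record should be withdrawn before requesting the certificate.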

Hey RG305, I recreated the exact steps on how I managed to produce the staging certs. When I deleted the staging cert to produce the production certs I forgot to turn off the Apache SSL engine. Once I turned it off, the production certs for gregofamily.org and www.gregofamily.org were both created successfully.

I don’t understand how ip6 fails. I’m pretty sure I have it turned on everywhere. Anyway, thanks for your quick response.

Sincerely, dave g.

3 Likes