Can't request certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: jabber.otr.im (https://crt.sh/?q=jabber.otr.im)

I ran this command: After a migration of a server from one provider to the other, I'm no longer able to renew any certificates, both with certbot nor with acme.sh

It produced this output:

root@jabber:/var/log/nginx# certbot --dry-run certonly --nginx --agree-tos -m drwhax@riseup.net --webroot-path /var/www/html/ -d jabber.otr.im
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for jabber.otr.im
Waiting for verification...
Challenge failed for domain jabber.otr.im
http-01 challenge for jabber.otr.im
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: jabber.otr.im
   Type:   connection
   Detail: Fetching
   http://jabber.otr.im/.well-known/acme-challenge/tUSJfx-vYdYcdWnAGae8bOs78WLBJ1Iwnd77c4Y2ccw:
   Timeout during connect (likely firewall problem)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

Somehow, there's a 200, so the "not being able to reach" part doesn't seem true.

root@jabber:/var/log/nginx# grep -re tUSJfx-vYdYcdWnAGae8bOs78WLBJ1Iwnd77c4Y2ccw
access.log:52.58.118.98 - - [19/Jan/2021:18:51:13 +0000] "GET /.well-known/acme-challenge/tUSJfx-vYdYcdWnAGae8bOs78WLBJ1Iwnd77c4Y2ccw HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

My web server is (include version): I've tried with nginx, apache2 and with the standalone webserver

You'd think I run a firewall; however...

root@jabber:/var/log/nginx# iptables -vn -L
Chain INPUT (policy ACCEPT 432K packets, 160M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 411K packets, 118M bytes)
 pkts bytes target     prot opt in     out     source               destination         

The operating system my web server runs on is (include version):

ii  nginx                          1.18.0-0ubuntu1                    all          small, powerful, scalable web/proxy server
ii  nginx-common                   1.18.0-0ubuntu1                    all          small, powerful, scalable web/proxy server - common files
ii  nginx-core                     1.18.0-0ubuntu1                    amd64        nginx web/proxy server (standard version)

My hosting provider, if applicable, is: Eclips.is

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 0.40.0, on ubuntu focal.

1 Like
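The single 200 in access.log and the "Timeout during connect" verdict are not contradictory: Let's Encrypt fetches the challenge from more than one network vantage point, and the log only records the validators that got through. The script below is an added example (not from this thread, certbot or Let's Encrypt) that parses nginx access-log lines, groups acme-challenge fetches by token and flags tokens that were served a non-200 status or reached from fewer validator addresses than expected. Apart from the one log line quoted above, the sample lines and the minimum number of vantage points are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in nginx "combined" format. Line 1 is the hit quoted in the
# thread; the others are invented (RFC 5737 test addresses) to exercise the checks.
SAMPLE_LOG = """\
52.58.118.98 - - [19/Jan/2021:18:51:13 +0000] "GET /.well-known/acme-challenge/tUSJfx-vYdYcdWnAGae8bOs78WLBJ1Iwnd77c4Y2ccw HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
203.0.113.7 - - [19/Jan/2021:18:51:20 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "curl/7.68.0"
198.51.100.23 - - [19/Jan/2021:18:52:01 +0000] "GET /.well-known/acme-challenge/EXAMPLETOKEN HTTP/1.1" 404 153 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
192.0.2.9 - - [19/Jan/2021:18:52:02 +0000] "GET /.well-known/acme-challenge/EXAMPLETOKEN HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

def challenge_hits(log_text):
    """Map each challenge token to the list of (client_ip, status) that fetched it."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("path").startswith(CHALLENGE_PREFIX):
            token = m.group("path")[len(CHALLENGE_PREFIX):]
            hits[token].append((m.group("ip"), int(m.group("status"))))
    return dict(hits)

def diagnose(hits, min_vantage_points=2):
    """Classify each token. min_vantage_points is an assumed threshold: Let's Encrypt
    validates from several vantage points, so fewer distinct client IPs than that
    suggests some validators never reached the server (a routing/firewall problem,
    not a webroot problem)."""
    report = {}
    for token, entries in hits.items():
        ips = sorted({ip for ip, _ in entries})
        bad = [(ip, st) for ip, st in entries if st != 200]
        if bad:
            verdict = "wrong-status"      # file missing or server misconfigured
        elif len(ips) < min_vantage_points:
            verdict = "partial-reach"     # content fine, some validators timed out
        else:
            verdict = "ok"
        report[token] = (verdict, ips, bad)
    return report

if __name__ == "__main__":
    for token, (verdict, ips, bad) in diagnose(challenge_hits(SAMPLE_LOG)).items():
        print(f"{token[:12]}... {verdict}: seen from {ips}; non-200 hits: {bad}")
```

Run it against the real access.log by replacing SAMPLE_LOG with the file contents; a "partial-reach" verdict on a token that certbot reported as a timeout points at reachability from some regions rather than at the webroot.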

Jo @jabber.otr.im, there is your job: Letsencrypt can't check your domain, so it's impossible to validate your domain.

But:

http://jabber.otr.im/.well-known/acme-challenge/fMRSvBWjuPEsMmhfpezbkyEwVUYYmCzhIFdO-D6-tjM

works, I can open that url in my browser. Looks like you have a regional firewall that blocks. Open / remove that firewall / .htaccess / something else.

2 Likes

Hey! Thanks for replying. I edited my post to clarify that I don't have any iptables or firewall running, nor is my provider running one upstream anymore. I have confirmed that with them today.

So I'm not sure what else I can test. I have verified that I'm able to access a test file located here: http://jabber.otr.im/.well-known/acme-challenge/test

What I find strange is that in my nginx log file (access.log) I'm able to verify that I see a 200 request from a Let's Encrypt IP address.

I would be grateful for any additional advice someone can give me, as I'm confused.

Thanks!

2 Likes

If Letsencrypt sees that result (Timeout) and if I can load your site, you have something that blocks.

You have to find and remove that.

PS: There you see the problem. A regional filter.

And curious: Berlin is red, but my connection from Berlin can connect to your domain (may be a different ISP).

2 Likes

Hm! curious, wondering what's happening here.

I kind of confirm what you mentioned. I was suspecting something like this, so I went ahead and did a test using RIPE's Atlas probe: https://atlas.ripe.net/frames/measurements/28761020/#!probes (2 probes didn't manage to connect). I have another request scheduled: https://atlas.ripe.net/measurements/28762900/#probes

Thanks very much, will ask my provider if they can provide any insight into what's going on. Thanks very much for the assistance in this!

4 Likes

While we wait for an answer on that...
I'm a bit curious about what you're trying to accomplish with this command:

[I removed the irrelevant stuff and wrapped it around and reordered them for easier reading and added comments]

You should see that:

  1. If executed as requested, things would conflict and --nginx is being left with nothing to do.
  2. The --webroot parameter is missing half of the required parameters and might not be used at all.

In short, it's not (capable of) doing what you are asking it to do.
So...
What do you want it to do?

2 Likes

Following up with @rg305's observations, once you have managed to address what @JuergenAuer has discussed, you would probably be better off using this command to test:

certbot certonly --nginx -d "jabber.otr.im" --dry-run

1 Like

@JuergenAuer

Just as an observation, but did you notice this weirdness? The nginx installer got selected when using certonly!?

Maybe a certbot 0.40.0 oddity given the confusing parameters?

1 Like

And the webroot authentication is overlooked as it wasn't used completely/correctly.

This looks like it was full --nginx at some point (originally maybe).
Then adjusted when the cert didn't need to be installed: certonly
Then augmented when an authentication problem arose and tried using: --webroot-path (to overcome it)
Then added...
Then tried...

Thus my question:

Right now.
Forget what it did, or can do, or should do, or didn't do.
What exactly do you want it to do right now?

2 Likes

Hey all, it was indeed a routing issue at the provider, they fixed it today and I have now a new certificate!

The webroot or the double dry-run wasn't the problem :wink:

Thanks all!

3 Likes

Ah, thanks, good to know. Thanks for reporting back :+1:

Yep, the output of uptrends looked too curious.

4 Likes
