Certbot challenge fails

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: voigtstr.com

I ran this command: sudo certbot renew --dry-run
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/minecraft.voigtstr.com.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for minecraft.voigtstr.com
Waiting for verification...
Challenge failed for domain minecraft.voigtstr.com
http-01 challenge for minecraft.voigtstr.com
Cleaning up challenges
Attempting to renew cert (minecraft.voigtstr.com) from /etc/letsencrypt/renewal/minecraft.voigtstr.com.conf produced an unexpected error: Some challenges have failed.. Skipping.


Processing /etc/letsencrypt/renewal/music.voigtstr.com.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for music.voigtstr.com
Waiting for verification...
Challenge failed for domain music.voigtstr.com
http-01 challenge for music.voigtstr.com
Cleaning up challenges
Attempting to renew cert (music.voigtstr.com) from /etc/letsencrypt/renewal/music.voigtstr.com.conf produced an unexpected error: Some challenges have failed.. Skipping.


Processing /etc/letsencrypt/renewal/voigtstr.com.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for voigtstr.com
http-01 challenge for www.voigtstr.com
Waiting for verification...
Challenge failed for domain voigtstr.com
Challenge failed for domain www.voigtstr.com
http-01 challenge for voigtstr.com
http-01 challenge for www.voigtstr.com
Cleaning up challenges
Attempting to renew cert (voigtstr.com) from /etc/letsencrypt/renewal/voigtstr.com.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/minecraft.voigtstr.com/fullchain.pem (failure)
/etc/letsencrypt/live/music.voigtstr.com/fullchain.pem (failure)
/etc/letsencrypt/live/voigtstr.com/fullchain.pem (failure)


** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/minecraft.voigtstr.com/fullchain.pem (failure)
/etc/letsencrypt/live/music.voigtstr.com/fullchain.pem (failure)
/etc/letsencrypt/live/voigtstr.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)


3 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: minecraft.voigtstr.com
    Type: connection
    Detail: Fetching
    http://minecraft.voigtstr.com/.well-known/acme-challenge/6DyXMRsfiGLE71-CGfMec7LXCugBLcYAD_EzY5JBfl0:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

  • The following errors were reported by the server:

    Domain: music.voigtstr.com
    Type: connection
    Detail: Fetching
    http://music.voigtstr.com/.well-known/acme-challenge/oyhrnFULPJul7zcxL6jTHLyWiKv8BSBh20QDNoe71TE:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

  • The following errors were reported by the server:

    Domain: voigtstr.com
    Type: connection
    Detail: Fetching
    http://voigtstr.com/.well-known/acme-challenge/3EIVpOR-2C_elNq4g1CMaWKHujRCHoODqdvcjCqgjMA:
    Timeout during connect (likely firewall problem)

    Domain: www.voigtstr.com
    Type: connection
    Detail: Fetching
    http://www.voigtstr.com/.well-known/acme-challenge/vl-mmrcb4He7-DwvHvu-_DzT6N-MO-BT9hHFPVXmud8:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version):
Server version: Apache/2.4.41 (Ubuntu)
Server built: 2022-01-05T14:49:56

The operating system my web server runs on is (include version):
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.3 LTS
Release: 20.04
Codename: focal

My hosting provider, if applicable, is: self hosted

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot)
certbot 0.40.0

A bit of background. I had the system working fine when I was on a static IP. We have since moved house and I'm now on a dynamic IP but have a dedicated IP through PUREVPN which is connected through PPTP. I've opened ports 80,465,587,443,143,993 so far on PUREVPN's portal and in my Asus router (although if data is coming through the PPTP tunnel then I probably just need the vpn ports open?)

What do I need to run next in terms of troubleshooting?

Cheers,
Simon

Welcome @voigtstr

First, make sure the public DNS has the right IP. It is currently set to 172.94.99.1

Second, use this site to help test changes you make. It uses some of the same techniques the Let's Encrypt server is using. Failures are fairly well explained.

2 Likes

Hi Mike,
I'm using a company called melbourneit for DNS and on their portal I have 172.94.99.1 against the A records for voigtstr.com. and subdomains www,mail,minecraft,music,server1

Pinging voigtstr.com returns the same IP address. Pings are in the vicinity of 600ms due to geostationary satellite.

Let's Debug is showing the correct IP.

172.94.99.1 is the dedicated IP provided by PureVPN over PPTP which currently says it's connected.

Ubuntu firewall has:

voigtstr@voigtstr-VirtualBox:~$ sudo ufw status
[sudo] password for voigtstr:
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Apache Full                ALLOW       Anywhere
20/tcp                     ALLOW       Anywhere
21/tcp                     ALLOW       Anywhere
40000:50000/tcp            ALLOW       Anywhere
990/tcp                    ALLOW       Anywhere
25565                      ALLOW       Anywhere
Anywhere                   ALLOW       172.94.99.1/gre
OpenSSH (v6)               ALLOW       Anywhere (v6)
Apache Full (v6)           ALLOW       Anywhere (v6)
20/tcp (v6)                ALLOW       Anywhere (v6)
21/tcp (v6)                ALLOW       Anywhere (v6)
40000:50000/tcp (v6)       ALLOW       Anywhere (v6)
990/tcp (v6)               ALLOW       Anywhere (v6)
25565 (v6)                 ALLOW       Anywhere (v6)

The Apache Full line would be opening 80 and 443 wouldn't it?

Cheers,
Simon

The only ports I see open at that IP are:

443/tcp  open  https
1723/tcp open  pptp

Consequently, requests to http time out but https connects. The cert sent does not have the domain names you show here but the connection succeeds. See the result here and note the names in the SAN list:

Best to use curl rather than ping such as: curl -I http://voigtstr.com

2 Likes

Actually just noticed that my ip address for the unix box at the end of the PPTP tunnel is 172.94.99.246

I'll disconnect and reconnect the pptp tunnel and see if I get the same address, and if I do I'll add that to the DNS portal and after propagation test letsdebug again

Cheers,
Simon

172.94.99.1 was the gateway for PPTP

Sounds good. These are useful commands too:

curl -4 ifconfig.co
curl -6 ifconfig.co

Will show the machine's public IP for both IPv4 and IPv6, if present.
Cheers

2 Likes

Then this is a fail:

and might better be set to:

That IP responds with:

curl -Ii 172.94.99.246
HTTP/1.1 200 OK
Date: Mon, 24 Jan 2022 05:24:19 GMT
Server: Apache/2.4.41 (Ubuntu)            <<<<<<<<<<<<<<<<<<<<<<<<<<
Last-Modified: Wed, 14 Jul 2021 22:44:06 GMT
ETag: "876-5c71d178881aa"
Accept-Ranges: bytes
Content-Length: 2166
Vary: Accept-Encoding
Content-Type: text/html

Which matches:

1 Like

from a separate machine:
simonvoigt###acBook-Pro ~ % host voigtstr.com
voigtstr.com has address 172.94.99.246
voigtstr.com mail is handled by 1 mail.voigtstr.com.

back on ubuntu:
voigtstr@voigtstr-VirtualBox:~$ curl -4 ifconfig.co
172.94.99.246

Let's Debug says
ANotWorking
ERROR
voigtstr.com has an A (IPv4) record (172.94.99.246) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.
A timeout was experienced while communicating with voigtstr.com/172.94.99.246: Get "https://voigtstr.com/.well-known/acme-challenge/letsdebug-test": context deadline exceeded

Trace:
0ms: Making a request to http://voigtstr.com/.well-known/acme-challenge/letsdebug-test (using initial IP 172.94.99.246)
0ms: Dialing 172.94.99.246
1741ms: Server response: HTTP 301 Moved Permanently
1741ms: Received redirect to https://voigtstr.com/.well-known/acme-challenge/letsdebug-test
1741ms: Dialing 172.94.99.246
10000ms: Experienced error: context deadline exceeded

The HTTP requests are being redirected to HTTPS [and there it fails].
Let's try dealing with the challenge requests in HTTP.
Show:
apachectl -t -D DUMP_VHOSTS

[while you ensure port 443 gets opened]

1 Like

is this ok to do whilst using apache?

voigtstr@voigtstr-VirtualBox:/etc/apache2/sites-enabled$ apachectl -t
AH00526: Syntax error on line 9 of /etc/apache2/sites-enabled/minecraft.voigtstr.com-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/minecraft.voigtstr.com/fullchain.pem' does not exist or is empty
Action '-t' failed.
The Apache error log may have more information.

Try:
apachectl -t -D DUMP_VHOSTS

1 Like

voigtstr@voigtstr-VirtualBox:/etc/apache2/sites-enabled$ apachectl -t -D DUMP_VHOSTS
AH00526: Syntax error on line 9 of /etc/apache2/sites-enabled/minecraft.voigtstr.com-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/minecraft.voigtstr.com/fullchain.pem' does not exist or is empty
Action '-t -D DUMP_VHOSTS' failed.
The Apache error log may have more information.

That's a buzz kill.

Show:
ls -lR /etc/letsencrypt/live/
and
certbot certificates

1 Like

voigtstr@voigtstr-VirtualBox:/etc/apache2/sites-enabled$ ls -lR /etc/letsencrypt/live/
ls: cannot open directory '/etc/letsencrypt/live/': Permission denied
voigtstr@voigtstr-VirtualBox:/etc/apache2/sites-enabled$ sudo ls -lR /etc/letsencrypt/live/
/etc/letsencrypt/live/:
total 16
drwxr-xr-x 2 root root 4096 Nov 17 22:05 minecraft.voigtstr.com
drwxr-xr-x 2 root root 4096 Nov 17 22:05 music.voigtstr.com
-rw-r--r-- 1 root root 740 Sep 21 2020 README
drwxr-xr-x 2 root root 4096 Nov 17 22:05 voigtstr.com

/etc/letsencrypt/live/minecraft.voigtstr.com:
total 4
lrwxrwxrwx 1 root root 46 Nov 17 22:05 cert.pem -> ../../archive/minecraft.voigtstr.com/cert8.pem
lrwxrwxrwx 1 root root 47 Nov 17 22:05 chain.pem -> ../../archive/minecraft.voigtstr.com/chain8.pem
lrwxrwxrwx 1 root root 51 Nov 17 22:05 fullchain.pem -> ../../archive/minecraft.voigtstr.com/fullchain8.pem
lrwxrwxrwx 1 root root 49 Nov 17 22:05 privkey.pem -> ../../archive/minecraft.voigtstr.com/privkey8.pem
-rw-r--r-- 1 root root 692 Sep 21 2020 README

/etc/letsencrypt/live/music.voigtstr.com:
total 4
lrwxrwxrwx 1 root root 42 Nov 17 22:05 cert.pem -> ../../archive/music.voigtstr.com/cert8.pem
lrwxrwxrwx 1 root root 43 Nov 17 22:05 chain.pem -> ../../archive/music.voigtstr.com/chain8.pem
lrwxrwxrwx 1 root root 47 Nov 17 22:05 fullchain.pem -> ../../archive/music.voigtstr.com/fullchain8.pem
lrwxrwxrwx 1 root root 45 Nov 17 22:05 privkey.pem -> ../../archive/music.voigtstr.com/privkey8.pem
-rw-r--r-- 1 root root 692 Sep 21 2020 README

/etc/letsencrypt/live/voigtstr.com:
total 4
lrwxrwxrwx 1 root root 36 Nov 17 22:05 cert.pem -> ../../archive/voigtstr.com/cert8.pem
lrwxrwxrwx 1 root root 37 Nov 17 22:05 chain.pem -> ../../archive/voigtstr.com/chain8.pem
lrwxrwxrwx 1 root root 41 Nov 17 22:05 fullchain.pem -> ../../archive/voigtstr.com/fullchain8.pem
lrwxrwxrwx 1 root root 39 Nov 17 22:05 privkey.pem -> ../../archive/voigtstr.com/privkey8.pem
-rw-r--r-- 1 root root 692 Sep 21 2020 README

voigtstr@voigtstr-VirtualBox:/etc/apache2/sites-enabled$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: minecraft.voigtstr.com
Domains: minecraft.voigtstr.com
Expiry Date: 2022-02-15 10:05:36+00:00 (VALID: 22 days)
Certificate Path: /etc/letsencrypt/live/minecraft.voigtstr.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/minecraft.voigtstr.com/privkey.pem
Certificate Name: music.voigtstr.com
Domains: music.voigtstr.com
Expiry Date: 2022-02-15 10:05:46+00:00 (VALID: 22 days)
Certificate Path: /etc/letsencrypt/live/music.voigtstr.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/music.voigtstr.com/privkey.pem
Certificate Name: voigtstr.com
Domains: voigtstr.com www.voigtstr.com
Expiry Date: 2022-02-15 10:05:56+00:00 (VALID: 22 days)
Certificate Path: /etc/letsencrypt/live/voigtstr.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/voigtstr.com/privkey.pem


That's weird...

[contradiction]

Show:
ls -ltr /etc/letsencrypt/archive/minecraft.voigtstr.com/

1 Like
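
The apachectl error above reports the certificate as "does not exist or is empty", while the listings taken with sudo show it in place. As an added example (not part of the thread, and not Certbot's or Apache's own tooling), this shell script classifies each SSLCertificateFile / SSLCertificateKeyFile path as seen by the user running it; the function names and status words are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): explain, for the CURRENT user, why a
# certificate path may be reported as "does not exist or is empty".

# classify_cert_path PATH -> prints exactly one word:
#   ok | no-access | dangling-symlink | missing | empty | not-pem
classify_cert_path() {
    p=$1
    d=$(dirname -- "$p")
    # A parent directory without search (x) permission hides everything
    # below it, so the file looks missing to an unprivileged process.
    while [ "$d" != "/" ] && [ "$d" != "." ]; do
        if [ -d "$d" ] && [ ! -x "$d" ]; then echo no-access; return 1; fi
        d=$(dirname -- "$d")
    done
    # Certbot's live/ entries are symlinks into archive/; -e follows the
    # link, so it is false when the target is missing or not reachable.
    if [ -L "$p" ] && [ ! -e "$p" ]; then echo dangling-symlink; return 1; fi
    if [ ! -e "$p" ]; then echo missing; return 1; fi
    if [ ! -r "$p" ]; then echo no-access; return 1; fi
    if [ ! -s "$p" ]; then echo empty; return 1; fi
    if ! grep -q -e '-----BEGIN ' "$p"; then echo not-pem; return 1; fi
    echo ok
}

# scan_vhost_conf FILE -> one "directive path status" line for every
# SSLCertificateFile / SSLCertificateKeyFile directive in an Apache config.
scan_vhost_conf() {
    awk 'tolower($1) ~ /^sslcertificate(key)?file$/ {
             gsub(/"/, "", $2); print $1, $2 }' "$1" |
    while read -r directive path; do
        echo "$directive $path $(classify_cert_path "$path")"
    done
}

# Usage: sh check_certs.sh /etc/apache2/sites-enabled/*-le-ssl.conf
for conf in "$@"; do scan_vhost_conf "$conf"; done
```

Run it once as your normal user and once with sudo: a status that changes from no-access to ok means the first check lacked permission to look inside /etc/letsencrypt/live, not that the certificate is gone.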

voigtstr@voigtstr-VirtualBox:/etc/apache2/sites-enabled$ ls -ltr /etc/letsencrypt/archive/minecraft.voigtstr.com/
ls: cannot access '/etc/letsencrypt/archive/minecraft.voigtstr.com/': Permission denied

voigtstr@voigtstr-VirtualBox:/etc/apache2/sites-enabled$ sudo ls -ltr /etc/letsencrypt/archive/minecraft.voigtstr.com/
total 144
-rw------- 1 root root 1704 Sep 21 2020 privkey1.pem
-rw-r--r-- 1 root root 3574 Sep 21 2020 fullchain1.pem
-rw-r--r-- 1 root root 1647 Sep 21 2020 chain1.pem
-rw-r--r-- 1 root root 1927 Sep 21 2020 cert1.pem
-rw------- 1 root root 1708 Nov 21 2020 privkey2.pem
-rw-r--r-- 1 root root 3578 Nov 21 2020 fullchain2.pem
-rw-r--r-- 1 root root 1647 Nov 21 2020 chain2.pem
-rw-r--r-- 1 root root 1931 Nov 21 2020 cert2.pem
-rw------- 1 root root 1704 Jan 20 2021 privkey3.pem
-rw-r--r-- 1 root root 3448 Jan 20 2021 fullchain3.pem
-rw-r--r-- 1 root root 1586 Jan 20 2021 chain3.pem
-rw-r--r-- 1 root root 1862 Jan 20 2021 cert3.pem
-rw------- 1 root root 1704 Mar 22 2021 privkey4.pem
-rw-r--r-- 1 root root 3448 Mar 22 2021 fullchain4.pem
-rw-r--r-- 1 root root 1586 Mar 22 2021 chain4.pem
-rw-r--r-- 1 root root 1862 Mar 22 2021 cert4.pem
-rw------- 1 root root 1704 May 21 2021 privkey5.pem
-rw-r--r-- 1 root root 5612 May 21 2021 fullchain5.pem
-rw-r--r-- 1 root root 3750 May 21 2021 chain5.pem
-rw-r--r-- 1 root root 1862 May 21 2021 cert5.pem
-rw------- 1 root root 1704 Jul 20 2021 privkey6.pem
-rw-r--r-- 1 root root 5612 Jul 20 2021 fullchain6.pem
-rw-r--r-- 1 root root 3750 Jul 20 2021 chain6.pem
-rw-r--r-- 1 root root 1862 Jul 20 2021 cert6.pem
-rw------- 1 root root 1704 Sep 18 18:17 privkey7.pem
-rw-r--r-- 1 root root 5612 Sep 18 18:17 fullchain7.pem
-rw-r--r-- 1 root root 3750 Sep 18 18:17 chain7.pem
-rw-r--r-- 1 root root 1862 Sep 18 18:17 cert7.pem
-rw------- 1 root root 1704 Nov 17 22:05 privkey8.pem
-rw-r--r-- 1 root root 5612 Nov 17 22:05 fullchain8.pem
-rw-r--r-- 1 root root 3750 Nov 17 22:05 chain8.pem
-rw-r--r-- 1 root root 1862 Nov 17 22:05 cert8.pem

Looks like it's there to me!

Show:
cat /etc/letsencrypt/live/minecraft.voigtstr.com/fullchain.pem

[never show *key* files - fullchain is public info]

1 Like

voigtstr@voigtstr-VirtualBox:/etc/apache2/sites-enabled$ cat /etc/letsencrypt/live/minecraft.voigtstr.com/fullchain.pem
cat: /etc/letsencrypt/live/minecraft.voigtstr.com/fullchain.pem: Permission denied

so sudo again...
voigtstr@voigtstr-VirtualBox:/etc/apache2/sites-enabled$ sudo cat /etc/letsencrypt/live/minecraft.voigtstr.com/fullchain.pem
