Hi folks,
I’m trying to go through this tuto and I get weird behaviors.
For the record, I spent 5 hours on it before posting here, not 5 minutes.
Please find my main files:
init-letsencrypt.sh
#!/bin/bash
if ! [ -x "$(command -v docker-compose)" ]; then
echo 'Error: docker-compose is not installed.' >&2
exit 1
fi
domains=(www.lorem.com)
rsa_key_size=4096
data_path="./data/certbot"
email="vivian@lorem.com" # Adding a valid address is strongly recommended
staging=1 # Set to 1 if you're testing your setup to avoid hitting request limits
if [ -d "$data_path" ]; then
read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision
if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then
exit
fi
fi
if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then
echo "### Downloading recommended TLS parameters ..."
mkdir -p "$data_path/conf"
curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/tls_configs/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
echo
fi
echo "### Creating dummy certificate for $domains ..."
path="/etc/letsencrypt/live/$domains"
mkdir -p "$data_path/conf/live/$domains"
docker-compose run --rm --entrypoint "\
openssl req -x509 -nodes -newkey rsa:1024 -days 1\
-keyout '$path/privkey.pem' \
-out '$path/fullchain.pem' \
-subj '/CN=localhost'" certbot
echo
echo "### Starting nginx ..."
docker-compose up --force-recreate -d nginx
echo
echo "### Deleting dummy certificate for $domains ..."
docker-compose run --rm --entrypoint "\
rm -Rf /etc/letsencrypt/live/$domains && \
rm -Rf /etc/letsencrypt/archive/$domains && \
rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot
echo
echo "### Requesting Let's Encrypt certificate for $domains ..."
#Join $domains to -d args
domain_args=""
for domain in "${domains[@]}"; do
domain_args="$domain_args -d $domain"
done
# Select appropriate email arg
case "$email" in
"") email_arg="--register-unsafely-without-email" ;;
*) email_arg="--email $email" ;;
esac
# Enable staging mode if needed
if [ $staging != "0" ]; then staging_arg="--staging"; fi
docker-compose run --rm --entrypoint "\
certbot certonly --webroot -v --debug-challenges -w /var/www/certbot \
$staging_arg \
$email_arg \
$domain_args \
--rsa-key-size $rsa_key_size \
--agree-tos \
--force-renewal" certbot
echo
echo "### Reloading nginx ..."
docker-compose exec nginx nginx -s reload
docker-compose.yml
version: "3"
services:
nginx:
image: nginx:1.17
container_name: xxx-nginx
restart: unless-stopped
volumes:
- ./data/nginx:/etc/nginx/conf.d
- ./data/certbot/conf:/etc/letsencrypt
- ./data/certbot/www:/var/www/certbot
ports:
- "80:80"
- "443:443"
command: '/bin/sh -c ''while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g "daemon off;"'''
certbot:
image: certbot/certbot
container_name: xxx-certbot
restart: unless-stopped
volumes:
- ./data/certbot/conf:/etc/letsencrypt
- ./data/certbot/www:/var/www/certbot
entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
nuxt:
build: ./app/
container_name: xxx-app
restart: always
ports:
- "3333:3333"
command: "npm run start"
nginx/default.conf
server {
listen 80;
server_name xxx.lorem.com;
server_tokens off;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl;
server_name xxx.lorem.com;
server_tokens off;
ssl_certificate /etc/letsencrypt/live/xxx.lorem.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/xxx.lorem.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
location / {
proxy_pass http://xxx.lorem.com;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
And perhaps the most importing file, my error log:
Existing data found for xxx.lorem.com. Continue and replace existing certificate? (y/N) y
### Creating dummy certificate for xxx.lorem.com ...
Generating a RSA private key
..........................................+++++
...............+++++
writing new private key to '/etc/letsencrypt/live/xxx.lorem.com/privkey.pem'
-----
### Starting nginx ...
Recreating xxx-nginx ...
Recreating xxx-nginx ... done
### Deleting dummy certificate for xxx.lorem.com ...
### Requesting Let's Encrypt certificate for xxx.lorem.com ...
Root logging level set at 10
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requested authenticator webroot and installer None
Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7f4e79936e10>
Prep: True
Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7f4e79936e10> and installer None
Plugins selected: Authenticator webroot, Installer None
Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-staging-v02.api.letsencrypt.org/acme/acct/11519950', new_authzr_uri=None, terms_of_service=None), 803e21903d9d8cfa20499d0bb2bd2586, Meta(creation_dt=datetime.datetime(2019, 11, 8, 15, 32, 18, tzinfo=<UTC>), creation_host='13b6b54e68c0'))>
Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org:443
https://acme-staging-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 724
Received response:
HTTP 200
Server: nginx
Date: Fri, 08 Nov 2019 16:33:48 GMT
Content-Type: application/json
Content-Length: 724
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"21IRDSaUJLI": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
"keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
"website": "https://letsencrypt.org/docs/staging-environment/"
},
"newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
"revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert"
}
Obtaining a new certificate
Generating key (4096 bits): /etc/letsencrypt/keys/0015_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0015_csr-certbot.pem
Requesting fresh nonce
Sending HEAD request to https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce.
https://acme-staging-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
Received response:
HTTP 200
Server: nginx
Date: Fri, 08 Nov 2019 16:33:49 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0002tUBK5GOg9sYqNGtZVk8sAu5CvI2kCg6CZ2ubFK7OzKU
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Storing nonce: 0002tUBK5GOg9sYqNGtZVk8sAu5CvI2kCg6CZ2ubFK7OzKU
JWS payload:
b'{\n "identifiers": [\n {\n "type": "dns",\n "value": "xxx.lorem.com"\n }\n ]\n}'
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/new-order:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xMTUxOTk1MCIsICJub25jZSI6ICIwMDAydFVCSzVHT2c5c1lxTkd0WlZrOHNBdTVDdkkya0NnNkNaMnViRks3T3pLVSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9uZXctb3JkZXIifQ",
"signature": "eUu7ijFJznEuhHIbsGZXEIFMVnVGQ7q3B_afLKLkdEeHreuggZq9GgBycDZrsbMHxojVkwwRdFV59tSL6uJ_PLYnsat9nsRgU9EDnFpCgUlXwvPiek43_yXVczB2VHtgYdx8bL1jxnAWUCwlJVmfMy-Y1Jptjn10-Jvolsemr5-jQrn5P7Be1-ibVqi7iqA8rYY8ZeWw7YJdpaF3lR_i1VBQsaLcnE4-fGIn7CTDMdOKqZGlTY4ac-41dDpHtzZ7yQV3yU6nBaXakenBoubInvctfc5T6jQ_HVchKW1R2Qoysy1Hki-j24t2cJaet7BZwyNV-mF3lN6-BGWfbz7qQzfPdoFFzDaPNmPBsnu1y1sBmtTBgHCJ1YjQQTbYmACwIvcTRzGTUbqLFS0avjCXvZOsK08j6yaDP3uSvpPCB9qaV2v_7_Lqlcir66i0--EiVHEKvXiFVe345EudGg6Q9_sjw93FqpMo3TAKpOuLYRZQIZJxfnpeCCTt8jCREcNUUFp05Q17pCf03pv25F2EK_g61HLdrDUQNva8IvtNMEzm6HQUE23HfNRyFHogYODUlAGMB2ygAdFUhje9SA4YgWXwCvDKSrct-EN4bODp8hfLjfhHbx1Gp5__-8IkKPNNyKAnxvggI9iJYSnazOwsog0gquCrljmjNzDwctZNsPI",
"payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogInByb2pvLm9jdXMuY29tIgogICAgfQogIF0KfQ"
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 355
Received response:
HTTP 201
Server: nginx
Date: Fri, 08 Nov 2019 16:33:49 GMT
Content-Type: application/json
Content-Length: 355
Connection: keep-alive
Boulder-Requester: 11519950
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/order/11519950/60509153
Replay-Nonce: 0002d_thn50OPYUbaGIfCqJFbisnxyD1Hy19kLbjXooClNg
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"status": "pending",
"expires": "2019-11-15T16:33:49.73815071Z",
"identifiers": [
{
"type": "dns",
"value": "xxx.lorem.com"
}
],
"authorizations": [
"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/19815850"
],
"finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/11519950/60509153"
}
Storing nonce: 0002d_thn50OPYUbaGIfCqJFbisnxyD1Hy19kLbjXooClNg
JWS payload:
b''
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/19815850:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xMTUxOTk1MCIsICJub25jZSI6ICIwMDAyZF90aG41ME9QWVViYUdJZkNxSkZiaXNueHlEMUh5MTlrTGJqWG9vQ2xOZyIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8xOTgxNTg1MCJ9",
"signature": "KZ7llK_j4mZIYamX7xhVkHSUnavih30MWEY4Kl_mzcYdNHtOd_hGSNG0FFU3ZsVFuu4XIzmfUyIW3esdSIHllOM41DdC_HVe8d0sIxuN75V7cs59ltAPMCZoeiG64XBwxJDsBtDV2WdJ35DVv7UPqCfcX9Ntw0T9LkooCQaRGJCstAPlx2MiVb2uf6gJIPqY8-O4thKUA-_DbzMDeew0PDMtlHYHa_qQZOvaajgY4vTFtF188Q8DsfEyLASpkony3f_Hlw7S6IuDDrZhLUyAbvKgwJDeTkYOOyiizxzf8JnEvEG4JyKNZsfLhMCxst1W4dDYlbESYXAKQSY_bBhbFaDCzVAOQ_T5--Cc3iq8MSVITyB4h0vGq7dJHVJloobTBDg7azuNN3ERnsZLuIKO0_wFQ7HoGyFP_2AQ8VPKgCDP6MXf34Whv9O9InciBuAO8QKkNrpxBmLlrXD8ndcDQ53pD6gtlStvBIADHuee2L9zxoqIu5sOxmbmAWCHIPCQDYDIOTbad3WPYS6N6aiIdjoNwTbtN-bXys5CzYfeSw9nRugyWz9geTg9MhpYqo_HIWqFQfVMW-3ER2g7kwc-IYTb_jZt2MdE5IW_ydJEq7Q7M_vcEvGOLuYfpZjE74deaHl5NSiw2JUW6mYtSylWxXgxRVdChhRZtjh5UlspHWU",
"payload": ""
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/19815850 HTTP/1.1" 200 810
Received response:
HTTP 200
Server: nginx
Date: Fri, 08 Nov 2019 16:33:50 GMT
Content-Type: application/json
Content-Length: 810
Connection: keep-alive
Boulder-Requester: 11519950
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0002pQ68YQCYousjJoEJZ1sTVmzmaAAtuPCBHN7FLfOiQU4
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"identifier": {
"type": "dns",
"value": "xxx.lorem.com"
},
"status": "pending",
"expires": "2019-11-15T16:33:49Z",
"challenges": [
{
"type": "http-01",
"status": "pending",
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/19815850/PmKNmQ",
"token": "dkzqQxktAdggktPN5t4gT3ckwh70o3hmSc28g_yhE8U"
},
{
"type": "dns-01",
"status": "pending",
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/19815850/xRpPTQ",
"token": "dkzqQxktAdggktPN5t4gT3ckwh70o3hmSc28g_yhE8U"
},
{
"type": "tls-alpn-01",
"status": "pending",
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/19815850/-6VPpg",
"token": "dkzqQxktAdggktPN5t4gT3ckwh70o3hmSc28g_yhE8U"
}
]
}
Storing nonce: 0002pQ68YQCYousjJoEJZ1sTVmzmaAAtuPCBHN7FLfOiQU4
Performing the following challenges:
http-01 challenge for xxx.lorem.com
Using the webroot path /var/www/certbot for all unmatched domains.
Creating root challenges validation dir at /var/www/certbot/.well-known/acme-challenge
Attempting to save validation to /var/www/certbot/.well-known/acme-challenge/dkzqQxktAdggktPN5t4gT3ckwh70o3hmSc28g_yhE8U
Waiting for verification...
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about
challenges.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
JWS payload:
b'{\n "resource": "challenge",\n "type": "http-01"\n}'
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/19815850/PmKNmQ:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xMTUxOTk1MCIsICJub25jZSI6ICIwMDAycFE2OFlRQ1lvdXNqSm9FSloxc1RWbXptYUFBdHVQQ0JITjdGTGZPaVFVNCIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9jaGFsbC12My8xOTgxNTg1MC9QbUtObVEifQ",
"signature": "FDYkuxb4R5dc1ZBRJfezgMw2D_OSt7y4nAqoplXs4F0D2N8Esvnl9hiVFhd3MlbbYLdsVz-_EQ1vbnc0NPUzVVK1MtFI_w-3aMNuIJnGIAgn1coIffZZKfha8mQD9gRffhuIFUP8xVDMNR8rcpsN9WNiHnDeuz_pUJqOGGDiqGy0-SITfiCff9cTKqYOykbgsPsfBO4taY1KHq1nGP2H6pQvlboEu4_ALKzH7UUP3UaHxejq5FLLrHYLqHMsVqLSegJU4OjxrxCMl3g6_ygrNunrO36ctgiIgN9WNgld4I5mOOEGkfz6UVjvmfGmKwlWl7fcqsGyy-9jBgG_bgvPbBFX7YRsahdBvlb7nJaLNs5lBqFWUCgnGLO0PuMbDgVTqFUwrcGM91UerwV66GK2AItNxvV9DAcXRGorVnYEindt22p7OsbXA8iO50X-Hegp0ficXfLuBKnbc5IxW0R_o5ew8eU3nQ27170DpEE5wh65exlQJgm1-XYItbDL00XdpxkVcGkvE3jhQpuvwSWv1MGgxkuVU2uV3eSPw6wB0iQxHHzk6vl5kD9GbtC7Lqx9TaadkLHWQm1rl7PjHjJS5O5cYvIWqlUaDFVOfyABub-J5Dd_FHIWHjKNZz8hFIW8AyNOsxP50VotU9xN5ypc5m4OkLfJWFuXSuOCBqwRdp0",
"payload": "ewogICJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiLAogICJ0eXBlIjogImh0dHAtMDEiCn0"
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/19815850/PmKNmQ HTTP/1.1" 200 191
Received response:
HTTP 200
Server: nginx
Date: Fri, 08 Nov 2019 16:35:08 GMT
Content-Type: application/json
Content-Length: 191
Connection: keep-alive
Boulder-Requester: 11519950
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/19815850>;rel="up"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/19815850/PmKNmQ
Replay-Nonce: 0002uVhZwVzdVbFWDpcL52c_gOmusK7spQSTfRTrB1N4I9o
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"type": "http-01",
"status": "pending",
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/19815850/PmKNmQ",
"token": "dkzqQxktAdggktPN5t4gT3ckwh70o3hmSc28g_yhE8U"
}
Storing nonce: 0002uVhZwVzdVbFWDpcL52c_gOmusK7spQSTfRTrB1N4I9o
JWS payload:
b''
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/19815850:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xMTUxOTk1MCIsICJub25jZSI6ICIwMDAydVZoWndWemRWYkZXRHBjTDUyY19nT211c0s3c3BRU1RmUlRyQjFONEk5byIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8xOTgxNTg1MCJ9",
"signature": "EIKVD-rBIyCXBwsMk-w7Ejs_VgAbcp5ry2oKvSFKnP9T6ze66aq-rk-SAMZAWyrOObarYAB7jMZGNCJzk2-ODIIVQBACY2LXxvwfWj42IItIf77NyFc6dIUgw17r-3fPLMpWCR7meTyzTVDzVjzqJsn5bQw4pGTlXvAPl_6BtH8MB4d9qKokOYWd19qVSRRFpygm6ITLCTaqryl-t-lb5XFRFVrYtkChRetdyhr8WXHgEbO8D59wuoYYLN_W3R2MOlbb_qBKYmTs6ekxH00ofD-nx13HHi-lqskbFT0sjG6Mtqe8yM4ui8KWGipG5Gacwme3_YW_Lf2cJDgHStSyVJacegDQa05fePwYEiZfHCEw6fkChNyxT0iGKDOdTUIf7tYLpMFIBi341zjdN5qEAShqx4hFoqSlYHv0K1OWvKgv5S4DvJXPwH2zMKIVJDIGFI6J69HH-Hjru_XhLp9mN62LLaeRsVyfiiRgT5PKwo7uLm_mRiysa_m9BwciCalZKEhQlMoswiUOkCnSJaeXTEGdJtdE-VWk7uPblNQUTgL-yM7x_tAuftiwNbZCi56jHXjeVkEEx_NKfptihb_hkjAj_C0D6IX3G0d_8alwnl9BtwsJgPAhHx5s349nQ8B3oX808cEIkeSZPixKY3KIYCc1wtYE99kUCq1BDroZqlE",
"payload": ""
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/19815850 HTTP/1.1" 200 1407
Received response:
HTTP 200
Server: nginx
Date: Fri, 08 Nov 2019 16:35:10 GMT
Content-Type: application/json
Content-Length: 1407
Connection: keep-alive
Boulder-Requester: 11519950
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0002m0OY7qa_ElRdf4p40LyJeqReobHWSx3G8FMn4I0ganA
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"identifier": {
"type": "dns",
"value": "xxx.lorem.com"
},
"status": "invalid",
"expires": "2019-11-15T16:33:49Z",
"challenges": [
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:connection",
"detail": "Fetching http://xxx.lorem.com/.well-known/acme-challenge/dkzqQxktAdggktPN5t4gT3ckwh70o3hmSc28g_yhE8U: Connection refused",
"status": 400
},
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/19815850/PmKNmQ",
"token": "dkzqQxktAdggktPN5t4gT3ckwh70o3hmSc28g_yhE8U",
"validationRecord": [
{
"url": "http://xxx.lorem.com/.well-known/acme-challenge/dkzqQxktAdggktPN5t4gT3ckwh70o3hmSc28g_yhE8U",
"hostname": "xxx.lorem.com",
"port": "80",
"addressesResolved": [
"157.230.115.5"
],
"addressUsed": "157.230.115.5"
}
]
},
{
"type": "dns-01",
"status": "invalid",
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/19815850/xRpPTQ",
"token": "dkzqQxktAdggktPN5t4gT3ckwh70o3hmSc28g_yhE8U"
},
{
"type": "tls-alpn-01",
"status": "invalid",
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/19815850/-6VPpg",
"token": "dkzqQxktAdggktPN5t4gT3ckwh70o3hmSc28g_yhE8U"
}
]
}
Storing nonce: 0002m0OY7qa_ElRdf4p40LyJeqReobHWSx3G8FMn4I0ganA
Challenge failed for domain xxx.lorem.com
http-01 challenge for xxx.lorem.com
Reporting to user: The following errors were reported by the server:
Domain: xxx.lorem.com
Type: connection
Detail: Fetching http://xxx.lorem.com/.well-known/acme-challenge/dkzqQxktAdggktPN5t4gT3ckwh70o3hmSc28g_yhE8U: Connection refused
To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
Encountered exception:
Traceback (most recent call last):
File "/opt/certbot/src/certbot/auth_handler.py", line 91, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/opt/certbot/src/certbot/auth_handler.py", line 180, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
Calling registered functions
Cleaning up challenges
Removing /var/www/certbot/.well-known/acme-challenge/dkzqQxktAdggktPN5t4gT3ckwh70o3hmSc28g_yhE8U
All challenges cleaned up
Exiting abnormally:
Traceback (most recent call last):
File "/usr/local/bin/certbot", line 11, in <module>
load_entry_point('certbot', 'console_scripts', 'certbot')()
File "/opt/certbot/src/certbot/main.py", line 1378, in main
return config.func(config, plugins)
File "/opt/certbot/src/certbot/main.py", line 1265, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File "/opt/certbot/src/certbot/main.py", line 121, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/opt/certbot/src/certbot/client.py", line 417, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File "/opt/certbot/src/certbot/client.py", line 348, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/opt/certbot/src/certbot/client.py", line 396, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File "/opt/certbot/src/certbot/auth_handler.py", line 91, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/opt/certbot/src/certbot/auth_handler.py", line 180, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: xxx.lorem.com
Type: connection
Detail: Fetching
http://xxx.lorem.com/.well-known/acme-challenge/dkzqQxktAdggktPN5t4gT3ckwh70o3hmSc28g_yhE8U:
Connection refused
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
### Reloading nginx ...
2019/11/08 16:35:12 [notice] 10#10: signal process started
Before Press Enter to Continue I discovered that a file is written:
data/certbot/www/.well-known/acme-challenge/dvDDPLEGxXGzDcOMIp2mF-U6bH1u82te3wjysJebbU4
Is anyone has an idea/advice/suggestion?
At this stage, any help is more than welcome!
