Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: clubhouse.svarc.us
I ran this command:
It produced this output:
My web server is (include version): nginx/1.14.2
The operating system my web server runs on is (include version): raspi pi buster
My hosting provider, if applicable, is: NA
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.29.0
We migrated to a new ISP provider and have a static address. The certs started failing. Looking at the log I think I found where it fails.
2022-08-08 04:05:17,395:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/139656354706:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTAzOTEwOTkyIiwgIm5vbmNlIjogIjAwMDFLb29iRHl0VllhbnZhWk91T0dmY1ZxeFB0SUh1QUpHRmV5b0U5dlBZcE9vIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8xMzk2NTYzNTQ3MDYifQ",
"signature": "Kakka0yRaAe_K3W7CyUda64urIEV-wmFZyFFOw5sEmZ1xW8hRqE9sdjuOqzIBeIkbAmy17uykaf7Pnw_H2L5WDgPBmmqx1XwFGZgIeQv8stYh1tkr9kZzFjXizxATuFzU7QGeYzcgexL3LdAZGjKKuHZxVl2s9vJCDGNdO-JqFlyLiJbgmooIvaqEKxcTYlOR3D8BZkvcly0WA5eNMiDeerPEa18w_Mam4DcS0cndvLzuNdO1ftBcmo6kyAnuba3NBZLszdQE0uRqFuhGbqdQYVKXIuaCxHpfk15sCKXMKQ82jGmRdniYGOH8ra7O_DATCw0lRMLMHP2PTv2VrCB5Q",
"payload": ""
}
2022-08-08 04:05:17,477:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/139656354706 HTTP/1.1" 200 1076
2022-08-08 04:05:17,478:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 08 Aug 2022 08:05:17 GMT
Content-Type: application/json
Content-Length: 1076
Connection: keep-alive
Boulder-Requester: 103910992
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0002-UNiszwlBgrLOz2_n5VMAgsHlzN-VibvSYfZmKHy4UI
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"identifier": {
"type": "dns",
"value": "clubhouse.svarc.us"
},
"status": "invalid",
"expires": "2022-08-15T08:05:05Z",
"challenges": [
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:connection",
"detail": "204.111.163.141: Fetching http://clubhouse.svarc.us/.well-known/acme-challenge/MxLM6BEzRmGKZseuL3XzLa5n8OLitxAN0pPh262QXYQ: Timeout during connect (likely firewall problem)",
"status": 400
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/139656354706/WvUqTA",
"token": "MxLM6BEzRmGKZseuL3XzLa5n8OLitxAN0pPh262QXYQ",
"validationRecord": [
{
"url": "http://clubhouse.svarc.us/.well-known/acme-challenge/MxLM6BEzRmGKZseuL3XzLa5n8OLitxAN0pPh262QXYQ",
"hostname": "clubhouse.svarc.us",
"port": "80",
"addressesResolved": [
"204.111.163.141"
],
"addressUsed": "204.111.163.141"
}
],
"validated": "2022-08-08T08:05:07Z"
}
]
}
2022-08-08 04:05:17,479:DEBUG:acme.client:Storing nonce: 0002-UNiszwlBgrLOz2_n5VMAgsHlzN-VibvSYfZmKHy4UI
2022-08-08 04:05:17,480:INFO:certbot._internal.auth_handler:Challenge failed for domain clubhouse.svarc.us
2022-08-08 04:05:17,480:INFO:certbot._internal.auth_handler:http-01 challenge for clubhouse.svarc.us
2022-08-08 04:05:17,480:DEBUG:certbot._internal.display.obj:Notifying user:
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: clubhouse.svarc.us
Type: connection
Detail: 204.111.163.141: Fetching http://clubhouse.svarc.us/.well-known/acme-challenge/MxLM6BEzRmGKZseuL3XzLa5n8OLitxAN0pPh262QXYQ: Timeout during connect (likely firewall problem)
Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.
I ran a tcp dump and examined the data in Wireshark. The only connection issue I find is a failed ICMP and I am not sure this is relevant.
I have examined NGINX and can't find any issues. If it is a firewall issue (I am betting on it), I don't know which protocol/port from the logs or trace.
Thanks in advance
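As an added example (not part of the original post and not Certbot's own code), the following Python pulls the failed validation attempt out of a Certbot debug log shaped like the one above, using the `validationRecord` fields of the ACME authorization response. The function names and the abridged sample log (token shortened to `TOKEN`, request body replaced with stand-in values) are assumptions made for illustration.

```python
import json

# Constructed sample, abridged from the log format shown in the post.
SAMPLE_LOG = """\
2022-08-08 04:05:17,395:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/139656354706:
{"protected": "e30", "signature": "sig", "payload": ""}
2022-08-08 04:05:17,478:DEBUG:acme.client:Received response:
HTTP 200
{"identifier": {"type": "dns", "value": "clubhouse.svarc.us"}, "status": "invalid",
 "challenges": [{"type": "http-01", "status": "invalid",
   "error": {"type": "urn:ietf:params:acme:error:connection", "status": 400,
             "detail": "204.111.163.141: Fetching http://clubhouse.svarc.us/.well-known/acme-challenge/TOKEN: Timeout during connect (likely firewall problem)"},
   "validationRecord": [{"url": "http://clubhouse.svarc.us/.well-known/acme-challenge/TOKEN",
     "hostname": "clubhouse.svarc.us", "port": "80",
     "addressesResolved": ["204.111.163.141"], "addressUsed": "204.111.163.141"}]}]}
2022-08-08 04:05:17,479:DEBUG:acme.client:Storing nonce: X
"""

def authz_objects(log_text):
    """Yield each JSON object embedded in the log that carries a "challenges" list."""
    dec, pos = json.JSONDecoder(), 0
    while (pos := log_text.find("{", pos)) != -1:
        try:
            obj, end = dec.raw_decode(log_text, pos)
        except json.JSONDecodeError:
            pos += 1          # a brace that does not start valid JSON; keep scanning
            continue
        pos = end
        if isinstance(obj, dict) and "challenges" in obj:
            yield obj         # request bodies (protected/signature/payload) are skipped

def failed_checks(log_text):
    """Return one dict per invalid challenge: what the CA connected to and the error class."""
    out = []
    for authz in authz_objects(log_text):
        for ch in authz["challenges"]:
            if ch.get("status") != "invalid":
                continue
            err_type = ch.get("error", {}).get("type", "").rsplit(":", 1)[-1]
            for rec in ch.get("validationRecord") or [{}]:
                out.append({"domain": authz["identifier"]["value"],
                            "challenge": ch["type"], "error": err_type,
                            "address": rec.get("addressUsed"), "port": rec.get("port")})
    return out

if __name__ == "__main__":
    for row in failed_checks(SAMPLE_LOG):
        print(row)
```

For the log above, this reports the http-01 fetch to 204.111.163.141 on port 80, which is an inbound TCP connection made by the CA's validation servers.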