My domain is:
4skobo.openplanit.com
I ran this command:
sudo certbot certonly --cert-name '4skobo.openplanit.com' --email me@mydomain.com --http-01-address 127.0.0.1 --http-01-port 10081 --debug-challenge --dry-run --test-cert --debug -v
It produced this output:
Challenge failed for domain 4skobo.openplanit.com
http-01 challenge for 4skobo.openplanit.com
Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: 4skobo.openplanit.com
Type: unauthorized
Detail: During secondary validation: 108.157.214.125: Invalid response from http://4skobo.openplanit.com/.well-known/acme-challenge/uIuZxewfTU-ZjgUQ3j2d0YOjaPUE_WAh-BnX146tLhs: 403
Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on 127.0.0.1:10081. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.
Cleaning up challenges
Exiting abnormally:
Traceback (most recent call last):
File "/snap/certbot/3700/bin/certbot", line 8, in <module>
sys.exit(main())
File "/snap/certbot/3700/lib/python3.8/site-packages/certbot/main.py", line 19, in main
return internal_main.main(cli_args)
File "/snap/certbot/3700/lib/python3.8/site-packages/certbot/_internal/main.py", line 1894, in main
return config.func(config, plugins)
File "/snap/certbot/3700/lib/python3.8/site-packages/certbot/_internal/main.py", line 1600, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File "/snap/certbot/3700/lib/python3.8/site-packages/certbot/_internal/main.py", line 131, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File "/snap/certbot/3700/lib/python3.8/site-packages/certbot/_internal/renewal.py", line 399, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
File "/snap/certbot/3700/lib/python3.8/site-packages/certbot/_internal/client.py", line 428, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/snap/certbot/3700/lib/python3.8/site-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
File "/snap/certbot/3700/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
File "/snap/certbot/3700/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
My web server is (include version):
haproxy 2.6.17-1ppa1~jammy
The operating system my web server runs on is (include version):
Ubuntu 22.04.4
My hosting provider, if applicable, is:
HAProxy is behind CloudFront
I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.10.0
I run the command and choose 1 (standalone)
I am then given:
Plugins selected: Authenticator standalone, Installer None
Certificate is due for renewal, auto-renewing...
Simulating renewal of an existing certificate for 4skobo.openplanit.com
Performing the following challenges:
http-01 challenge for 4skobo.openplanit.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Challenges loaded. Press continue to submit to CA.
The following URLs should be accessible from the internet and return the value
mentioned:
URL:
http://4skobo.openplanit.com/.well-known/acme-challenge/uIuZxewfTU-ZjgUQ3j2d0YOjaPUE_WAh-BnX146tLhs
Expected value:
uIuZxewfTU-ZjgUQ3j2d0YOjaPUE_WAh-BnX146tLhs.GZhXFAv_xm22ixmU1QStLTzOb-EfLkYyVnyB0PWSHok
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
At this point I am able to visit the URL given and can see the value
uIuZxewfTU-ZjgUQ3j2d0YOjaPUE_WAh-BnX146tLhs.GZhXFAv_xm22ixmU1QStLTzOb-EfLkYyVnyB0PWSHok
I press enter and am given the error
After I press Enter, haproxy.log shows the challenge occurring, so CloudFront is allowing the challenge through:
Apr 17 11:38:48 ip-10-0-0-182 haproxy[77558]: 70.132.63.143:60068 [17/Apr/2024:11:38:48.953] default certbot/local 0/0/0/1/1 200 186 - - ---- 1/1/0/0/0 0/0 "GET /.well-known/acme-challenge/uIuZxewfTU-ZjgUQ3j2d0YOjaPUE_WAh-BnX146tLhs HTTP/1.1" 0/-/-/-/0 -/-/-
Apr 17 11:38:48 ip-10-0-0-182 haproxy[77558]: 70.132.63.143:60068 [17/Apr/2024:11:38:48.953] default certbot/local 0/0/0/1/1 200 186 - - ---- 1/1/0/0/0 0/0 "GET /.well-known/acme-challenge/uIuZxewfTU-ZjgUQ3j2d0YOjaPUE_WAh-BnX146tLhs HTTP/1.1" 0/-/-/-/0 -/-/-
Apr 17 11:38:55 ip-10-0-0-182 haproxy[77558]: 15.158.7.134:48008 [17/Apr/2024:11:38:55.063] default certbot/local 0/0/0/1/1 200 186 - - ---- 1/1/0/0/0 0/0 "GET /.well-known/acme-challenge/uIuZxewfTU-ZjgUQ3j2d0YOjaPUE_WAh-BnX146tLhs HTTP/1.1" 0/-/-/-/0 -/-/-
Apr 17 11:38:55 ip-10-0-0-182 haproxy[77558]: 15.158.7.134:48008 [17/Apr/2024:11:38:55.063] default certbot/local 0/0/0/1/1 200 186 - - ---- 1/1/0/0/0 0/0 "GET /.well-known/acme-challenge/uIuZxewfTU-ZjgUQ3j2d0YOjaPUE_WAh-BnX146tLhs HTTP/1.1" 0/-/-/-/0 -/-/-
letsencrypt.log
2024-04-17 11:38:37,525:DEBUG:urllib3.connectionpool:http://localhost:None "GET /v2/connections?snap=certbot&interface=content HTTP/1.1" 200 97
2024-04-17 11:38:37,868:DEBUG:certbot._internal.main:certbot version: 2.10.0
2024-04-17 11:38:37,868:DEBUG:certbot._internal.main:Location of certbot entry point: /snap/certbot/3700/bin/certbot
2024-04-17 11:38:37,868:DEBUG:certbot._internal.main:Arguments: ['--cert-name', '4skobo.openplanit.com', '--email', 'me@mydomain.com', '--http-01-address', '127.0.0.1', '--http-01-port', '10081', '--debug-challenge', '--dry-run', '--test-cert', '--debug', '-v', '--preconfigured-renewal']
2024-04-17 11:38:37,868:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2024-04-17 11:38:37,888:DEBUG:certbot._internal.log:Root logging level set at 20
2024-04-17 11:38:37,889:DEBUG:certbot._internal.plugins.selection:Requested authenticator None and installer None
2024-04-17 11:38:37,890:DEBUG:certbot.plugins.util:Failed to find executable apache2ctl in PATH: /snap/certbot/3700/bin:/snap/certbot/3700/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
2024-04-17 11:38:37,890:DEBUG:certbot._internal.plugins.disco:No installation (PluginEntryPoint#apache): Cannot find Apache executable apache2ctl
Traceback (most recent call last):
File "/snap/certbot/3700/lib/python3.8/site-packages/certbot/_internal/plugins/disco.py", line 112, in prepare
self._initialized.prepare()
File "/snap/certbot/3700/lib/python3.8/site-packages/certbot_apache/_internal/configurator.py", line 358, in prepare
self._verify_exe_availability(self.options.ctl)
File "/snap/certbot/3700/lib/python3.8/site-packages/certbot_apache/_internal/configurator.py", line 476, in _verify_exe_availability
raise errors.NoInstallationError(
certbot.errors.NoInstallationError: Cannot find Apache executable apache2ctl
2024-04-17 11:38:37,894:DEBUG:certbot._internal.plugins.disco:No installation (PluginEntryPoint#nginx): Could not find a usable 'nginx' binary. Ensure nginx exists, the binary is executable, and your PATH is set correctly.
Traceback (most recent call last):
File "/snap/certbot/3700/lib/python3.8/site-packages/certbot/_internal/plugins/disco.py", line 112, in prepare
self._initialized.prepare()
File "/snap/certbot/3700/lib/python3.8/site-packages/certbot_nginx/_internal/configurator.py", line 204, in prepare
raise errors.NoInstallationError(
certbot.errors.NoInstallationError: Could not find a usable 'nginx' binary. Ensure nginx exists, the binary is executable, and your PATH is set correctly.
2024-04-17 11:38:37,897:DEBUG:certbot._internal.plugins.selection:Multiple candidate plugins: * standalone
Description: Runs an HTTP server locally which serves the necessary validation files under the /.well-known/acme-challenge/ request path. Suitable if there is no HTTP server already running. HTTP challenge only (wildcards not supported).
Interfaces: Authenticator, Plugin
Entry point: EntryPoint(name='standalone', value='certbot._internal.plugins.standalone:Authenticator', group='certbot.plugins')
Initialized: <certbot._internal.plugins.standalone.Authenticator object at 0x7fe175967e50>
Prep: True
* webroot
Description: Saves the necessary validation files to a .well-known/acme-challenge/ directory within the nominated webroot path. A seperate HTTP server must be running and serving files from the webroot path. HTTP challenge only (wildcards not supported).
Interfaces: Authenticator, Plugin
Entry point: EntryPoint(name='webroot', value='certbot._internal.plugins.webroot:Authenticator', group='certbot.plugins')
Initialized: <certbot._internal.plugins.webroot.Authenticator object at 0x7fe175967c70>
Prep: True
2024-04-17 11:38:40,152:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.standalone.Authenticator object at 0x7fe175967e50> and installer None
2024-04-17 11:38:40,152:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator standalone, Installer None
2024-04-17 11:38:40,653:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-staging-v02.api.letsencrypt.org/acme/acct/98108904', new_authzr_uri=None, terms_of_service=None), d634ebfab19ad8ea8c9e29ce1873daa2, Meta(creation_dt=datetime.datetime(2023, 4, 14, 11, 10, 7, tzinfo=<UTC>), creation_host='ip-10-0-0-182.eu-west-1.compute.internal', register_to_eff=None))>
2024-04-17 11:38:40,653:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
2024-04-17 11:38:40,655:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org:443
2024-04-17 11:38:41,058:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 821
2024-04-17 11:38:41,059:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 17 Apr 2024 11:38:41 GMT
Content-Type: application/json
Content-Length: 821
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"NDaEQz3yTiM": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
"keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf",
"website": "https://letsencrypt.org/docs/staging-environment/"
},
"newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
"renewalInfo": "https://acme-staging-v02.api.letsencrypt.org/draft-ietf-acme-ari-02/renewalInfo/",
"revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert"
}
2024-04-17 11:38:41,071:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): r3.o.lencr.org:80
2024-04-17 11:38:41,086:DEBUG:urllib3.connectionpool:http://r3.o.lencr.org:80 "POST / HTTP/1.1" 200 503
2024-04-17 11:38:41,087:DEBUG:certbot.ocsp:OCSP response for certificate /etc/letsencrypt/archive/4skobo.openplanit.com/cert7.pem is signed by the certificate's issuer.
2024-04-17 11:38:41,091:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/archive/4skobo.openplanit.com/cert7.pem is: OCSPCertStatus.GOOD
2024-04-17 11:38:41,094:DEBUG:certbot._internal.storage:Should renew, less than 30 days before certificate expiry 2024-05-15 08:22:24 UTC.
2024-04-17 11:38:41,094:INFO:certbot._internal.renewal:Certificate is due for renewal, auto-renewing...
2024-04-17 11:38:41,095:DEBUG:certbot._internal.display.obj:Notifying user: Simulating renewal of an existing certificate for 4skobo.openplanit.com
2024-04-17 11:38:41,097:DEBUG:acme.client:Requesting fresh nonce
2024-04-17 11:38:41,097:DEBUG:acme.client:Sending HEAD request to https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce.
2024-04-17 11:38:41,230:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2024-04-17 11:38:41,230:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 17 Apr 2024 11:38:41 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 456DJV3nYfz6DG7LEqeSKl9pNLMRgNiihRiepEFhtQ0CMgB9VB4
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
2024-04-17 11:38:41,231:DEBUG:acme.client:Storing nonce: 456DJV3nYfz6DG7LEqeSKl9pNLMRgNiihRiepEFhtQ0CMgB9VB4
2024-04-17 11:38:41,231:DEBUG:acme.client:JWS payload:
b'{\n "identifiers": [\n {\n "type": "dns",\n "value": "4skobo.openplanit.com"\n }\n ]\n}'
2024-04-17 11:38:41,262:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/new-order:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC85ODEwODkwNCIsICJub25jZSI6ICI0NTZESlYzbllmejZERzdMRXFlU0tsOXBOTE1SZ05paWhSaWVwRUZodFEwQ01nQjlWQjQiLCAidXJsIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvbmV3LW9yZGVyIn0",
"signature": "JTM4rKyWmhUiy8zSVVfuadb_oH_v0yih6NmfucDNITx8rUb6gyeSnDx-DxamiIgoNzD0w8uIklU_XulsPBGotTm9G8c1NSZAPMbEXLJdom-YJ6rthre18WAys280utuxD5HHNypuxPB3Ttyvmd_D1QKzWC4XzApmM2wszTA7TOxbKkH4pmdtuPbRhaKUasIJ3wDP3eYsl0idJFi6fPGh_qvq81rOB1wtrHMAxjTbU4g1cJmPLn1i0cenMGGaBn-dJ1pxWFt4xJcTRH4dU5-c6Xg6D7dXJqlR0x2Aqy9ZbVT5plkbJrESENQF0dpNd22tXhDuM3o8ymCzCkpTpPBY1KKdAEKzpT2PDKqicasqA1MTKY17eYpxwZ9N4dnzG3FehXjyWYvYxeG9FBIUeGg6c6Y_g5O5JVAZP-8ZFxsmOdpqPNjdqNju6zfpJ0jmCsALdIWsx6Pe4lnaG37Mdm05jnXmsmFWbZ1Pr4Z9ukbWL-n8GccW-f7hqSXivNtABweAXJk2KBNDCnau5jF0nYjHW8xkfi8--u51pxOZAURTwZjDzr4IeE9B2KTJ4IT4NhkEFhNWDnN4WdsEY3H97PQpROT7HmrJyLHU4bIH5XnOsve3WD5jETRXd-SFBddJNTDT6C7LBulKMFbebxUDQTf3Qy8N_mW4kUzQMGOiTbIhDzI",
"payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogIjRza29iby5vcGVucGxhbml0LmNvbSIKICAgIH0KICBdCn0"
}
2024-04-17 11:38:41,435:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 359
2024-04-17 11:38:41,436:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Wed, 17 Apr 2024 11:38:41 GMT
Content-Type: application/json
Content-Length: 359
Connection: keep-alive
Boulder-Requester: 98108904
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/order/98108904/15974834154
Replay-Nonce: 456DJV3nSCfPRCGppvu_D4qxxkr0y_i456AH1xYnTrQKvPM5X38
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"status": "pending",
"expires": "2024-04-24T11:38:41Z",
"identifiers": [
{
"type": "dns",
"value": "4skobo.openplanit.com"
}
],
"authorizations": [
"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/12042434104"
],
"finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/98108904/15974834154"
}
2024-04-17 11:38:41,436:DEBUG:acme.client:Storing nonce: 456DJV3nSCfPRCGppvu_D4qxxkr0y_i456AH1xYnTrQKvPM5X38
2024-04-17 11:38:41,436:DEBUG:acme.client:JWS payload:
b''
2024-04-17 11:38:41,442:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/12042434104:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC85ODEwODkwNCIsICJub25jZSI6ICI0NTZESlYzblNDZlBSQ0dwcHZ1X0Q0cXh4a3IweV9pNDU2QUgxeFluVHJRS3ZQTTVYMzgiLCAidXJsIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHotdjMvMTIwNDI0MzQxMDQifQ",
"signature": "MrBjbhrIoSmgErWDv_OJtEtQoAAUs6kYkXD4lTED_Ebms_PO7YMHjW0InZA_2m6lJYDBHfUBbsdBM-poGEEEohqmVts1zV8hl-dB60nH0KD1aIhopTHr5GfQjO4uTBx_Va3p0XeNvVNYc3MzSBdFsR1JBolskMiepDdPw4TTMYImis0o4MieLF1Dt1gWLb-u2pomMxdn7bgJV4-MZS7L-2w3zjxZsyqCKsvabqjvcMulzBnD63_MX5aQBxjan1p014Hw5pCOU-9wUotPBDCEs3LE71AjMi0ORcTq3Mvlz9fpAeMdhj8Stj5QYr-SLfvkGljPg3PToyzp5MjebHhIEvfaAcvZu2b1q5KQ2k4eVraWKzS_gtj1J-0ndZkHOQf0kJJyzwlrqoPdHXZwdFjZEu5gDiTMwlK1tJ8m5J1UW9s_uU0-Ojq4gWpWEHpu1XRd9uMfSVk06Zysd5efeVRbUNL4eZdouU3hOOomhrfH7I71SfF4NZCBcoLDV-X5qilhlFSo4qwZdMaj0m3-6SPCcLIDaeN4osFlBSnu8otJMeTLatcVsJoqJf3GOSa3H69w8G9_E5x7z7tJpFpTKj4GJx_BqF6J-hUgT7mrsb4PRQ8lH0IOaYn6q40OXQGs1V07q7eVV9BknfqxJRqHw2FoP8G7gDsh6QmawcRaPzqscq0",
"payload": ""
}
2024-04-17 11:38:41,579:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/12042434104 HTTP/1.1" 200 826
2024-04-17 11:38:41,579:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 17 Apr 2024 11:38:41 GMT
Content-Type: application/json
Content-Length: 826
Connection: keep-alive
Boulder-Requester: 98108904
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 456DJV3nBnnoCpP3iK5yKB12dd0adTJCcdI75WsV1fwoaXWS0hc
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"identifier": {
"type": "dns",
"value": "4skobo.openplanit.com"
},
"status": "pending",
"expires": "2024-04-24T11:38:41Z",
"challenges": [
{
"type": "http-01",
"status": "pending",
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/12042434104/-uwGIA",
"token": "uIuZxewfTU-ZjgUQ3j2d0YOjaPUE_WAh-BnX146tLhs"
},
{
"type": "dns-01",
"status": "pending",
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/12042434104/FMEmLg",
"token": "uIuZxewfTU-ZjgUQ3j2d0YOjaPUE_WAh-BnX146tLhs"
},
{
"type": "tls-alpn-01",
"status": "pending",
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/12042434104/bSJ7ZQ",
"token": "uIuZxewfTU-ZjgUQ3j2d0YOjaPUE_WAh-BnX146tLhs"
}
]
}
2024-04-17 11:38:41,579:DEBUG:acme.client:Storing nonce: 456DJV3nBnnoCpP3iK5yKB12dd0adTJCcdI75WsV1fwoaXWS0hc
2024-04-17 11:38:41,580:INFO:certbot._internal.auth_handler:Performing the following challenges:
2024-04-17 11:38:41,580:INFO:certbot._internal.auth_handler:http-01 challenge for 4skobo.openplanit.com
2024-04-17 11:38:41,580:DEBUG:acme.standalone:Failed to bind to 127.0.0.1:10081 using IPv6
2024-04-17 11:38:41,580:DEBUG:acme.standalone:Successfully bound to 127.0.0.1:10081 using IPv4
2024-04-17 11:38:41,582:DEBUG:certbot._internal.display.obj:Notifying user: Challenges loaded. Press continue to submit to CA.
The following URLs should be accessible from the internet and return the value
mentioned:
URL:
http://4skobo.openplanit.com/.well-known/acme-challenge/uIuZxewfTU-ZjgUQ3j2d0YOjaPUE_WAh-BnX146tLhs
Expected value:
uIuZxewfTU-ZjgUQ3j2d0YOjaPUE_WAh-BnX146tLhs.GZhXFAv_xm22ixmU1QStLTzOb-EfLkYyVnyB0PWSHok
2024-04-17 11:38:48,953:DEBUG:acme.standalone:127.0.0.1 - - Incoming request
2024-04-17 11:38:48,954:DEBUG:acme.standalone:127.0.0.1 - - Serving HTTP01 with token 'uIuZxewfTU-ZjgUQ3j2d0YOjaPUE_WAh-BnX146tLhs'
2024-04-17 11:38:48,954:DEBUG:acme.standalone:127.0.0.1 - - "GET /.well-known/acme-challenge/uIuZxewfTU-ZjgUQ3j2d0YOjaPUE_WAh-BnX146tLhs HTTP/1.1" 200 -
2024-04-17 11:38:54,051:DEBUG:acme.client:JWS payload:
b'{}'
2024-04-17 11:38:54,056:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/12042434104/-uwGIA:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC85ODEwODkwNCIsICJub25jZSI6ICI0NTZESlYzbkJubm9DcFAzaUs1eUtCMTJkZDBhZFRKQ2NkSTc1V3NWMWZ3b2FYV1MwaGMiLCAidXJsIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvY2hhbGwtdjMvMTIwNDI0MzQxMDQvLXV3R0lBIn0",
"signature": "cRe6x5qPtpbjvWBsgsjv_7mFs5tbnSjhUxkgV33RPC0jne_zViyLG5g_4mE1kIshFJBXjYmvCD1d8V-KCh7RZ2TIHwFwvESWZj99CKJR6AIPNhnOJkOTHlBTRrHwfcjbX9i6qMVYVGsjjNkFOvgQonswptO32H1eMkjLivsSN_yEdyho53qSL7sqnl8HYD4hXFgOs0PliBZVuKVGcgULa4bM29vLl13XXv4hqbyv2uLzAcDdxIOfp9-UKkaeosSk3Hjc1sihADvEfFTpO76UzzDkPo_fVo8VZOd9QHTBX-kSh0To-7cLYIyuqSpZ4frR8Z5MZUUTNv0If5K-7K9lF0JRED2wlF-rjeKmUPk7qOGmKu6YKhBy71hgyxGvkcXeIJ1J2TnhL1zvYhvJl390k8E6vHwACARCTvvflXiQMIQAhqGvdZtJuvkt3FXuGAivZJhu9qMPbMrhehZB59t6HBI85p-5LobvsrNzhbMTY8wBEDaVpARiuICYAhqI4kKC1c-gFsocKa2zeGhvJSNxBFgDD48Qs6N3uclBcfuLqEC-ZDVwROrvWHYUo6TmI4PBttTlF9rf1e7xLuQ9Bn3rf0zOx1ZjnjX1-IIkoNAe1nQTkDUHeEXHo_JxoZDjslTqylP16fDYQEt0ZrnPuu9VdblO0f_nzRe2BxDJHIsBFWY",
"payload": "e30"
}
2024-04-17 11:38:54,197:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/12042434104/-uwGIA HTTP/1.1" 200 194
2024-04-17 11:38:54,198:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 17 Apr 2024 11:38:54 GMT
Content-Type: application/json
Content-Length: 194
Connection: keep-alive
Boulder-Requester: 98108904
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/12042434104>;rel="up"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/12042434104/-uwGIA
Replay-Nonce: _O0fw7Zk4LYYf0NzuShXKX_zj5zmP5c4bUGtt9WCVGfCn9v5afI
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"type": "http-01",
"status": "pending",
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/12042434104/-uwGIA",
"token": "uIuZxewfTU-ZjgUQ3j2d0YOjaPUE_WAh-BnX146tLhs"
}
2024-04-17 11:38:54,198:DEBUG:acme.client:Storing nonce: _O0fw7Zk4LYYf0NzuShXKX_zj5zmP5c4bUGtt9WCVGfCn9v5afI
2024-04-17 11:38:54,198:INFO:certbot._internal.auth_handler:Waiting for verification...
2024-04-17 11:38:55,063:DEBUG:acme.standalone:127.0.0.1 - - Incoming request
2024-04-17 11:38:55,064:DEBUG:acme.standalone:127.0.0.1 - - Serving HTTP01 with token 'uIuZxewfTU-ZjgUQ3j2d0YOjaPUE_WAh-BnX146tLhs'
2024-04-17 11:38:55,064:DEBUG:acme.standalone:127.0.0.1 - - "GET /.well-known/acme-challenge/uIuZxewfTU-ZjgUQ3j2d0YOjaPUE_WAh-BnX146tLhs HTTP/1.1" 200 -
2024-04-17 11:38:55,199:DEBUG:acme.client:JWS payload:
b''
2024-04-17 11:38:55,205:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/12042434104:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC85ODEwODkwNCIsICJub25jZSI6ICJfTzBmdzdaazRMWVlmME56dVNoWEtYX3pqNXptUDVjNGJVR3R0OVdDVkdmQ245djVhZkkiLCAidXJsIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHotdjMvMTIwNDI0MzQxMDQifQ",
"signature": "FxficYZM-3Dc1PrkYvMQFRQXeCfEl-wCBchQRzkXpz6RWBdaejcI-aJq2J9gHwnK6rzkHVbshAiBKYjWkfF8mO37NXr-S7xNRgPFzbehAmoI1HmDBPk_Q1CLN74PSP5xUuwDKzB8jEZorqwfhFzQqFdFIJUaO4P-zRMJcX-6usKbBGpopyITed396z8U7L8RlLm_1HVMrykXi43roAqiK5tBxgaiAWyesbdRhhgOBuJvIYpag8xY4q7XRqKNFovshW07nfDDefCqkiYvGEGGSbztUGQC1ibfOS_94SSU0J5iH9VuDlSi4lGmUhUIauQ08PHPazAovmDVdAgVmSxVQ8UATZDMTCujuvEkYplweyJIAxdqxTmAWot8WvG112LBVLpRlzoalKLrA-5Wj_xULfpkk6deJHGwx-SaIH_zHeYta3Y-1LQhdlAy3pqpWIkz5wf_vXAY-ioO4itO0FZ_UIbW-d5Io-743kC26yRfZW6ZFX9xxzCGx-USgU8h0x1MALP6B8g9dDuEE-0lkhp6pwBt9dJCZUojtcELrcD4m8we8CablGACZ55Ef4h_tJeHu3PN5xJYfXMqQmHorUN3LzrqQElN71A-UGvNpeEo84Y23SoZkfcXkN1ZIbZWmsK17Zss75QnDssrzYFhE1bQCqlJroRj1AL6sRO8j3vDXg0",
"payload": ""
}
2024-04-17 11:38:55,340:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/12042434104 HTTP/1.1" 200 826
2024-04-17 11:38:55,340:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 17 Apr 2024 11:38:55 GMT
Content-Type: application/json
Content-Length: 826
Connection: keep-alive
Boulder-Requester: 98108904
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 456DJV3nemPbzSuYd6EaB27j45mGw7sU2C7HeJYIXY8d5PeOjf8
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"identifier": {
"type": "dns",
"value": "4skobo.openplanit.com"
},
"status": "pending",
"expires": "2024-04-24T11:38:41Z",
"challenges": [
{
"type": "http-01",
"status": "pending",
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/12042434104/-uwGIA",
"token": "uIuZxewfTU-ZjgUQ3j2d0YOjaPUE_WAh-BnX146tLhs"
},
{
"type": "dns-01",
"status": "pending",
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/12042434104/FMEmLg",
"token": "uIuZxewfTU-ZjgUQ3j2d0YOjaPUE_WAh-BnX146tLhs"
},
{
"type": "tls-alpn-01",
"status": "pending",
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/12042434104/bSJ7ZQ",
"token": "uIuZxewfTU-ZjgUQ3j2d0YOjaPUE_WAh-BnX146tLhs"
}
]
}
2024-04-17 11:38:55,340:DEBUG:acme.client:Storing nonce: 456DJV3nemPbzSuYd6EaB27j45mGw7sU2C7HeJYIXY8d5PeOjf8
2024-04-17 11:38:58,344:DEBUG:acme.client:JWS payload:
b''
2024-04-17 11:38:58,349:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/12042434104:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC85ODEwODkwNCIsICJub25jZSI6ICI0NTZESlYzbmVtUGJ6U3VZZDZFYUIyN2o0NW1HdzdzVTJDN0hlSllJWFk4ZDVQZU9qZjgiLCAidXJsIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHotdjMvMTIwNDI0MzQxMDQifQ",
"signature": "HjxKL9Vo982esgznFENThEHB6jF1R4VXQ92lei6eDHG6RWo9aODDjMYs6KRN-oixw5o4bEH4GLnbUQuEAfSgknB5wmQ9og73HGfdjejul6Wf1uV2u8Cd0UHcLdliUMbjch1TFClkuC4HT5qa-Pjdro-LF5032PeY4Rnv8bWp61M0X2P3dXx0W4orY57Z8_h84GwdeUqPYvDMM9nupU9XFO2cADhK8cd5o61bhgVUjxB1L_Ne5CEU_xDjtmgVN9JHDewOacoMd8S0JJIJl5Xh_3OlDzx4lsjacqkVByqr4aMx-rVxkQf8FolpkiBvixsHuCoXzdBC7azwQeFOfG9ojNm4dnLvDI00b6wffSGxy6_9euOHH_oGhDQfOspaDMihRBNES-TDnzd78iajxgSo5sI7URxLjZzbmn8KI14AbAOn5JJMJoiHx5EAL8nd62KLIVMp4aauTgwZuy71NXHL_nXi7ilrYV8KKc2gsSU2mzrjvWMZXafxxSUypRBb2y5ptE1jFbq_R_UH1hSmjGP07WjC3frQZnMctl1gBv270zG419t5d3lCA04wjRWHStyacYqsGrvknRFiN4fE5eJVxzFVQFt9NmfiGZK6SCZ5h_6l6gmorTMLLLLRdCofbd_Z5Zb0GKIMZSCBVmeftSKzX4T4colk1n6TI9zv9bjPU2g",
"payload": ""
}
2024-04-17 11:38:58,487:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/12042434104 HTTP/1.1" 200 1289
2024-04-17 11:38:58,487:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 17 Apr 2024 11:38:58 GMT
Content-Type: application/json
Content-Length: 1289
Connection: keep-alive
Boulder-Requester: 98108904
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 456DJV3nD88kewRkC5O9FcZPgIkcj72Jnz4kb2GnVHWasRkEbV4
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"identifier": {
"type": "dns",
"value": "4skobo.openplanit.com"
},
"status": "invalid",
"expires": "2024-04-24T11:38:41Z",
"challenges": [
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "During secondary validation: 108.157.214.125: Invalid response from http://4skobo.openplanit.com/.well-known/acme-challenge/uIuZxewfTU-ZjgUQ3j2d0YOjaPUE_WAh-BnX146tLhs: 403",
"status": 403
},
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/12042434104/-uwGIA",
"token": "uIuZxewfTU-ZjgUQ3j2d0YOjaPUE_WAh-BnX146tLhs",
"validationRecord": [
{
"url": "http://4skobo.openplanit.com/.well-known/acme-challenge/uIuZxewfTU-ZjgUQ3j2d0YOjaPUE_WAh-BnX146tLhs",
"hostname": "4skobo.openplanit.com",
"port": "80",
"addressesResolved": [
"18.154.101.94",
"18.154.101.8",
"18.154.101.114",
"18.154.101.25"
],
"addressUsed": "18.154.101.94",
"resolverAddrs": [
"A:10.0.32.81:30689",
"AAAA:10.0.32.82:23095"
]
}
],
"validated": "2024-04-17T11:38:54Z"
}
]
}
2024-04-17 11:38:58,487:DEBUG:acme.client:Storing nonce: 456DJV3nD88kewRkC5O9FcZPgIkcj72Jnz4kb2GnVHWasRkEbV4
2024-04-17 11:38:58,488:INFO:certbot._internal.auth_handler:Challenge failed for domain 4skobo.openplanit.com
2024-04-17 11:38:58,488:INFO:certbot._internal.auth_handler:http-01 challenge for 4skobo.openplanit.com
2024-04-17 11:38:58,488:DEBUG:certbot._internal.display.obj:Notifying user:
Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: 4skobo.openplanit.com
Type: unauthorized
Detail: During secondary validation: 108.157.214.125: Invalid response from http://4skobo.openplanit.com/.well-known/acme-challenge/uIuZxewfTU-ZjgUQ3j2d0YOjaPUE_WAh-BnX146tLhs: 403
Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on 127.0.0.1:10081. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.
2024-04-17 11:38:58,488:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File "/snap/certbot/3700/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
File "/snap/certbot/3700/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2024-04-17 11:38:58,489:DEBUG:certbot._internal.error_handler:Calling registered functions
2024-04-17 11:38:58,489:INFO:certbot._internal.auth_handler:Cleaning up challenges
2024-04-17 11:38:58,489:DEBUG:certbot._internal.plugins.standalone:Stopping server at 127.0.0.1:10081...
2024-04-17 11:38:58,569:ERROR:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/snap/certbot/3700/bin/certbot", line 8, in <module>
sys.exit(main())
File "/snap/certbot/3700/lib/python3.8/site-packages/certbot/main.py", line 19, in main
return internal_main.main(cli_args)
File "/snap/certbot/3700/lib/python3.8/site-packages/certbot/_internal/main.py", line 1894, in main
return config.func(config, plugins)
File "/snap/certbot/3700/lib/python3.8/site-packages/certbot/_internal/main.py", line 1600, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File "/snap/certbot/3700/lib/python3.8/site-packages/certbot/_internal/main.py", line 131, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File "/snap/certbot/3700/lib/python3.8/site-packages/certbot/_internal/renewal.py", line 399, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
File "/snap/certbot/3700/lib/python3.8/site-packages/certbot/_internal/client.py", line 428, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/snap/certbot/3700/lib/python3.8/site-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
File "/snap/certbot/3700/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
File "/snap/certbot/3700/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
haproxy.cfg
global
    log /dev/log local0
    log /dev/log local1 info
    #notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    maxcompcpuusage 95
    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHA>
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
####
defaults
    log global
    mode http
    option httplog
    option dontlognull
    option forwardfor
    timeout connect 5s
    timeout client 50s
    timeout server 50s
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http
####
frontend default
    bind *:80
    mode http
    log global
    option httplog
    option httpslog
    maxconn 2000
    option forwardfor
    # ACME challenge ACL
    acl is_acme_challenge path_beg /.well-known/acme-challenge/
    # Redirect non-ACME challenges to HTTPS
    http-request redirect scheme https code 301 if !{ ssl_fc } !is_acme_challenge
    http-request set-header X-Forwarded-Proto "https"
    http-request set-header X-Forwarded-Port "443"
    # ACME challenge backend
    use_backend certbot if is_acme_challenge
####
frontend ssl
    bind *:443 ssl crt /etc/ssl/haproxy/4skobo.openplanit.com.pem
    log global
    option httplog
    maxconn 2000
    option forwardfor
    http-request set-header X-Forwarded-Proto https
    acl 4s hdr(host) -i 4skobo.openplanit.com
    use_backend kobo if 4s
    default_backend backend-no-match
####
backend kobo
    mode http
    log global
    fullconn 2000
    # balance source # for load balancing
    http-response set-header Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
    http-response set-header Pragma "no-cache"
    http-request set-header Host domain.openplanit.com
    # Cloudfront IP forwarding
    http-request set-header X-Real-IP %[src]
    # https://dannytsang.co.uk/securing-haproxy-headers/
    http-response add-header X-XSS-Protection "1; mode=block"
    http-response set-header X-Frame-Options "SAMEORIGIN"
    http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    http-response add-header X-Content-Type-Options "nosniff"
    http-response set-header Referrer-Policy strict-origin
    # https://stackoverflow.com/questions/66263928/how-do-i-secure-cookies-in-haproxy-2-2-using-an-http-response-line
    http-response replace-header Set-Cookie ^((?:.(?!\ [Ss]ecure))*)$ \1;\ SameSite=None;\ Secure
    # https://www.haproxy.com/blog/how-to-secure-cookies-using-haproxy-enterprise/
    http-after-response replace-header Set-Cookie '(^((?!(?i)httponly).)*$)' "\1; HttpOnly"
    # prevent directory traversal
    http-request deny if { path_reg -i "/\.\./" }
    server kobo a.domain.com:443 ssl verify none
####
backend certbot
    mode http
    log global
    server local 127.0.0.1:10081
####
backend backend-no-match
    http-request deny deny_status 400
Certbot has worked as expected on this server before with a script that then updates both HAProxy and CloudFront certs. The last cert was issued on Fri Feb 02 2024 using this method. Since then no changes have been made.
Please note: this is a test server and isn't always online.
Thanks in advance for any help
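Added triage example (mine, not the original poster's, and not code from certbot, Boulder or HAProxy). It puts the two pieces of evidence in the post side by side: the final authorization object the CA returned, where the http-01 challenge failed with "During secondary validation: 108.157.214.125: Invalid response from ...: 403" while the primary perspective's validationRecord shows addressUsed 18.154.101.94, and the haproxy.log lines, where every request that reached the origin was answered 200 by the certbot backend. In Boulder's error text the address in front of the URL is the server the validator connected to, not the validator's own IP, so both 18.154.101.94 and 108.157.214.125 are addresses that 4skobo.openplanit.com resolved to from the two perspectives, i.e. the CDN in front of HAProxy. The sample authorization and log lines below are copied from the post into Python literals (trimmed to the fields used); the regular expressions, field names and verdict strings are my own.

```python
import re

TOKEN = "uIuZxewfTU-ZjgUQ3j2d0YOjaPUE_WAh-BnX146tLhs"
CHALLENGE_URL = "http://4skobo.openplanit.com/.well-known/acme-challenge/" + TOKEN

# Constructed sample: the final authorization object from the post's
# letsencrypt.log, trimmed to the fields the triage reads.
AUTHZ = {
    "status": "invalid",
    "challenges": [{
        "type": "http-01", "status": "invalid", "token": TOKEN,
        "error": {
            "type": "urn:ietf:params:acme:error:unauthorized", "status": 403,
            "detail": "During secondary validation: 108.157.214.125: "
                      "Invalid response from " + CHALLENGE_URL + ": 403",
        },
        "validationRecord": [{
            "url": CHALLENGE_URL, "addressUsed": "18.154.101.94",
            "addressesResolved": ["18.154.101.94", "18.154.101.8",
                                  "18.154.101.114", "18.154.101.25"],
        }],
    }],
}

# Constructed sample: the two distinct HAProxy httplog lines from the post.
HAPROXY_LOG = [
    'Apr 17 11:38:48 ip-10-0-0-182 haproxy[77558]: 70.132.63.143:60068 '
    '[17/Apr/2024:11:38:48.953] default certbot/local 0/0/0/1/1 200 186 - - ---- '
    '1/1/0/0/0 0/0 "GET /.well-known/acme-challenge/' + TOKEN + ' HTTP/1.1" 0/-/-/-/0 -/-/-',
    'Apr 17 11:38:55 ip-10-0-0-182 haproxy[77558]: 15.158.7.134:48008 '
    '[17/Apr/2024:11:38:55.063] default certbot/local 0/0/0/1/1 200 186 - - ---- '
    '1/1/0/0/0 0/0 "GET /.well-known/acme-challenge/' + TOKEN + ' HTTP/1.1" 0/-/-/-/0 -/-/-',
]

# HAProxy "option httplog" line (IPv4 clients): client:port [accept date]
# frontend backend/server timers status bytes ... "METHOD PATH VERSION".
HAPROXY_RE = re.compile(
    r'haproxy\[\d+\]: (?P<client_ip>[\d.]+):\d+ \[[^\]]+\] (?P<frontend>\S+) '
    r'(?P<backend>\S+)/(?P<server>\S+) [-\d/]+ (?P<status>\d{3}) \d+ '
    r'.*?"(?P<method>\S+) (?P<path>\S+) \S+"')

# Boulder's detail text: optional "During secondary validation: " prefix, then
# the address the validator connected to, the URL it fetched and the status.
ERROR_RE = re.compile(
    r"(?P<secondary>During secondary validation: )?"
    r"(?P<addr>[0-9a-fA-F.:]+): Invalid response from (?P<url>\S+): (?P<http>\d{3})")


def parse_haproxy_httplog(line):
    """One httplog line -> dict of the fields above, or None if it is not one."""
    m = HAPROXY_RE.search(line)
    if not m:
        return None
    hit = m.groupdict()
    hit["status"] = int(hit["status"])
    return hit


def origin_challenge_hits(lines, token):
    """Every request the origin logged for this token's challenge path."""
    path = "/.well-known/acme-challenge/" + token
    return [h for h in map(parse_haproxy_httplog, lines) if h and h["path"] == path]


def triage_authz(authz):
    """Summarise each failed challenge in a final ACME authorization object."""
    failures = []
    for ch in authz.get("challenges", []):
        if ch.get("status") != "invalid":
            continue
        err = ch.get("error", {})
        m = ERROR_RE.search(err.get("detail", ""))
        records = ch.get("validationRecord", [])
        resolved = sorted({a for r in records for a in r.get("addressesResolved", [])})
        failures.append({
            "type": ch.get("type"),
            "error_type": err.get("type"),
            "secondary": bool(m and m.group("secondary")),
            "address_used": m.group("addr") if m else None,
            "http_status": int(m.group("http")) if m else None,
            "primary_addresses": [r.get("addressUsed") for r in records],
            "resolved": resolved,
            "same_address_as_primary": bool(m) and m.group("addr") in resolved,
        })
    return {"status": authz.get("status"), "failures": failures}


def classify(triage, hits):
    """Verdict for the http-01 failure from CA-side plus origin-side evidence."""
    f = next((f for f in triage["failures"] if f["type"] == "http-01"), None)
    if f is None:
        return "no-http01-failure"
    if not hits:
        return "no-origin-traffic"      # nothing reached HAProxy at all
    if any(h["status"] == f["http_status"] for h in hits):
        return "origin-status"          # HAProxy itself produced that status
    if f["secondary"] and all(h["status"] == 200 for h in hits):
        # The primary perspective passed and every request that reached the
        # origin got 200: the failing status was produced in front of the
        # origin by whatever the remote perspective connected to (a CDN edge).
        return "blocked-before-origin"
    return "inconclusive"
```

The verdict only says where the 403 was generated, not why. To pin that down while certbot is paused at --debug-challenge, fetch the challenge URL with `curl -sD - -o /dev/null http://4skobo.openplanit.com/.well-known/acme-challenge/<token>` from more than one network and compare the response headers with what haproxy.log records: a 403 that never appears in haproxy.log cannot have come from HAProxy or from the 403.http errorfile in the config, so the next place to look is whatever sits in front of it (geo restrictions, WAF rules or a behaviour that does not forward the /.well-known/ path).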