Certbot - improve error for failed validation


#1

When validation fails, certbot gives users the following error:

As we’ve seen here over and over and over again, this often sends folks on a wild goose chase to fix their DNS records, when it turns out there was nothing wrong with them to begin with. DNS issues aren’t the only common issue, and my observation suggests they aren’t even the most common issue (I suspect the most common issue is an incorrect webroot path). It’d be good to improve this. I’d suggest either

  • (easy, but less useful) “The most common causes of failure are missing or incorrect DNS records, an incorrect webroot path, and a firewall preventing the Let’s Encrypt validation servers from accessing this server”, followed by a short bullet list of things to check for each. This might at least avoid the (incorrect) laser focus on the DNS records.
  • (more useful, but no doubt considerably more work) actually testing common failure points. Certbot can tell, in most common configurations, if the DNS records are adequate. It can tell, assuming the webserver is listening on localhost, what’s being served for the challenge. Firewall may be harder, but would still be beneficial to check if possible.
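As an added illustration of the second suggestion above (this is example code, not certbot's own and not posted in this thread): a pre-flight check that writes a throwaway token under the webroot, fetches it back through the local web server, and classifies the result into the failure classes the thread discusses (wrong webroot path, nothing listening or firewalled, something other than the static file answering). The `check_webroot` and `resolve_names` function names, the `base_url`/`host_header` parameters and the `demo()` stand-in server are all assumptions for the example.

```python
import os
import secrets
import socket
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

# Path under the webroot that the HTTP-01 challenge file is served from.
CHALLENGE_PATH = ".well-known/acme-challenge"


def resolve_names(domain):
    """Addresses the domain currently resolves to (empty list if it does not resolve)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(domain, None)})
    except socket.gaierror:
        return []


def check_webroot(webroot, base_url, host_header=None, timeout=5):
    """Drop a random token into <webroot>/.well-known/acme-challenge/ and fetch it
    back through the web server at base_url (hypothetical helper).

    Outcomes: 404 -> webroot is not this vhost's document root; connection error
    -> nothing listening on that address/port (or a firewall in the way);
    200 with the wrong body -> a redirect or rewrite rule answered instead of
    the static file; 200 with the token -> the challenge would be served.
    """
    token = secrets.token_urlsafe(16)
    challenge_dir = os.path.join(webroot, *CHALLENGE_PATH.split("/"))
    os.makedirs(challenge_dir, exist_ok=True)
    token_file = os.path.join(challenge_dir, token)
    with open(token_file, "w", encoding="ascii") as fh:
        fh.write(token)
    try:
        req = urllib.request.Request(f"{base_url.rstrip('/')}/{CHALLENGE_PATH}/{token}")
        if host_header:  # select the vhost the way the validation server would
            req.add_header("Host", host_header)
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("ascii", errors="replace").strip()
    except urllib.error.HTTPError as exc:  # must precede URLError (its parent class)
        return {"ok": False, "status": exc.code,
                "reason": f"server answered HTTP {exc.code}: webroot is probably "
                          f"not this vhost's document root"}
    except (urllib.error.URLError, OSError) as exc:
        return {"ok": False, "status": None,
                "reason": f"could not connect to {base_url}: {exc}"}
    finally:
        os.remove(token_file)  # never leave the probe file behind
    if body != token:
        return {"ok": False, "status": 200,
                "reason": "200 OK but body is not the token (redirect or rewrite rule?)"}
    return {"ok": True, "status": 200, "reason": "challenge file is served correctly"}


class _QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, *args):  # silence per-request logging in the demo
        pass


def demo():
    """Run the check against a constructed local stand-in server: one temp
    directory is the real document root, another is a wrong webroot guess."""
    docroot = tempfile.mkdtemp(prefix="docroot-")
    wrong_root = tempfile.mkdtemp(prefix="wrong-")
    server = ThreadingHTTPServer(("127.0.0.1", 0), partial(_QuietHandler, directory=docroot))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base_url = f"http://127.0.0.1:{server.server_address[1]}"
    # Find a port nothing listens on, to simulate a closed/firewalled server.
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()
    try:
        good = check_webroot(docroot, base_url, host_header="example.com")
        bad = check_webroot(wrong_root, base_url, host_header="example.com")
        dead = check_webroot(docroot, f"http://127.0.0.1:{closed_port}", timeout=2)
    finally:
        server.shutdown()
        server.server_close()
    return {"correct_webroot": good, "wrong_webroot": bad, "nothing_listening": dead}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'OK' if result['ok'] else 'FAIL'} - {result['reason']}")
```

Run it as-is to see the three outcomes against the built-in stand-in server, or call `check_webroot("/var/www/html", "http://127.0.0.1", host_header="example.com")` against a real local web server before invoking certbot. The token is removed in a `finally` block so a failed probe does not leave files in the challenge directory, and a 200 with the wrong body is reported separately because that case (a catch-all redirect answering instead of the file) is indistinguishable from a DNS problem in the message the thread complains about.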

#2

Let’s Encrypt does give back many more errors besides the one you’re quoting. The error you’re quoting suggests a connection time out, but in that case, it would suggest a firewall problem (a different error message). Also, when the token for http verification cannot be found, it also tells the client exactly that, even with the first part of the webserver response.


#3

It wasn’t; it was copied from a thread where the validation returned 404.

Yes, and then it gives the text I quoted above.

Certbot does report more in the way of error messages than what I quoted, but it seems to very frequently (if not always) conclude with what I quoted. And that’s the problem. No matter what goes wrong (which certbot does report), it concludes with “check your DNS entries”.


#4

Hi @danb35,

This is good feedback and I think the Certbot team would be receptive to discussing it, but I think it would be better if you could provide it in a Certbot issue.