Certbot manual no validation challenge

Reedys · May 30, 2021, 12:24pm

Hello Let's Encrypt community
I am running certbot certonly --manual. Certificate/key files are well generated. The issue is that I have no information regarding the validation step.
I am expecting certbot to provide me the file name and the challenge value I must put in a .well-known folder and serve on the port 80, but the command just exits after certificate generation.

My domain is:
wowgathering.fr

I ran this command:
certbot certonly --manual

It produced this output:
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/wowgathering.fr/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/wowgathering.fr/privkey.pem
Your certificate will expire on 2021-08-28. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again. To non-interactively renew all of your
certificates, run "certbot renew"

My web server is (include version):
Nodejs Express (node version is 14.17.0)

The operating system my web server runs on is (include version):
Centos 8

My hosting provider, if applicable, is:
OVH

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot version: 1.15.0 (installed using snap)

Thank you for the help!

Rip · May 30, 2021, 5:08pm

Hi @Reedys and welcome to the community!

You have obtained 4 certificates in the last 2 days.
https://crt.sh/?q=wowgathering.fr

You should consider installing/using one already issued...

If I understand your issue, you were expecting to asked to asked to provide a "string" into a file for a http or dns challenge...

Please have a look at the documentation for the --manual switch you invoked which should shed some light on the situation for you:

The http challenge will ask you to place a file with a specific name and specific content in the /.well-known/acme-challenge/ directory directly in the top-level directory (“web root”) containing the files served by your webserver. In essence it’s the same as the webroot plugin, but not automated.

When using the dns challenge, certbot will ask you to place a TXT DNS record with specific contents under the domain name consisting of the hostname for which you want a certificate issued, prepended by _acme-challenge .

In addition, from where I sit your port 443 is not open to the internet. That will need to be accessable for your cert(s) to work.

PORT    STATE  SERVICE
22/tcp  open   ssh
80/tcp  open   http
443/tcp closed https

Firewall? Maybe. Something is blocking 443.
Hope this helps.

Reedys · May 30, 2021, 5:16pm

Thank you for your reply @Rip !
Indeed you understand my issue: I am expecting certbot to provide me data in order to be able to do an http challenge.
I looked at this manual documentation, but I am not "asked for the http challenge" (using no option, or the --preferred-challenges http option).
Indeed port 443 is not open. Do you think it could be related to the fact that certbot does not ask for a challenge?
I will try to open it and let you know

Reedys · May 30, 2021, 5:30pm

@Rip, I did open port 443 to test again

Here is the output a the certbot certonly --manual command:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): wowgathering.fr
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/wowgathering.fr.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal; no action taken.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Looks like having the port 443 does not change the situation.

Also I forgot to mention that I am running certbot from the VPS (Centos 8) that hosts the webserver directly, if it changes anything

petercooperjr · May 30, 2021, 5:47pm

My guess is that because you've successfully completed a challenge for your domain name in the past 30 days, you're not being asked to do another one.

Once you have a certificate, you should just be using it rather than trying to get another one. If you're trying to test your manual process, then add --dry-run in order to run tests against the staging environment, and certbot makes sure to use new authorizations there.

Osiris · May 30, 2021, 5:53pm

Question: what are you trying to accomplish with a new http challenge?

Reedys · May 30, 2021, 6:11pm

Thank you for your replies

@petercooperjr @Osiris from what you are saying I understand that I already validated a challenge succesfully. That surprises me because I have never received a acme challenge token to expose.

Ok so I have just re-checked my domain and you are right, certificate seems to have been validated, I can access to the domain through the browser and the lock icon appears. Last time I checked I had the "Not secure" warning but I was on another port, I forgot that I had to use port 443.

Just out of curiosity now that it works, my .well-known folder has never exposed a correct token, how did the validation work?

In any case, thank you for your support!

griffin · May 30, 2021, 6:21pm

Welcome to the Let's Encrypt Community

You might have used the apache, nginx, or standalone authenticator on your first attempt, which takes care of the http-01 challenge process for you, instead of the manual authenticator.

Incidentally, I'm unable to access your website over port 80 (http) or port 443 (https). Both reports are being reported as closed by Open Port Check Tool - Test Port Forwarding on Your Router.

Update: Now port 443 is open.

Rip · May 30, 2021, 6:26pm

PORT    STATE  SERVICE
22/tcp  open   ssh
80/tcp  closed http
443/tcp open   https

griffin · May 30, 2021, 6:29pm

I concur, @Rip. Port 443 is now open. I sense that changes are afoot.

Reedys · May 30, 2021, 6:35pm

Oh yes indeed I used the --standalone option on my first attempt.
Thank you all!

Rip · May 30, 2021, 6:36pm

@Reedys

HardcoreGames · May 30, 2021, 9:39pm

OP's server returned and Chrome said cannot GET

system · June 29, 2021, 9:40pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.