Certbot - No DNS Delegation but IP Is Returned - Challenge Fails

I get this strange error:

Error Detail:
5/17/2017 7:56:10 PM	Validation for domain.name:80
5/17/2017 7:56:10 PM	Resolved to:
5/17/2017 7:56:10 PM		<my ip>
5/17/2017 7:56:10 PM	Used: <my ip>

The IP is the same, so… where is the error?

Hi @dalareo,

That is just an excerpt of the error from the CA, not the full error. What software are you using to obtain the certificate?

This is the full error:

5/17/2017 8:17:38 PMtime="2017-05-17T18:17:38Z" level=info msg="Starting Let's Encrypt Certificate Manager v0.5.0 0913231"
5/17/2017 8:17:39 PMtime="2017-05-17T18:17:39Z" level=info msg="Using locally stored Let's Encrypt account for david@educaas.io"
5/17/2017 8:17:39 PMtime="2017-05-17T18:17:39Z" level=info msg="Using Let's Encrypt Sandbox API"
5/17/2017 8:17:39 PMtime="2017-05-17T18:17:39Z" level=info msg="Using HTTP challenge: Sleeping for 120 seconds before requesting certificate"
5/17/2017 8:17:39 PMtime="2017-05-17T18:17:39Z" level=info msg="Make sure that HTTP requests for '/.well-known/acme-challenge' for all certificate domains are forwarded to port 80 of the container running this application"
5/17/2017 8:19:39 PMtime="2017-05-17T18:19:39Z" level=info msg="Trying to obtain SSL certificate (educaas.eteo.mondragon.edu) from Let's Encrypt Sandbox CA"
5/17/2017 8:19:39 PMtime="2017-05-17T18:19:39Z" level=info msg="[INFO][educaas.eteo.mondragon.edu] acme: Obtaining bundled SAN certificate"
5/17/2017 8:19:39 PMtime="2017-05-17T18:19:39Z" level=info msg="[INFO][educaas.eteo.mondragon.edu] AuthURL: https://acme-staging.api.letsencrypt.org/acme/authz/anonymized_hash"
5/17/2017 8:19:39 PMtime="2017-05-17T18:19:39Z" level=info msg="[INFO][educaas.eteo.mondragon.edu] acme: Trying to solve HTTP-01"
5/17/2017 8:19:41 PMtime="2017-05-17T18:19:41Z" level=error msg="[educaas.eteo.mondragon.edu] Error obtaining certificate: acme: Error 400 - urn:acme:error:connection - Could not connect to educaas.eteo.mondragon.edu
5/17/2017 8:19:41 PMError Detail:
5/17/2017 8:19:41 PM	Validation for educaas.eteo.mondragon.edu:80
5/17/2017 8:19:41 PM	Resolved to:
5/17/2017 8:19:41 PM
5/17/2017 8:19:41 PM	Used:
5/17/2017 8:19:41 PM

I am using Rancher with rancher-letsencrypt template from community catalog. Everything was running until now.

It looks like it’s relying on an existing web server to perform the authentication, and that web server is either not currently running, or is no longer listening on port 80.

Another possibility since you’re likely then running inside of a container is that the container’s port 80 (or the port 80 of a different container that it depends on) is no longer mapped properly to the publicly-visible port 80 of the host system.


Get the same error …
I use the HTTP method, and created a rule on HAProxy that sends /.well-known/acme-challenge on port 80 to my letsencrypt container.

When I go inside the letsencrypt container I don’t see any TCP listener on 80.
But maybe that is because of the netstat release on Alpine?

Is the client using an existing Apache or something, or is it launching its own web server?

In the latter case, it might only launch the web server during the actual verification process, so it might only be running and listening on port 80 for a few seconds.

In my case, I don’t know if the following can explain the issue …

The DNS name server1.mydomain.com is defined on a public IP xxxx.
But inside the server, the same DNS name server1.mydomain.com resolves to a private IP yyyy.

When letsencrypt displays the validation message, I see the private IP:

Validation for server1.mydomain.com
Resolved to: yyyy
Used: yyyy

It sounds like you have a DNS leak (some DNS server that Let’s Encrypt thinks is authoritative for your domain is returning the private IP address instead of the public one, even outside of your network).

Hi @dalareo

You have a very interesting DNS setup.

There are no name servers, but an IP is returned, which is what I expect the error is.

Let’s Encrypt asks for a list of name servers and then picks a random one to query for the IP.

I would suggest fixing DNS related issues first.
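A small diagnostic for the failure modes discussed in this thread: an empty "Resolved to:" answer, a private split-horizon answer that the CA's public validators can never reach, and a port 80 that is not actually accepting connections on the resolved address. This is an added example, not code from the thread or from the rancher-letsencrypt template; the host name is a constructed placeholder, and `addrs`/`connect` can be injected so the checks also run offline.

```python
import ipaddress
import socket

SAMPLE_NAME = "server1.example.test"  # constructed placeholder, not a real host


def classify(addrs):
    """Empty answer, non-public answer (split-horizon DNS), or a public address."""
    if not addrs:
        return "no-address"
    if any(not ipaddress.ip_address(a).is_global for a in addrs):
        return "non-public-address"
    return "public-address"


def resolve(name):
    """Addresses the host's own resolver returns (what the container itself sees)."""
    try:
        infos = socket.getaddrinfo(name, 80, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def port80_open(addr, timeout=3.0):
    """True if a plain TCP connect to addr:80 succeeds, which HTTP-01 requires."""
    try:
        with socket.create_connection((addr, 80), timeout=timeout):
            return True
    except OSError:
        return False


def check(name, addrs=None, connect=port80_open):
    """Findings as text; addrs and connect are injectable so this can run offline."""
    addrs = resolve(name) if addrs is None else addrs
    findings = [f"{name} resolved to: {', '.join(addrs) or 'nothing'}"]
    verdict = classify(addrs)
    if verdict == "no-address":
        findings.append("empty answer: validation cannot start (the blank 'Resolved to:' above)")
        return findings
    if verdict == "non-public-address":
        findings.append("private or loopback answer: the CA's validators cannot reach it (split-horizon DNS)")
    for a in addrs:
        findings.append(f"{a}:80 {'accepts' if connect(a) else 'refuses'} TCP connections")
    return findings


if __name__ == "__main__":
    print("\n".join(check(SAMPLE_NAME)))
```

Run it both on the host and inside the container: if the two "resolved to" lines differ, or the container's answer is non-public, the DNS view is the problem rather than the web server.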
