Certbot not working for me


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: teams.jrmpc.ca

I ran these commands:

sudo certbot certonly --webroot -w /var/www/jrmpc -d teams.jrmpc.ca

sudo certbot certonly --standalone -d teams.jrmpc.ca

It produced this output:

Failed authorization procedure…

The following errors were reported by the server:

Domain: teams.jrmpc.ca
Type: unauthorized
Detail: Invalid response from http://teams.jrmpc.ca/.well-known/acme-challenge/

After several failed attempts to find the correct procedure, I am now locked out with:

Error creating new order :: too many failed authorizations recently…

My web server is (include version):

Web server is internal to my Pharo/Teapot web application.

The operating system my web server runs on is (include version):

Ubuntu Server 18.04 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No


#2

Hi,

Could you please try to place a test file with dummy content at http://teams.jrmpc.ca/.well-known/acme-challenge/test?

Thank you


#3

What was the rest of the error message?

What’s in your web server’s error log?


#4

Done. The file is fred.html


#5

Here’s the tail end of my log:

2018-12-20 14:07:46,940:DEBUG:certbot.main:certbot version: 0.28.0
2018-12-20 14:07:46,942:DEBUG:certbot.main:Arguments: ['--webroot', '-w', '/var/www/jrmpc', '-d', 'teams.jrmpc.ca']
2018-12-20 14:07:46,942:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2018-12-20 14:07:46,953:DEBUG:certbot.log:Root logging level set at 20
2018-12-20 14:07:46,954:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2018-12-20 14:07:46,954:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2018-12-20 14:07:46,955:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7f5ef2f0e7f0>
Prep: True
2018-12-20 14:07:46,956:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7f5ef2f0e7f0> and installer None
2018-12-20 14:07:46,956:INFO:certbot.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2018-12-20 14:07:46,990:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None), uri=‘https://acme-v02.api.letsencrypt.org/acme/acct/48015966’, new_authzr_uri=None, terms_of_service=None), 87a84c065f95f9e90f7100c73623a28b, Meta(creation_dt=datetime.datetime(2018, 12, 20, 2, 4, 55, tzinfo=), creation_host=‘daredevil’))>
2018-12-20 14:07:46,991:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2018-12-20 14:07:46,993:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
2018-12-20 14:07:47,180:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 “GET /directory HTTP/1.1” 200 658
2018-12-20 14:07:47,181:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 658
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Thu, 20 Dec 2018 14:07:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 20 Dec 2018 14:07:47 GMT
Connection: keep-alive

{
  "cNNuD9lyqQk": "Adding random entries to the directory",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2018-12-20 14:07:47,181:INFO:certbot.main:Obtaining a new certificate
2018-12-20 14:07:47,308:DEBUG:certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0006_key-certbot.pem
2018-12-20 14:07:47,312:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0006_csr-certbot.pem
2018-12-20 14:07:47,313:DEBUG:acme.client:Requesting fresh nonce
2018-12-20 14:07:47,314:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2018-12-20 14:07:47,387:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 “HEAD /acme/new-nonce HTTP/1.1” 204 0
2018-12-20 14:07:47,388:DEBUG:acme.client:Received response:
HTTP 204
Server: nginx
Replay-Nonce: oys_JiJq6KGprW1f-32G4tCCfgxLwexSTilkwEYZQXk
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Thu, 20 Dec 2018 14:07:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 20 Dec 2018 14:07:47 GMT
Connection: keep-alive

2018-12-20 14:07:47,388:DEBUG:acme.client:Storing nonce: oys_JiJq6KGprW1f-32G4tCCfgxLwexSTilkwEYZQXk
2018-12-20 14:07:47,388:DEBUG:acme.client:JWS payload:
b'{\n "identifiers": [\n {\n "type": "dns",\n "value": "teams.jrmpc.ca"\n }\n ]\n}'
2018-12-20 14:07:47,391:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
“protected”: “eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNDgwMTU5NjYiLCAibm9uY2UiOiAib3lzX0ppSnE2S0dwclcxZi0zMkc0dENDZmd4THdleFNUaWxrd0VZWlFYayIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvbmV3LW9yZGVyIn0”,
“signature”: “m8XmX-ljZ0rN8AjIehS-1ScmVXJfCxhjDzsCjRRkYYadawqxX4gYJMLnMFuvremlREn1tvvtAwF_cK8knyIY0X2zaW_ETyzWvNvTLQQ34dc7tngqNI2CAvsUN6aH1Ob7y3ikwbl6Mk_7ewZ0HSDFRP_TOaCCW4Bb8V36rJtWmmgJ3fa8I9A-3uohD1DY3osbPRY6zOEoIt5B_hLs-rbIU6g5wFxkmUBbdbIPKy0bJMvM-35av3q0IeDTTLHPs_2iLPiKYxKIror9stgdW3JhPvip8IY8SHsuHaY2b04MWuX1UrM0b3fsOhLBC6OQYOrC5jSOB18Sy-W9qKhh-5EDuA”,
“payload”: “ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogInRlYW1zLmpybXBjLmNhIgogICAgfQogIF0KfQ”
}
2018-12-20 14:07:47,476:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 “POST /acme/new-order HTTP/1.1” 429 201
2018-12-20 14:07:47,477:DEBUG:acme.client:Received response:
HTTP 429
Server: nginx
Content-Type: application/problem+json
Content-Length: 201
Boulder-Requester: 48015966
Replay-Nonce: Xx2YP7PIyWu1PPHXBLJQnn_tdbrJ6xuVHUjgG2wPq4Y
Expires: Thu, 20 Dec 2018 14:07:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 20 Dec 2018 14:07:47 GMT
Connection: close

{
  "type": "urn:ietf:params:acme:error:rateLimited",
  "detail": "Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/",
  "status": 429
}
2018-12-20 14:07:47,477:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File “/usr/bin/certbot”, line 11, in
load_entry_point(‘certbot==0.28.0’, ‘console_scripts’, ‘certbot’)()
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 1340, in main
return config.func(config, plugins)
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 1225, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 121, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File “/usr/lib/python3/dist-packages/certbot/client.py”, line 392, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File “/usr/lib/python3/dist-packages/certbot/client.py”, line 335, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File “/usr/lib/python3/dist-packages/certbot/client.py”, line 367, in _get_order_and_authorizations
orderr = self.acme.new_order(csr_pem)
File “/usr/lib/python3/dist-packages/acme/client.py”, line 824, in new_order
return self.client.new_order(csr_pem)
File “/usr/lib/python3/dist-packages/acme/client.py”, line 650, in new_order
response = self._post(self.directory[‘newOrder’], order)
File “/usr/lib/python3/dist-packages/acme/client.py”, line 94, in _post
return self.net.post(*args, **kwargs)
File “/usr/lib/python3/dist-packages/acme/client.py”, line 1130, in post
return self._post_once(*args, **kwargs)
File “/usr/lib/python3/dist-packages/acme/client.py”, line 1147, in _post_once
response = self._check_response(response, content_type=content_type)
File “/usr/lib/python3/dist-packages/acme/client.py”, line 999, in _check_response
raise messages.Error.from_json(jobj)
acme.messages.Error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/
2018-12-20 14:07:47,479:ERROR:certbot.log:An unexpected error occurred:
2018-12-20 14:07:47,479:ERROR:certbot.log:There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/


#6

Hi,

What’s the full path where you placed the file? (Start from the system root.)
You should use that path (remove the test at the end) as your webroot.

Thank you


#7

Do you still have the log file that contains the original error message? “too many failed authorizations recently” hides the reason it was failing before.


#8

/var/www/.well-known/acme-challenge/test


#9

Yes, but I can’t upload it. Should I cut and paste the whole thing? It’s very long.


#10

Hi,

In this case, would you mind trying to issue certificates using this command:
sudo certbot certonly --webroot -w /var/www/.well-known/acme-challenge/ -d teams.jrmpc.ca

Thank you


#11

Pretty much the same error.


#12

The first part of my cut and paste should contain the info you’re looking for.


#13

I’d like to see the rest of this error message:


#14

certbot.errors.FailedChallenges: Failed authorization procedure. teams.jrmpc.ca (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://teams.jrmpc.ca/.well-known/acme-challenge/WJPmcbAzJIX_fm9V9DjyFTycSh-AMLBX9N6xL1zMAcE [174.117.171.194]: 404


#15

Was /var/www/jrmpc the correct directory?

Are you sure the DNS records are pointing at the correct server?

What did the server’s error logs say?


#16

I’m not sure what you mean by correct directory. My web server is configured to serve files from ‘/var/www’. ‘jrmpc’ is just a subdirectory of that. Do I need to configure file serving from ‘/var/www/jrmpc’?


#17

You just have to have Certbot and your web server use the same directory. That might be “/var/www”. If they’re using different directories, you have to change one of them.

If you wanted to make a file that can be accessed at http://teams.jrmpc.ca/something.html, where would it be? /var/www/something.html? /var/www/jrmpc/something.html? Whatever directory it is, unless the web server has a more complicated configuration, that’s the directory you should use.

What is the web server’s configuration?

What was in the web server’s error log?
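The check described in post #17 (does a file placed in the directory come back at the site's URL?) can be run against each candidate directory before Certbot is tried again. This is an added example, not part of the original thread and not Certbot code; the names `probe_webroot` and `check_candidates` are hypothetical, and it assumes the server serves plain static files over HTTP.

```python
import secrets
import sys
import urllib.error
import urllib.request
from pathlib import Path

CHALLENGE_DIR = ".well-known/acme-challenge"  # fixed by the http-01 challenge
# Ignore proxy settings so the request goes straight to the web server.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def probe_webroot(webroot, base_url, timeout=5.0):
    """Write a random token under webroot and fetch it back over HTTP.

    Returns (ok, detail). ok is True only when the server returns the token,
    meaning `certbot --webroot -w <webroot>` would put its challenge file
    where the web server actually looks.
    """
    token = secrets.token_urlsafe(32)
    directory = Path(webroot) / CHALLENGE_DIR
    directory.mkdir(parents=True, exist_ok=True)
    probe = directory / token
    probe.write_text(token)
    url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{token}"
    try:
        with _opener.open(url, timeout=timeout) as resp:
            body = resp.read(256).decode("ascii", "replace").strip()
        return (True, "served") if body == token else (False, "wrong body")
    except urllib.error.HTTPError as exc:   # e.g. the 404 from post #14
        return False, f"HTTP {exc.code}"
    except OSError as exc:                  # refused, timeout, DNS failure
        return False, f"connection failed: {exc}"
    finally:
        probe.unlink()                      # never leave probe files behind


def check_candidates(candidates, base_url):
    """Probe each candidate directory; returns [(path, ok, detail), ...]."""
    return [(str(c), *probe_webroot(c, base_url)) for c in candidates]


# Usage (hypothetical file name): probe.py http://host /var/www /var/www/jrmpc
# This checks the directory mapping only, not DNS or reachability from outside.
if __name__ == "__main__" and len(sys.argv) > 2:
    for path, ok, detail in check_candidates(sys.argv[2:], sys.argv[1]):
        print(f"{'OK  ' if ok else 'FAIL'} {path}: {detail}")
```

The directory reported as served is the one to pass to `-w`. Certbot's `--dry-run` option performs the same validation against the staging environment, so failed attempts there do not count toward the production limit hit in post #1.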


#18

Thanks. That worked.


#19

Did you use:
sudo certbot certonly --webroot -w /var/www/ -d teams.jrmpc.ca

