Certbot renew failed most of the time

My domain is: myhopeless.life

I ran this command: sudo certbot renew --dry-run

It produced this output:

Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for myhopeless.life
http-01 challenge for www.myhopeless.life
Using the webroot path /var/www/myhopeless for all unmatched domains.
Waiting for verification...
Challenge failed for domain myhopeless.life
http-01 challenge for myhopeless.life
Cleaning up challenges
Attempting to renew cert (myhopeless.life) from /etc/letsencrypt/renewal/myhopeless.life.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/myhopeless.life/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/myhopeless.life/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: myhopeless.life
   Type:   connection
   Detail: 172.67.207.242: Fetching
   https://www.myhopeless.life/.well-known/acme-challenge/YApGukwx6aGSZsB8c7M8Q5p-_yzF620LUKv6KdBYEaA:
   Timeout during connect (likely firewall problem)


My web server is (include version): nginx/1.18.0 (Ubuntu) & xray

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is: cloudflare(Proxied)

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.40.0

The renew command failed most of the time, not always.

xray (a proxy server) listens on 443, which handles the TLS connection and falls back normal HTTPS to 2443, and nginx listens on 80 and 2443.

I tried "curl https://www.myhopeless.life/.well-known/acme-challenge/YApGukwx6aGSZsB8c7M8Q5p-_yzF620LUKv6KdBYEaA:" on another server and got 404 (nginx).

Hi @soon, and welcome to the LE community forum :slight_smile:

  1. I don't see how you can possibly circumvent Cloudflare
    [So, what you are seeing is what Cloudflare is showing you - (very) indirectly from something claiming to be running nginx/1.18.0 (Ubuntu)]
  2. Are you seeing any of those ACME challenge requests in the local servers' xray proxy logs?
  3. Are you seeing any of those ACME challenge requests in the local servers' nginx access logs?

Please uninstall that old version and follow the recommended installation instructions:
Certbot (eff.org)
[so that you may start using the latest version of certbot: 2.7.2]

2 Likes

nginx access log after I ran certbot renew

172.70.179.60 - - [24/Oct/2023:01:15:15 +0000] "GET /.well-known/acme-challenge/D7TOprLfA7zGA35c3qVkSrJQSR3eOJtcF15ENHbGxVI HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
162.158.245.62 - - [24/Oct/2023:01:15:15 +0000] "GET /.well-known/acme-challenge/xd6-Y5rKWxfYLOkGmrWzWO0MwEgQxSsyhhKE4fV6NFY HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
108.162.245.189 - - [24/Oct/2023:01:15:15 +0000] "GET /.well-known/acme-challenge/D7TOprLfA7zGA35c3qVkSrJQSR3eOJtcF15ENHbGxVI HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
172.71.151.146 - - [24/Oct/2023:01:15:15 +0000] "GET /.well-known/acme-challenge/xd6-Y5rKWxfYLOkGmrWzWO0MwEgQxSsyhhKE4fV6NFY HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
127.0.0.1 - - [24/Oct/2023:01:15:15 +0000] "GET /.well-known/acme-challenge/D7TOprLfA7zGA35c3qVkSrJQSR3eOJtcF15ENHbGxVI HTTP/1.1" 200 87 "http://myhopeless.life/.well-known/acme-challenge/D7TOprLfA7zGA35c3qVkSrJQSR3eOJtcF15ENHbGxVI" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
127.0.0.1 - - [24/Oct/2023:01:15:15 +0000] "GET /.well-known/acme-challenge/xd6-Y5rKWxfYLOkGmrWzWO0MwEgQxSsyhhKE4fV6NFY HTTP/1.1" 200 87 "http://www.myhopeless.life/.well-known/acme-challenge/xd6-Y5rKWxfYLOkGmrWzWO0MwEgQxSsyhhKE4fV6NFY" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
127.0.0.1 - - [24/Oct/2023:01:15:15 +0000] "GET /.well-known/acme-challenge/D7TOprLfA7zGA35c3qVkSrJQSR3eOJtcF15ENHbGxVI HTTP/1.1" 200 87 "http://myhopeless.life/.well-known/acme-challenge/D7TOprLfA7zGA35c3qVkSrJQSR3eOJtcF15ENHbGxVI" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
127.0.0.1 - - [24/Oct/2023:01:15:16 +0000] "GET /.well-known/acme-challenge/xd6-Y5rKWxfYLOkGmrWzWO0MwEgQxSsyhhKE4fV6NFY HTTP/1.1" 200 87 "http://www.myhopeless.life/.well-known/acme-challenge/xd6-Y5rKWxfYLOkGmrWzWO0MwEgQxSsyhhKE4fV6NFY" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
162.158.245.58 - - [24/Oct/2023:01:15:25 +0000] "GET /.well-known/acme-challenge/D7TOprLfA7zGA35c3qVkSrJQSR3eOJtcF15ENHbGxVI HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

and the nginx config

server {
    listen 127.0.0.1:2443;
    server_name www.myhopeless.life;
    proxy_cookie_path / "/; secure";


    location /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /var/www/myhopeless;
    }


#    root /home/ubuntu/docs/.vitepress/dist/;
    location / {
        index  index.html;
        root /home/ubuntu/docs/.vitepress/dist/;
    }
}

server {
    listen 80;
    server_name www.myhopeless.life;
    charset utf-8;
    proxy_cookie_path / "/; secure";
    rewrite ^(.*)$ https://$host$1 permanent;
}

server {
    listen 80;
    server_name myhopeless.life;
    return 301 https://www.myhopeless.life$request_uri;
}

and the 404 was also listed in the access log, so it's not Cloudflare's fake response.

1 Like

I updated certbot to the latest 2.7.2 and tried renew twice: one success and one failure.

The output of the failure:

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: www.myhopeless.life
  Type:   connection
  Detail: 172.67.207.242: Fetching https://www.myhopeless.life/.well-known/acme-challenge/IXi9Xbe0_aQ5ZxjBOkABM_oS1V1SF-0I2DtJAlqsWB0: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Failed to renew certificate myhopeless.life with error: Some challenges have failed.

And here is the nginx access log.

172.71.146.90 - - [24/Oct/2023:02:29:10 +0000] "GET /.well-known/acme-challenge/AquZqEtRSFC5soqmAzdQ5wkY3ZiO7wVY4G5RmkoTNKc HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
172.69.58.206 - - [24/Oct/2023:02:29:10 +0000] "GET /.well-known/acme-challenge/AquZqEtRSFC5soqmAzdQ5wkY3ZiO7wVY4G5RmkoTNKc HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
172.69.58.94 - - [24/Oct/2023:02:29:10 +0000] "GET /.well-known/acme-challenge/hwZOWtL7HJr0QjlO-GqxQm62E5VpDdqEizEquafq0J8 HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
172.71.150.188 - - [24/Oct/2023:02:29:10 +0000] "GET /.well-known/acme-challenge/hwZOWtL7HJr0QjlO-GqxQm62E5VpDdqEizEquafq0J8 HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
162.158.245.63 - - [24/Oct/2023:02:29:10 +0000] "GET /.well-known/acme-challenge/hwZOWtL7HJr0QjlO-GqxQm62E5VpDdqEizEquafq0J8 HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
162.158.245.57 - - [24/Oct/2023:02:29:10 +0000] "GET /.well-known/acme-challenge/AquZqEtRSFC5soqmAzdQ5wkY3ZiO7wVY4G5RmkoTNKc HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
127.0.0.1 - - [24/Oct/2023:02:29:11 +0000] "GET /.well-known/acme-challenge/AquZqEtRSFC5soqmAzdQ5wkY3ZiO7wVY4G5RmkoTNKc HTTP/1.1" 200 87 "http://myhopeless.life/.well-known/acme-challenge/AquZqEtRSFC5soqmAzdQ5wkY3ZiO7wVY4G5RmkoTNKc" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
127.0.0.1 - - [24/Oct/2023:02:29:11 +0000] "GET /.well-known/acme-challenge/AquZqEtRSFC5soqmAzdQ5wkY3ZiO7wVY4G5RmkoTNKc HTTP/1.1" 200 87 "http://myhopeless.life/.well-known/acme-challenge/AquZqEtRSFC5soqmAzdQ5wkY3ZiO7wVY4G5RmkoTNKc" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
127.0.0.1 - - [24/Oct/2023:02:29:11 +0000] "GET /.well-known/acme-challenge/hwZOWtL7HJr0QjlO-GqxQm62E5VpDdqEizEquafq0J8 HTTP/1.1" 200 87 "http://www.myhopeless.life/.well-known/acme-challenge/hwZOWtL7HJr0QjlO-GqxQm62E5VpDdqEizEquafq0J8" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
127.0.0.1 - - [24/Oct/2023:02:29:11 +0000] "GET /.well-known/acme-challenge/hwZOWtL7HJr0QjlO-GqxQm62E5VpDdqEizEquafq0J8 HTTP/1.1" 200 87 "http://www.myhopeless.life/.well-known/acme-challenge/hwZOWtL7HJr0QjlO-GqxQm62E5VpDdqEizEquafq0J8" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
127.0.0.1 - - [24/Oct/2023:02:29:11 +0000] "GET /.well-known/acme-challenge/hwZOWtL7HJr0QjlO-GqxQm62E5VpDdqEizEquafq0J8 HTTP/1.1" 200 87 "http://www.myhopeless.life/.well-known/acme-challenge/hwZOWtL7HJr0QjlO-GqxQm62E5VpDdqEizEquafq0J8" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
127.0.0.1 - - [24/Oct/2023:02:29:11 +0000] "GET /.well-known/acme-challenge/AquZqEtRSFC5soqmAzdQ5wkY3ZiO7wVY4G5RmkoTNKc HTTP/1.1" 200 87 "http://myhopeless.life/.well-known/acme-challenge/AquZqEtRSFC5soqmAzdQ5wkY3ZiO7wVY4G5RmkoTNKc" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
172.71.146.184 - - [24/Oct/2023:02:30:39 +0000] "GET /.well-known/acme-challenge/WE81tZx5aUwF9JdXhLpVXSdMO_V5yxGHLrCebnbrW1E HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
172.70.130.211 - - [24/Oct/2023:02:30:39 +0000] "GET /.well-known/acme-challenge/WE81tZx5aUwF9JdXhLpVXSdMO_V5yxGHLrCebnbrW1E HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
108.162.245.203 - - [24/Oct/2023:02:30:39 +0000] "GET /.well-known/acme-challenge/Q5UIDBdVxArpVyRXfpNmcenExVYBUBbPJ8KndQWsZXs HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
172.70.130.202 - - [24/Oct/2023:02:30:39 +0000] "GET /.well-known/acme-challenge/Q5UIDBdVxArpVyRXfpNmcenExVYBUBbPJ8KndQWsZXs HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
162.158.245.37 - - [24/Oct/2023:02:30:39 +0000] "GET /.well-known/acme-challenge/WE81tZx5aUwF9JdXhLpVXSdMO_V5yxGHLrCebnbrW1E HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
127.0.0.1 - - [24/Oct/2023:02:30:40 +0000] "GET /.well-known/acme-challenge/WE81tZx5aUwF9JdXhLpVXSdMO_V5yxGHLrCebnbrW1E HTTP/1.1" 200 87 "http://myhopeless.life/.well-known/acme-challenge/WE81tZx5aUwF9JdXhLpVXSdMO_V5yxGHLrCebnbrW1E" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
127.0.0.1 - - [24/Oct/2023:02:30:40 +0000] "GET /.well-known/acme-challenge/Q5UIDBdVxArpVyRXfpNmcenExVYBUBbPJ8KndQWsZXs HTTP/1.1" 200 87 "http://www.myhopeless.life/.well-known/acme-challenge/Q5UIDBdVxArpVyRXfpNmcenExVYBUBbPJ8KndQWsZXs" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
127.0.0.1 - - [24/Oct/2023:02:30:40 +0000] "GET /.well-known/acme-challenge/WE81tZx5aUwF9JdXhLpVXSdMO_V5yxGHLrCebnbrW1E HTTP/1.1" 200 87 "http://myhopeless.life/.well-known/acme-challenge/WE81tZx5aUwF9JdXhLpVXSdMO_V5yxGHLrCebnbrW1E" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
127.0.0.1 - - [24/Oct/2023:02:30:40 +0000] "GET /.well-known/acme-challenge/Q5UIDBdVxArpVyRXfpNmcenExVYBUBbPJ8KndQWsZXs HTTP/1.1" 200 87 "http://www.myhopeless.life/.well-known/acme-challenge/Q5UIDBdVxArpVyRXfpNmcenExVYBUBbPJ8KndQWsZXs" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
127.0.0.1 - - [24/Oct/2023:02:30:41 +0000] "GET /.well-known/acme-challenge/WE81tZx5aUwF9JdXhLpVXSdMO_V5yxGHLrCebnbrW1E HTTP/1.1" 200 87 "http://myhopeless.life/.well-known/acme-challenge/WE81tZx5aUwF9JdXhLpVXSdMO_V5yxGHLrCebnbrW1E" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
162.158.245.62 - - [24/Oct/2023:02:30:50 +0000] "GET /.well-known/acme-challenge/Q5UIDBdVxArpVyRXfpNmcenExVYBUBbPJ8KndQWsZXs HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

And what about this?

And, why do some entries show up as coming from 127.0.0.1? I only know of that happening when one of your server blocks proxies to another. The originating IP is then yourself. But, I don't see any proxy statements to make that happen.

Can you add an access_log in each server block and use a different file name for each one? I think requests are flowing to several server blocks that they shouldn't.

3 Likes

The entire site is behind Cloudflare, so it's better to just use a CF origin certificate.

4 Likes

I often suggest that myself! :slight_smile: But there are some restrictions then, like not being able to disable the proxy for specialized purposes, and some other bits.

3 Likes

He uses xray (an anti-GFW proxy) on it, so it's tunneled,
and I don't think he'd be able to listen on port 80 from the internet if he needed that.

4 Likes

Ah, missed that. Still, why are the challenges logging in different patterns? In some we've seen two sets of two getting through (just secondaries). Then one works. Then in another all 3 initial requests get through but the redirected request does not.

Something is seriously erratic.

3 Likes

There is a third hidden server in question: the other side of the xray tunnel. Do you control that? If you do, why not host the site there?
If I have to guess, these are 2 nested tunnels, the Cloudflare Argo one and the xray one, as CF don't talk with : add one more and now you have an onion :stuck_out_tongue:
I kinda think the log is xray's x-proxy header, as all of them are CF IPs?

4 Likes

Ouch, right. My bad. I got AWS for Let's Encrypt mixed up with Cloudflare :slight_smile: Time for bed!

3 Likes

The last line:

162.158.245.62 - - [24/Oct/2023:02:30:50 +0000] "GET /.well-known/acme-challenge/Q5UIDBdVxArpVyRXfpNmcenExVYBUBbPJ8KndQWsZXs HTTP/1.1" 301

It's 11 seconds later than the previous request:

162.158.245.37 - - [24/Oct/2023:02:30:39 +0000] "GET /.well-known/acme-challenge/WE81tZx5aUwF9JdXhLpVXSdMO_V5yxGHLrCebnbrW1E HTTP/1.1" 301

and there are no more requests after the 301; the renew failed.

Anyway, I'll try a CF origin certificate later.

These first three groups seem OK:
[HTTP gets redirected to HTTPS - goes through the proxy and is returned the 87 bytes expected]

172.71.146.90 - - [24/Oct/2023:02:29:10 +0000] "GET /.well-known/acme-challenge/AquZqEtRSFC5soqmAzdQ5wkY3ZiO7wVY4G5RmkoTNKc HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
172.69.58.206 - - [24/Oct/2023:02:29:10 +0000] "GET /.well-known/acme-challenge/AquZqEtRSFC5soqmAzdQ5wkY3ZiO7wVY4G5RmkoTNKc HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
162.158.245.57 - - [24/Oct/2023:02:29:10 +0000] "GET /.well-known/acme-challenge/AquZqEtRSFC5soqmAzdQ5wkY3ZiO7wVY4G5RmkoTNKc HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
127.0.0.1 - - [24/Oct/2023:02:29:11 +0000] "GET /.well-known/acme-challenge/AquZqEtRSFC5soqmAzdQ5wkY3ZiO7wVY4G5RmkoTNKc HTTP/1.1" 200 87 "http://myhopeless.life/.well-known/acme-challenge/AquZqEtRSFC5soqmAzdQ5wkY3ZiO7wVY4G5RmkoTNKc" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
127.0.0.1 - - [24/Oct/2023:02:29:11 +0000] "GET /.well-known/acme-challenge/AquZqEtRSFC5soqmAzdQ5wkY3ZiO7wVY4G5RmkoTNKc HTTP/1.1" 200 87 "http://myhopeless.life/.well-known/acme-challenge/AquZqEtRSFC5soqmAzdQ5wkY3ZiO7wVY4G5RmkoTNKc" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
127.0.0.1 - - [24/Oct/2023:02:29:11 +0000] "GET /.well-known/acme-challenge/AquZqEtRSFC5soqmAzdQ5wkY3ZiO7wVY4G5RmkoTNKc HTTP/1.1" 200 87 "http://myhopeless.life/.well-known/acme-challenge/AquZqEtRSFC5soqmAzdQ5wkY3ZiO7wVY4G5RmkoTNKc" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

172.69.58.94 - - [24/Oct/2023:02:29:10 +0000] "GET /.well-known/acme-challenge/hwZOWtL7HJr0QjlO-GqxQm62E5VpDdqEizEquafq0J8 HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
172.71.150.188 - - [24/Oct/2023:02:29:10 +0000] "GET /.well-known/acme-challenge/hwZOWtL7HJr0QjlO-GqxQm62E5VpDdqEizEquafq0J8 HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
162.158.245.63 - - [24/Oct/2023:02:29:10 +0000] "GET /.well-known/acme-challenge/hwZOWtL7HJr0QjlO-GqxQm62E5VpDdqEizEquafq0J8 HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
127.0.0.1 - - [24/Oct/2023:02:29:11 +0000] "GET /.well-known/acme-challenge/hwZOWtL7HJr0QjlO-GqxQm62E5VpDdqEizEquafq0J8 HTTP/1.1" 200 87 "http://www.myhopeless.life/.well-known/acme-challenge/hwZOWtL7HJr0QjlO-GqxQm62E5VpDdqEizEquafq0J8" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
127.0.0.1 - - [24/Oct/2023:02:29:11 +0000] "GET /.well-known/acme-challenge/hwZOWtL7HJr0QjlO-GqxQm62E5VpDdqEizEquafq0J8 HTTP/1.1" 200 87 "http://www.myhopeless.life/.well-known/acme-challenge/hwZOWtL7HJr0QjlO-GqxQm62E5VpDdqEizEquafq0J8" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
127.0.0.1 - - [24/Oct/2023:02:29:11 +0000] "GET /.well-known/acme-challenge/hwZOWtL7HJr0QjlO-GqxQm62E5VpDdqEizEquafq0J8 HTTP/1.1" 200 87 "http://www.myhopeless.life/.well-known/acme-challenge/hwZOWtL7HJr0QjlO-GqxQm62E5VpDdqEizEquafq0J8" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

172.71.146.184 - - [24/Oct/2023:02:30:39 +0000] "GET /.well-known/acme-challenge/WE81tZx5aUwF9JdXhLpVXSdMO_V5yxGHLrCebnbrW1E HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
172.70.130.211 - - [24/Oct/2023:02:30:39 +0000] "GET /.well-known/acme-challenge/WE81tZx5aUwF9JdXhLpVXSdMO_V5yxGHLrCebnbrW1E HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
162.158.245.37 - - [24/Oct/2023:02:30:39 +0000] "GET /.well-known/acme-challenge/WE81tZx5aUwF9JdXhLpVXSdMO_V5yxGHLrCebnbrW1E HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
127.0.0.1 - - [24/Oct/2023:02:30:40 +0000] "GET /.well-known/acme-challenge/WE81tZx5aUwF9JdXhLpVXSdMO_V5yxGHLrCebnbrW1E HTTP/1.1" 200 87 "http://myhopeless.life/.well-known/acme-challenge/WE81tZx5aUwF9JdXhLpVXSdMO_V5yxGHLrCebnbrW1E" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
127.0.0.1 - - [24/Oct/2023:02:30:40 +0000] "GET /.well-known/acme-challenge/WE81tZx5aUwF9JdXhLpVXSdMO_V5yxGHLrCebnbrW1E HTTP/1.1" 200 87 "http://myhopeless.life/.well-known/acme-challenge/WE81tZx5aUwF9JdXhLpVXSdMO_V5yxGHLrCebnbrW1E" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
127.0.0.1 - - [24/Oct/2023:02:30:41 +0000] "GET /.well-known/acme-challenge/WE81tZx5aUwF9JdXhLpVXSdMO_V5yxGHLrCebnbrW1E HTTP/1.1" 200 87 "http://myhopeless.life/.well-known/acme-challenge/WE81tZx5aUwF9JdXhLpVXSdMO_V5yxGHLrCebnbrW1E" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

But this last group definitely encounters an issue:

108.162.245.203 - - [24/Oct/2023:02:30:39 +0000] "GET /.well-known/acme-challenge/Q5UIDBdVxArpVyRXfpNmcenExVYBUBbPJ8KndQWsZXs HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
172.70.130.202 - - [24/Oct/2023:02:30:39 +0000] "GET /.well-known/acme-challenge/Q5UIDBdVxArpVyRXfpNmcenExVYBUBbPJ8KndQWsZXs HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
127.0.0.1 - - [24/Oct/2023:02:30:40 +0000] "GET /.well-known/acme-challenge/Q5UIDBdVxArpVyRXfpNmcenExVYBUBbPJ8KndQWsZXs HTTP/1.1" 200 87 "http://www.myhopeless.life/.well-known/acme-challenge/Q5UIDBdVxArpVyRXfpNmcenExVYBUBbPJ8KndQWsZXs" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
127.0.0.1 - - [24/Oct/2023:02:30:40 +0000] "GET /.well-known/acme-challenge/Q5UIDBdVxArpVyRXfpNmcenExVYBUBbPJ8KndQWsZXs HTTP/1.1" 200 87 "http://www.myhopeless.life/.well-known/acme-challenge/Q5UIDBdVxArpVyRXfpNmcenExVYBUBbPJ8KndQWsZXs" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

162.158.245.62 - - [24/Oct/2023:02:30:50 +0000] "GET /.well-known/acme-challenge/Q5UIDBdVxArpVyRXfpNmcenExVYBUBbPJ8KndQWsZXs HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

There is a clear 10 second gap between the first requests and the last.
Then the third request is never being proxied.
I'd say something is doing some sort of inbound rate limiting/throttling.
Do you use anything that could do anything along those lines?

2 Likes
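A small checker for the pattern discussed above, added here as an example and not something from the thread or from certbot: it parses nginx combined-format lines, groups Let's Encrypt validation requests by challenge token, and flags any edge 301 that is never followed by a local 200 (the 02:30:50 request) as well as stalls longer than a few seconds. The sample lines are constructed from the thread's 02:30 excerpt; the 203.0.113.9 curl probe is invented.

```python
import re
from collections import defaultdict
from datetime import datetime

# nginx "combined" log format, as pasted in the thread
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?:\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)
TOKEN_RE = re.compile(r"^/\.well-known/acme-challenge/(?P<token>[A-Za-z0-9_-]+)$")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
ACME_UA = "Let's Encrypt validation server"

def parse_line(line):
    """Return an event for a request to the ACME challenge path, else None."""
    m = LOG_RE.match(line)
    t = TOKEN_RE.match(m["path"]) if m else None
    if not t:
        return None
    return {"ts": datetime.strptime(m["ts"], TS_FMT), "status": int(m["status"]),
            "token": t["token"], "acme": ACME_UA in m["ua"],
            # 127.0.0.1 = the redirected HTTPS leg re-entering nginx via xray's fallback
            "local": m["ip"].startswith("127.")}

def analyze(lines, gap_limit_s=5):
    """Per token: count edge 301s and local 200s, flag 301s never followed by a
    local 200 (the 02:30:50 request in the thread) and long stalls between hits."""
    by_token = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["acme"]:          # ignore curl tests and ordinary visitors
            by_token[ev["token"]].append(ev)
    report = {}
    for token, evs in by_token.items():
        evs.sort(key=lambda e: e["ts"])
        redirects = [e for e in evs if not e["local"] and e["status"] == 301]
        served = [e for e in evs if e["local"] and e["status"] == 200]
        orphaned = [r for r in redirects if not any(s["ts"] >= r["ts"] for s in served)]
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        max_gap = int(max(gaps, default=0))
        report[token] = {"redirects": len(redirects), "served": len(served),
                         "orphaned_redirects": len(orphaned), "max_gap_s": max_gap,
                         "ok": bool(redirects and served) and not orphaned
                               and max_gap <= gap_limit_s}
    return report

# Constructed sample built from the thread's 02:30 log excerpt plus one invented curl probe.
UA = "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
T_OK = "WE81tZx5aUwF9JdXhLpVXSdMO_V5yxGHLrCebnbrW1E"
T_BAD = "Q5UIDBdVxArpVyRXfpNmcenExVYBUBbPJ8KndQWsZXs"

def mk(ip, sec, token, status, size, ua=UA):
    return (f'{ip} - - [24/Oct/2023:02:30:{sec} +0000] "GET /.well-known/acme-challenge/{token} '
            f'HTTP/1.1" {status} {size} "-" "{ua}"')

SAMPLE_LOG = [
    mk("172.71.146.184", "39", T_OK, 301, 178), mk("172.70.130.211", "39", T_OK, 301, 178),
    mk("162.158.245.37", "39", T_OK, 301, 178), mk("127.0.0.1", "40", T_OK, 200, 87),
    mk("127.0.0.1", "40", T_OK, 200, 87), mk("127.0.0.1", "41", T_OK, 200, 87),
    mk("108.162.245.203", "39", T_BAD, 301, 178), mk("172.70.130.202", "39", T_BAD, 301, 178),
    mk("127.0.0.1", "40", T_BAD, 200, 87), mk("127.0.0.1", "40", T_BAD, 200, 87),
    mk("162.158.245.62", "50", T_BAD, 301, 178),        # the late, never-proxied request
    mk("203.0.113.9", "45", T_BAD, 404, 162, ua="curl/7.81.0"),  # constructed outside probe
]

if __name__ == "__main__":
    for token, r in analyze(SAMPLE_LOG).items():
        print("OK  " if r["ok"] else "FAIL", token, r)
```

Run it against a real access log with `analyze(open("/var/log/nginx/access.log").read().splitlines())`; a token with `orphaned_redirects` above zero is one where the HTTPS leg never came back through the proxy.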

I see two names:

Maybe you could obtain certs for them individually.
That would cut the challenges in half.
[I mean they would run at different times]

OR

Get a cert for one name [and don't actually use it].
Then the next day get a cert for both names [and use this one].
That way each time the second cert goes to renew, the first name is already renewed and its authorization for that account is cached.

In either case, you would be using two certs [instead of one].
So, neither is more wasteful than the other.

2 Likes

As a sidestep/workaround: Have you looked into using DNS-01 authentication?

4 Likes
