Certbot renew not working


#1

I tried to fix this issue on my own and read a lot of topics but nothing seems to work for me.
Here is the command I trigger to update the certificate + the output:

sudo certbot --installer apache --agree-tos --debug-challenges --email a valid address -v --webroot -w /var/lib/letsencrypt/ -d skargeth.at
Performing the following challenges:
http-01 challenge for skargeth.at
Using the webroot path /var/lib/letsencrypt for all unmatched domains.
Creating root challenges validation dir at /var/lib/letsencrypt/.well-known/acme-challenge
Attempting to save validation to /var/lib/letsencrypt/.well-known/acme-challenge/4sqnHhC7raeIueJ7KZxQwpmHtYSgHkizHOYcuYIdhLE
Waiting for verification…
Skipped user interaction because Certbot doesn’t appear to be running in a terminal. You should probably include --non-interactive or --force-interactive on the command line.
Not pausing for user confirmation
JWS payload:
b’{\n “resource”: “challenge”,\n “keyAuthorization”: “4sqnHhC7raeIueJ7KZxQwpmHtYSgHkizHOYcuYIdhLE.XUin-qerlRsOXMDLRYX5TYOyBKZoQ5yDq15IYuOMI_M”,\n “type”: “http-01”\n}’
Sending POST request to https://acme-v02.api.letsencrypt.org/acme/challenge/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE/9573107022:
{
“protected”: “eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDEuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL3JlZy83ODMxOTU3IiwgIm5vbmNlIjogIk12eGpfT01NVk03ME96S0RZVVJiUG9fMWJGeEE2d1gtZ2dQY2lSRW5nRjAiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2NoYWxsZW5nZS8zWkJIZGhzcmIxYTgzNmR5X0lDM2dnNmdPLVFuZ3FXNl9LSGk1NDVBX0VFLzk1NzMxMDcwMjIifQ”,
“signature”: “OxiSd73iNLJH4VqnfPxFVqJ5QYUg07fDRcmy1qr0A5-fK4JKvcHlACmYbbpHaLgoHOG5AYkGsTuREFuX5eOsioDY_d3PoCw1HBS-7JXb3wPTelXEguE_vXbGCKErM7hWTmK-NFpLNVkhrP75jIbnIl-fNvLx6H4JmWBw_qdPsvh2avobG2J2lqgDWBKIYY9akUyp7JfoQ5949LYeusP8xAENcpRbiHyMMUXiFNXe4jN5Nozn9Rx1dakdSodXGRcOq1LCgBkK4DIIeAQhmWVsh4qYIjb-NsMnqahrC4mE7pYiHs_cLDPn7aHeluvU_BHSrT2ISLdyif44L5aAfQ0ETQ”,
“payload”: “ewogICJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiLAogICJrZXlBdXRob3JpemF0aW9uIjogIjRzcW5IaEM3cmFlSXVlSjdLWnhRd3BtSHRZU2dIa2l6SE9ZY3VZSWRoTEUuWFVpbi1xZXJsUnNPWE1ETFJZWDVUWU95Qktab1E1eURxMTVJWXVPTUlfTSIsCiAgInR5cGUiOiAiaHR0cC0wMSIKfQ”
}
https://acme-v02.api.letsencrypt.org:443 “POST /acme/challenge/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE/9573107022 HTTP/1.1” 200 223
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 223
Boulder-Requester: 7831957
Link: https://acme-v02.api.letsencrypt.org/acme/authz/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE;rel=“up”
Location: https://acme-v02.api.letsencrypt.org/acme/challenge/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE/9573107022
Replay-Nonce: hcr0-EwL6PozdTK2gcDyg7bM0JOABZuSpURhRppGF2o
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Fri, 23 Nov 2018 13:54:15 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 23 Nov 2018 13:54:15 GMT
Connection: keep-alive

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE/9573107022",
  "token": "4sqnHhC7raeIueJ7KZxQwpmHtYSgHkizHOYcuYIdhLE"
}
Storing nonce: hcr0-EwL6PozdTK2gcDyg7bM0JOABZuSpURhRppGF2o
Sending GET request to https://acme-v02.api.letsencrypt.org/acme/authz/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE.
https://acme-v02.api.letsencrypt.org:443 "GET /acme/authz/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE HTTP/1.1" 200 1155
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1155
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Fri, 23 Nov 2018 13:54:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 23 Nov 2018 13:54:18 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "skargeth.at"
  },
  "status": "pending",
  "expires": "2018-11-30T13:53:35Z",
  "challenges": [
    {
      "type": "tls-sni-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE/9573107021",
      "token": "gBbkJUajlG9IDLigeAswqRZhg-O7T4rw5ta-zxym3Oo"
    },
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE/9573107022",
      "token": "4sqnHhC7raeIueJ7KZxQwpmHtYSgHkizHOYcuYIdhLE"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE/9573107023",
      "token": "o0xYPEMCKPWCyzRTRbsOLACxjK7FoYR3w2rfF4Vjank"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE/9573107024",
      "token": "gQ5EpRsNxNebqdiLrOM1xB6DbtMHgzitWwXfTfxrtwU"
    }
  ]
}
Sending GET request to https://acme-v02.api.letsencrypt.org/acme/authz/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE.
https://acme-v02.api.letsencrypt.org:443 "GET /acme/authz/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE HTTP/1.1" 200 1155
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1155
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Fri, 23 Nov 2018 13:54:22 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 23 Nov 2018 13:54:22 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "skargeth.at"
  },
  "status": "pending",
  "expires": "2018-11-30T13:53:35Z",
  "challenges": [
    {
      "type": "tls-sni-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE/9573107021",
      "token": "gBbkJUajlG9IDLigeAswqRZhg-O7T4rw5ta-zxym3Oo"
    },
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE/9573107022",
      "token": "4sqnHhC7raeIueJ7KZxQwpmHtYSgHkizHOYcuYIdhLE"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE/9573107023",
      "token": "o0xYPEMCKPWCyzRTRbsOLACxjK7FoYR3w2rfF4Vjank"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE/9573107024",
      "token": "gQ5EpRsNxNebqdiLrOM1xB6DbtMHgzitWwXfTfxrtwU"
    }
  ]
}
Sending GET request to https://acme-v02.api.letsencrypt.org/acme/authz/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE.
https://acme-v02.api.letsencrypt.org:443 "GET /acme/authz/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE HTTP/1.1" 200 1155
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1155
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Fri, 23 Nov 2018 13:54:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 23 Nov 2018 13:54:25 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "skargeth.at"
  },
  "status": "pending",
  "expires": "2018-11-30T13:53:35Z",
  "challenges": [
    {
      "type": "tls-sni-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE/9573107021",
      "token": "gBbkJUajlG9IDLigeAswqRZhg-O7T4rw5ta-zxym3Oo"
    },
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE/9573107022",
      "token": "4sqnHhC7raeIueJ7KZxQwpmHtYSgHkizHOYcuYIdhLE"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE/9573107023",
      "token": "o0xYPEMCKPWCyzRTRbsOLACxjK7FoYR3w2rfF4Vjank"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE/9573107024",
      "token": "gQ5EpRsNxNebqdiLrOM1xB6DbtMHgzitWwXfTfxrtwU"
    }
  ]
}
Sending GET request to https://acme-v02.api.letsencrypt.org/acme/authz/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE.
https://acme-v02.api.letsencrypt.org:443 "GET /acme/authz/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE HTTP/1.1" 200 1771
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1771
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Fri, 23 Nov 2018 13:54:28 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 23 Nov 2018 13:54:28 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "skargeth.at"
  },
  "status": "invalid",
  "expires": "2018-11-30T13:53:35Z",
  "challenges": [
    {
      "type": "tls-sni-01",
      "status": "invalid",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE/9573107021",
      "token": "gBbkJUajlG9IDLigeAswqRZhg-O7T4rw5ta-zxym3Oo"
    },
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "Fetching http://skargeth.at/.well-known/acme-challenge/4sqnHhC7raeIueJ7KZxQwpmHtYSgHkizHOYcuYIdhLE: Timeout during connect (likely firewall problem)",
        "status": 400
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE/9573107022",
      "token": "4sqnHhC7raeIueJ7KZxQwpmHtYSgHkizHOYcuYIdhLE",
      "validationRecord": [
        {
          "url": "http://skargeth.at/.well-known/acme-challenge/4sqnHhC7raeIueJ7KZxQwpmHtYSgHkizHOYcuYIdhLE",
          "hostname": "skargeth.at",
          "port": "80",
          "addressesResolved": [
            "91.224.71.24"
          ],
          "addressUsed": "91.224.71.24"
        }
      ]
    },
    {
      "type": "dns-01",
      "status": "invalid",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE/9573107023",
      "token": "o0xYPEMCKPWCyzRTRbsOLACxjK7FoYR3w2rfF4Vjank"
    },
    {
      "type": "tls-alpn-01",
      "status": "invalid",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/3ZBHdhsrb1a836dy_IC3gg6gO-QngqW6_KHi545A_EE/9573107024",
      "token": "gQ5EpRsNxNebqdiLrOM1xB6DbtMHgzitWwXfTfxrtwU"
    }
  ]
}
Reporting to user: The following errors were reported by the server:

Domain: skargeth.at
Type:   connection
Detail: Fetching http://skargeth.at/.well-known/acme-challenge/4sqnHhC7raeIueJ7KZxQwpmHtYSgHkizHOYcuYIdhLE: Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 155, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 226, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. skargeth.at (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://skargeth.at/.well-known/acme-challenge/4sqnHhC7raeIueJ7KZxQwpmHtYSgHkizHOYcuYIdhLE: Timeout during connect (likely firewall problem)

Calling registered functions
Cleaning up challenges
Removing /var/lib/letsencrypt/.well-known/acme-challenge/4sqnHhC7raeIueJ7KZxQwpmHtYSgHkizHOYcuYIdhLE
All challenges cleaned up
Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.26.1', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1364, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1124, in run
    certname, lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 120, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 391, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 334, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 370, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 155, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 226, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. skargeth.at (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://skargeth.at/.well-known/acme-challenge/4sqnHhC7raeIueJ7KZxQwpmHtYSgHkizHOYcuYIdhLE: Timeout during connect (likely firewall problem)

And here is my apache config:

```
<VirtualHost *:80>
    ServerAdmin martin@skargeth.at
    ServerName skargeth.at

    DocumentRoot /var/www/html

    # It is assumed that the log directory is in /var/log/httpd.
    # For Debian distributions you might want to change this to
    # /var/log/apache2.
    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded
    ErrorLog /var/log/apache2/skargeth.at_error.log
    CustomLog /var/log/apache2/skargeth.at_forwarded.log common_forwarded
    CustomLog /var/log/apache2/skargeth.at_access.log combined env=!dontlog
    CustomLog /var/log/apache2/skargeth.at.log combined

    # Redirect every plain-HTTP request for this host to HTTPS.
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =skargeth.at
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>
```

And my apache ssl config (created by certbot):

```
ServerAdmin martin@skargeth.at
ServerName skargeth.at

DocumentRoot /var/www/html

# It is assumed that the log directory is in /var/log/httpd.
# For Debian distributions you might want to change this to
# /var/log/apache2.
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded
ErrorLog /var/log/apache2/skargeth.at_error.log
CustomLog /var/log/apache2/skargeth.at_forwarded.log common_forwarded
CustomLog /var/log/apache2/skargeth.at_access.log combined env=!dontlog
CustomLog /var/log/apache2/skargeth.at.log combined

# Certificate, key and TLS options managed by Certbot.
SSLCertificateFile /etc/letsencrypt/live/skargeth.at/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/skargeth.at/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
```

If I pause the process and try to access the file in the .well-known/… folder I can reach it just fine. Can’t figure out what’s going wrong here.
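
One way to read the final authorization object in the log above, as an added example (not part of the original post and not Certbot code): it picks out the challenge the CA actually attempted, the address it connected to, and a likely cause class. The function names, the cause labels and the caller-supplied `server_public_ips` list are assumptions of this example; `SAMPLE_AUTHZ` is a trimmed copy of fields from the log.

```python
import ipaddress
import json

# Trimmed copy of the final authorization object from the log above; only the
# fields the triage reads are kept.
SAMPLE_AUTHZ = """
{
  "identifier": {"type": "dns", "value": "skargeth.at"},
  "status": "invalid",
  "challenges": [
    {"type": "tls-sni-01", "status": "invalid"},
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "Fetching http://skargeth.at/.well-known/acme-challenge/4sqnHhC7raeIueJ7KZxQwpmHtYSgHkizHOYcuYIdhLE: Timeout during connect (likely firewall problem)",
        "status": 400
      },
      "validationRecord": [
        {
          "hostname": "skargeth.at",
          "port": "80",
          "addressesResolved": ["91.224.71.24"],
          "addressUsed": "91.224.71.24"
        }
      ]
    },
    {"type": "dns-01", "status": "invalid"},
    {"type": "tls-alpn-01", "status": "invalid"}
  ]
}
"""

ACME_ERROR_PREFIX = "urn:ietf:params:acme:error:"


def classify(kind, addr, known):
    """Map an ACME error kind plus the address the CA used to a cause label.

    The labels are this example's own vocabulary, not ACME or Certbot terms.
    """
    if kind == "dns":
        return "dns-lookup-failed"        # the CA could not resolve the name
    if addr is None:
        return "no-validation-record"     # nothing recorded to reason about
    if not addr.is_global:
        return "non-public-address"       # DNS hands out a private/reserved IP
    if addr not in known:
        return "dns-points-elsewhere"     # A/AAAA record targets another host
    if kind == "connection":
        return "inbound-blocked"          # right host, TCP connect never completed
    if kind == "unauthorized":
        return "wrong-response"           # reached a server, wrong status or body
    return "other"


def triage_authz(authz, server_public_ips):
    """Return one finding per validation attempt the CA recorded as failed.

    server_public_ips: addresses the operator knows reach this web server from
    the internet (supplied by the caller; an assumption of this example).
    """
    known = {ipaddress.ip_address(ip) for ip in server_public_ips}
    findings = []
    for chall in authz.get("challenges", []):
        error = chall.get("error")
        if not error:
            # Challenges without an "error" were never attempted; they become
            # "invalid" only because the authorization as a whole failed.
            continue
        kind = error.get("type", "")
        if kind.startswith(ACME_ERROR_PREFIX):
            kind = kind[len(ACME_ERROR_PREFIX):]
        for rec in chall.get("validationRecord") or [{}]:
            used = rec.get("addressUsed")
            addr = ipaddress.ip_address(used) if used else None
            findings.append({
                "domain": authz["identifier"]["value"],
                "challenge": chall["type"],
                "error": kind,
                "port": rec.get("port"),
                "address_used": used,
                "cause": classify(kind, addr, known),
            })
    return findings


if __name__ == "__main__":
    for finding in triage_authz(json.loads(SAMPLE_AUTHZ), ["91.224.71.24"]):
        print(finding)
```

The `addressUsed` value is the address the CA connected to, so a fetch that succeeds from inside the same network does not exercise the route the validation takes.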


#2

Hi @SirBirne

Certbot uses this

as your webroot. But both versions (www + non-www) redirect your http to https:

So put a file (file name 1234) in /var/www/html/.well-known/acme-challenge/ and check whether you can load this file via

http://skargeth.at/.well-known/acme-challenge/1234

If yes, use certbot with

certbot run -a webroot -i apache -w /var/www/html -d skargeth.at -d www.skargeth.at


Moved to “Help”


#3

Please check it again. I can access the file without troubles now. The http is still redirected to https but that should be no problem - at least that is what I read - feel free to correct me.

Outcome of the renew is the same.


#4

Which webroot did you use?


#5

/var/www/html - I also disabled the redirect

Look, here is what I do:

  1. I run the following and wait until it prompts me to Press Enter to continue:

sudo certbot run --debug-challenges -v -a webroot -i apache -w /var/www/html -d skargeth.at -d www.skargeth.at
Root logging level set at 10
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requested authenticator webroot and installer apache
Apache version is 2.4.33
Single candidate plugin: * apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_debian.DebianConfigurator object at 0x7f17f2f95a58>
Prep: True
Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7f17eeebfa58>
Prep: True
Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7f17eeebfa58> and installer <certbot_apache.override_debian.DebianConfigurator object at 0x7f17f2f95a58>
Plugins selected: Authenticator webroot, Installer apache
Picked account: <Account(RegistrationResource(body=Registration(key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7f17eed935c0>)>), contact=(‘mailto:martin@skargeth.at’,), agreement=‘https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf’, status=None, terms_of_service_agreed=None, only_return_existing=None), uri=‘https://acme-v01.api.letsencrypt.org/acme/reg/7831957’, new_authzr_uri=‘https://acme-v01.api.letsencrypt.org/acme/new-authz’, terms_of_service=‘https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf’), 244bbca5f5432601c9d5b1756fd5694e, Meta(creation_dt=datetime.datetime(2016, 12, 29, 8, 28, 52, tzinfo=), creation_host=‘SKA-WEB01’))>
Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
https://acme-v02.api.letsencrypt.org:443 “GET /directory HTTP/1.1” 200 658
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 658
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Fri, 23 Nov 2018 18:55:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 23 Nov 2018 18:55:32 GMT
Connection: keep-alive

{
  "KaW3Jac5Rzk": "Adding random entries to the directory",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
Should renew, less than 30 days before certificate expiry 2018-12-06 20:16:29 UTC.
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Generating key (2048 bits): /etc/letsencrypt/keys/0369_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0372_csr-certbot.pem
Requesting fresh nonce
Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-order.
https://acme-v02.api.letsencrypt.org:443 “HEAD /acme/new-order HTTP/1.1” 405 0
Received response:
HTTP 405
Server: nginx
Content-Type: application/problem+json
Content-Length: 103
Allow: POST
Replay-Nonce: Vd1eVsa2Yx7eOadTIrH5IRYQiMSLIwGV4kBPij_78p0
Expires: Fri, 23 Nov 2018 18:55:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 23 Nov 2018 18:55:32 GMT
Connection: keep-alive

Storing nonce: Vd1eVsa2Yx7eOadTIrH5IRYQiMSLIwGV4kBPij_78p0
JWS payload:
b’{\n “identifiers”: [\n {\n “type”: “dns”,\n “value”: “skargeth.at”\n },\n {\n “type”: “dns”,\n “value”: “www.skargeth.at”\n }\n ],\n “status”: “pending”,\n “resource”: “new-order”\n}’
Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
“protected”: “eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDEuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL3JlZy83ODMxOTU3IiwgIm5vbmNlIjogIlZkMWVWc2EyWXg3ZU9hZFRJckg1SVJZUWlNU0xJd0dWNGtCUGlqXzc4cDAiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL25ldy1vcmRlciJ9”,
“signature”: “bSPbONx1-cSr3FY-Yo3oPrHQDjYtu1n0vq4l0_BXeaFGXOS_r82VrQOi5wXNmJnk7HShNHnBRm69EDwnPRnsvFzBebOCr8okGdF3uM0AaUOImozKqEX6HwIKEfGDVQ3zVacIbqSM7iU9g2TTvNPLB7vizFkChq42k8X_2vKqJyONy2YgHf9L3b5u76iKyPBtAYvQnEsCury6RVX2vQ96waPhqhg4b_APJzEw9A2qzpXg4bbS_2nArTW_aB44v3iWKjFzfiHVXb6DZyE09MNEpsGULHZx-x-KBZnjBDDsHURrCge8ItlMKswGmgjecU53CVZooE5lblJ0Beqb8qTRWQ”,
“payload”: “ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogInNrYXJnZXRoLmF0IgogICAgfSwKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogInd3dy5za2FyZ2V0aC5hdCIKICAgIH0KICBdLAogICJzdGF0dXMiOiAicGVuZGluZyIsCiAgInJlc291cmNlIjogIm5ldy1vcmRlciIKfQ”
}
https://acme-v02.api.letsencrypt.org:443 “POST /acme/new-order HTTP/1.1” 201 525
Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 525
Boulder-Requester: 7831957
Location: https://acme-v02.api.letsencrypt.org/acme/order/7831957/188739252
Replay-Nonce: EzlTkZDLIFhB472n36qghj7adDGQSfJtaqeCWHSeGYI
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Fri, 23 Nov 2018 18:55:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 23 Nov 2018 18:55:32 GMT
Connection: keep-alive

{
  "status": "pending",
  "expires": "2018-11-30T18:55:15Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "skargeth.at"
    },
    {
      "type": "dns",
      "value": "www.skargeth.at"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz/AdNHCFsv17hAx35Z84pvLkGomLDjqnjUnehQi58ZcDw",
    "https://acme-v02.api.letsencrypt.org/acme/authz/N7GPQoMCIhoGgnkyZeHlV7IrxEN0uH-p_yyDBwmyicc"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/7831957/188739252"
}
Storing nonce: EzlTkZDLIFhB472n36qghj7adDGQSfJtaqeCWHSeGYI
Sending GET request to https://acme-v02.api.letsencrypt.org/acme/authz/AdNHCFsv17hAx35Z84pvLkGomLDjqnjUnehQi58ZcDw.
https://acme-v02.api.letsencrypt.org:443 “GET /acme/authz/AdNHCFsv17hAx35Z84pvLkGomLDjqnjUnehQi58ZcDw HTTP/1.1” 200 1155
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1155
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Fri, 23 Nov 2018 18:55:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 23 Nov 2018 18:55:32 GMT
Connection: keep-alive

{
“identifier”: {
“type”: “dns”,
“value”: “skargeth.at”
},
“status”: “pending”,
“expires”: “2018-11-30T18:55:15Z”,
“challenges”: [
{
“type”: “tls-alpn-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/AdNHCFsv17hAx35Z84pvLkGomLDjqnjUnehQi58ZcDw/9579155551”,
“token”: “W3mgQq8F4kGJEbr6acn9jEQeeIvFY1qmuLYMhFP3cyw”
},
{
“type”: “tls-sni-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/AdNHCFsv17hAx35Z84pvLkGomLDjqnjUnehQi58ZcDw/9579155552”,
“token”: “nCFD_IQOfOJ2_eVlxDNXxZVFjMQrcMhHVPw2XN0qvns”
},
{
“type”: “dns-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/AdNHCFsv17hAx35Z84pvLkGomLDjqnjUnehQi58ZcDw/9579155553”,
“token”: “wIiPBl40CjvwQieF2TNGNQRrFHbTdWLSXwb95iYwUt8”
},
{
“type”: “http-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/AdNHCFsv17hAx35Z84pvLkGomLDjqnjUnehQi58ZcDw/9579155555”,
“token”: “AMZCtl_FW6B1xLOhGePa5R8l35_eUsGj_RGnyZLNcWU”
}
]
}
Sending GET request to https://acme-v02.api.letsencrypt.org/acme/authz/N7GPQoMCIhoGgnkyZeHlV7IrxEN0uH-p_yyDBwmyicc.
https://acme-v02.api.letsencrypt.org:443 “GET /acme/authz/N7GPQoMCIhoGgnkyZeHlV7IrxEN0uH-p_yyDBwmyicc HTTP/1.1” 200 1159
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1159
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Fri, 23 Nov 2018 18:55:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 23 Nov 2018 18:55:33 GMT
Connection: keep-alive

{
“identifier”: {
“type”: “dns”,
“value”: “www.skargeth.at”
},
“status”: “pending”,
“expires”: “2018-11-30T18:55:15Z”,
“challenges”: [
{
“type”: “tls-alpn-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/N7GPQoMCIhoGgnkyZeHlV7IrxEN0uH-p_yyDBwmyicc/9579155566”,
“token”: “qMIKhsbEkI0CGdbqq5Hb8CXuK3dFJudOpPNCtPhtFZM”
},
{
“type”: “http-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/N7GPQoMCIhoGgnkyZeHlV7IrxEN0uH-p_yyDBwmyicc/9579155568”,
“token”: “qaByQrmxOiIBmo3iKIcbMXkrlPn1BNT9wzdAT_skKSM”
},
{
“type”: “dns-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/N7GPQoMCIhoGgnkyZeHlV7IrxEN0uH-p_yyDBwmyicc/9579155570”,
“token”: “ksm92EBsIvMUKS_q5k2tyqcXII-4NtLHy6nXrWmfZg0”
},
{
“type”: “tls-sni-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/N7GPQoMCIhoGgnkyZeHlV7IrxEN0uH-p_yyDBwmyicc/9579155572”,
“token”: “R0E5RkVwu8f2jfaaN21Efr_NUNzkVnyDTQYcw31K-dk”
}
]
}
Performing the following challenges:
http-01 challenge for skargeth.at
http-01 challenge for www.skargeth.at
Using the webroot path /var/www/html for all unmatched domains.
Creating root challenges validation dir at /var/www/html/.well-known/acme-challenge
Creating root challenges validation dir at /var/www/html/.well-known/acme-challenge
Attempting to save validation to /var/www/html/.well-known/acme-challenge/AMZCtl_FW6B1xLOhGePa5R8l35_eUsGj_RGnyZLNcWU
Attempting to save validation to /var/www/html/.well-known/acme-challenge/qaByQrmxOiIBmo3iKIcbMXkrlPn1BNT9wzdAT_skKSM
Waiting for verification…


Challenges loaded. Press continue to submit to CA. Pass “-v” for more info about
challenges.


At this point I can access the file at: http://skargeth.at/.well-known/acme-challenge/qaByQrmxOiIBmo3iKIcbMXkrlPn1BNT9wzdAT_skKSM -> its content is qaByQrmxOiIBmo3iKIcbMXkrlPn1BNT9wzdAT_skKSM.XUin-qerlRsOXMDLRYX5TYOyBKZoQ5yDq15IYuOMI_M

And for diagnostic reasons, here is the output after hitting enter:

JWS payload:
b’{\n “resource”: “challenge”,\n “keyAuthorization”: “AMZCtl_FW6B1xLOhGePa5R8l35_eUsGj_RGnyZLNcWU.XUin-qerlRsOXMDLRYX5TYOyBKZoQ5yDq15IYuOMI_M”,\n “type”: “http-01”\n}’
Sending POST request to https://acme-v02.api.letsencrypt.org/acme/challenge/AdNHCFsv17hAx35Z84pvLkGomLDjqnjUnehQi58ZcDw/9579155555:
{
“protected”: “eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDEuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL3JlZy83ODMxOTU3IiwgIm5vbmNlIjogIkV6bFRrWkRMSUZoQjQ3Mm4zNnFnaGo3YWRER1FTZkp0YXFlQ1dIU2VHWUkiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2NoYWxsZW5nZS9BZE5IQ0ZzdjE3aEF4MzVaODRwdkxrR29tTERqcW5qVW5laFFpNThaY0R3Lzk1NzkxNTU1NTUifQ”,
“signature”: “SnUeXm2On74m6lSstPqX6efaAGpiqqo03A5tLaHJPOEWLmVl8kg9UMb-p-UwErQcEXBInSjrBxjPmI_uNEwGwVGcD9tyhnm8iUNZ3lWOgcbfKYhAnGWTlKjjuQj5mHsYtxugXDrlXNI9Q2Dg6xFBLw-v1sKWkkGtUpaRsvRKtFaxA6H3TDzgt7-IJLBHy8hZs_YKZtyT2XacEG7mDTMh-xIQPcL_9ebniYb3_GLoT79R3qzLCQ6b1oth0iDYrOiA4XV58wYwaUdyeqdsDaXpkG3mqQtgAjiZiRtHfPXe-QnlKzng975GNqMmaPL9ofl-DStFACszcZBLTR6Opwf_rg”,
“payload”: “ewogICJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiLAogICJrZXlBdXRob3JpemF0aW9uIjogIkFNWkN0bF9GVzZCMXhMT2hHZVBhNVI4bDM1X2VVc0dqX1JHbnlaTE5jV1UuWFVpbi1xZXJsUnNPWE1ETFJZWDVUWU95Qktab1E1eURxMTVJWXVPTUlfTSIsCiAgInR5cGUiOiAiaHR0cC0wMSIKfQ”
}
https://acme-v02.api.letsencrypt.org:443 “POST /acme/challenge/AdNHCFsv17hAx35Z84pvLkGomLDjqnjUnehQi58ZcDw/9579155555 HTTP/1.1” 200 223
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 223
Boulder-Requester: 7831957
Link: https://acme-v02.api.letsencrypt.org/acme/authz/AdNHCFsv17hAx35Z84pvLkGomLDjqnjUnehQi58ZcDw;rel=“up”
Location: https://acme-v02.api.letsencrypt.org/acme/challenge/AdNHCFsv17hAx35Z84pvLkGomLDjqnjUnehQi58ZcDw/9579155555
Replay-Nonce: -XyNUmxvIbGGQnbN9XNeVq-9I3q4nlAYLVNAOrfREv4
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Fri, 23 Nov 2018 19:01:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 23 Nov 2018 19:01:16 GMT
Connection: keep-alive

{
“type”: “http-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/AdNHCFsv17hAx35Z84pvLkGomLDjqnjUnehQi58ZcDw/9579155555”,
“token”: “AMZCtl_FW6B1xLOhGePa5R8l35_eUsGj_RGnyZLNcWU”
}
Storing nonce: -XyNUmxvIbGGQnbN9XNeVq-9I3q4nlAYLVNAOrfREv4
JWS payload:
b’{\n “resource”: “challenge”,\n “keyAuthorization”: “qaByQrmxOiIBmo3iKIcbMXkrlPn1BNT9wzdAT_skKSM.XUin-qerlRsOXMDLRYX5TYOyBKZoQ5yDq15IYuOMI_M”,\n “type”: “http-01”\n}’
Sending POST request to https://acme-v02.api.letsencrypt.org/acme/challenge/N7GPQoMCIhoGgnkyZeHlV7IrxEN0uH-p_yyDBwmyicc/9579155568:
{
“protected”: “eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDEuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL3JlZy83ODMxOTU3IiwgIm5vbmNlIjogIi1YeU5VbXh2SWJHR1FuYk45WE5lVnEtOUkzcTRubEFZTFZOQU9yZlJFdjQiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2NoYWxsZW5nZS9ON0dQUW9NQ0lob0dnbmt5WmVIbFY3SXJ4RU4wdUgtcF95eURCd215aWNjLzk1NzkxNTU1NjgifQ”,
“signature”: “Wg-HPXi0LbsXRjMpR47m-Bjp_uEgr08QRubxghhAcFCGeAvLVUKGQefJgx2WBQ51nZBWbqAaHDKRP3xjAD7qYcfu51a8uhRmI0d5H8Ep8YwpFnf4Nyi2BUAC7X-sy9voNILw29igyHUwrK3itqjbaym3dhJdKf0bWLVRjf1EJ7368f-hLHPJ0nUCazi9acaSb1I2FsnXJ0-S_Gknb5i6yF9VZlOoI7bBGYZ80feJHgtXtWyq3iKWGgeiQIfexRUExSGygGDC20OfchZaEXsilgcjjCTNigp9wf-QFYg-5XwaV2lsUqIuIem3-GcXCDA4QWztW4RASTXZqjd1SfyIeA”,
“payload”: “ewogICJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiLAogICJrZXlBdXRob3JpemF0aW9uIjogInFhQnlRcm14T2lJQm1vM2lLSWNiTVhrcmxQbjFCTlQ5d3pkQVRfc2tLU00uWFVpbi1xZXJsUnNPWE1ETFJZWDVUWU95Qktab1E1eURxMTVJWXVPTUlfTSIsCiAgInR5cGUiOiAiaHR0cC0wMSIKfQ”
}
https://acme-v02.api.letsencrypt.org:443 “POST /acme/challenge/N7GPQoMCIhoGgnkyZeHlV7IrxEN0uH-p_yyDBwmyicc/9579155568 HTTP/1.1” 200 223
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 223
Boulder-Requester: 7831957
Link: https://acme-v02.api.letsencrypt.org/acme/authz/N7GPQoMCIhoGgnkyZeHlV7IrxEN0uH-p_yyDBwmyicc;rel=“up”
Location: https://acme-v02.api.letsencrypt.org/acme/challenge/N7GPQoMCIhoGgnkyZeHlV7IrxEN0uH-p_yyDBwmyicc/9579155568
Replay-Nonce: 5eJB_0x76p3If9V_88h_keI4ytwultzcoRGrmgEL0bQ
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Fri, 23 Nov 2018 19:01:17 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 23 Nov 2018 19:01:17 GMT
Connection: keep-alive

{
“type”: “http-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/N7GPQoMCIhoGgnkyZeHlV7IrxEN0uH-p_yyDBwmyicc/9579155568”,
“token”: “qaByQrmxOiIBmo3iKIcbMXkrlPn1BNT9wzdAT_skKSM”
}
Storing nonce: 5eJB_0x76p3If9V_88h_keI4ytwultzcoRGrmgEL0bQ
Sending GET request to https://acme-v02.api.letsencrypt.org/acme/authz/AdNHCFsv17hAx35Z84pvLkGomLDjqnjUnehQi58ZcDw.
https://acme-v02.api.letsencrypt.org:443 “GET /acme/authz/AdNHCFsv17hAx35Z84pvLkGomLDjqnjUnehQi58ZcDw HTTP/1.1” 200 1155
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1155
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Fri, 23 Nov 2018 19:01:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 23 Nov 2018 19:01:20 GMT
Connection: keep-alive

{
“identifier”: {
“type”: “dns”,
“value”: “skargeth.at”
},
“status”: “pending”,
“expires”: “2018-11-30T18:55:15Z”,
“challenges”: [
{
“type”: “tls-alpn-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/AdNHCFsv17hAx35Z84pvLkGomLDjqnjUnehQi58ZcDw/9579155551”,
“token”: “W3mgQq8F4kGJEbr6acn9jEQeeIvFY1qmuLYMhFP3cyw”
},
{
“type”: “tls-sni-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/AdNHCFsv17hAx35Z84pvLkGomLDjqnjUnehQi58ZcDw/9579155552”,
“token”: “nCFD_IQOfOJ2_eVlxDNXxZVFjMQrcMhHVPw2XN0qvns”
},
{
“type”: “dns-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/AdNHCFsv17hAx35Z84pvLkGomLDjqnjUnehQi58ZcDw/9579155553”,
“token”: “wIiPBl40CjvwQieF2TNGNQRrFHbTdWLSXwb95iYwUt8”
},
{
“type”: “http-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/AdNHCFsv17hAx35Z84pvLkGomLDjqnjUnehQi58ZcDw/9579155555”,
“token”: “AMZCtl_FW6B1xLOhGePa5R8l35_eUsGj_RGnyZLNcWU”
}
]
}
Sending GET request to https://acme-v02.api.letsencrypt.org/acme/authz/AdNHCFsv17hAx35Z84pvLkGomLDjqnjUnehQi58ZcDw.
https://acme-v02.api.letsencrypt.org:443 “GET /acme/authz/AdNHCFsv17hAx35Z84pvLkGomLDjqnjUnehQi58ZcDw HTTP/1.1” 200 1155
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1155
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Fri, 23 Nov 2018 19:01:23 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 23 Nov 2018 19:01:23 GMT
Connection: keep-alive

{
“identifier”: {
“type”: “dns”,
“value”: “skargeth.at”
},
“status”: “pending”,
“expires”: “2018-11-30T18:55:15Z”,
“challenges”: [
{
“type”: “tls-alpn-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/AdNHCFsv17hAx35Z84pvLkGomLDjqnjUnehQi58ZcDw/9579155551”,
“token”: “W3mgQq8F4kGJEbr6acn9jEQeeIvFY1qmuLYMhFP3cyw”
},
{
“type”: “tls-sni-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/AdNHCFsv17hAx35Z84pvLkGomLDjqnjUnehQi58ZcDw/9579155552”,
“token”: “nCFD_IQOfOJ2_eVlxDNXxZVFjMQrcMhHVPw2XN0qvns”
},
{
“type”: “dns-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/AdNHCFsv17hAx35Z84pvLkGomLDjqnjUnehQi58ZcDw/9579155553”,
“token”: “wIiPBl40CjvwQieF2TNGNQRrFHbTdWLSXwb95iYwUt8”
},
{
“type”: “http-01”,
“status”: “pending”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/AdNHCFsv17hAx35Z84pvLkGomLDjqnjUnehQi58ZcDw/9579155555”,
“token”: “AMZCtl_FW6B1xLOhGePa5R8l35_eUsGj_RGnyZLNcWU”
}
]
}
Sending GET request to https://acme-v02.api.letsencrypt.org/acme/authz/AdNHCFsv17hAx35Z84pvLkGomLDjqnjUnehQi58ZcDw.
https://acme-v02.api.letsencrypt.org:443 “GET /acme/authz/AdNHCFsv17hAx35Z84pvLkGomLDjqnjUnehQi58ZcDw HTTP/1.1” 200 1771
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1771
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Fri, 23 Nov 2018 19:01:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 23 Nov 2018 19:01:30 GMT
Connection: keep-alive

{
“identifier”: {
“type”: “dns”,
“value”: “skargeth.at”
},
“status”: “invalid”,
“expires”: “2018-11-30T18:55:15Z”,
“challenges”: [
{
“type”: “tls-alpn-01”,
“status”: “invalid”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/AdNHCFsv17hAx35Z84pvLkGomLDjqnjUnehQi58ZcDw/9579155551”,
“token”: “W3mgQq8F4kGJEbr6acn9jEQeeIvFY1qmuLYMhFP3cyw”
},
{
“type”: “tls-sni-01”,
“status”: “invalid”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/AdNHCFsv17hAx35Z84pvLkGomLDjqnjUnehQi58ZcDw/9579155552”,
“token”: “nCFD_IQOfOJ2_eVlxDNXxZVFjMQrcMhHVPw2XN0qvns”
},
{
“type”: “dns-01”,
“status”: “invalid”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/AdNHCFsv17hAx35Z84pvLkGomLDjqnjUnehQi58ZcDw/9579155553”,
“token”: “wIiPBl40CjvwQieF2TNGNQRrFHbTdWLSXwb95iYwUt8”
},
{
“type”: “http-01”,
“status”: “invalid”,
“error”: {
“type”: “urn:ietf:params:acme:error:connection”,
“detail”: “Fetching http://skargeth.at/.well-known/acme-challenge/AMZCtl_FW6B1xLOhGePa5R8l35_eUsGj_RGnyZLNcWU: Timeout during connect (likely firewall problem)”,
“status”: 400
},
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/AdNHCFsv17hAx35Z84pvLkGomLDjqnjUnehQi58ZcDw/9579155555”,
“token”: “AMZCtl_FW6B1xLOhGePa5R8l35_eUsGj_RGnyZLNcWU”,
“validationRecord”: [
{
“url”: “http://skargeth.at/.well-known/acme-challenge/AMZCtl_FW6B1xLOhGePa5R8l35_eUsGj_RGnyZLNcWU”,
“hostname”: “skargeth.at”,
“port”: “80”,
“addressesResolved”: [
“91.224.71.24”
],
“addressUsed”: “91.224.71.24”
}
]
}
]
}
Sending GET request to https://acme-v02.api.letsencrypt.org/acme/authz/N7GPQoMCIhoGgnkyZeHlV7IrxEN0uH-p_yyDBwmyicc.
https://acme-v02.api.letsencrypt.org:443 “GET /acme/authz/N7GPQoMCIhoGgnkyZeHlV7IrxEN0uH-p_yyDBwmyicc HTTP/1.1” 200 1787
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1787
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Fri, 23 Nov 2018 19:01:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 23 Nov 2018 19:01:30 GMT
Connection: keep-alive

{
“identifier”: {
“type”: “dns”,
“value”: “www.skargeth.at”
},
“status”: “invalid”,
“expires”: “2018-11-30T18:55:15Z”,
“challenges”: [
{
“type”: “tls-alpn-01”,
“status”: “invalid”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/N7GPQoMCIhoGgnkyZeHlV7IrxEN0uH-p_yyDBwmyicc/9579155566”,
“token”: “qMIKhsbEkI0CGdbqq5Hb8CXuK3dFJudOpPNCtPhtFZM”
},
{
“type”: “http-01”,
“status”: “invalid”,
“error”: {
“type”: “urn:ietf:params:acme:error:connection”,
“detail”: “Fetching http://www.skargeth.at/.well-known/acme-challenge/qaByQrmxOiIBmo3iKIcbMXkrlPn1BNT9wzdAT_skKSM: Timeout during connect (likely firewall problem)”,
“status”: 400
},
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/N7GPQoMCIhoGgnkyZeHlV7IrxEN0uH-p_yyDBwmyicc/9579155568”,
“token”: “qaByQrmxOiIBmo3iKIcbMXkrlPn1BNT9wzdAT_skKSM”,
“validationRecord”: [
{
“url”: “http://www.skargeth.at/.well-known/acme-challenge/qaByQrmxOiIBmo3iKIcbMXkrlPn1BNT9wzdAT_skKSM”,
“hostname”: “www.skargeth.at”,
“port”: “80”,
“addressesResolved”: [
“91.224.71.24”
],
“addressUsed”: “91.224.71.24”
}
]
},
{
“type”: “dns-01”,
“status”: “invalid”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/N7GPQoMCIhoGgnkyZeHlV7IrxEN0uH-p_yyDBwmyicc/9579155570”,
“token”: “ksm92EBsIvMUKS_q5k2tyqcXII-4NtLHy6nXrWmfZg0”
},
{
“type”: “tls-sni-01”,
“status”: “invalid”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/N7GPQoMCIhoGgnkyZeHlV7IrxEN0uH-p_yyDBwmyicc/9579155572”,
“token”: “R0E5RkVwu8f2jfaaN21Efr_NUNzkVnyDTQYcw31K-dk”
}
]
}
Reporting to user: The following errors were reported by the server:

Domain: skargeth.at
Type: connection
Detail: Fetching http://skargeth.at/.well-known/acme-challenge/AMZCtl_FW6B1xLOhGePa5R8l35_eUsGj_RGnyZLNcWU: Timeout during connect (likely firewall problem)

Domain: www.skargeth.at
Type: connection
Detail: Fetching http://www.skargeth.at/.well-known/acme-challenge/qaByQrmxOiIBmo3iKIcbMXkrlPn1BNT9wzdAT_skKSM: Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you’re using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
Encountered exception:
Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 82, in handle_authorizations
self._respond(aauthzrs, resp, best_effort)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 155, in _respond
self._poll_challenges(aauthzrs, chall_update, best_effort)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 226, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. skargeth.at (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://skargeth.at/.well-known/acme-challenge/AMZCtl_FW6B1xLOhGePa5R8l35_eUsGj_RGnyZLNcWU: Timeout during connect (likely firewall problem), www.skargeth.at (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.skargeth.at/.well-known/acme-challenge/qaByQrmxOiIBmo3iKIcbMXkrlPn1BNT9wzdAT_skKSM: Timeout during connect (likely firewall problem)

Calling registered functions
Cleaning up challenges
Removing /var/www/html/.well-known/acme-challenge/AMZCtl_FW6B1xLOhGePa5R8l35_eUsGj_RGnyZLNcWU
Removing /var/www/html/.well-known/acme-challenge/qaByQrmxOiIBmo3iKIcbMXkrlPn1BNT9wzdAT_skKSM
All challenges cleaned up
Exiting abnormally:
Traceback (most recent call last):
File “/usr/bin/certbot”, line 11, in
load_entry_point(‘certbot==0.26.1’, ‘console_scripts’, ‘certbot’)()
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 1364, in main
return config.func(config, plugins)
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 1124, in run
certname, lineage)
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 115, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File “/usr/lib/python3/dist-packages/certbot/renewal.py”, line 305, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
File “/usr/lib/python3/dist-packages/certbot/client.py”, line 334, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File “/usr/lib/python3/dist-packages/certbot/client.py”, line 370, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 82, in handle_authorizations
self._respond(aauthzrs, resp, best_effort)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 155, in _respond
self._poll_challenges(aauthzrs, chall_update, best_effort)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 226, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. skargeth.at (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://skargeth.at/.well-known/acme-challenge/AMZCtl_FW6B1xLOhGePa5R8l35_eUsGj_RGnyZLNcWU: Timeout during connect (likely firewall problem), www.skargeth.at (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.skargeth.at/.well-known/acme-challenge/qaByQrmxOiIBmo3iKIcbMXkrlPn1BNT9wzdAT_skKSM: Timeout during connect (likely firewall problem)
Failed authorization procedure. skargeth.at (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://skargeth.at/.well-known/acme-challenge/AMZCtl_FW6B1xLOhGePa5R8l35_eUsGj_RGnyZLNcWU: Timeout during connect (likely firewall problem), www.skargeth.at (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.skargeth.at/.well-known/acme-challenge/qaByQrmxOiIBmo3iKIcbMXkrlPn1BNT9wzdAT_skKSM: Timeout during connect (likely firewall problem)

IMPORTANT NOTES:

I also have a few other and more important domains on this server, all of them having the same issue right now. I urgently need a solution. I can’t use DNS challenge or I at least failed trying to use it.
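The failing authorization from the log above, reduced to the fields that locate the problem, as an added example that is not part of the original post. The sample is a trimmed excerpt of that log with the forum's curly quotes left in; the function names and the `HINTS` mapping are this example's own assumptions.

```python
import json

# Constructed sample: the skargeth.at authorization from the log above, trimmed
# to the relevant fields and left with the curly quotes the forum substituted.
PASTED_AUTHZ = """
{“identifier”: {“type”: “dns”, “value”: “skargeth.at”},
 “status”: “invalid”,
 “challenges”: [
  {“type”: “dns-01”, “status”: “invalid”},
  {“type”: “http-01”, “status”: “invalid”,
   “error”: {“type”: “urn:ietf:params:acme:error:connection”,
             “detail”: “Timeout during connect (likely firewall problem)”,
             “status”: 400},
   “validationRecord”: [{“hostname”: “skargeth.at”, “port”: “80”,
                         “addressesResolved”: [“91.224.71.24”],
                         “addressUsed”: “91.224.71.24”}]}]}
"""

# Assumption: this example's own reading of three ACME error types (RFC 8555).
HINTS = {
    "connection": "CA could not connect: test the listed address and port from outside your network",
    "dns": "CA could not resolve the name: check the A/AAAA records",
    "unauthorized": "CA got a response it did not accept: check what the webroot serves",
}

def load_pasted_json(text):
    """Parse JSON whose straight quotes a forum renderer turned into curly ones."""
    return json.loads(text.replace("“", '"').replace("”", '"'))

def failed_challenges(authz):
    """Return one finding per challenge that carries an error object."""
    findings = []
    for chall in authz.get("challenges", []):
        err = chall.get("error")
        if err is None:
            continue  # untried challenges turn invalid without an error of their own
        kind = err["type"].rsplit(":", 1)[-1]
        findings.append({
            "domain": authz["identifier"]["value"],
            "challenge": chall["type"],
            "error": kind,
            # Where the CA actually connected: the address to test from outside.
            "targets": [(r.get("addressUsed"), r.get("port"))
                        for r in chall.get("validationRecord", [])],
            "hint": HINTS.get(kind, err.get("detail", "")),
        })
    return findings

if __name__ == "__main__":
    for finding in failed_challenges(load_pasted_json(PASTED_AUTHZ)):
        print(finding)
```

Only the challenge that was actually attempted carries an `error` and a `validationRecord`; the other challenge types are marked invalid as a side effect and say nothing about the cause.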


#6

Further information:

My Apache logs do not show any access other than my own. So nobody is even trying to connect to my machine. I can access it easily from different locations. I tried it from Austria and via a VPN from the UK.


#7

But now you have completely different errors: Timeout.

That’s ok, if Letsencrypt reports a timeout :wink:


#8

Timeout was my initial problem too.

Any further suggestions? I’m really stuck here.


#9

Hi,

Could you please check if your hosting provider has a firewall in place? Or do you have any firewall setup on your machine? It seems there’s a firewall block…

Thank you


#10

But

https://www.skargeth.at/.well-known/acme-challenge/1234

works.


#11

Yes. But I’m having trouble connecting to HTTP port 80… Let’s Encrypt needs to connect to port 80 first…

Weird thing: port 443 is also not responding to my scan… Both showed filtered.


#12

My online check https://check-your-website.server-daten.de/?q=skargeth.at

has no problem checking the HTTP version.

Same when using an old .NET tool of my own to check a single URL.

That works with http://www.skargeth.at/.well-known/acme-challenge/1234


#13

Could you please try to connect to the following 3 things for me:

edited examples away

The first two are on my host, the other one is hosted on the same network but on a different machine. I would also like to know your IP (Range) so I can check for firewall issues. Basically everything should be fine, no known issues so far on my end, but there seems to be some sort of problem.


#14

Hi,

All three sites, including the site you have a problem with, are showing “connection timed out” in my browser and “filtered” in portqry as well as nmap.

I’m in Atlanta, GA using Comcast internet…

I’ve also tried to curl the site from three other servers in the United States (Quadranet LA, GCP and Colo in Buffalo); all showed “Connection Timed out”.

Maybe there’s some policy on the server / Provider / ISP that blocked the connections from the United States.

A Pingdom test from the United Kingdom could show the site, but not from any server locations in the U.S…

Thank you


#15

Thank you, sorry for bothering you, I’ll check that.


#16

Ok, this looks really bad.

Checked with https://www.uptrends.com/de/tools/uptime