Certificate can not be issued in staging boulder

JohnBoy · August 30, 2017, 6:52am

Finally I got the certificate on August 29

Currently the following logs are returned
I am masking confidential information

method=:get,
             body=
              {"identifier"=>{"type"=>"dns", "value"=>"u**.***.r****.ga"},
               "status"=>"invalid",
               "expires"=>"2017-09-06T06:19:00Z",
               "challenges"=>
                [{"type"=>"dns-01",
                  "status"=>"pending",
                  "uri"=>
                   "https://acme-staging.api.letsencrypt.org/acme/challenge/0t2Y*****B8rWbln60-h***YpZ6lFe*****Pa5Ur1g/55814711",
                  "token"=>"No***WZepR****F4bEGQJ-****-4RtAgf****Ty9ODs"},
                 {"type"=>"http-01",
                  "status"=>"invalid",
                  "error"=>
                   {"type"=>"urn:acme:error:connection",
                    "detail"=>
                     "Fetching http://***.***.*****.ga/.well-known/acme-challenge/U_ZoQfNHSz6N2A****cuy5eQ2hl1M-***********: Timeout",
                    "status"=>400},
                  "uri"=>
                   "https://acme-staging.api.letsencrypt.org/acme/challenge/0t2Y*****B8rWbln60-h***YpZ6lFe*****Pa5Ur1g/55814712",
                  "token"=>"U_ZoQfNHSz6N2A****cuy5eQ2hl1M-***********",
                  "keyAuthorization"=>
                   "U_ZoQfNHSz6N2A****cuy5eQ2hl1M-***********.dGTw_oLZp***dZHHOILt****dMuPtcAe***ieR***I",
                  "validationRecord"=>
                   [{"url"=>
                      "http://u**.***.r****.ga/.well-known/acme-challenge/U_ZoQfNHSz6N2A****cuy5eQ2hl1M-***********",
                     "hostname"=>"u**.***.r****.ga",
                     "port"=>"80",
                     "addressesResolved"=>["***.**.***.**"],
                     "addressUsed"=>"***.**.***.**",
                     "addressesTried"=>[]}]},
                 {"type"=>"tls-sni-01",
                  "status"=>"pending",
                  "uri"=>
                   "https://acme-staging.api.letsencrypt.org/acme/challenge/0t2Y*****B8rWbln60-h***YpZ6lFe*****Pa5Ur1g/55814713",
                  "token"=>"Gr2y9gf****HEgARmBZek8z8***ruQ8nz1**idY_c"}],
               "combinations"=>[[1], [0], [2]]},
             url=
              #<URI::HTTPS https://acme-staging.api.letsencrypt.org/acme/authz/0t2Y*****B8rWbln60-h***YpZ6lFe*****Pa5Ur1g>,

I tried in the production environment on the same domain and I got a certificate. At that time there is no change in our environment.

Domain can not be published due to circumstances

JohnBoy · August 30, 2017, 7:01am

I do not really know what is the timeout
I have confirmed that the server has checked the authentication file from boulder

{“type”=>“urn:acme:error:connection”,
“detail”=>
“Fetching http://…ga/.well-known/acme-challenge/U_ZoQfNHSz6N2A****cuy5eQ2hl1M-: Timeout”,
“status”=>400}

mkwm · August 30, 2017, 8:42am

If you fail to obtain certificate from staging environment, but you're able to do so on production instance, this may be to changes in validation process. To improve security of certificate issuance (protection from BGP-directed attacks, causing CAs to believe that the challenge was completed by authorized server owner, while traffic to given IP address was being redirected to the attacker), Let's Encrypt started to validate challenges from various different network locations simultaneously (for now, on staging only). See:

Also, please note that if your domain name itself is really confidential, probably you shouldn't use it with Let's Encrypt (or with any other publicly trusted CA - since April 2018, when Google Chrome starts to enforce CT), as all certificates get logged to publicly available Certificate Transparency log servers (and once they get logged, you won't be able to remove it from log - by design they are append-only). If you got certificate from production LE environment, it will be visible there: crt.sh | % (this is only a CT log browser, which aggregates certificates from different logs).

cpu · August 30, 2017, 2:43pm

Hi @johnboy,

What ACME client are you using? What is the command line you’re using to invoke it (if applicable)?

JohnBoy · August 31, 2017, 12:55am

Thank you for returning!

cpu · August 31, 2017, 3:22pm

Hi @JohnBoy,

I’m not able to identify the failing requests you observed based on the information provided. Can you share the exact domain name(s) or the full challenge/authorization URLs?W

Which ACME client are you using? Did the problem eventually resolve itself?

system · September 30, 2017, 3:22pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.