Certificate generation fails

I failed to create a certificate.
I tried to check access using the command below (just to check if there is an issue in the web server for this specific folder) and it works:
curl -I http://egerp.com/.well-known/acme-challenge/3vGIG540TjxdzS4O_eCm0qi1VaZaDfvQQ9Ib0ZAyaO8

HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Wed, 30 Sep 2020 16:51:46 GMT
Content-Type: text/html; charset=utf-8
Connection: close

So it seems not to be an access problem.

My domain is: egerp.com

I ran this command: sudo certbot --nginx

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?

1: egerp.com

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for egerp.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. egerp.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://egerp.com/.well-known/acme-challenge/VGqRPZjDPYaytu-0AZ2WNwrvGCQYv57DZ0UQe32v-f8: Timeout during connect (likely firewall problem)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: egerp.com
    Type: connection
    Detail: Fetching
    http://egerp.com/.well-known/acme-challenge/VGqRPZjDPYaytu-0AZ2WNwrvGCQYv57DZ0UQe32v-f8:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version):
nginx version: nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 18.04.5 LTS (GNU/Linux 5.4.0-1025-aws x86_64)

My hosting provider, if applicable, is:
aws EC2

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.27.0

Hi @saadalla

Checking your domain, your setup can't work - see https://check-your-website.server-daten.de/?q=egerp.com%2F.well-known%2Facme-challenge%2F3vgig540tjxdzs4o_ecm0qi1vazadfvqq9ib0zayao8

There is a frame

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
   "http://www.w3.org/TR/html4/strict.dtd">
<html>

<head>
  <title>Egypt ERP</title>  
  <meta name="description" content="Startup Egypt ERP Service Provide">
  <meta name="keywords" content="Egypt ERP">
</head>
<frameset rows="100%,*" border="0">
  <frame src="http://3.133.90.192/.well-known/acme-challenge/3vgig540tjxdzs4o_ecm0qi1vazadfvqq9ib0zayao8" frameborder="0" />
</frameset>

</html>

So the wrong IP is checked. An A record yourdomain -> 3.133.90.192 is required.

And I don't have a timeout. So if Letsencrypt reports that timeout, it looks like a regional filter, i.e. your server blocks some IP addresses.


That is a false positive check.
I get:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
   "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
  <title>Egypt ERP</title>
  <meta name="description" content="Startup Egypt ERP Service Provide">
  <meta name="keywords" content="Egypt ERP">
</head>
<frameset rows="100%,*" border="0">
  <frame src="http://3.133.90.192/.well-known/acme-challenge/3vGIG540TjxdzS4O_eCm0qi1VaZaDfvQQ9Ib0ZAyaO8" frameborder="0" />
</frameset>
</html>

It might look correct to the eye (within a web/HTML browser).
But it is far from what is actually expected.
Note: LE will follow "normal" HTTP/HTTPS redirections.
This is using HTTP://IP (not normal), and is actually not even a redirection at all - it's framed HTML.


Thanks for your feedback.
I am new to this; it seems to be the work of my domain provider (GoDaddy).
I will be adding an A DNS entry and re-testing.

Also, regarding the timeout, I suspect a failure in the client, as I get the Python logs below (or is this normal?):

Domain: egerp.com
Type: connection
Detail: Fetching http://egerp.com/.well-known/acme-challenge/X6jgebNbTLBD36duEFcg8nR8lOPGnxKHOeJjdoxwtGg: Timeout during connect (likely firewall problem)

To fix these errors........

2020-09-30 15:54:33,687:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 155, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 226, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. egerp.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://egerp.com/.well-known/acme-challenge/X6jgebNbTLBD36duEFcg8nR8lOPGnxKHOeJjdoxwtGg: Timeout during connect (likely firewall problem)

2020-09-30 15:54:33,687:DEBUG:certbot.error_handler:Calling registered functions
2020-09-30 15:54:33,687:INFO:certbot.auth_handler:Cleaning up challenges
2020-09-30 15:54:34,796:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.27.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1364, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1124, in run
    certname, lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 120, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 391, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 334, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 370, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 155, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 226, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. egerp.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://egerp.com/.well-known/acme-challenge/X6jgebNbTLBD36duEFcg8nR8lOPGnxKHOeJjdoxwtGg: Timeout during connect (likely firewall problem)

You now have two IPs:

Name:    egerp.com
Addresses:  3.133.90.192
          184.168.131.241

That should only be one IP.
Like:

Name:    www.egerp.com
Address:  3.133.90.192
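The two findings in this thread, the framed forward that answers 200 without being a redirect and the name resolving to two A records, can be reproduced offline. The script below is an added example written for this page, not code from the thread, certbot or Let's Encrypt. It classifies what an http-01 validator would see at the challenge URL (a key authorization is `<token>.<JWK thumbprint>`, 43 unpadded base64url characters for a SHA-256 thumbprint) and then judges whether validation can pass given the addresses the name resolves to. The sample input reuses the token, frameset and the two IPs from the thread; the thumbprint is a placeholder, and the assumption that 3.133.90.192 is the EC2 host serving the token while 184.168.131.241 is the registrar's forwarding host is mine.

```python
"""Added offline diagnostic for the http-01 failure discussed in this thread."""
import base64
import hashlib
import re
from html.parser import HTMLParser

# Key authorization: "<token>.<thumbprint>", SHA-256 thumbprint = 43 base64url chars.
_B64URL = r"[A-Za-z0-9_-]"
_KEY_AUTHZ_RE = re.compile(rf"^({_B64URL}+)\.({_B64URL}{{43}})$")


class _FrameFinder(HTMLParser):
    """Collect <frameset>, <frame> and <iframe> occurrences in an HTML body."""

    def __init__(self):
        super().__init__()
        self.has_frameset = False
        self.frame_srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "frameset":
            self.has_frameset = True
        elif tag in ("frame", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.frame_srcs.append(src)


def frame_targets(body):
    """Return the src URLs of any frames in body (empty list if none)."""
    finder = _FrameFinder()
    finder.feed(body)
    return finder.frame_srcs


def classify_response(token, status, body):
    """What a validator sees at /.well-known/acme-challenge/<token>:
    'unreachable' (no HTTP response, e.g. connect timeout), 'http-error',
    'framed-forward' (HTML frame forwarding, not a redirect),
    'wrong-content' (200 but not this token's key authorization) or 'ok'."""
    if status is None:
        return "unreachable"
    if status != 200:
        return "http-error"
    finder = _FrameFinder()
    finder.feed(body)
    if finder.has_frameset or finder.frame_srcs:
        return "framed-forward"
    match = _KEY_AUTHZ_RE.match(body.strip())
    if match and match.group(1) == token:
        return "ok"
    return "wrong-content"


def diagnose(domain, token, a_records, responses):
    """Judge whether http-01 can pass. a_records: addresses the name resolves
    to; responses: address -> (status, body) fetched from that host. The CA
    may connect to any listed address, so every one must serve the token."""
    per_address = {addr: classify_response(token, *responses.get(addr, (None, "")))
                   for addr in a_records}
    findings = {
        "per_address": per_address,
        "failing_addresses": [a for a, v in per_address.items() if v != "ok"],
        "would_pass": bool(a_records) and all(v == "ok" for v in per_address.values()),
    }
    if len(a_records) != 1:
        findings["dns"] = f"{domain} has {len(a_records)} A records; each must serve the challenge"
    return findings


# --- constructed sample input: token and frameset from the thread ---
DOMAIN = "egerp.com"
TOKEN = "3vGIG540TjxdzS4O_eCm0qi1VaZaDfvQQ9Ib0ZAyaO8"
# Placeholder thumbprint derived from a made-up JWK, not a real account key.
THUMBPRINT = base64.urlsafe_b64encode(
    hashlib.sha256(b'{"e":"AQAB","kty":"RSA","n":"placeholder"}').digest()).rstrip(b"=").decode()
KEY_AUTHZ = f"{TOKEN}.{THUMBPRINT}"
FRAMESET_BODY = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
   "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head><title>Egypt ERP</title></head>
<frameset rows="100%,*" border="0">
  <frame src="http://3.133.90.192/.well-known/acme-challenge/3vGIG540TjxdzS4O_eCm0qi1VaZaDfvQQ9Ib0ZAyaO8" frameborder="0" />
</frameset>
</html>
"""
# Assumption: 3.133.90.192 is the EC2 host serving the token file and
# 184.168.131.241 is the registrar forwarding host answering with the frameset.
SAMPLE_A_RECORDS = ["3.133.90.192", "184.168.131.241"]
SAMPLE_RESPONSES = {
    "3.133.90.192": (200, KEY_AUTHZ + "\n"),
    "184.168.131.241": (200, FRAMESET_BODY),
}


def run_sample():
    return diagnose(DOMAIN, TOKEN, SAMPLE_A_RECORDS, SAMPLE_RESPONSES)


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

With both A records present the verdict is "would_pass: False", because the forwarding host answers 200 with a frameset rather than the key authorization; with the single record pointing at the EC2 host it passes. To feed it live data instead of the constructed sample, resolve the name with `dig +short A egerp.com` and fetch the challenge URL from each address with `curl -sS -H 'Host: egerp.com' http://<ip>/.well-known/acme-challenge/<token>`, then pass the bodies in as the `responses` dict.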

Thanks rg,
It seems to be working now.
