Challenge did not pass (status 400) UCS 5 Univention

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

It produced this output: Do 26. Jan 12:28:33 CET 2023
Refreshing certificate for following domains:
nextcloud.flg.......
Parsing account key...
Parsing CSR...
Found domains: nextcloud.flg..
Getting directory...
Directory found!
Registering account...
Already registered!
Creating new order...
Order created!
Verifying nextcloud.flg.....
Traceback (most recent call last):
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 198, in <module>
    main(sys.argv[1:])
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 149, in get_crt
    raise ValueError("Challenge did not pass for {0}: {1}".format(domain, authorization))
ValueError: Challenge did not pass for nextcloud.flg......: {u'status': u'invalid', u'challenges': [{u'status': u'invalid', u'validationRecord': [{u'url': u'http://nextcloud.flg..../.well-known/acme-challenge/Nh9SdSW6h4bZg2ZNClg_ZRaRBYkV4p2Pv7vOrPRYG38', u'hostname': u'nextcloud.flg.....', u'addressUsed': u'93.238....', u'port': u'80', u'addressesResolved': [u'93.238....']}], u'url': u'https://acme-v02.api.letsencrypt.org/acme/chall-v3/198362170227/kOlXFg', u'token': u'Nh9SdSW6h4bZg2ZNClg_ZRaRBYkV4p2Pv7vOrPRYG38', u'error': {u'status': 400, u'type': u'urn:ietf:params:acme:error:connection', u'detail': u'93.238....: Fetching http://nextcloud...../.well-known/acme-challenge/Nh9SdSW6h4bZg2ZNClg_ZRaRBYkV4p2Pv7vOrPRYG38: Timeout during connect (likely firewall problem)'}, u'validated': u'2023-01-26T11:28:19Z', u'type': u'http-01'}], u'identifier': {u'type': u'dns', u'value': u'nextcloud.flg....'}, u'expires': u'2023-02-02T11:28:17Z'}

My web server is (include version): Apache

The operating system my web server runs on is (include version): Linux Ubuntu

My hosting provider, if applicable, is: Vodafone

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Univention/Letsencrypt Version 2.0.0-2 (UCS 5)

It is showing:

Oops! No nameservers found.

We tried to query nextcloud.flg for NS records (your nameservers), but couldn't find any. Does the domain you've added have any NS records?

I'm sorry. My domain is: nextcloud.flg-asperg.de


And this is what is shown for that domain name

DNS report for nextcloud.flg-asperg.de
Oops! No nameservers found.

We tried to query nextcloud.flg-asperg.de for NS records (your nameservers), but couldn't find any. Does the domain you've added have any NS records?

Or are they on a domain higher up the chain?

    flg-asperg.de
    de


Yet in the past certificates have been issued; here is a list: crt.sh | nextcloud.flg-asperg.de


And https://unboundtest.com/m/CAA/nextcloud.flg-asperg.de/BVG65GXA the top shows this

Query results for CAA nextcloud.flg-asperg.de

Response:
;; opcode: QUERY, status: NOERROR, id: 53417
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;nextcloud.flg-asperg.de.	IN	 CAA

;; ANSWER SECTION:
nextcloud.flg-asperg.de.	0	IN	CNAME	flg-asperg.dyndns.org.

;; AUTHORITY SECTION:
dyndns.org.	0	IN	SOA	ns1.dyndns.org. hostmaster.dyndns.org. 1676483148 600 300 604800 600

----- Unbound logs -----
Jan 26 16:03:22 unbound[58841:0] notice: init module 0: validator
Jan 26 16:03:22 unbound[58841:0] notice: init module 1: iterator
Jan 26 16:03:22 unbound[58841:0] info: start of service (unbound 1.16.3).

Let's Debug for the HTTP-01 Challenge has 2 ERRORs results here https://letsdebug.net/nextcloud.flg-asperg.de/1350686

The HTTP-01 Challenge needs Port 80
Best Practice - Keep Port 80 Open


How can we solve this? In the past we had no problem with certificate issuance. We have a pfSense firewall, and ports 80 and 443 are forwarded to the Nextcloud VM. Is the problem that we have NO public IP address?

By having your host reachable by port 80 (and depending on a redirect also on port 443).

That's not something we can tell, but is something for you to investigate and find out unfortunately.

First have a working website and then try again.


The system only has Port 443 open; if you desire to use TLS-ALPN-01 challenge then that could work. :neutral_face:

$ nmap -Pn nextcloud.flg-asperg.de
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2023-02-01 09:59 PST
Stats: 0:04:01 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 74.97% done; ETC: 10:04 (0:01:20 remaining)
Nmap scan report for nextcloud.flg-asperg.de (93.238.71.93)
Host is up (0.18s latency).
rDNS record for 93.238.71.93: p5dee475d.dip0.t-ipconnect.de
Not shown: 635 closed ports, 364 filtered ports
PORT    STATE SERVICE
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 360.51 seconds

We have both ports open (see marker). We don't understand where the problem is. Maybe Let's Encrypt has a problem with our domain name?

Why do I get a different IP?:

nslookup nextcloud.flg-asperg.de
Name:    flg-asperg.dyndns.org
Address: 93.238.68.209
Aliases: nextcloud.flg-asperg.de

We don't have a public IP; we use DynDNS.

You may not have a static/reserved IP, but you must have a public IP.

Why does your screenshot show IP: 93.213.31.25
While mine shows IP: 93.238.68.209

Can you retest now, at this new IP?


Both ports are open

That's not what I see from the U.S.

HTTP fails:

curl -Ii nextcloud.flg-asperg.de
curl: (56) Recv failure: Connection reset by peer

curl -Ii 93.238.68.209
curl: (56) Recv failure: Connection reset by peer

HTTPS works:

curl -Iik https://nextcloud.flg-asperg.de
HTTP/1.1 302 Found
Date: Thu, 09 Feb 2023 09:45:23 GMT
Server: Apache/2.4.38 (Univention)
Location: https://nextcloud.flg-asperg.de/univention/
Content-Type: text/html; charset=iso-8859-1
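The replies above boil down to two checks that can be run from the host itself before invoking the client: what the name resolves to (compared against the `addressesResolved` the CA reports in the traceback), and whether ports 80 and 443 actually complete a TCP connect. The script below does both and also extracts the `type`/`detail` of each failed challenge from an ACME authorization object shaped like the one in the traceback. It is an added example, not code from this thread, from Univention, or from acme_tiny; the host name, address and token in it are constructed placeholders, and the verdict strings are my own wording. The `connect` and `resolver` parameters exist only so the logic can be exercised offline.

```python
"""Pre-flight diagnostics for an ACME http-01 challenge (added example)."""
import socket
from typing import Callable, Dict, List, Tuple

# Constructed sample, shaped like the authorization object acme_tiny dumps on
# failure (only the keys this script reads are included).
SAMPLE_AUTHZ = {
    "status": "invalid",
    "identifier": {"type": "dns", "value": "nextcloud.example.invalid"},
    "challenges": [
        {
            "type": "http-01",
            "status": "invalid",
            "token": "EXAMPLE_TOKEN_PLACEHOLDER",
            "error": {
                "status": 400,
                "type": "urn:ietf:params:acme:error:connection",
                "detail": "Timeout during connect (likely firewall problem)",
            },
        }
    ],
}


def failed_challenges(authz: Dict) -> List[Tuple[str, str, str]]:
    """(challenge type, ACME error type, detail) for every challenge that did
    not validate, so the root cause is readable without the full traceback."""
    out = []
    for ch in authz.get("challenges", []):
        if ch.get("status") == "valid":
            continue
        err = ch.get("error") or {}
        out.append((ch.get("type", "?"),
                    err.get("type", "no error body"),
                    err.get("detail", "")))
    return out


def addresses_for(name: str, resolver: Callable = socket.getaddrinfo) -> List[str]:
    """Addresses the local resolver returns for name (CNAMEs are followed).
    Compare with validationRecord.addressesResolved in the CA's error: a
    mismatch points at a stale dynamic-DNS record or split-horizon DNS."""
    infos = resolver(name, None, socket.AF_UNSPEC, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def port_reachable(host: str, port: int, timeout: float = 5.0,
                   connect: Callable = socket.create_connection) -> bool:
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        sock = connect((host, port), timeout)
    except OSError:
        return False
    sock.close()
    return True


def http01_preflight(host: str,
                     connect: Callable = socket.create_connection,
                     resolver: Callable = socket.getaddrinfo) -> Dict:
    """Resolve host, probe 80 and 443 on every address, and give a verdict."""
    addrs = addresses_for(host, resolver)
    report: Dict = {"addresses": addrs, "port80": {}, "port443": {}}
    for addr in addrs:
        report["port80"][addr] = port_reachable(addr, 80, connect=connect)
        report["port443"][addr] = port_reachable(addr, 443, connect=connect)
    if not addrs:
        report["verdict"] = "no address resolved: fix DNS before retrying"
    elif all(report["port80"].values()):
        report["verdict"] = "port 80 reachable: http-01 can be attempted"
    elif all(report["port443"].values()):
        report["verdict"] = ("port 80 blocked, 443 open: forward/open port 80 "
                             "or switch to tls-alpn-01")
    else:
        report["verdict"] = ("neither port reachable: check the firewall, the "
                             "port forward and whether the IP is really public")
    return report


if __name__ == "__main__":
    import json
    import sys
    for item in failed_challenges(SAMPLE_AUTHZ):
        print("failed challenge:", item)
    if len(sys.argv) > 1:
        print(json.dumps(http01_preflight(sys.argv[1]), indent=2))
```

Run it on the host as `python3 preflight.py nextcloud.example.invalid` (substituting the real name); note that a probe from inside the LAN may succeed through NAT hairpinning while the CA, connecting from outside, still times out, so a clean local result should be confirmed with an external checker like the ones linked in this thread.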

Here is an online tool: https://check-host.net/ . It takes a host name or IP address; to check HTTPS, enter the URL with https:// and hit the HTTP button,
to check from around the world your

Here is an online tool: TCP Port Scanner, Online Port Scan, Port Scanning | IPVoid
It requires an IP address to scan (no domain names).
This will allow you to see how the public side of the Internet views your IP address.
