Challenge failed for domain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
pve.polymicro.net

I ran this command:

certbot run --test-cert -i apache -d pve.polymicro.net

It produced this output:

Waiting for verification...
Challenge failed for domain pve.polymicro.net
http-01 challenge for pve.polymicro.net
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

My web server is (include version):
Server Version: Apache/2.4.53 (Debian) OpenSSL/1.1.1n

The operating system my web server runs on is (include version):
Debian 11.2

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.12.0

I can verify the challenge file is created using inotifywait on the /var/www/.well-known/acme-challenge folder using `-i apache` or `-a manual` with:

`echo "zui3EMygrY-snij1wqGSo7kDRpGSKV7z1ZCtu3cIJlo.qTGnRO6Yu4SdFyP4Vvb9p1PBpJqSwfHejtaEQtwDhnw" > /www/html/.well-known/acme-challenge/zui3EMygrY-snij1wqGSo7kDRpGSKV7z1ZCtu3cIJlo`

When asked to continue I never see the challenge file being accessed from the Certbot test server even though I see the http request coming in on the eth0 NIC and my Apache2 server responding.

The challenge file is readable if I dump it in an HTML file at
http://pve.polymicro.net/.well-known/acme-challenge/

Apache Config

# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
# Include /etc/apache2/sites-enabled/000-default-le-ssl.conf
ServerName pve.polymicro.net
Options +FollowSymLinks
RewriteEngine on
# ProxyPreserveHost On
# ProxyPass /confluence http://10.1.2.104:8090/confluence
# ProxyPassReverse /confluence http://atlassian.polymicro.net/confluence

ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
<Directory /var/www/html>
    Options Indexes FollowSymLinks Includes ExecCGI
    AllowOverride All
    Order deny,allow
    Allow from all
    Require all granted
</Directory>
# Redirect 301 / http://confluence.polymicro.net

RedirectMatch 301 ^(.*)$ http://confluence.polymicro.net/confluence/$1

# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.

ErrorLog ${APACHE_LOG_DIR}/pve-error.log
CustomLog ${APACHE_LOG_DIR}/pve-access.log combined
# DumpIOInput On
# DumpIOOutput On
# LogLevel debug dumpio:trace7
# LogLevel trace5
LogLevel info ssl:warn

# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf

Here is the output from 3 terminals: the command, watching the challenge folder, and tcpdump.

Command:

certbot run --test-cert -i apache -d pve.polymicro.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?


1: Apache Web Server plugin (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)


Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 3
Plugins selected: Authenticator webroot, Installer apache
Requesting a certificate for pve.polymicro.net
Performing the following challenges:
http-01 challenge for pve.polymicro.net
Input the webroot for pve.polymicro.net: (Enter 'c' to cancel): /var/www/html
Waiting for verification...
Challenge failed for domain pve.polymicro.net
http-01 challenge for pve.polymicro.net
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:


Challenge folder

root@pve /www/html/nextcloud # /usr/bin/inotifywait -m -r /www/html/.well-known/acme-challenge
/www/html/.well-known/acme-challenge/ CREATE kVn1CHSrEOuCRz6o_z3HhQ-VRPl3azgFizAh6C1o6j8
/www/html/.well-known/acme-challenge/ OPEN kVn1CHSrEOuCRz6o_z3HhQ-VRPl3azgFizAh6C1o6j8
/www/html/.well-known/acme-challenge/ MODIFY kVn1CHSrEOuCRz6o_z3HhQ-VRPl3azgFizAh6C1o6j8
/www/html/.well-known/acme-challenge/ CLOSE_WRITE,CLOSE kVn1CHSrEOuCRz6o_z3HhQ-VRPl3azgFizAh6C1o6j8
/www/html/.well-known/acme-challenge/ DELETE kVn1CHSrEOuCRz6o_z3HhQ-VRPl3azgFizAh6C1o6j8


TCPDUMP

root@pve ~ # tcpdump -v port 80
tcpdump: listening on eno1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
14:45:05.944169 IP (tos 0x0, ttl 47, id 44374, offset 0, flags [DF], proto TCP (6), length 60)
ec2-34-215-125-167.us-west-2.compute.amazonaws.com.31448 > pve.polymicro.net.http: Flags [S], cksum 0x8e70 (correct), seq 892603456, win 62727, options [mss 1460,sackOK,TS val 1026957109 ecr 0,nop,wscale 7], length 0
14:45:05.944200 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
pve.polymicro.net.http > ec2-34-215-125-167.us-west-2.compute.amazonaws.com.31448: Flags [R.], cksum 0x47b3 (correct), seq 0, ack 892603457, win 0, length 0
14:45:05.974817 IP (tos 0x0, ttl 48, id 4860, offset 0, flags [DF], proto TCP (6), length 60)
outbound1.letsencrypt.org.48172 > pve.polymicro.net.http: Flags [S], cksum 0x7a01 (correct), seq 1415316773, win 64240, options [mss 1460,sackOK,TS val 1636737238 ecr 0,nop,wscale 7], length 0
14:45:05.974844 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
pve.polymicro.net.http > outbound1.letsencrypt.org.48172: Flags [R.], cksum 0xdf26 (correct), seq 0, ack 1415316774, win 0, length 0
14:45:06.969820 IP (tos 0x0, ttl 47, id 44375, offset 0, flags [DF], proto TCP (6), length 60)
ec2-34-215-125-167.us-west-2.compute.amazonaws.com.31448 > pve.polymicro.net.http: Flags [S], cksum 0x8a6f (correct), seq 892603456, win 62727, options [mss 1460,sackOK,TS val 1026958134 ecr 0,nop,wscale 7], length 0
14:45:06.969847 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
pve.polymicro.net.http > ec2-34-215-125-167.us-west-2.compute.amazonaws.com.31448: Flags [R.], cksum 0x47b3 (correct), seq 0, ack 1, win 0, length 0
14:45:06.982298 IP (tos 0x0, ttl 48, id 4861, offset 0, flags [DF], proto TCP (6), length 60)
outbound1.letsencrypt.org.48172 > pve.polymicro.net.http: Flags [S], cksum 0x7612 (correct), seq 1415316773, win 64240, options [mss 1460,sackOK,TS val 1636738245 ecr 0,nop,wscale 7], length 0
14:45:06.982325 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
pve.polymicro.net.http > outbound1.letsencrypt.org.48172: Flags [R.], cksum 0xdf26 (correct), seq 0, ack 1, win 0, length 0
14:45:08.986486 IP (tos 0x0, ttl 47, id 44376, offset 0, flags [DF], proto TCP (6), length 60)
ec2-34-215-125-167.us-west-2.compute.amazonaws.com.31448 > pve.polymicro.net.http: Flags [S], cksum 0x828f (correct), seq 892603456, win 62727, options [mss 1460,sackOK,TS val 1026960150 ecr 0,nop,wscale 7], length 0
14:45:08.986514 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
pve.polymicro.net.http > ec2-34-215-125-167.us-west-2.compute.amazonaws.com.31448: Flags [R.], cksum 0x47b3 (correct), seq 0, ack 1, win 0, length 0
14:45:08.999089 IP (tos 0x0, ttl 48, id 4862, offset 0, flags [DF], proto TCP (6), length 60)
outbound1.letsencrypt.org.48172 > pve.polymicro.net.http: Flags [S], cksum 0x6e32 (correct), seq 1415316773, win 64240, options [mss 1460,sackOK,TS val 1636740261 ecr 0,nop,wscale 7], length 0
14:45:08.999120 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
pve.polymicro.net.http > outbound1.letsencrypt.org.48172: Flags [R.], cksum 0xdf26 (correct), seq 0, ack 1, win 0, length 0
14:45:13.126212 IP (tos 0x0, ttl 48, id 4863, offset 0, flags [DF], proto TCP (6), length 60)
outbound1.letsencrypt.org.48172 > pve.polymicro.net.http: Flags [S], cksum 0x5e12 (correct), seq 1415316773, win 64240, options [mss 1460,sackOK,TS val 1636744389 ecr 0,nop,wscale 7], length 0
14:45:13.126238 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
pve.polymicro.net.http > outbound1.letsencrypt.org.48172: Flags [R.], cksum 0xdf26 (correct), seq 0, ack 1, win 0, length 0
14:45:13.242368 IP (tos 0x0, ttl 47, id 44377, offset 0, flags [DF], proto TCP (6), length 60)
ec2-34-215-125-167.us-west-2.compute.amazonaws.com.31448 > pve.polymicro.net.http: Flags [S], cksum 0x71ef (correct), seq 892603456, win 62727, options [mss 1460,sackOK,TS val 1026964406 ecr 0,nop,wscale 7], length 0
14:45:13.242380 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
pve.polymicro.net.http > ec2-34-215-125-167.us-west-2.compute.amazonaws.com.31448: Flags [R.], cksum 0x47b3 (correct), seq 0, ack 1, win 0, length 0
14:45:15.977875 IP (tos 0x0, ttl 42, id 12764, offset 0, flags [DF], proto TCP (6), length 60)
ec2-54-93-203-169.eu-central-1.compute.amazonaws.com.25304 > pve.polymicro.net.http: Flags [S], cksum 0x7c38 (correct), seq 1403420529, win 62727, options [mss 1460,sackOK,TS val 2868635771 ecr 0,nop,wscale 7], length 0
14:45:15.977898 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
pve.polymicro.net.http > ec2-54-93-203-169.eu-central-1.compute.amazonaws.com.25304: Flags [R.], cksum 0x6c87 (correct), seq 0, ack 1403420530, win 0, length 0
14:45:15.988167 IP (tos 0x0, ttl 42, id 29918, offset 0, flags [DF], proto TCP (6), length 60)
ec2-18-219-18-231.us-east-2.compute.amazonaws.com.16334 > pve.polymicro.net.http: Flags [S], cksum 0xf65f (correct), seq 1029465953, win 62727, options [mss 1460,sackOK,TS val 917901379 ecr 0,nop,wscale 7], length 0
14:45:15.988177 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
pve.polymicro.net.http > ec2-18-219-18-231.us-east-2.compute.amazonaws.com.16334: Flags [R.], cksum 0x9a30 (correct), seq 0, ack 1029465954, win 0, length 0
14:46:08.295483 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
10.1.1.7.62211 > pve.polymicro.net.http: Flags [S], cksum 0x49f8 (correct), seq 2457539301, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 756158772 ecr 0,sackOK,eol], length 0
14:46:08.295521 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
pve.polymicro.net.http > 10.1.1.7.62211: Flags [R.], cksum 0x0112 (correct), seq 0, ack 2457539302, win 0, length 0
14:46:08.321841 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
10.1.1.7.62213 > pve.polymicro.net.http: Flags [S], cksum 0x5c74 (correct), seq 3478904277, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 3742254312 ecr 0,sackOK,eol], length 0
14:46:08.321868 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
pve.polymicro.net.http > 10.1.1.7.62213: Flags [R.], cksum 0xf93e (correct), seq 0, ack 3478904278, win 0, length 0
14:46:08.328866 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
10.1.1.7.62214 > pve.polymicro.net.http: Flags [S], cksum 0x992f (correct), seq 1114500162, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 1897591969 ecr 0,sackOK,eol], length 0
14:46:08.328897 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
pve.polymicro.net.http > 10.1.1.7.62214: Flags [R.], cksum 0x77bf (correct), seq 0, ack 1114500163, win 0, length 0
14:46:39.976325 IP (tos 0x0, ttl 54, id 59040, offset 0, flags [DF], proto TCP (6), length 60)
tieinterceptor1a.sea1.discourse.cloud.37296 > pve.polymicro.net.http: Flags [S], cksum 0xf2be (correct), seq 2108990077, win 42340, options [mss 1460,sackOK,TS val 3687990728 ecr 0,nop,wscale 9], length 0

1 Like
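The capture and the vhost above contain two separate signals worth checking mechanically: every SYN to port 80 (from the Let's Encrypt validator, from the EC2-hosted secondary validators, and even from the LAN host 10.1.1.7) is answered with a RST, and the vhost has a catch-all `RedirectMatch 301 ^(.*)$` that also matches `/.well-known/acme-challenge/`. The validator follows redirects, so the second only breaks validation when the redirect target does not serve the token, but excluding the challenge path is the usual fix. The script below is an added example, not code from the thread, from Certbot or from Let's Encrypt; it parses `tcpdump -v` output into per-peer SYN/SYN-ACK/RST counters, turns them into a verdict, and scans a vhost for redirect rules that capture the challenge path. The sample capture and vhost fragment are constructed to mirror what was posted; `diagnose_port` and `check_vhost_redirects` are names chosen here.

```python
"""Offline triage for a failed ACME http-01 validation (added example).

summarise_tcpdump()      per-peer SYN / SYN-ACK / RST counters from `tcpdump -v port 80`
diagnose_port()          verdict from those counters
check_vhost_redirects()  Redirect/RedirectMatch rules that also capture the challenge path
"""
import re
from collections import defaultdict

# Second line of each `tcpdump -v` record: "<src>.<sport> > <dst>.<dport>: Flags [..], ..."
# tcpdump resolves well-known ports to names, so the server side shows as ".http".
_PKT_RE = re.compile(
    r"^(?P<src>\S+)\.(?P<sport>[^\s.:]+) > (?P<dst>\S+)\.(?P<dport>[^\s.:]+): Flags \[(?P<flags>[^\]]+)\]"
)

# Redirect [status] URL-path URL   /   RedirectMatch [status] regex URL
# (the RedirectPermanent/RedirectTemp spellings are not handled here)
_REDIRECT_RE = re.compile(
    r"^(Redirect(?:Match)?)\s+(?:(?:permanent|temp|seeother|gone|\d{3})\s+)?(\S+)(?:\s+(\S+))?",
    re.IGNORECASE,
)


def summarise_tcpdump(lines, local_host, port="http"):
    """Count, per remote peer, SYNs sent to local_host:port and how the host answered."""
    stats = defaultdict(lambda: {"syn": 0, "synack": 0, "rst": 0})
    for line in lines:
        m = _PKT_RE.match(line.strip())
        if not m:
            continue  # timestamp/IP header lines
        flags = m["flags"]
        if m["dst"] == local_host and m["dport"] == port and flags == "S":
            stats[m["src"]]["syn"] += 1
        elif m["src"] == local_host and m["sport"] == port:
            if flags == "S.":
                stats[m["dst"]]["synack"] += 1
            elif "R" in flags:
                stats[m["dst"]]["rst"] += 1
    return dict(stats)


def diagnose_port(stats):
    """One-line verdict from the counters returned by summarise_tcpdump()."""
    syns = sum(s["syn"] for s in stats.values())
    synacks = sum(s["synack"] for s in stats.values())
    rsts = sum(s["rst"] for s in stats.values())
    if syns == 0:
        return "no inbound SYNs: traffic never reaches this host (DNS, ISP or upstream firewall)"
    if synacks == 0 and rsts > 0:
        return "every SYN was reset: nothing listens on this port on this host (check Listen and the NAT target)"
    if synacks > 0:
        return "connections are accepted: look at the web server config and logs, not the network"
    return "SYNs arrive but get no answer: a local packet filter is dropping them"


def check_vhost_redirects(config_text, challenge_path="/.well-known/acme-challenge/"):
    """Return findings for redirect rules that would also redirect the challenge URL."""
    findings = []
    probe = challenge_path + "token"
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _REDIRECT_RE.match(line)
        if not m:
            continue
        directive, pattern, target = m.group(1), m.group(2), m.group(3)
        if directive.lower() == "redirectmatch":
            try:
                hit = re.search(pattern, probe) is not None  # Apache uses PCRE; close enough here
            except re.error:
                hit = False
        else:
            hit = probe.startswith(pattern.rstrip("/") + "/")  # Redirect is a URL-path prefix match
        if hit:
            findings.append(f"line {lineno}: {directive} {pattern!r} also sends {challenge_path} to {target!r}")
    return findings


# Constructed sample input, shaped like the `tcpdump -v port 80` capture in the thread.
SAMPLE_TCPDUMP = """\
14:45:05.974817 IP (tos 0x0, ttl 48, id 4860, offset 0, flags [DF], proto TCP (6), length 60)
outbound1.letsencrypt.org.48172 > pve.polymicro.net.http: Flags [S], cksum 0x7a01 (correct), seq 1415316773, win 64240, length 0
14:45:05.974844 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
pve.polymicro.net.http > outbound1.letsencrypt.org.48172: Flags [R.], cksum 0xdf26 (correct), seq 0, ack 1415316774, win 0, length 0
14:45:06.982298 IP (tos 0x0, ttl 48, id 4861, offset 0, flags [DF], proto TCP (6), length 60)
outbound1.letsencrypt.org.48172 > pve.polymicro.net.http: Flags [S], cksum 0x7612 (correct), seq 1415316773, win 64240, length 0
14:45:06.982325 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
pve.polymicro.net.http > outbound1.letsencrypt.org.48172: Flags [R.], cksum 0xdf26 (correct), seq 0, ack 1, win 0, length 0
14:46:08.295483 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 64)
10.1.1.7.62211 > pve.polymicro.net.http: Flags [S], cksum 0x49f8 (correct), seq 2457539301, win 65535, length 0
14:46:08.295521 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
pve.polymicro.net.http > 10.1.1.7.62211: Flags [R.], cksum 0x0112 (correct), seq 0, ack 2457539302, win 0, length 0
"""

# Constructed vhost fragment reproducing the catch-all redirect from the posted config.
SAMPLE_VHOST = """\
ServerName pve.polymicro.net
DocumentRoot /var/www/html
# Redirect 301 / http://confluence.polymicro.net
RedirectMatch 301 ^(.*)$ http://confluence.polymicro.net/confluence/$1
"""

if __name__ == "__main__":
    stats = summarise_tcpdump(SAMPLE_TCPDUMP.splitlines(), "pve.polymicro.net")
    for peer, s in stats.items():
        print(f"{peer}: {s}")
    print(diagnose_port(stats))
    for finding in check_vhost_redirects(SAMPLE_VHOST):
        print(finding)
```

Run it against a real capture with `tcpdump -nv port 80` piped to a file (with `-n` the server side shows as `.80` rather than `.http`, so pass `port="80"`), and against the actual vhost file. A RST-only verdict means the request is being answered by the kernel, not by Apache, so the next thing to compare is `ss -ltnp` on the host the NAT rule actually forwards to.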

Hi @tgunr, and welcome to the LE community forum :slight_smile:

That usually means inbound HTTP access is either being blocked by your ISP or by your own firewall.
In any case, you will first need an HTTP path to your system in order to validate using HTTP authentication.

2 Likes

Start with:

  • ensure the IP ("47.220.70.147") is correct
    you can use: curl -4 ifconfig.co

  • ensure HTTP reaches your system
    try from any other system on the Internet: http://pve.polymicro.net/

Then we can proceed into the weeds (if needed).

2 Likes

And.... one last finding.
Check your NATting, this is bad [443 goes to 80]:

curl -Ii http://pve.polymicro.net:443/
HTTP/1.1 200 OK
Date: Sat, 21 May 2022 20:14:07 GMT
Server: Apache/2.4.53 (Debian)
Upgrade: h2,h2c
Connection: Upgrade
Last-Modified: Thu, 01 Apr 2021 10:18:23 GMT
ETag: "2c4c-5bee68d2019c0"
Accept-Ranges: bytes
Content-Length: 11340
Vary: Accept-Encoding
Content-Type: text/html
3 Likes
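The `curl` check above distinguishes a correct setup from a wrong port forward by what answers on 443: a TLS listener returns a TLS record (or, for Apache mod_ssl, its own plaintext `400 Bad Request` page saying you are speaking plain HTTP to an SSL-enabled port), while a forward that lands on a plain HTTP listener returns a normal `200 OK` as seen in the reply. The helper below is an added example, not from the thread or from Apache; it sends a plaintext request to port 443 and classifies the first bytes so the check can be scripted. The sample responses in the tests are constructed; `classify_port443_reply` and `probe_port443` are names chosen here.

```python
"""Classify what answers on port 443 (added example, not from the thread)."""
import socket
import sys

_PROBE = b"GET / HTTP/1.0\r\nHost: %s\r\n\r\n"


def classify_port443_reply(data: bytes) -> str:
    """Label the first bytes returned by port 443 after a plaintext HTTP request.

    tls                     a TLS record (handshake 0x16 or alert 0x15): a TLS listener
    tls-plaintext-rejected  Apache mod_ssl's plaintext 400 page: still a TLS listener
    plaintext-http          a real HTTP response: 443 is forwarded to an HTTP listener
    no-data                 connection closed or reset without a reply
    """
    if not data:
        return "no-data"
    # TLS record header: content type 0x14..0x17 followed by major version 0x03
    if len(data) >= 2 and 0x14 <= data[0] <= 0x17 and data[1] == 0x03:
        return "tls"
    if data.startswith(b"HTTP/"):
        status_line = data.partition(b"\r\n")[0]
        if b" 400 " in status_line and b"SSL-enabled" in data:
            return "tls-plaintext-rejected"
        return "plaintext-http"
    return "unknown"


def probe_port443(host: str, timeout: float = 5.0) -> str:
    """Connect to host:443, send a plaintext request and classify the reply (needs network)."""
    with socket.create_connection((host, 443), timeout=timeout) as s:
        s.sendall(_PROBE % host.encode("ascii"))
        try:
            data = s.recv(4096)
        except (ConnectionResetError, socket.timeout):
            data = b""
    return classify_port443_reply(data)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "pve.polymicro.net"
    verdict = probe_port443(target)
    print(f"{target}:443 -> {verdict}")
    if verdict == "plaintext-http":
        print("port 443 is forwarded to a plain HTTP listener; fix the NAT rule or Listen directive")
```

A `plaintext-http` verdict means HTTPS clients will fail the handshake against this host even after a certificate is issued, so the port forward belongs on the fix list alongside port 80.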

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.