Challenge failed for domain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
certbot certonly --standalone --preferred-challenges http --http-01-address 127.0.0.1 --http-01-port 9080 -d timetracker.maverickwine.com --email ssl@willchilders.com --agree-tos --non-interactive

It produced this output:
root@ICELB-01:/etc/haproxy# certbot certonly --standalone --preferred-challenges http --http-01-address 127.0.0.1 --http-01-port 9080 -d timetracker.maverickwine.com --email ssl@willchilders.com --agree-tos --non-interactive
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for timetracker.maverickwine.com
Waiting for verification...
Challenge failed for domain timetracker.maverickwine.com
http-01 challenge for timetracker.maverickwine.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

My web server is (include version):
root@ICELB-01:/etc/haproxy# haproxy -v
HA-Proxy version 2.1.12-1ppa1~focal 2021/03/20 - https://haproxy.org/
Status: End of life - please upgrade to branch 2.2.
Known bugs: http://www.haproxy.org/bugs/bugs-2.1.12.html
Running on: Linux 5.4.0-146-generic #163-Ubuntu SMP Fri Mar 17 18:26:02 UTC 2023 x86_64

(I'm just now seeing the EOL status. Hmm. Wonder if this has something to do with the failure. I've got 13 other domains on this server that have Let's Encrypt SSL. They auto-renew each month with no issues. This is the first new domain I have added in a while.)

The operating system my web server runs on is (include version):
Distributor ID: Ubuntu
Description: Ubuntu 20.04.6 LTS
Release: 20.04
Codename: focal

My hosting provider, if applicable, is:
My personal server colocated in a data center.

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.40.0

Some notes about my HAProxy Server.

In my config file, I need to run the website on port 80 only to get the cert and then I re-config haproxy to change it to 443.

This is my haproxy config for this domain currently.

# If adding a new domain - run on port 80 first to get SSL
    acl tt_fe hdr(host) -i timetracker.maverickwine.com
    use_backend tt_be if tt_fe

# -------------------------------------------
# TimeTracker Maverick Backend 
# -------------------------------------------
backend tt_be
    mode http
    balance source
    option forwardfor
    server www-01 10.1.x.x:80 check inter 1s
    server www-02 10.1.x.x:80 check inter 1s

This is the config for the certbot backend

#----------------
# Certbot backend
#----------------
# Contains certbot stand-alone webserver
backend backend-certbot
    mode http
    server certbot 127.0.0.1:9080

Likely not related to the current problem...
But it's always good to keep things up-to-date.
[and they even asked so nicely 🙂]

Ubuntu 20 supports snaps, which is the recommended method of installing certbot [now at 2.4.0].

6 Likes

How are ACME requests redirected to this certbot backend?

4 Likes
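
The question above turns on whether any frontend rule sends http-01 validation requests (paths under /.well-known/acme-challenge/) to backend-certbot. As an added example that is not part of the thread, this Python check scans a HAProxy config for such a rule; the sample configs are constructed, the frontend name fe_http and the ACL name acme are hypothetical, and the thread shows only a fragment, so the full haproxy.cfg is what it would be run on.

```python
import re

ACME_PATH = ".well-known/acme-challenge"   # http-01 validation path prefix (RFC 8555)
PATH_FETCHES = ("path", "path_beg", "path_dir", "path_reg")
INLINE = re.compile(r"(?<!!)\{\s*path\w*\s+(-\w+\s+)*\S*" + re.escape(ACME_PATH))

def acme_routes(cfg, backend):
    """Return use_backend lines that send http-01 challenge paths to `backend`."""
    acme_acls, hits = set(), []
    for raw in cfg.splitlines():
        tok = raw.split("#", 1)[0].split()           # strip comments, tokenize
        if len(tok) >= 4 and tok[0] == "acl":
            # acl <name> <fetch> [flags] <pattern>...
            if tok[2] in PATH_FETCHES and any(ACME_PATH in p for p in tok[3:]):
                acme_acls.add(tok[1])
        elif len(tok) >= 4 and tok[:2] == ["use_backend", backend] and tok[2] == "if":
            cond = tok[3:]
            named = any(t in acme_acls for t in cond)   # "!name" never matches
            if named or INLINE.search(" ".join(cond)):  # or anonymous { path_beg ... }
                hits.append(" ".join(tok))
    return hits

# Constructed sample: host-based routing only, in the style of the posted fragment.
HOST_ONLY = """
frontend fe_http            # hypothetical frontend name
    bind *:80
    acl tt_fe hdr(host) -i timetracker.maverickwine.com
    use_backend tt_be if tt_fe
backend backend-certbot
    mode http
    server certbot 127.0.0.1:9080
"""

# Constructed sample: the same frontend with a path rule ahead of the host rule.
WITH_ACME = """
frontend fe_http
    bind *:80
    acl acme path_beg /.well-known/acme-challenge/
    use_backend backend-certbot if acme
    acl tt_fe hdr(host) -i timetracker.maverickwine.com
    use_backend tt_be if tt_fe
"""

if __name__ == "__main__":
    for name, cfg in (("host-only", HOST_ONLY), ("with-acme", WITH_ACME)):
        print(name, acme_routes(cfg, "backend-certbot") or "no ACME route to certbot backend")
```

An empty result means challenge requests follow the host-based rules instead, so they never reach the standalone listener that certbot starts on 127.0.0.1:9080.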
