Challenge failed for domain

twellit · September 1, 2023, 4:19am

Hi Let's Encrypt experts,

I have tried to renew my certificate, the way I have done it many times every three months, using [certbot --force-renewal] (if there is a better way, pls let me know). This time, for the first time, I got the [Challenge failed for domain] error message and I have no idea why and what to do. The server is remote and the people there are not able to help, so far. Can someone offer me some advice and point me in the right direction? Any help is much appreciated! Thanks!

My domain is: travelintaiwan.net

I ran this command:

certbot --force-renewal

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: travelintaiwan.net
2: www.travelintaiwan.net
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Renewing an existing certificate for travelintaiwan.net and www.travelintaiwan.net
Performing the following challenges:
http-01 challenge for travelintaiwan.net
http-01 challenge for www.travelintaiwan.net
Waiting for verification...
Challenge failed for domain travelintaiwan.net
Challenge failed for domain www.travelintaiwan.net
http-01 challenge for travelintaiwan.net
http-01 challenge for www.travelintaiwan.net
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: travelintaiwan.net
   Type:   connection
   Detail: 211.79.207.183: Fetching
   http://travelintaiwan.net/.well-known/acme-challenge/htFaZNpQmU6fHjWYZ_eVa0rkTJCRV7HztnazAT1O_q4:
   Connection refused

   Domain: www.travelintaiwan.net
   Type:   connection
   Detail: 211.79.207.183: Fetching
   http://www.travelintaiwan.net/.well-known/acme-challenge/6tLOkY9bRjaT_bp_V1cYO_WjllUDpI_VclCi6gqQmuU:
   Connection refused

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

My web server is (include version):

The operating system my web server runs on is (include version): Centos 7

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.11.0

rg305 · September 1, 2023, 4:51am

It seems like something is preventing LE from reaching your server on port 80:

twellit · September 1, 2023, 4:55am

So it must be on the server side, right?

Osiris · September 1, 2023, 5:15am

Please don't use this option if you don't know what it actually is for.

rg305 · September 1, 2023, 5:16am

Most likely, yes.
But it could also be your ISP or your country blocking it.

twellit · September 1, 2023, 5:17am

That's why I wrote, "if there is a better way, pls let me know".

What should I use instead?

rg305 · September 1, 2023, 5:18am

I can reach it:

curl -Ii www.travelintaiwan.net
HTTP/1.1 301 Moved Permanently
Date: Fri, 01 Sep 2023 05:16:09 GMT
Server: Apache/2.4.54 (codeit) OpenSSL/1.1.1q+quic PHP/7.4.33
Location: https://www.travelintaiwan.net/
Content-Type: text/html; charset=iso-8859-1

But LE can't.
And Let's Debug also can't:
Let's Debug (letsdebug.net)

rg305 · September 1, 2023, 5:18am

Just:
certbot renew

[which should be run twice a day via a scheduled job/task]

MikeMcQ · September 1, 2023, 2:31pm

I can also reach your domain and even tested from several locations around the world and they all worked. I also tried with the same "user-agent" string as Let's Encrypt as the Palo Alto brand of firewall might block those requests. But, those tests also worked so it is not that.

It looks more like an IP based firewall blocking Let's Encrypt and the Let's Debug IP addresses.

twellit · September 4, 2023, 6:17am

Server people say ports 22 and 80 are open, no IP's get blocked. No idea what to do.

schoen · September 4, 2023, 6:25am

Can you check logs for right around the time of a test using Let's Debug? See if your server can see the connection being refused somehow?

(I'm not sure what logs to suggest looking at, since "connection refused" is more often OS-level rather than application-level... you might need to run something like tcpdump on the server!)

twellit · September 4, 2023, 6:58am

ANotWorking

ERROR

www.travelintaiwan.net has an A (IPv4) record (211.79.207.183) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.

What could be the reason why the request did not succeed, if it's not an IP based firewall blocking LE?

rg305 · September 4, 2023, 9:57am

I can think of a few other possibilities:

Routing tables mishaps
Geo-location blocks
IPS signature blocks
The Great [Fire] Wall type blocks

twellit · September 7, 2023, 6:14am

OK, some progress. Looks fine in the backend.

Successfully received certificate.
Certificate is saved at: /etc/ssl-com/live/travelintaiwan.net/fullchain.pem
Key is saved at:         /etc/ssl-com/live/travelintaiwan.net/privkey.pem
This certificate expires on 2023-12-20.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for travelintaiwan.net to /etc/httpd/conf.d/travelintaiwan-le-ssl.conf
Congratulations! You have successfully enabled HTTPS on https://travelintaiwan.net

But in the browsers it's not accepted it seems. Is there a waiting period?

As you can see, I used ssl.com (SSL Dragon), not sure if that is a competitor to Let's Encrypt? I hope this has not disqualified me from asking questions here. I just want to get this to work. Will be happy to use whatever provider. Tks, guys!

derek-mba · September 7, 2023, 12:00pm

Just use certbot renew daily. It won't renew if it's not due for renewal.

derek-mba · September 7, 2023, 12:02pm

"Travel in Taiwan": I can definitely imagine a Great Firewall block.

Do you control your DNS entries? It may be simpler to set up a DNS challenge.

derek-mba · September 7, 2023, 12:07pm

It's not IN your HTTP configuration. Certificate chains are specified at the server. It's not that the browser is not "accepting" the new, it's just that you haven't restarted your HTTP server, so the new certs aren't being sent. In my experience, on self-hosted systems, certbot does that, but perhaps it can't in your configuration.

rg305 · September 7, 2023, 12:40pm

What shows?:
sudo apachectl -t -D DUMP_VHOSTS

twellit · September 8, 2023, 2:53am

Here it is

[ABC]# sudo apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server www.travelintaiwan.net (/etc/httpd/conf.d/ssl.conf:58)
         port 443 namevhost www.travelintaiwan.net (/etc/httpd/conf.d/ssl.conf:58)
         port 443 namevhost travelintaiwan.net (/etc/httpd/conf.d/travelintaiwan-le-ssl.conf:2)
                 alias www.travelintaiwan.net
*:80                   travelintaiwan.net (/etc/httpd/conf.d/travelintaiwan.conf:1)

Anything you can see in there?

9peppe · September 8, 2023, 3:29am

Isn't that more of a "PRC" issue? (Although, Asia is funny like that. You never know.)