I'm operating a production server already containing multiple let's encrypt certificates. While trying to install one new certificate, it fails stating:
[DEBUG] acme.solver: challenge start failed: could not install DNS challenge, no hooks succeeded
[ERROR] acme.storageops: could not obtain authorization for t-stor.teagasc.ie: failed all combinations
[ERROR] acme.storageops: Target(t-stor.teagasc.ie;https://acme-v01.api.letsencrypt.org/directory;0): failed to request certificate: failed all combinations
The /.well-known/acme-challenge location is accessible for the hostname, and the Apache logs clearly indicate there's no problem retrieving the files:
52.208.117.227 - - [11/Jan/2018:16:11:05 +0000] "GET /.well-known/acme-challenge/JFj-pdUNMDtDEFBtwtufOeeuMBB-GzBUdBfKb8sD3IY HTTP/1.1" 200 87 "-" "Go-http-client/1.1"
66.133.109.36 - - [11/Jan/2018:16:11:07 +0000] "GET /.well-known/acme-challenge/JFj-pdUNMDtDEFBtwtufOeeuMBB-GzBUdBfKb8sD3IY HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
I can still add other domains, but this particular domain is rejected.
Most problems I can find on the internet state either a HTTP->HTTPS redirect is in place, or the /.well-known/acme-challenge is not accessible due to a proxy setting. These issues are not applicable here (I've verified writing a file to /var/lib/acme/.well-known/acme-challenge/ and accessing it)
Any input on what else can be blocking the request would be welcome
My domain is: t-stor.teagasc.ie
I ran this command: acmetool want t-stor.teagasc.ie --xlog.severity=debug
It produced this output:
…
[DEBUG] acme.responder: writing webroot file /var/lib/acme/.well-known/acme-challenge/JFj-pdUNMDtDEFBtwtufOeeuMBB-GzBUdBfKb8sD3IY
[DEBUG] acme.responder: writing webroot file /var/run/acme/acme-challenge/JFj-pdUNMDtDEFBtwtufOeeuMBB-GzBUdBfKb8sD3IY
[DEBUG] acme.hooks: calling hook script: /usr/libexec/acme/hooks/haproxy
[DEBUG] acme.hooks: calling hook script: /usr/libexec/acme/hooks/reload
[DEBUG] acme.responder: http-01 self test
[DEBUG] acme.responder: http-01 started
[DEBUG] acme.api: request: https://acme-v01.api.letsencrypt.org/acme/challenge/8QxyRncmNWlshybUJw-zWJqK4xOEblK4tPXRF867N4Y/3056555713
[DEBUG] acme.api: response: &{202 Accepted 202 HTTP/1.1 1 1 map[Date:[Thu, 11 Jan 2018 16:11:06 GMT] Connection:[keep-alive] Content-Type:[application/json] Cache-Control:[max-age=0, no-cache, no-store] Pragma:[no-cache] Link:[https://acme-v01.api.letsencrypt.org/acme/authz/8QxyRncmNWlshybUJw-zWJqK4xOEblK4tPXRF867N4Y;rel="up"] Location:[https://acme-v01.api.letsencrypt.org/acme/challenge/8QxyRncmNWlshybUJw-zWJqK4xOEblK4tPXRF867N4Y/3056555713] Replay-Nonce:[GjbPExoRM2ZTjY1a-H6ivOMTnDmkD-K2rebksGeHOyM] Expires:[Thu, 11 Jan 2018 16:11:06 GMT] Server:[nginx] Content-Length:[336] Boulder-Requester:[20605555]] 0xc420444580 336 false false map 0xc420198900 0xc4201b49a0}
[DEBUG] acme.solver: waiting to poll challenge
[DEBUG] acme.solver: querying challenge status
[DEBUG] acme.api: request: https://acme-v01.api.letsencrypt.org/acme/challenge/8QxyRncmNWlshybUJw-zWJqK4xOEblK4tPXRF867N4Y/3056555713
[DEBUG] acme.api: response: &{202 Accepted 202 HTTP/1.1 1 1 map[Content-Type:[application/json] Link:[https://acme-v01.api.letsencrypt.org/acme/authz/8QxyRncmNWlshybUJw-zWJqK4xOEblK4tPXRF867N4Y;rel="up"] Location:[https://acme-v01.api.letsencrypt.org/acme/challenge/8QxyRncmNWlshybUJw-zWJqK4xOEblK4tPXRF867N4Y/3056555713] Replay-Nonce:[qmJSX0_Y47ByUIkX7ixs-XwEh602-MYX3ZlJF1N-uUs] Expires:[Thu, 11 Jan 2018 16:11:11 GMT] Pragma:[no-cache] Date:[Thu, 11 Jan 2018 16:11:11 GMT] Server:[nginx] Content-Length:[830] Cache-Control:[max-age=0, no-cache, no-store] Connection:[keep-alive]] 0xc420444640 830 false false map 0xc420198b00 0xc4201b49a0}
[DEBUG] acme.solver: challenge now in final state
[DEBUG] acme.responder: removing webroot file /var/lib/acme/.well-known/acme-challenge/JFj-pdUNMDtDEFBtwtufOeeuMBB-GzBUdBfKb8sD3IY
[DEBUG] acme.responder: removing webroot file /var/run/acme/acme-challenge/JFj-pdUNMDtDEFBtwtufOeeuMBB-GzBUdBfKb8sD3IY
[DEBUG] acme.hooks: calling hook script: /usr/libexec/acme/hooks/haproxy
[DEBUG] acme.hooks: calling hook script: /usr/libexec/acme/hooks/reload
[DEBUG] acme.api: request: https://acme-v01.api.letsencrypt.org/acme/new-authz
[DEBUG] acme.api: response: &{201 Created 201 HTTP/1.1 1 1 map[Link:[https://acme-v01.api.letsencrypt.org/acme/new-cert;rel="next"] X-Frame-Options:[DENY] Strict-Transport-Security:[max-age=604800] Date:[Thu, 11 Jan 2018 16:11:12 GMT] Server:[nginx] Content-Type:[application/json] Content-Length:[732] Boulder-Requester:[20605555] Location:[https://acme-v01.api.letsencrypt.org/acme/authz/wrkDVfLYW2Qbx7WSafYLBB60qlQwYrapWufbQb_nS-Q] Replay-Nonce:[FnHi78g8UryqHpEiPhiiubXUYRbb_MFP3aDd_4oStj8] Expires:[Thu, 11 Jan 2018 16:11:12 GMT] Cache-Control:[max-age=0, no-cache, no-store] Pragma:[no-cache] Connection:[keep-alive]] 0xc420184d80 732 false false map 0xc42054c200 0xc4201b49a0}
[DEBUG] acme.solver: attempting challenge type dns-01
[DEBUG] acme.hooks: calling hook script: /usr/libexec/acme/hooks/haproxy
[DEBUG] acme.hooks: calling hook script: /usr/libexec/acme/hooks/reload
[DEBUG] acme.solver: challenge start failed: could not install DNS challenge, no hooks succeeded
[ERROR] acme.storageops: could not obtain authorization for t-stor.teagasc.ie: failed all combinations
[ERROR] acme.storageops: Target(t-stor.teagasc.ie;https://acme-v01.api.letsencrypt.org/directory;0): failed to request certificate: failed all combinations
…
My web server is (include version): Apache/2.2.32
The operating system my web server runs on is (include version): Amazon Linux version 2017.03
My hosting provider, if applicable, is: AWS
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no