Could not connect to .well-known

More than 30 days ago, I created the first LE certificates on some of my domains. Everything worked out great. Today I wanted to secure the missing domains with LE. I got this message:

I started the routine with:
sudo /opt/letsencrypt/letsencrypt-auto certonly --webroot --rsa-key-size 4096 -w /var/www/xyz.de/web/ -d www.xyz.de -d xyz.de

```
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: XYZ.de
   Type:   connection
   Detail: Could not connect to url /.well-known/acme-challenge

   Domain: xyz
   Type:   connection
   Detail: Could not connect to url/.well-known/acme-challenge

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
```

Then I wanted to know if the renewal of the existing certificates works or fails with the same message. Fortunately for me, the renewal worked flawlessly.

Thanks in advance.

Can you verify that you’re able to manually browse to a file in http://example.com/.well-known/acme-challenge?
Try putting a file called test in there (with some random content) and make sure your browser is able to open it.

Please provide more information about the steps you’re following to produce this error.
Which client are you using to request certificates for XYZ.de? Is some other server perhaps running on port 80 for that domain?

Yes. My server is a multi-domain server.

Firstly, I tried:

sudo /opt/letsencrypt/letsencrypt-auto certonly --webroot --rsa-key-size 4096 -w /var/www/clients/client2/xyz.de/web/ -d www.xyz.de -d xyz.de

I'm using ISPConfig, and in the past everything went well.

Please provide output of:
sudo netstat -plant | grep ":80"

```
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 7007/apache2
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 7007/apache2
tcp 0 0 0.0.0.0:8081 0.0.0.0:* LISTEN 7007/apache2
tcp 0 0 85.25.210.22:8080 91.65.64.238:7047 TIME_WAIT -
tcp 0 0 85.25.210.22:8080 91.65.64.238:7048 TIME_WAIT -
tcp 0 0 85.25.210.22:8080 91.65.64.238:7043 TIME_WAIT -
tcp 0 0 85.25.210.22:50970 108.161.187.134:80 TIME_WAIT -
tcp 0 0 85.25.210.22:8080 91.65.64.238:7045 TIME_WAIT -
tcp 0 0 85.25.210.22:8080 91.65.64.238:7044 TIME_WAIT -
tcp 0 0 85.25.210.22:50971 108.161.187.134:80 TIME_WAIT -
tcp 0 0 85.25.210.22:8080 91.65.64.238:7046 TIME_WAIT -
```

You’ve asked it to run the acme challenge on port 80 but your apache instance is already bound to 80 on all interfaces:
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 7007/apache2

Try stopping apache and then rerunning the command.

It doesn't help. I am wondering because, when Apache isn't running, LE is unable to connect to and verify the client.

@sleepypikachu: --webroot doesn't bind to any port, it just puts challenge files in a directory. The existing web server (apache) is supposed to serve the challenge files.

@MikeFrizz: Take a look at my reply (example.com is your domain in this example):


D’oh. My bad, thanks for clearing that up.

I have a directory called .well-known only. There is no directory in there.

The client automatically deletes it afterwards. Try putting a test file in .well-known/acme-challenge and try browsing to it.
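The manual test described above (drop a file into .well-known/acme-challenge, then fetch it over HTTP the way the validation server would), written up as a script. This is an added example, not code from the thread or from the letsencrypt client; it assumes curl is installed, and the domain and webroot path are whatever the caller passes.

```shell
#!/bin/sh
# Pre-flight check for --webroot validation (added example, not from the
# thread or the letsencrypt client). It places a uniquely named test file in
# <webroot>/.well-known/acme-challenge, fetches it over plain HTTP on port 80,
# compares the body byte for byte, and removes the file again.

# Fetcher used by check_webroot. Can be overridden (e.g. in a test) by
# setting WEBROOT_CHECK_FETCH to any command that prints the body of a URL.
http_fetch() {
    # -L follows an http->https redirect, which the ACME server also follows.
    curl -sS -L --max-time 10 "$1"
}
: "${WEBROOT_CHECK_FETCH:=http_fetch}"

# Create the challenge directory and a test file with random content.
# Prints "<filename> <content>" so the caller knows what to fetch and expect.
place_test_file() {
    ptf_dir="$1/.well-known/acme-challenge"
    mkdir -p "$ptf_dir" || return 1
    ptf_name="webroot-check-$$-$(date +%s)"
    ptf_content="$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')"
    printf '%s' "$ptf_content" > "$ptf_dir/$ptf_name" || return 1
    printf '%s %s\n' "$ptf_name" "$ptf_content"
}

# Returns 0 if http://<domain>/.well-known/acme-challenge/<file> serves the
# test file with exactly the expected content, 1 otherwise. Always cleans up,
# as the real client does after validation.
check_webroot() {
    cw_domain="$1"; cw_webroot="$2"
    cw_line="$(place_test_file "$cw_webroot")" || return 1
    cw_name="${cw_line%% *}"; cw_expected="${cw_line#* }"
    cw_url="http://$cw_domain/.well-known/acme-challenge/$cw_name"
    cw_body="$("$WEBROOT_CHECK_FETCH" "$cw_url" 2>/dev/null)" || cw_body=""
    rm -f "$cw_webroot/.well-known/acme-challenge/$cw_name"
    if [ "$cw_body" = "$cw_expected" ]; then
        echo "OK: $cw_url is served from $cw_webroot"
        return 0
    fi
    echo "FAIL: $cw_url did not return the test file (got: ${cw_body:-nothing})" >&2
    return 1
}

# Usage: sh webroot-check.sh xyz.de /var/www/clients/client2/xyz.de/web
if [ $# -eq 2 ]; then check_webroot "$1" "$2"; fi
```

A FAIL with an empty body points at DNS, firewall or a server not listening on port 80; a FAIL with some other page as the body means port 80 is answered by a different vhost or document root than the one passed with -w.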

After I manually created a directory acme-challenge, I could display the contents of the file TEST in the browser.

Is one of the affected domains behind a firewall that blocks access from the public internet?

If you wouldn't mind sharing the URL to your test file, that would probably help analyze the problem. Note that all domains you request a certificate for are published to Certificate Transparency log servers, so they are in some way already public anyway.

Try:
https://www.beulenrechner.de/.well-known/acme-challenge/test

Looks good to me. Try running the client with -vvvv and paste the contents of /var/log/letsencrypt/letsencrypt.log here.

i.e.:

sudo /opt/letsencrypt/letsencrypt-auto certonly --webroot --rsa-key-size 4096 -w /var/www/clients/client2/xyz.de/web/ -d www.xyz.de -d xyz.de -vvvv

Sorry. Did not work.

Not sure I follow. What did the client return? What’s in your /var/log/letsencrypt/letsencrypt.log?