Creating/Renewing SSL [RESOLVED]

Hello,

Today I wanted to create an SSL for one of my customers and I ran into this problem:

2023-07-15 22:19:14,115:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/245911412187 HTTP/1.1" 200 1382
2023-07-15 22:19:14,116:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 15 Jul 2023 20:19:14 GMT
Content-Type: application/json
Content-Length: 1382
Connection: keep-alive
Boulder-Requester: 979492396
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 371CBD3Fsv6YO2_UVCbfC-uwyblrGGLosNxFlHCj-D1ywKM
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"identifier": {
"type": "dns",
"value": "<client's site>"
},
"status": "invalid",
"expires": "2023-07-22T20:19:03Z",
"challenges": [
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "51.195.126.41: Invalid response from https://<client's site>/.well-known/acme-challenge/tgNpixCpyN040KO0QQsvxSLWdZlHu_cvT0IF1hQYde4: 502",
"status": 403
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/245911412187/pRhE-w",
"token": "tgNpixCpyN040KO0QQsvxSLWdZlHu_cvT0IF1hQYde4",
"validationRecord": [
{
"url": "http://<client's site>/.well-known/acme-challenge/tgNpixCpyN040KO0QQsvxSLWdZlHu_cvT0IF1hQYde4",
"hostname": "<client's site>t",
"port": "80",
"addressesResolved": [
"51.195.126.41"
],
"addressUsed": "51.195.126.41"
},
{
"url": "https://<client's site>/.well-known/acme-challenge/tgNpixCpyN040KO0QQsvxSLWdZlHu_cvT0IF1hQYde4",
"hostname": "<client's site>",
"port": "443",
"addressesResolved": [
"51.195.126.41"
],
"addressUsed": "51.195.126.41"
}
],
"validated": "2023-07-15T20:19:09Z"
}
]
}
2023-07-15 22:19:14,116:DEBUG:acme.client:Storing nonce: 371CBD3Fsv6YO2_UVCbfC-uwyblrGGLosNxFlHCj-D1ywKM
2023-07-15 22:19:14,116:WARNING:certbot._internal.auth_handler:Challenge failed for domain <client's site>
2023-07-15 22:19:14,116:INFO:certbot._internal.auth_handler:http-01 challenge for <client's site>
2023-07-15 22:19:14,117:DEBUG:certbot._internal.reporter:Reporting to user: The following errors were reported by the server:

Domain: <client's site>
Type: unauthorized
Detail: 51.195.126.41: Invalid response from https://<client's site>/.well-known/acme-challenge/tgNpixCpyN040KO0QQsvxSLWdZlHu_cvT0IF1hQYde4: 502

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
2023-07-15 22:19:14,117:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2023-07-15 22:19:14,117:DEBUG:certbot._internal.error_handler:Calling registered functions
2023-07-15 22:19:14,117:INFO:certbot._internal.auth_handler:Cleaning up challenges
2023-07-15 22:19:20,798:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 33, in
sys.exit(load_entry_point('certbot==1.12.0', 'console_scripts', 'certbot')())
File "/usr/lib/python3/dist-packages/certbot/main.py", line 15, in main
return internal_main.main(cli_args)
File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1413, in main
return config.func(config, plugins)
File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1154, in run
new_lineage = _get_and_save_cert(le_client, config, domains,
File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 134, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 441, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 374, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 421, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2023-07-15 22:19:20,799:ERROR:certbot._internal.log:Some challenges have failed.

I'm not sure what I'm supposed to do with this error but I hope that you can help me.

Have a nice rest of the day.
Sincerely, Leading Team of SpaceProtect.net

You missed the text that indicated the domain name is required to receive assistance. Please fill in the support template completely so that the Community can assist you.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

4 Likes

Transparency logs: crt.sh | spaceprotect.net

My domain is: spaceprotect.net

I ran this command: certbot --nginx --non-interactive --agree-tos -m leading@spaceprotect.net -d spaceprotect.net

It produced this output:

2023-07-15 22:19:14,115:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/245911412187 HTTP/1.1" 200 1382
2023-07-15 22:19:14,116:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 15 Jul 2023 20:19:14 GMT
Content-Type: application/json
Content-Length: 1382
Connection: keep-alive
Boulder-Requester: 979492396
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 371CBD3Fsv6YO2_UVCbfC-uwyblrGGLosNxFlHCj-D1ywKM
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"identifier": {
"type": "dns",
"value": "<client's site>"
},
"status": "invalid",
"expires": "2023-07-22T20:19:03Z",
"challenges": [
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "51.195.126.41: Invalid response from https://<client's site>/.well-known/acme-challenge/tgNpixCpyN040KO0QQsvxSLWdZlHu_cvT0IF1hQYde4: 502",
"status": 403
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/245911412187/pRhE-w",
"token": "tgNpixCpyN040KO0QQsvxSLWdZlHu_cvT0IF1hQYde4",
"validationRecord": [
{
"url": "http://<client's site>/.well-known/acme-challenge/tgNpixCpyN040KO0QQsvxSLWdZlHu_cvT0IF1hQYde4",
"hostname": "<client's site>t",
"port": "80",
"addressesResolved": [
"51.195.126.41"
],
"addressUsed": "51.195.126.41"
},
{
"url": "https://<client's site>/.well-known/acme-challenge/tgNpixCpyN040KO0QQsvxSLWdZlHu_cvT0IF1hQYde4",
"hostname": "<client's site>",
"port": "443",
"addressesResolved": [
"51.195.126.41"
],
"addressUsed": "51.195.126.41"
}
],
"validated": "2023-07-15T20:19:09Z"
}
]
}
2023-07-15 22:19:14,116:DEBUG:acme.client:Storing nonce: 371CBD3Fsv6YO2_UVCbfC-uwyblrGGLosNxFlHCj-D1ywKM
2023-07-15 22:19:14,116:WARNING:certbot._internal.auth_handler:Challenge failed for domain <client's site>
2023-07-15 22:19:14,116:INFO:certbot._internal.auth_handler:http-01 challenge for <client's site>
2023-07-15 22:19:14,117:DEBUG:certbot._internal.reporter:Reporting to user: The following errors were reported by the server:

Domain: <client's site>
Type: unauthorized
Detail: 51.195.126.41: Invalid response from https://<client's site>/.well-known/acme-challenge/tgNpixCpyN040KO0QQsvxSLWdZlHu_cvT0IF1hQYde4: 502

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
2023-07-15 22:19:14,117:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2023-07-15 22:19:14,117:DEBUG:certbot._internal.error_handler:Calling registered functions
2023-07-15 22:19:14,117:INFO:certbot._internal.auth_handler:Cleaning up challenges
2023-07-15 22:19:20,798:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 33, in
sys.exit(load_entry_point('certbot==1.12.0', 'console_scripts', 'certbot')())
File "/usr/lib/python3/dist-packages/certbot/main.py", line 15, in main
return internal_main.main(cli_args)
File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1413, in main
return config.func(config, plugins)
File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1154, in run
new_lineage = _get_and_save_cert(le_client, config, domains,
File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 134, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 441, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 374, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 421, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2023-07-15 22:19:20,799:ERROR:certbot._internal.log:Some challenges have failed.

My web server is (include version): nginx version: nginx/1.18.0

The operating system my web server runs on is (include version): Debian 5.10.178-3

My hosting provider, if applicable, is: OVH

I can login to a root shell on my machine: Yes I can

I'm using a control panel to manage my site: No I don't.

The version of my client is: certbot 1.12.0

You say "client's site" so are you running Certbot on the same server that handles that domain name?

Because the Let's Encrypt server is sending an HTTP request to that server but gets a response as if Certbot did not prepare the nginx server config properly.

Specifically, the LE server gets directed to HTTPS, but Certbot would normally set up the nginx config so that a redirect was not done when using the --nginx plug-in.

4 Likes

Yes, I'm running them on the dedicated server which is used as a load balancer.
About configuration, we did not change any part of the configuration and this issue just happened without anything changing. We used the mentioned command for about 1 year and there was no problem with that. As I've mentioned, I wanted to set up a certificate today and I got this error. The client connected their domain to our CDN network (exactly to IP: cns.spaceprotect.net), and then this error appeared.

In short, I think you need to upgrade to Certbot v1.13 or later. Ideally, you'd upgrade to the snap version, but Debian 5? See https://certbot.eff.org

Or, some CDN rule needs changing. I'll recap:

Certbot with --nginx plug-in makes temp changes to the active nginx config so that the HTTP server block (port 80) responds properly to the request by the Let's Encrypt server to validate your domain.

But, your error message shows HTTPS as the URL that errors. That means your CDN redirected the HTTP request to HTTPS for the ACME HTTP Challenge (I also see this in response headers for tests I send to that domain).

Certbot v1.12 which you use only updates the HTTP server block. So, when the HTTPS request arrives to your nginx the needed response is not made. Certbot v1.13 will update both the HTTP and HTTPS server blocks.

You could also change your CDN rules to not redirect the acme-challenge URI.

So, something must have changed as this would not have worked before as you describe it.

5 Likes
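The origin-side counterpart of the "don't redirect the acme-challenge URI" advice above, as an added example (not configuration from the thread's author, from Certbot, or from Let's Encrypt): the challenge path is exempted from the HTTPS redirect on port 80 and also served on port 443, so the token file answers with 200 whichever way a CDN or redirect delivers the validator's request. It uses a fixed webroot (Certbot's --webroot plugin) instead of the --nginx plugin's temporary edits; the hostname, webroot, certificate paths and upstream are assumptions.

```nginx
# Added example, not from the thread. Placeholders: example.com, /var/www/acme,
# the certificate paths and the backend_pool upstream.

upstream backend_pool {
    server 10.0.0.10:8080;   # assumed backend; the poster's host is a load balancer
}

server {
    listen 80;
    server_name example.com;

    # Challenge files written by: certbot certonly --webroot -w /var/www/acme -d example.com
    # The ^~ prefix match takes priority over the catch-all below, so this
    # path is never redirected to HTTPS.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;
        default_type text/plain;
        try_files $uri =404;
    }

    # Everything else is forced to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Same webroot on 443: a validator that was redirected to HTTPS (as in the
    # thread's error, where the HTTPS URL returned 502) still finds the token
    # instead of being proxied to a backend that knows nothing about it.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;
        default_type text/plain;
        try_files $uri =404;
    }

    location / {
        proxy_pass http://backend_pool;
    }
}
```

Check the result the way the validator does: a plain-HTTP request for a file under /.well-known/acme-challenge/ should return 200 directly, not a 301, and the same request over HTTPS should also return 200 rather than the backend's 502.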

I've now tried to shut down the NGINX and it does work for some reason.
I'll redirect it to our developers' team.

Thanks for the help.
Have a nice rest of the day.
Sincerely, Leading Team of SpaceProtect.net

1 Like

It's probably Debian 10 running kernel 5.10.178-3.

oldstable: 5.10.178-3

https://tracker.debian.org/pkg/linux

5 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.