Difficulty issuing for shintajim.ir

It had been difficult to get the certificate on our server since February 19th.
Run the query 3 times at ams.unboundtest.com
Our problem was solved.
:joy:
This is a universal solution.

Thank you very much

This text has been translated into English at Google Translate. :wink:

1 Like

Can you guide me why the results are different over time?

1: https://unboundtest.com/m/A/shintajim.ir/7BODYSU2
2: https://unboundtest.com/m/A/shintajim.ir/CTGTVGGT

We were able to renew the certification for only two domains and then our problems returned again!

Please tell me what the problem is?

The results look the same. Each resolves to the address 158.58.190.66.

1 Like

Thanks for your post. :slightly_smiling_face:
After thirteen days, suddenly, at about eleven o’clock today we were able to get two new certificates for active domains on our server, but then again we had the same problem.

Is there a way to help us solve our problem?

I’ve moved your post to a new topic so we can discuss it more clearly. Could you please fill out the following information?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

2 Likes

Our company offers online site building tools like wix.com
To date, we have received certification through letsencrypt.org for over one hundred and fifty sites from our subsidiary.
But since February 19th, when the new domain approval process began, the process of obtaining and renewing our certification has been difficult for us, including for the site shintajim.ir.

My domain is: poopesh.com

I ran this command: ssh: letsencrypt.sh request shintajim.ir 4096

It produced this output:
Requesting new certificate order…
Processing https://acme-v02.api.letsencrypt.org/acme/authz-v3/3146088983
Processing authorization for shintajim.ir…
Waiting for domain verification…
Let’s Encrypt was unable to verify the challenge. Unable to update challenge :: authorization must be pending. Exiting…

My web server is (include version): Apache (v: 2.4.28) && Nginx (v: 1.13.6) as Reverse Proxy

The operating system my web server runs on is (include version): CentOS 6.0 64-Bit

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): DirectAdmin (v: 1.60.3)

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

Thank you very much for your good follow up :rose:

Please help us fix our problem. :pray:

Hi @poopesh

If you see such an error message, the client you use is buggy.

Looks like that client tries to confirm a challenge, but the authorization of that challenge isn't pending.

May be an older challenge / authorization that is already invalid.

  • Check if there is an update of that client
  • Check if you are able to use another client
  • Check the config of that client. Maybe you must delete some order / authorization information, so a new order is started
1 Like

hi :slightly_smiling_face:
Thanks for the answer
But I must emphasize that this problem has appeared for a while since changing the domain authentication procedure on your server side.
The certification process is done through the DirectAdmin, the latest version of letsencrypt.sh is dated 2020-02-19 (though the test with other versions has also failed).

Please also take a look at this link; you may notice a problem.
https://acme-v02.api.letsencrypt.org/acme/authz-v3/3146088983

While according to testing tools
https://unboundtest.com/m/A/shintajim.ir/UGG5WLDJ
This problem shouldn’t happen !? :thinking:

That's a different error.

During secondary validation:

Letsencrypt has added the multi perspective validation

So your challenge is checked from different networks.

The error says: Letsencrypt is able to check the challenge. One of these other validations doesn't work.

May be a regional firewall.

1 Like

I quickly looked at the source code of your ACME client. Just before the error message "Let's Encrypt was unable to verify the challenge. ...", the keyword "keyAuthorization" is used in the generated JWS. That keyword is not in use in the ACME v2 protocol; it is part only of ACME v1.
As a consequence the ACME client must be buggy. It is important to fix the client, before going forward.

(here is my client: GitHub - bruncsak/ght-acme.sh: Get publicly trusted certificate via ACME protocol from LetsEncrypt or from BuyPass )

1 Like
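An added sketch (not code from letsencrypt.sh or from any client discussed in this thread) of the check the replies above point to: look at the authorization status before answering a challenge, and send the empty ACME v2 payload rather than one carrying keyAuthorization. The function names, URLs, token and sample objects are constructed for illustration.

```python
import json

# Authorization states from RFC 8555 that can never become valid again.
DEAD = {"invalid", "deactivated", "expired", "revoked"}

def plan_challenge_response(authz, challenge_type="http-01"):
    """Decide the next step for one ACME v2 authorization object (a dict)."""
    status = authz.get("status")
    challenges = authz.get("challenges", [])
    if status == "valid":
        return {"action": "skip", "reason": "authorization already valid"}
    if status in DEAD:
        # POSTing to a challenge of such an authorization is refused with
        # "authorization must be pending"; surface the recorded errors instead.
        details = [c["error"].get("detail", "") for c in challenges if "error" in c]
        return {"action": "new_order", "reason": f"authorization is {status}",
                "errors": details}
    if status != "pending":
        raise ValueError(f"unexpected authorization status: {status!r}")
    for chall in challenges:
        if chall.get("type") != challenge_type:
            continue
        if chall.get("status") == "processing":
            return {"action": "wait", "url": chall["url"]}
        if chall.get("status") == "pending":
            # ACME v2 (RFC 8555): the JWS payload that starts validation is "{}".
            return {"action": "respond", "url": chall["url"], "payload": "{}"}
    return {"action": "new_order", "reason": f"no usable {challenge_type} challenge"}

def unexpected_payload_fields(payload_json):
    """List fields an ACME v2 challenge response payload should not carry."""
    return sorted(json.loads(payload_json))

# Constructed sample objects (hypothetical URLs, token and error text).
PENDING = {"status": "pending", "identifier": {"type": "dns", "value": "example.com"},
           "challenges": [
               {"type": "dns-01", "status": "pending", "url": "https://ca.example/chall/1", "token": "tok"},
               {"type": "http-01", "status": "pending", "url": "https://ca.example/chall/2", "token": "tok"}]}
STALE = {"status": "invalid", "identifier": {"type": "dns", "value": "example.com"},
         "challenges": [
             {"type": "http-01", "status": "invalid", "url": "https://ca.example/chall/3",
              "error": {"detail": "During secondary validation: constructed error text"}}]}

if __name__ == "__main__":
    for name, authz in (("pending", PENDING), ("stale", STALE)):
        print(name, plan_challenge_response(authz))
    print(unexpected_payload_fields('{"resource": "challenge", "keyAuthorization": "tok.thumb"}'))
```

A client that gets `new_order` back should create a fresh order with its existing account key; the recorded error details say why the previous authorization failed.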

Your help fixed our issue.

We changed the certificate script in the admin directory: before you start receiving any certification, first delete the old account from the address /usr/local/directadmin/conf.

That is, every time before getting the certificate, a new letsencrypt.key is built. In this way, the process of obtaining a certificate is smooth.

Thank you all dear for helping us.
@bruncsak :rose:
@jsha :rose:
@JuergenAuer :rose:
