/directory access problem

OpenSSL 1.1.0l 10 Sep 2019

I see this on all devices. Macs, Windows, iOS.

@sccmrb
Please show the outputs of:
wget --delete-after https://acme-v02.api.letsencrypt.org/directory
curl -I https://acme-v02.api.letsencrypt.org/directory

wget --delete-after https://acme-v02.api.letsencrypt.org/directory

--2021-09-30 13:05:33--  https://acme-v02.api.letsencrypt.org/directory
Resolving acme-v02.api.letsencrypt.org (acme-v02.api.letsencrypt.org)... 172.65.32.248, 2606:4700:60:0:f53d:5624:85c7:3a2c
Connecting to acme-v02.api.letsencrypt.org (acme-v02.api.letsencrypt.org)|172.65.32.248|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 658 [application/json]
Saving to: ‘directory.tmp’

directory.tmp                           100%[============================================================================>]     658  --.-KB/s    in 0s      

2021-09-30 13:05:34 (17.0 MB/s) - ‘directory.tmp’ saved [658/658]

curl -I https://acme-v02.api.letsencrypt.org/directory

HTTP/2 200 
server: nginx
date: Thu, 30 Sep 2021 19:05:50 GMT
content-type: application/json
content-length: 658
cache-control: public, max-age=0, no-cache
replay-nonce: 0002NIlvHF4AlF4hxwACRL0A7-hXib9UdfN1UUe9zegdutM
x-frame-options: DENY
strict-transport-security: max-age=604800

@sccmrb
hmm...
Let's have a look at the log file.
Please upload:
/var/log/letsencrypt/letsencrypt.log

Attached.
letsencrypt.txt (26.5 KB)

I think the problem was transient; as there was a degraded service alert posted around that time.
See: Let's Encrypt Status

The more troubling entries show:
ValueError: Challenge did not pass for groups.skaggscatholiccenter.org: {u'status': u'invalid', u'challenges': [{u'status': u'invalid', u'validationRecord': [{u'url': u'http://groups.skaggscatholiccenter.org/.well-known/acme-challenge/w1matVCnZNhVUom02sJz2QgWvlrqgXlk_8AT_2TPtJA', u'hostname': u'groups.skaggscatholiccenter.org', u'addressUsed': u'205.127.242.55', u'port': u'80', u'addressesResolved': [u'205.127.242.55']}], u'url': u'https://acme-v02.api.letsencrypt.org/acme/chall-v3/14086887429/suXfag', u'token': u'w1matVCnZNhVUom02sJz2QgWvlrqgXlk_8AT_2TPtJA', u'error': {u'status': 400, u'type': u'urn:ietf:params:acme:error:connection', u'detail': u'Fetching http://groups.skaggscatholiccenter.org/.well-known/acme-challenge/w1matVCnZNhVUom02sJz2QgWvlrqgXlk_8AT_2TPtJA: Timeout during connect (likely firewall problem)'}, u'validated': u'2021-06-18T15:54:01Z', u'type': u'http-01'}], u'identifier': {u'type': u'dns', u'value': u'groups.skaggscatholiccenter.org'}, u'expires': u'2021-06-25T15:54:00Z'}

Timeout during connect (likely firewall problem)
You need a functional HTTP service before you can secure it (via HTTP authentication).
I get:

curl -Iki groups.skaggscatholiccenter.org
curl: (56) Recv failure: Connection reset by peer
2 Likes

Correct I'm only allowing connections from their servers in my firewall

acme-v02.api.letsencrypt.org
acme-staging.api.letsencrypt.org
acme-staging-v02.api.letsencrypt.org
r3.o.lencr.org

That is ill-advised.

The most prudent thing to do is to allow port 80 in and only handle the challenge requests there and send all other requests to HTTPS [which can be locked down as much as you like].

But don't take my word for it, check the FAQ page.

2 Likes

I haven't had any issues with it for the last several years doing it this way. Also, when they connect from their servers I'm allowing all ports, but general outside access is locked down from all other IPs. For giggles I briefly set it to allow 80, 443 from all IPs to this server and forced a cert update and it's the exact same error. So it's not the firewall.

Please show this exact same error.

This is the same error when the frewall rul for this server is set to allow ALL from ALL on ports 80 and 443.

Thu Sep 30 13:34:37 MDT 2021
Refreshing certificate for following domains:
groups.skaggscatholiccenter.org
Parsing account key...
Parsing CSR...
Found domains: groups.skaggscatholiccenter.org
Getting directory...
Traceback (most recent call last):
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 197, in <module>
    main(sys.argv[1:])
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 193, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 105, in get_crt
    directory, _, _ = _do_request(directory_url, err_msg="Error getting directory")
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 45, in _do_request
    raise ValueError("{0}:\nUrl: {1}\nData: {2}\nResponse Code: {3}\nResponse: {4}".format(err_msg, url, data, code, resp_data))
ValueError: Error getting directory:
Url: https://acme-v02.api.letsencrypt.org/directory
Data: None
Response Code: None
Response: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)>
Setting letsencrypt/status

As I said, it's the same error in the log and the one that started this off for me.

Dude - please be patient with us we are volunteers here.
This is only one of many open topics - and it has 380 posts.
Don't ask me to remember what you posted before.

3 Likes

Dude I am being patient, I'm just impressed you're replying as fast as you are and I'm just replying when you reply so that you're not "waiting on me". Not mad at all, you're the one taking offense. I inspected the signed_chain.crt and it is indeed expired, how can I get a fresh chain certificate file?

1 Like

OK no blood no foul - LOL

1 Like

@sccmrb
I'm not what why but I do know how this is breaking.
It is on the curl type request form your system to the LE/directory that fails.
Which I'm sure has something to do with some TLS libraries using the wrong root.

@sccmrb
Remind me again...
What version of certbot are you running?

A post was merged into an existing topic: Help thread for DST Root CA X3 expiration (September 2021)

Trying to make some order out of the chaos...

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.