Domain verification error: remote error: tls: handshake failure

My domain is: blanchcentrehistory.com

I ran this command:
./le64.exe --debug --debug --renew 30 --live --api 2 --key blanchcentrehistory.com/blanchcentrehistory.account.key --email "OMITTED" --csr blanchcentrehistory.com/blanchcentrehistory.domain.csr --csr-key blanchcentrehistory.com/blanchcentrehistory.domain.key --crt blanchcentrehistory.com/blanchcentrehistory.domain.crt --generate-missing --domains "www.blanchcentrehistory.com,blanchcentrehistory.com"
(le64.exe = Crypt::LE client v0.39)

It produced this output:
(I have the full 669-line output available, though I did not post it here in case it exposes some of my private info. It does mention: "Order's status ("pending") is not acceptable for finalization" which might be important).

2024/07/31 10:29:03 Connecting to https://acme-v02.api.letsencrypt.org/acme/chall-v3/384188438967/cv1BDQ
2024/07/31 10:29:03 $VAR1 = {
'content' => '{
"type": "http-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/384188438967/cv1BDQ",
"status": "invalid",
"validated": "2024-07-31T09:29:01Z",
"error": {
"type": "urn:ietf:params:acme:error:tls",
"detail": "78.153.218.28: Fetching https://www.blanchcentrehistory.com/.well-known/acme-challenge/yzKYUw-ClhTAd7FyianJmkroGdquTKljccHG-C-6k-0: remote error: tls: handshake failure",
"status": 400
},
"token": "yzKYUw-ClhTAd7FyianJmkroGdquTKljccHG-C-6k-0",
"validationRecord": [
{
"url": "http://blanchcentrehistory.com/.well-known/acme-challenge/yzKYUw-ClhTAd7FyianJmkroGdquTKljccHG-C-6k-0",
"hostname": "blanchcentrehistory.com",
"port": "80",
"addressesResolved": [
"78.153.218.28"
],
"addressUsed": "78.153.218.28"
},
{
"url": "https://www.blanchcentrehistory.com/.well-known/acme-challenge/yzKYUw-ClhTAd7FyianJmkroGdquTKljccHG-C-6k-0",
"hostname": "www.blanchcentrehistory.com",
"port": "443",
"addressesResolved": [
"78.153.218.28"
],
"addressUsed": "78.153.218.28"
}
]
}',
'success' => 1,
'headers' => {
'replay-nonce' => 'Ma8ZwRNAqi45KH6QjXvkoNcYroDu9gW1gSDyAcrNOHgZYCTjUfE',
'link' => [
'https://acme-v02.api.letsencrypt.org/directory;rel="index"',
'https://acme-v02.api.letsencrypt.org/acme/authz-v3/384188438967;rel="up"'
],
'boulder-requester' => '90257323',
'cache-control' => 'public, max-age=0, no-cache',
'date' => 'Wed, 31 Jul 2024 09:29:03 GMT',
'x-frame-options' => 'DENY',
'location' => 'https://acme-v02.api.letsencrypt.org/acme/chall-v3/384188438967/cv1BDQ',
'strict-transport-security' => 'max-age=604800',
'server' => 'nginx',
'content-length' => '1122',
'connection' => 'keep-alive',
'content-type' => 'application/json'
},
'reason' => 'OK',
'url' => 'https://acme-v02.api.letsencrypt.org/acme/chall-v3/384188438967/cv1BDQ',
'protocol' => 'HTTP/1.1',
'status' => '200'
};
2024/07/31 10:29:03 Domain verification results for 'blanchcentrehistory.com': error. 78.153.218.28: Fetching https://www.blanchcentrehistory.com/.well-known/acme-challenge/yzKYUw-ClhTAd7FyianJmkroGdquTKljccHG-C-6k-0: remote error: tls: handshake failure
2024/07/31 10:29:03 You can now delete the 'yzKYUw-ClhTAd7FyianJmkroGdquTKljccHG-C-6k-0' file.
2024/07/31 10:29:03 Domain blanchcentrehistory.com has failed verification (status code 200).
2024/07/31 10:29:03 $VAR1 = {
'validated' => '2024-07-31T09:29:01Z',
'status' => 'invalid',
'url' => 'https://acme-v02.api.letsencrypt.org/acme/chall-v3/384188438967/cv1BDQ',
'type' => 'http-01',
'token' => 'yzKYUw-ClhTAd7FyianJmkroGdquTKljccHG-C-6k-0',
'validationRecord' => [
{
'addressesResolved' => [
'78.153.218.28'
],
'url' => 'http://blanchcentrehistory.com/.well-known/acme-challenge/yzKYUw-ClhTAd7FyianJmkroGdquTKljccHG-C-6k-0',
'port' => '80',
'addressUsed' => '78.153.218.28',
'hostname' => 'blanchcentrehistory.com'
},
{
'hostname' => 'www.blanchcentrehistory.com',
'addressUsed' => '78.153.218.28',
'port' => '443',
'addressesResolved' => [
'78.153.218.28'
],
'url' => 'https://www.blanchcentrehistory.com/.well-known/acme-challenge/yzKYUw-ClhTAd7FyianJmkroGdquTKljccHG-C-6k-0'
}
],
'error' => {
'type' => 'urn:ietf:params:acme:error:tls',
'status' => 400,
'detail' => '78.153.218.28: Fetching https://www.blanchcentrehistory.com/.well-known/acme-challenge/yzKYUw-ClhTAd7FyianJmkroGdquTKljccHG-C-6k-0: remote error: tls: handshake failure'
}
};
2024/07/31 10:29:03 All verifications failed

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: Blacknight Solutions, Ireland

I can login to a root shell on my machine (yes or no, or I don't know): No.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No.

I contacted my host and they said to change to DNS validation ("Due to a change made recently by LetsEncrypt, you will need to use DNS validation to issue the certs.").
I will explore this while waiting for a reply to this topic.

I deactivated my .htaccess file (which is mainly WordPress stuff) and file validation worked again.
That's a bit strange.

My .htaccess also had a redirect of blanchcentrehistory.com to www.blanchcentrehistory.com, though the challenge failed for the www.blanchcentrehistory.com file too.

# Redirect blanchcentrehistory.com to www.blanchcentrehistory.com
# (the dot is escaped and the host anchored so the condition matches
# only the bare domain, not any host that merely contains that string)

RewriteEngine on
RewriteCond %{HTTP_HOST} ^blanchcentrehistory\.com$ [NC]
RewriteRule ^/?(.*)$ https://www.blanchcentrehistory.com/$1 [L,R=301]

# Redirect http to https

RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Compare this: Disabling deprecated TLS cipher suites during validation

And this: https://www.ssllabs.com/ssltest/analyze.html?d=www.blanchcentrehistory.com

Your best option is to enable better cipher suites: ssl-config.mozilla.org

Alternatively, don't redirect the challenge on HTTPS.

5 Likes
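As an added example, not from the original poster or the Crypt::LE client, the script below reads a challenge object like the one in the first post and turns its validationRecord into the chain of fetches the validator actually made: hop 1 is the plain-HTTP request to the apex, hop 2 is the redirect target on port 443 of the www host, which is where the handshake failed. The challenge JSON is constructed from the values in the log above. `probe_tls` (which needs network access and is not exercised offline) attempts a TLS 1.2+ handshake against a host with Python's default client context, which is an assumption standing in for the validator's own policy, not a copy of Let's Encrypt's cipher list.

```python
"""Explain an ACME http-01 failure from the challenge object, then optionally
probe the TLS handshake of the host the validator was redirected to."""
import json
import socket
import ssl
import sys

# Constructed from the challenge object shown in the first post (same token, hosts, IP).
CHALLENGE_JSON = """{
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:tls",
    "detail": "78.153.218.28: Fetching https://www.blanchcentrehistory.com/.well-known/acme-challenge/yzKYUw-ClhTAd7FyianJmkroGdquTKljccHG-C-6k-0: remote error: tls: handshake failure",
    "status": 400
  },
  "token": "yzKYUw-ClhTAd7FyianJmkroGdquTKljccHG-C-6k-0",
  "validationRecord": [
    {"url": "http://blanchcentrehistory.com/.well-known/acme-challenge/yzKYUw-ClhTAd7FyianJmkroGdquTKljccHG-C-6k-0",
     "hostname": "blanchcentrehistory.com", "port": "80",
     "addressesResolved": ["78.153.218.28"], "addressUsed": "78.153.218.28"},
    {"url": "https://www.blanchcentrehistory.com/.well-known/acme-challenge/yzKYUw-ClhTAd7FyianJmkroGdquTKljccHG-C-6k-0",
     "hostname": "www.blanchcentrehistory.com", "port": "443",
     "addressesResolved": ["78.153.218.28"], "addressUsed": "78.153.218.28"}
  ]
}"""

ACME_TLS_ERROR = "urn:ietf:params:acme:error:tls"


def load_challenge(text):
    """Parse the JSON challenge object the ACME server returned."""
    return json.loads(text)


def fetch_chain(challenge):
    """One (hostname, port, url) tuple per request the validator made.

    The first entry is the validator's own request; every later entry is a
    redirect your web server sent it to. The last entry is where the token
    file had to be served, and that may be over HTTPS on a different host.
    """
    return [(rec["hostname"], int(rec["port"]), rec["url"])
            for rec in challenge["validationRecord"]]


def diagnose(challenge):
    """Summarise why the challenge failed in terms of the redirect chain."""
    chain = fetch_chain(challenge)
    first_host, first_port, _ = chain[0]
    last_host, last_port, last_url = chain[-1]
    error = challenge.get("error") or {}
    return {
        "hops": len(chain),
        "started_on_port": first_port,
        "redirected_to_https": last_port == 443 and first_port == 80,
        "changed_host": first_host != last_host,
        "tls_error": error.get("type") == ACME_TLS_ERROR,
        "failing_host": last_host,       # the host whose TLS stack must satisfy the validator
        "failing_url": last_url,
    }


def probe_tls(host, port=443, timeout=5.0):
    """Try a TLS 1.2+ handshake with Python's default client context.

    Returns the negotiated protocol name on success, or the error text. A
    server that only offers protocol versions or cipher suites below what a
    modern client accepts fails here with a handshake-failure alert, which is
    the same symptom the validator reported. (Assumption: the validator's
    real policy is at least this strict; its exact cipher list is not copied.)
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version()
    except ssl.SSLError as exc:
        return f"handshake error: {exc.reason or exc}"
    except OSError as exc:
        return f"connection error: {exc}"


if __name__ == "__main__":
    challenge = load_challenge(CHALLENGE_JSON)
    for hop, (host, port, url) in enumerate(fetch_chain(challenge), 1):
        print(f"hop {hop}: {host}:{port}  {url}")
    print(diagnose(challenge))
    if len(sys.argv) > 1:               # e.g. python3 acme_diag.py www.example.com
        print(probe_tls(sys.argv[1]))
```

Run it with no arguments to see the chain from the post (port 80 on the apex, then port 443 on www); pass a hostname to see whether that host can complete a handshake with a current client. If the probe fails while the validator only ever touches port 80 after the redirect is removed, the TLS weakness no longer blocks issuance, but it is still worth fixing for your visitors.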

Thanks for the links.
The site is on shared hosting so I cannot enable TLS 1.3. The hosting company will be moving sites to newer infrastructure and I believe that this does support TLS 1.3.

That all said, temporarily removing my .htaccess file allowed file validation to work!

1 Like

That's because .htaccess redirects everything to https. You want that to happen, but not for .well-known/acme-challenge.

But if you are on shared hosting getting certificates should be on the hosting, not on you.

7 Likes
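The exclusion the two replies above describe, written out as an added example against the .htaccess from the original post (this is not the poster's final configuration, and it assumes the .htaccess sits in the document root so the rewrite pattern is relative to it):

```apache
RewriteEngine on

# Serve the ACME challenge directory as-is and stop processing rules.
# The validator follows redirects, so anything that sends this path to
# HTTPS or to another host makes that host's TLS stack part of validation.
RewriteRule ^\.well-known/acme-challenge/ - [L]

# Redirect the bare domain to www (dot escaped, host anchored)
RewriteCond %{HTTP_HOST} ^blanchcentrehistory\.com$ [NC]
RewriteRule ^/?(.*)$ https://www.blanchcentrehistory.com/$1 [L,R=301]

# Redirect http to https for everything else
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
```

Check it from outside before re-running the client: `curl -sI http://blanchcentrehistory.com/.well-known/acme-challenge/test` should return a plain 404 (or the file, if one is there) rather than a 301, and the same for the www name. The pass-through rule only keeps validation off HTTPS; it does not change the cipher suites the hosting offers on port 443, which the SSL Labs report above still describes.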

They charge for certs (they don't provide free LE ones).
My custom Perl code (it creates and uploads the challenge files) makes it economical to generate LE certs myself.

I'll try to exclude .well-known/acme-challenge from https redirection.

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.