Dry run error -- http-01 challenge times out


#1

Hi everyone! My web server was recently moved from a VPS hosted in Canada to one in Los Angelos(The original DC was shutdown due to a Canadian court order:grimacing:) Anyways, I decided to do a --dry-run renewal to make sure everything was still working smoothly after the move and I blessed with some errors. I ran “sudo certbot renew --dry-run” and this on Ubuntu 16.04 running NGINX using Certbot 0.22.2. The output was as follows:

HTTP-01 Error Output

Processing /etc/letsencrypt/renewal/example.com.conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for example[.]com
http-01 challenge for www.example[.]com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (example[.]com) from /etc/letsencrypt/renewal/v example.com.conf produced an unexpected error: Failed authorization pro cedure. www[.]example[.]com (http-01): urn:ietf:params:acme:error:connecti on :: The server could not connect to the client to verify the domain :: Fetchin g http[:]//www[.]example[.]com/.well-known/acme-challenge/ikxS407_m8o7JCWHk1 FIvhFKZn3MINQF4iuLeYWbcPw: Timeout, example[.]com (http-01): urn:ietf:pa rams:acme:error:connection :: The server could not connect to the client to veri fy the domain :: Fetching http[:]//example[.]com/.well-known/acme-challeng e/NOIFxJc8l4LEfR_ktnAfvuRmB6NgTXquOPYk5rp8gWo: Timeout. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/example.com/fullchain.pem (failure)


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/example.com/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.example[.]com
    Type: connection
    Detail: Fetching
    http[:]//www[.]example[.]com/.well-known/acme-challenge/ikxS407_m8o7JCWHk 1FIvhFKZn3MINQF4iuLeYWbcPw:
    Timeout

    Domain: example[.]com
    Type: connection
    Detail: Fetching
    http[:]//example[.]com/.well-known/acme-challenge/NOIFxJc8l4LEfR_ktnAfv uRmB6NgTXquOPYk5rp8gWo:
    Timeout

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.


Ok, so I realize it is attempting an http-01 challenge and failing because I have all http requests redirecting to https. So I ran “sudo certbot --preferred-challenges tls-sni-01” selecting all domains example[.]com and www.[.]example[.]com, renew and replace, redirect all traffic to https. That went well, or so I thought until I again tested with a --dry-run and got this error output:

TLS-SNI-01 Error Output

Processing /etc/letsencrypt/renewal/example.com.conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Attempting to renew cert (example[.]com) from /etc/letsencrypt/renewal/example.com.conf produced an unexpected error: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA… Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/example.com/fullchain.pem (failure)


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/example.com/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)

1 renew failure(s), 0 parse failure(s)

Then I discovered that tls-sni-01 has been disabled and my http-01 challenge should not have been affected by NGINX redirecting http to https. I’ve tried changing back to http-01, but I get the same errors as my first output above and so the challenges fail. Where do I go from here?

Thanks all for taking the time to look at this,

Quantum


#2

Hi,

The http-01 will follow the port redirection. However it will try to connect to your http port 80 first. (Unless specified)

Can you please share us your domain name? (Or at least pm ) so we can know what’s going on?
(Normally it’s ipv6 inaccessible, since the verify server will try connect to your ipv6 first if any present.)

Thank you


#3

Hi Steven,

I think you’ve hit the nail on the head; I looked into ipv6 connectivity and it seems that certbot has broken our ipv6 connectivity in our NGINX server block. I’ll PM you the domain as I think it best not to broadcast the issue. Port 80 and port 443 are both open for ipv4, ipv6.

This seems to be an issue that’s already in the pipeline as I am following these Certbot’s Github Issues:



I’ve tried adding this directive, “listen [::]:443 ssl;” in the SSL Configuration and HTTP redirect installed by Certbot, but that doesn’t seem to fix ipv6 connectivity. For now I’ll be following the advice of disabling AAAA record, acquiring certificate, re-enable AAAA record. Any idea on how to resolve this?

Thanks,

Quantum

UPDATE
I’ve been PM’ing @stevenzhu and he has helped me work through this issue.

As it stands right now, I have removed our AAAA record to force Certbot Authenticator to interact over ipv4 and switched back to the HTTP-01 challenge. After successfully grabbing a new cert, a --dry-run still resulted in an error:

Attempting to renew cert produced an unexpected error: urn:ietf:params:acme:error:serverInternal :: The server experienced an internal error :: Error finalizing order. Skipping.

Steven has informed me that this has been an issue in the past, and that the cert should renew when the time comes, but should be verified. So I guess we’ll wait and see what happens in a couple months :smile:


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.