ERROR: Could not get certificate from Lets Encrypt. Check domain name and if it is reaching the configured service

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
In the Barracuda WAF we had used the generate Let's Encrypt functionality to attempt to generate new LE certs for sites that for some reason did not auto-renew. When this attempt is made, it tries to reach out to Let's Encrypt and fails, which causes the cert to not generate as well. It may be possible that the certs that did not auto-renew as they should and this issue may be linked. Each attempt is made using the correct steps in the WAF, using verifiable, reproducible steps that follow SOP. It's been about a week since we noticed all these sites fail to auto-renew, and about 2 days since we first began receiving this error.

It produced this output:
Time: 2024-12-02 12:41:51
Module: CERT
Event ID: 17503
Severity: Error
Message: "Could not get certificate from Lets Encrypt. Check domain name and if it is reaching the configured service."

My web server is (include version):
Barracuda WAF

The operating system my web server runs on is (include version):
Win Server 2019

My hosting provider, if applicable, is:
az

I can login to a root shell on my machine (yes or no, or I don't know):
no

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
Seems we are also seeing this error.

Hello @ssj4evostevo, welcome to the Let's Encrypt community. :slightly_smiling_face:

It seems there possibly is some Geo Blocking happening.
See: for HTTP Permanent link to this check report and for HTTPS Permanent link to this check report

Also see https://www.geopeeker.com/fetch/?url=buya.com&csrf_token=T1hIIXUVmgNqEr4L%2FR0Q%2BrRIuJT54A73QCQbKJJ1tMM%3D

Regarding Geo Blocking please read:

Edit

Here is a list of issued certificates crt.sh | buya.com
and the certificate presently being served SSL Checker
which is this certificate crt.sh | 13000999130
and has a Validity
Not Before: Apr 18 16:12:24 2024 GMT
Not After : May 20 16:12:24 2025 GMT

The online tool Let's Debug yields these results https://letsdebug.net/buya.com/2298794 of "OK"

4 Likes

It would help if this software passed the error from LE through as is, but it doesn't. Without it it's hard to debug.

You'll get better luck if you contact support channels of the WAF software you use.

4 Likes

Hi @ssj4evostevo,

Let’s Encrypt offers Domain Validation (DV) certificates; not IP Address Validation.

I see, from the image you provided, a (Private) IPv4 address; Let's Encrypt cannot (presently) issue certificates for IP Addresses (I do not see how they ever could issue a certificate for a Private IP Address).

3 Likes

That seems to be their WAF - not necessarily the service intending to use the requested certificate.
Although, granted, all things that can use a certificate should use a certificate.

3 Likes

Agree; just grabbing at any straws I can get a hold of. :slight_smile:

3 Likes

This was resolved by Barracuda; they made a change on their end. They had to fix something in their OS and issue a patch to the WAF OS, and this will be corrected in the next release of their WAF OS. Thanks.

4 Likes
