Error getting ACME certificate for domain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: evm.xrtc.cloud, pr-evm-east-001.xrtc.cloud

I ran this command:
launched traefik binary 1.5.1

It produced this output:
{"level":"error","msg":"map[pr-evm-east-001.xrtc.cloud:acme: Error 400 - urn:acme:error:connection - Fetching http://pr-evm-east-001.xrtc.cloud/.well-known/acme-challenge/KonqIoyYXofIMYD43cBmWmECMhlB5qXg1-NIZrgLxvY: Timeout\nError Detail:\n\tValidation for pr-evm-east-001.xrtc.cloud:80\n\tResolved to:\n\t\t54.173.176.241\n\t\t2600:1f18:228a:ef00:7c2a:32b9:43a7:918d\n\tUsed: 2600:1f18:228a:ef00:7c2a:32b9:43a7:918d\n\n]","time":"2018-02-08T17:09:53Z"}
{"level":"error","msg":"Error getting ACME certificate for domain [pr-evm-east-001.xrtc.cloud]: cannot obtain certificates map[pr-evm-east-001.xrtc.cloud:acme: Error 400 - urn:acme:error:connection - Fetching http://pr-evm-east-001.xrtc.cloud/.well-known/acme-challenge/KonqIoyYXofIMYD43cBmWmECMhlB5qXg1-NIZrgLxvY: Timeout\nError Detail:\n\tValidation for pr-evm-east-001.xrtc.cloud:80\n\tResolved to:\n\t\t54.173.176.241\n\t\t2600:1f18:228a:ef00:7c2a:32b9:43a7:918d\n\tUsed: 2600:1f18:228a:ef00:7c2a:32b9:43a7:918d\n\n]","time":"2018-02-08T17:09:53Z"}
My web server is (include version):
Traefik 1.5.1

The operating system my web server runs on is (include version):
Ubuntu 16.04

My hosting provider, if applicable, is:
AWS
I can log in to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

Hi @hbellur,

This problem could be a result of a firewall or of an IPv6 routing issue. I can currently connect to port 80 of this host in both IPv4 and IPv6, so I’m somewhat inclined to suspect an IPv6 routing problem. However, do you have any kind of host or network firewall policy that could block incoming connections from some sources on port 80?

So I fixed the routing issue. Now I am getting messed up with my load balancers. I was able to launch the first load balancer successfully. I get these errors on the second load balancer:

{"level":"error","msg":"map[evm.xrtc.cloud:acme: Error 400 - urn:acme:error:connection - Fetching http://evm.xrtc.cloud/.well-known/acme-challenge/tg2dLS37EgpdIMfmiVdFGTudm49uvHOJ_IxuFmKUF4M: Timeout\nError Detail:\n\tValidation for evm.xrtc.cloud:80\n\tResolved to:\n\t\t54.173.176.241\n\t\t2600:1f18:228a:ef00:7c2a:32b9:43a7:918d\n\tUsed: 2600:1f18:228a:ef00:7c2a:32b9:43a7:918d\n\n]","time":"2018-02-08T18:33:38Z"}
{"level":"error","msg":"Error getting ACME certificate for domain [evm.xrtc.cloud]: cannot obtain certificates map[evm.xrtc.cloud:acme: Error 400 - urn:acme:error:connection - Fetching http://evm.xrtc.cloud/.well-known/acme-challenge/tg2dLS37EgpdIMfmiVdFGTudm49uvHOJ_IxuFmKUF4M: Timeout\nError Detail:\n\tValidation for evm.xrtc.cloud:80\n\tResolved to:\n\t\t54.173.176.241\n\t\t2600:1f18:228a:ef00:7c2a:32b9:43a7:918d\n\tUsed: 2600:1f18:228a:ef00:7c2a:32b9:43a7:918d\n\n]","time":"2018-02-08T18:33:38Z"}
{"level":"error","msg":"map[testevm.comcast.net:acme: Error 400 - urn:acme:error:connection - Fetching http://testevm.comcast.net/.well-known/acme-challenge/JbCKom8tlNB4SPFCwLGaVQ18hQm9v1LNYb7prfkpDNU: Timeout\nError Detail:\n\tValidation for testevm.comcast.net:80\n\tResolved to:\n\t\t54.173.176.241\n\t\t2600:1f18:228a:ef00:7c2a:32b9:43a7:918d\n\tUsed: 2600:1f18:228a:ef00:7c2a:32b9:43a7:918d\n\n]","time":"2018-02-08T18:33:49Z"}
{"level":"error","msg":"Error getting ACME certificate for domain [testevm.comcast.net]: cannot obtain certificates map[testevm.comcast.net:acme: Error 400 - urn:acme:error:connection - Fetching http://testevm.comcast.net/.well-known/acme-challenge/JbCKom8tlNB4SPFCwLGaVQ18hQm9v1LNYb7prfkpDNU: Timeout\nError Detail:\n\tValidation for testevm.comcast.net:80\n\tResolved to:\n\t\t54.173.176.241\n\t\t2600:1f18:228a:ef00:7c2a:32b9:43a7:918d\n\tUsed: 2600:1f18:228a:ef00:7c2a:32b9:43a7:918d\n\n]","time":"2018-02-08T18:33:49Z"}

Note that the IP addresses belong to the first load balancer.

So could incoming requests go to either load balancer?

What we’ve often suggested in this case is to treat /.well-known/acme-challenge specially in this case. There are various ways to do that. One is to cause it to generate an HTTP 301 redirect (which the certificate authority will follow!) to a special hostname that is only used for ACME challenges, and which is always routed to the machine that’s running the ACME client.
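
The redirect approach described above, as an added example in Go (not Traefik's own code and not from this thread): a wrapper handler that sends only `/.well-known/acme-challenge/` requests to a dedicated ACME hostname with a 301, keeping the token path intact so the CA can follow it, and passes everything else to the application. The hostname `acme-challenge.example.com` is a placeholder for the name that always routes to the machine running the ACME client.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Every HTTP-01 validation request starts with this path.
const acmeChallengePrefix = "/.well-known/acme-challenge/"

// Hypothetical dedicated hostname that always routes to the single host
// running the ACME client; the token must be served there at the same path.
const acmeHost = "acme-challenge.example.com"

// challengeRedirect wraps the application handler: validation requests get a
// permanent redirect to the ACME host with the path preserved, so the CA lands
// on the one backend that holds the token; all other paths are untouched.
func challengeRedirect(app http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if strings.HasPrefix(r.URL.Path, acmeChallengePrefix) {
			target := "http://" + acmeHost + r.URL.Path
			http.Redirect(w, r, target, http.StatusMovedPermanently)
			return
		}
		app.ServeHTTP(w, r)
	})
}

// ResponseFor exercises the wrapper in-process and returns the status code and
// Location header, so the routing rule can be checked without any network.
func ResponseFor(path string) (int, string) {
	app := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK) // stands in for the real application
	})
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "http://evm.xrtc.cloud"+path, nil)
	challengeRedirect(app).ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Location")
}

func main() {
	for _, p := range []string{acmeChallengePrefix + "sometoken", "/index.html"} {
		code, loc := ResponseFor(p)
		fmt.Printf("%s -> %d %s\n", p, code, loc)
	}
}
```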
