Error getting validation data - Challenge failed for domain

Hello Everyone!

I had some issues when I tried to use Let's Encrypt to generate an SSL certificate. Can you help me?

My domain is: "video.temtrampo.com.br"

I ran this command: "/usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh"

It produced this output:
"Domain: voice.temtrampo.com.br
Type: connection
Detail: Fetching
http://voice.temtrampo.com.br/.well-known/acme-challenge/YmtOhIfZudrQ7-anxcV0McwaUh-VODdHVxWpbX6hY1s:
Error getting validation data

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided."

My web server is (include version): "nginx version: nginx/1.18.0 (Ubuntu)"

The operating system my web server runs on is (include version): "Ubuntu 20.04.4 LTS"

My hosting provider, if applicable, is: "Oracle Cloud"

I can login to a root shell on my machine (yes or no, or I don't know): Yes

Here's the log:

Server: nginx
Date: Fri, 15 Apr 2022 03:07:28 GMT
Content-Type: application/json
Content-Length: 1055
Connection: keep-alive
Boulder-Requester: 497655490
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 0101ishyU_KVa5CBVY9Ep59yGclrFohL5vIFnIUdxXzh31c
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"identifier": {
"type": "dns",
"value": "voice.temtrampo.com.br"
},
"status": "invalid",
"expires": "2022-04-22T03:07:26Z",
"challenges": [
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:connection",
"detail": "Fetching http://voice.temtrampo.com.br/.well-known/acme-challenge/xJaU3Cqp2oELWysDqkd9rwbBaIZ5bZdUqXFYBqQwprs: Error getting validation data",
"status": 400
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/98390710030/OvFmyw",
"token": "xJaU3Cqp2oELWysDqkd9rwbBaIZ5bZdUqXFYBqQwprs",
"validationRecord": [
{
"url": "http://voice.temtrampo.com.br/.well-known/acme-challenge/xJaU3Cqp2oELWysDqkd9rwbBaIZ5bZdUqXFYBqQwprs",
"hostname": "voice.temtrampo.com.br",
"port": "80",
"addressesResolved": [
"168.138.148.101"
],
"addressUsed": "168.138.148.101"
}
],
"validated": "2022-04-15T03:07:27Z"
}
]
}
2022-04-15 00:07:28,672:DEBUG:acme.client:Storing nonce: 0101ishyU_KVa5CBVY9Ep59yGclrFohL5vIFnIUdxXzh31c
2022-04-15 00:07:28,673:WARNING:certbot.auth_handler:Challenge failed for domain voice.temtrampo.com.br
2022-04-15 00:07:28,674:INFO:certbot.auth_handler:http-01 challenge for voice.temtrampo.com.br
2022-04-15 00:07:28,674:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: voice.temtrampo.com.br
Type: connection
Detail: Fetching http://voice.temtrampo.com.br/.well-known/acme-challenge/xJaU3Cqp2oELWysDqkd9rwbBaIZ5bZdUqXFYBqQwprs: Error getting validation data

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
2022-04-15 00:07:28,676:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 91, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 180, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2022-04-15 00:07:28,676:DEBUG:certbot.error_handler:Calling registered functions
2022-04-15 00:07:28,676:INFO:certbot.auth_handler:Cleaning up challenges
2022-04-15 00:07:28,676:DEBUG:certbot.plugins.webroot:Removing /usr/share/jitsi-meet/.well-known/acme-challenge/xJaU3Cqp2oELWysDqkd9rwbBaIZ5bZdUqXFYBqQwprs
2022-04-15 00:07:28,677:DEBUG:certbot.plugins.webroot:All challenges cleaned up
2022-04-15 00:07:28,677:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 11, in
load_entry_point('certbot==0.40.0', 'console_scripts', 'certbot')()
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1382, in main
return config.func(config, plugins)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1265, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 121, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 417, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 348, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 396, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 91, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 180, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
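The authorization object in the log above (the block starting with `"identifier"`) carries everything needed to decide what to check next: the ACME error type, and the address the CA actually connected to. The following is an added triage helper, not part of this post and not certbot's own code; `SAMPLE_AUTHZ` is constructed to mirror the shape of the logged object, and the hostname, token and addresses in it are placeholders.

```python
"""Triage the authorization object certbot logs when an ACME challenge fails.

Added example (not from the forum thread, not from certbot). It reads the
authorization JSON, maps the ACME error type to the check an operator should
run first, and compares the address the CA connected to with the IPs the
operator believes the server has.
"""
import json

# Constructed to mirror the shape of the authorization object in a certbot log.
SAMPLE_AUTHZ = json.dumps({
    "identifier": {"type": "dns", "value": "voice.example.invalid"},
    "status": "invalid",
    "challenges": [{
        "type": "http-01",
        "status": "invalid",
        "error": {
            "type": "urn:ietf:params:acme:error:connection",
            "detail": "Fetching http://voice.example.invalid/.well-known/acme-challenge/TOKEN-PLACEHOLDER: Error getting validation data",
            "status": 400,
        },
        "token": "TOKEN-PLACEHOLDER",
        "validationRecord": [{
            "url": "http://voice.example.invalid/.well-known/acme-challenge/TOKEN-PLACEHOLDER",
            "hostname": "voice.example.invalid",
            "port": "80",
            "addressesResolved": ["192.0.2.10"],
            "addressUsed": "192.0.2.10",
        }],
    }],
})

# ACME error types (RFC 8555 section 6.7) seen on HTTP-01 failures, and what to check first.
ERROR_HINTS = {
    "urn:ietf:params:acme:error:connection":
        "the CA could not open a TCP connection to port 80: packet filter or nothing listening",
    "urn:ietf:params:acme:error:dns":
        "the CA could not resolve the name: check the A/AAAA record and its TTL",
    "urn:ietf:params:acme:error:unauthorized":
        "port 80 answered but the key authorization was wrong or missing: check the webroot path",
    "urn:ietf:params:acme:error:incorrectResponse":
        "port 80 served something other than the token: check the webroot path and redirects",
}


def triage(authz_json: str, expected_ips: set) -> dict:
    """Return the failing identifier plus ordered, human-readable findings."""
    authz = json.loads(authz_json)
    findings = []
    for ch in authz.get("challenges", []):
        if ch.get("status") != "invalid":
            continue
        err = ch.get("error") or {}
        etype = err.get("type", "")
        hint = ERROR_HINTS.get(etype, "unlisted error type; read the 'detail' field")
        findings.append(f"{ch.get('type')}: {hint}")
        for rec in ch.get("validationRecord", []):
            used = rec.get("addressUsed")
            if expected_ips and used not in expected_ips:
                # The CA never talked to this server: DNS is the problem, not the firewall.
                findings.append(
                    f"DNS sent the CA to {used}, not one of {sorted(expected_ips)}: "
                    "fix the A/AAAA record before touching the web server")
            elif etype == "urn:ietf:params:acme:error:connection":
                # Right address, refused connection: the block is on or in front of this host.
                findings.append(
                    f"the CA reached the intended address {used} on port {rec.get('port')} "
                    "and was refused: check the host firewall, the cloud network ACL, and "
                    "that the web server binds that port on a public interface")
    return {"identifier": authz["identifier"]["value"],
            "status": authz.get("status"),
            "findings": findings}


if __name__ == "__main__":
    report = triage(SAMPLE_AUTHZ, {"192.0.2.10"})
    print(report["identifier"], report["status"])
    for line in report["findings"]:
        print(" -", line)
```

Run it against the real object by pasting the JSON from `/var/log/letsencrypt/letsencrypt.log` into `triage()` together with the public IPs you expect the host to have; a mismatch there is a DNS problem and no amount of firewall work will fix it.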

Hello @jorgeaugustorc,

This is a situation in which, for several historical reasons, most software does not give useful or relevant error messages.

In this case, there is a firewall somewhere on your network that is returning an ICMP error (ICMP type 3, code 10: "Administratively prohibited") whenever anyone tries to connect from outside of your network.

Unfortunately, most software, including the Let's Encrypt CA itself, is not able to detect and report this error with a more useful and specific error message. Instead most software displays very generic error messages that don't reveal the fact that a firewall has deliberately blocked the connection. But indeed, a firewall has deliberately blocked the connection here.

So, you'll need to identify where that firewall is (it might be the same device where you're trying to get the certificate, or might be a different device) and change it to allow the inbound connections that are needed for the certificate authority to complete the validation process.


But the errors are all about voice.temtrampo.com.br, right? video.temtrampo.com.br doesn't even have an IP address associated with it, so I'll assume the correct hostname is voice.temtrampo.com.br indeed.

Anyway, is there a firewall blocking requests for port 80 (and 443)? Because I can ping your server, but I cannot connect to port 80 nor port 443:

osiris@erazer ~ $ ping -c 3 voice.temtrampo.com.br
PING voice.temtrampo.com.br (152.67.41.225) 56(84) bytes of data.
64 bytes from 152.67.41.225 (152.67.41.225): icmp_seq=1 ttl=52 time=245 ms
64 bytes from 152.67.41.225 (152.67.41.225): icmp_seq=2 ttl=52 time=331 ms
64 bytes from 152.67.41.225 (152.67.41.225): icmp_seq=3 ttl=52 time=256 ms

--- voice.temtrampo.com.br ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 244.518/277.095/330.973/38.374 ms
osiris@erazer ~ $ 

So the host is up using ICMP packets. But:

osiris@erazer ~ $ telnet voice.temtrampo.com.br 80
Trying 152.67.41.225...
telnet: connect to address 152.67.41.225: No route to host
osiris@erazer ~ $ 

and:

osiris@erazer ~ $ telnet voice.temtrampo.com.br 443
Trying 152.67.41.225...
telnet: connect to address 152.67.41.225: No route to host
osiris@erazer ~ $ 

A regular traceroute (which uses UDP I believe) also fails, without any error. Using ICMP (like ping) works again, no problem:

osiris@erazer ~ $ sudo traceroute -I voice.temtrampo.com.br
traceroute to voice.temtrampo.com.br (152.67.41.225), 30 hops max, 60 byte packets
 (...)
 5  nl-ams09c-ri1-ae50-0.core.as9143.net (213.51.64.62)  32.449 ms  32.834 ms  33.165 ms
 6  be4-grtamstc2.net.telefonicaglobalsolutions.com (213.140.55.34)  28.155 ms  15.957 ms  15.913 ms
 7  176.52.248.137 (176.52.248.137)  23.920 ms  24.579 ms  32.471 ms
 8  213.140.36.230 (213.140.36.230)  103.218 ms  102.822 ms  104.199 ms
 9  94.142.118.47 (94.142.118.47)  136.900 ms  136.895 ms  136.889 ms
10  94.142.98.154 (94.142.98.154)  249.849 ms  249.806 ms  250.484 ms
11  5.53.3.222 (5.53.3.222)  255.441 ms  255.802 ms  256.233 ms
12  140.91.208.10 (140.91.208.10)  246.638 ms  243.969 ms  243.923 ms
13  152.67.41.225 (152.67.41.225)  243.197 ms * *
osiris@erazer ~ $ 

But when using TCP port 80 (or 443): it gets blocked at your server:

osiris@erazer ~ $ sudo traceroute -T -p 80 voice.temtrampo.com.br
traceroute to voice.temtrampo.com.br (152.67.41.225), 30 hops max, 60 byte packets
 (...)
 5  nl-ams09c-ri1-ae50-0.core.as9143.net (213.51.64.62)  33.240 ms  32.491 ms  29.314 ms
 6  be4-grtamstc2.net.telefonicaglobalsolutions.com (213.140.55.34)  29.762 ms  19.557 ms  19.503 ms
 7  5.53.6.195 (5.53.6.195)  24.233 ms  29.124 ms 94.142.99.107 (94.142.99.107)  31.936 ms
 8  213.140.36.230 (213.140.36.230)  109.600 ms  109.585 ms  109.573 ms
 9  84.16.15.66 (84.16.15.66)  189.470 ms  181.338 ms 84.16.15.67 (84.16.15.67)  116.686 ms
10  84.16.15.66 (84.16.15.66)  165.699 ms 94.142.98.158 (94.142.98.158)  262.390 ms 94.142.98.82 (94.142.98.82)  269.774 ms
11  94.142.97.249 (94.142.97.249)  261.571 ms 5.53.5.242 (5.53.5.242)  260.938 ms 5.53.5.240 (5.53.5.240)  244.550 ms
12  140.91.208.15 (140.91.208.15)  231.554 ms 5.53.3.222 (5.53.3.222)  263.703 ms 140.91.208.22 (140.91.208.22)  263.645 ms
13  152.67.41.225 (152.67.41.225)  263.945 ms !X  263.931 ms !X  263.899 ms !X
osiris@erazer ~ $ 

Looking at the traceroute for TCP port 80 it looks like it's the server itself.

Alternatively, the dns-01 challenge could be an option. However, I have NO clue whatsoever how to do that using Jitsi.


This is an example of the historical limitation I mentioned in my reply (in this case in the BSD sockets API, I believe): the operating system only has a way to report the ICMP type field that caused the error, but not the ICMP code field, which contains important additional information (confirming your guess that it was intentionally blocked by a firewall device or policy).

I am pretty sad about this, because it sometimes leads to error messages that are much less useful than they could otherwise have been.


The !X in the last traceroute says it all:

After the trip time, some additional annotation can be printed: (…) !X (communication administratively prohibited) (…)

(source: man traceroute)
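The point made in the last two replies, that the sockets API hands an application only the ICMP type (so telnet can only say "No route to host") while a tool that sees the raw ICMP message can recover the code, is easy to see by decoding such a message yourself. The following is an added example, not code from this thread, from traceroute or from any tool named above; every packet in it is constructed, the addresses are documentation ranges, and the code names follow RFC 792 and RFC 1812.

```python
"""Decode an ICMPv4 Destination Unreachable message down to its code field.

Added example (not from the forum thread or any tool mentioned in it). The
kernel reports such a message to a connecting socket only as EHOSTUNREACH,
so the code, which is what distinguishes a deliberate policy reject from a
routing failure, is lost. Decoding the message as delivered by a packet
capture or raw socket recovers it, plus the quoted datagram that identifies
which flow was blocked. All packets below are constructed.
"""
import socket
import struct

ICMP_DEST_UNREACH = 3

# Code names from RFC 792 and RFC 1812 section 5.2.7.1.
UNREACH_CODES = {
    0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
    3: "port unreachable", 4: "fragmentation needed and DF set",
    5: "source route failed", 6: "destination network unknown",
    7: "destination host unknown", 8: "source host isolated",
    9: "network administratively prohibited", 10: "host administratively prohibited",
    11: "network unreachable for TOS", 12: "host unreachable for TOS",
    13: "communication administratively prohibited",
    14: "host precedence violation", 15: "precedence cutoff in effect",
}
# Codes that mean a policy (firewall, ACL) rejected the packet rather than the path failing.
ADMIN_PROHIBITED = {9, 10, 13}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words; 0 when verifying a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_unreachable(code: int, src: str, dst: str, dport: int) -> bytes:
    """Constructed type 3 message quoting a minimal IPv4 header + first 8 TCP bytes."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64,
                         socket.IPPROTO_TCP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    tcp_first8 = struct.pack("!HHI", 40000, dport, 0)  # ports + sequence number
    body = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + ip_hdr + tcp_first8
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]


def parse_unreachable(msg: bytes) -> dict:
    """Return type, code, RFC name, a verdict, and the blocked flow from the quoted datagram."""
    if len(msg) < 8 + 20 + 8:
        raise ValueError("ICMP message too short to carry the quoted datagram")
    if icmp_checksum(msg) != 0:
        raise ValueError("ICMP checksum mismatch")
    icmp_type, code = struct.unpack("!BB", msg[:2])
    if icmp_type != ICMP_DEST_UNREACH:
        raise ValueError(f"not a Destination Unreachable message (type {icmp_type})")
    inner = msg[8:]                      # the original datagram that triggered the error
    ihl = (inner[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto = inner[9]
    src = socket.inet_ntoa(inner[12:16])
    dst = socket.inet_ntoa(inner[16:20])
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    if code in ADMIN_PROHIBITED:
        verdict = "rejected by policy: a firewall or ACL explicitly blocks this flow"
    elif code == 3:
        verdict = "no listener: the host is reachable but nothing accepts this port"
    else:
        verdict = "delivery failure: routing or host-level problem, not a filter"
    return {"type": icmp_type, "code": code, "name": UNREACH_CODES.get(code, "unknown"),
            "verdict": verdict, "proto": proto, "src": src, "dst": dst,
            "sport": sport, "dport": dport}


if __name__ == "__main__":
    for code in (13, 10, 3, 1):
        info = parse_unreachable(build_unreachable(code, "192.0.2.1", "203.0.113.5", 80))
        print(f"code {info['code']:2d} ({info['name']}): {info['verdict']}; "
              f"flow {info['src']}:{info['sport']} -> {info['dst']}:{info['dport']}")
```

The `verdict` is the part an operator needs: any of the three administratively-prohibited codes means something was configured to drop the connection, so the fix is a rule change on the host or in the cloud network layer, not a routing or DNS repair.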


For this server I use UFW and it has these rules:

root@voice:~# ufw status
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
10000:20000/udp            ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
10000:20000/udp (v6)       ALLOW       Anywhere (v6)

Nginx is listening on port 80; I think the web server can't reply to the request for some reason I don't understand:

root@voice:~# netstat -nap | grep 80
tcp 0 0 0.0.0.0:5280 0.0.0.0:* LISTEN 7110/lua5.2
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 5090/nginx: master
tcp 0 0 10.0.0.142:38194 169.254.169.254:80 ESTABLISHED 1591/agent
tcp6 0 0 :::5280 :::* LISTEN 7110/lua5.2
tcp6 0 0 127.0.0.1:8080 :::* LISTEN 7114/java
tcp6 0 0 :::80 :::* LISTEN 5090/nginx: master

Osiris, you are correct, I confused the names when I wrote the ticket, sorry!

