Error getting validation data

Help
1

Hi all,

Have been troubleshooting this issue for a few days now. I had a server running in a data center for a while, which had third party software that would launch certbot and nginx as docker containers. Setting up my original certs was painless, and renewals happened without issue. Recently, I moved my server to a different location and IP. I updated my DNS records, and things seemed to run fine, until it was time to renew the certs. Turns out the most recent attemps to do so failed, and now they're expired.

My domain is: nodes.winskitech.com

I ran this command: docker run --rm
--name certbot
-v path-to/.node-pilot/config/letsencrypt/config:/etc/letsencrypt
-v path-to/.node-pilot/config/letsencrypt/log:/var/log/letsencrypt
-v path-to/.node-pilot/config/nginx/public:/public
certbot/certbot renew --agree-tos

It produced this output:
Domain: nodes.winskitech.com
Type: connection
Detail: 24.101.189.46: Fetching http://nodes.winskitech.com/.well-known/acme-challenge/c_gIVSR9yzCigmkkc6fW7vBceKTQJC2c8Xp1O-J2hXM: Error getting validation data

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided
--webroot-path/-w and that files created there can be downloaded from the internet.

My web server is (include version): Nginx

The operating system my web server runs on is (include version): 1.0.3

My hosting provider, if applicable, is: iwantmyname

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 3.0.1

2

sorry, can't edit, so it has to be a reply:

The O/S is ubuntu 24.04.1

3

Hello @Winskitech, welcome to the Let's Encrypt community. :slightly_smiling_face:

Using the online tool Let's Debug yields these results for the HTTP-01 challenge
https://letsdebug.net/nodes.winskitech.com/2304597

ANotWorking
Error
nodes.winskitech.com has an A (IPv4) record (24.101.189.46) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.
Get "http://nodes.winskitech.com/.well-known/acme-challenge/letsdebug-test": net/http: HTTP/1.x transport connection broken: malformed HTTP status code "Ubuntu-3ubuntu13.5"

Trace:
@0ms: Making a request to http://nodes.winskitech.com/.well-known/acme-challenge/letsdebug-test (using initial IP 24.101.189.46)
@0ms: Dialing 24.101.189.46
@262ms: Experienced error: net/http: HTTP/1.x transport connection broken: malformed HTTP status code "Ubuntu-3ubuntu13.5"

IssueFromLetsEncrypt
Error
A test authorization for nodes.winskitech.com to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.
24.101.189.46: Fetching http://nodes.winskitech.com/.well-known/acme-challenge/EJS3P274EifE_GTqiG-26y8-gtIboFET-TrcUdUF4ww: Error getting validation data

Here, Permanent link to this check report, is showing that HTTP Port 80 connection around the world are gettting "Connection reset by peer" results.

Edit

And this is what I get using curl

$ curl -i http://nodes.winskitech.com/.well-known/acme-challenge/sometestfile
curl: (1) Received HTTP/0.9 when not allowed

Definitely a problem serving HTTP on Port 80.

1 Like
4

You've got an SSH server listening on port 80..? That should not be the case.

1 Like
5

Thanks for the quick reply. From troubleshooting with chatgpt and looking at other posts, I am operating under the assumption that the issue with nginx. Here's a snippet from my configuration:

server {
  # Port 80 is the default port for accepting HTTP connections
  listen 80;

  # These are the domain names (including subdomains) which this configuration will accept connections for
  server_name nodes.winskitech.com;

  # This line is for permanently redirecting to SSL/TLS
  return 301 https://$host$request_uri;
}

server {
  listen 443 ssl;
  listen [::]:443 ssl;

  server_name nodes.winskitech.com;

  ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
  ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !kECDH !DSS !MD5 !RC4 !EXP !PSK !SRP !CAMELLIA !SEED';
  ssl_prefer_server_ciphers on;
  ssl_dhparam /ssl/dhparams.pem;
  ssl_certificate /etc/letsencrypt/live/nodes.winskitech.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/nodes.winskitech.com/privkey.pem;

  location / {
    root /public;
    try_files $uri @app;
  }

  location @app {
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_ssl_verify off;
    proxy_pass http://host.docker.internal:34416;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
  }

}

I tried adding an exception for /.well-known, like this:

  location /.well-known/acme-challenge/ {
    root /public;  # Replace /public with the directory Certbot writes to
    allow all;     # Ensure requests from Let's Encrypt are allowed
  }

But it didn't work. Any ideas?

1 Like
6

Yes:

 

1 Like
7

Adding to Osiris' observation of

This is what I see trying ssh nodes.winskitech.com -p 80

$ ssh nodes.winskitech.com -p 80
The authenticity of host '[nodes.winskitech.com]:80 ([24.101.189.46]:80)' can't be established.
ED25519 key fingerprint is SHA256:XmZItKHtO5ENuBl051czO3eB8KcvNekd3sw9WgMEfpU.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
2 Likes
8

So this is the part where I sheepishly admit I'm not sure what to do with this information.

9

Usually SSH runs on port 22. And a webserver serves HTTP on port 80. These are the default ports.

For some reason you have your SSH server listening on port 80. I have no clue how that could have happened, but this must be deliberately done by human action. E.g. by modifying the configuration file of the sshd daemon or an incorrect portmap.

2 Likes
10

Interesting!

When I check the sshd config, I don't see port 80 mentioned. Only 22.

Running sudo lsof -i :80 gives me

COMMAND      PID USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
docker-pr 243098 root    4u  IPv4 15015173      0t0  TCP *:http (LISTEN)
docker-pr 243115 root    4u  IPv6 14886565      0t0  TCP *:http (LISTEN)

I am also working off a fresh install of the o/s. Could it be an issue with Docker then?

11

Supplemental suggestion change that to ssl_protocols TLSv1.3 TLSv1.2;

1 Like
12

I would think more likely the OS hosting Docker has already taken Port 80 for ssh for some weird reason.

Edit

Or possibly the router redirecting the public facing Port 80 to the internal facing Port 22.

3 Likes
13

DING DING DING!

Turns out I had screwed up the port mapping on my router, and was routing traffic from port 80 to 22. What a rookie move.

Anyhow, port forwarding was fixed, and the certs just renewed without issue.

Thanks a lot for your help, everyone! Will label Osiris' answer as the solution, even though it took a while for it to seep in.

3 Likes
14

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.