Error getting validation data

Help
1

Hi, I'm getting the same error, on an Amazon Linux 2023.

Tried the test below:
certbot certonly --standalone --dry-run --debug-challenges -v -d (domain)
and pulsed at "Press Enter to Continue".
But the http://mydomain got me to a This site cannot be reached error.

Tried to start my web application using a self-signed cert, and it started fine on port 80 and 443. I guess port 80 and 443 should be opened up for certbot. Any other reason why I'm getting the error?

Error with Hint:
Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: isam.astrion.us
Type: connection
Detail: 44.223.135.109: Fetching http://isam.astrion.us/.well-known/acme-challenge/9B_tg2mG0-6LgUh1eHva9ifehu3Ng-cv3DbhlT8JE7c: Error getting validation data

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Thanks!

2

For --standalone only HTTP and port 80 are involved. And, technically, not for Certbot. Certbot, as the ACME Client, makes the cert request to Let's Encrypt, the ACME Server. It is the LE Server that sends an HTTP request to your domain to prove you control it. It is this request that is failing and for which port 80 needs to be open.

While Certbot is running and paused can you open another session into that EC2 and show output of this?

sudo ss -pant | grep -i listen | grep ':80'

If ss is not available try same command but with netstat

We should see Certbot listening on port 80.

3 Likes
3

Thanks for your quick response, Mike.

Yes, I can see certbot is listening on port 80.

[root@ip-172-31-15-25 ~]# ss -pant | grep -i listen | grep ':80'
LISTEN   0      5                  *:80                 *:*     users:(("certbot",pid=227819,fd=8))
4

By the way, I have two EC2 instances in the same network with the same inbound rules. The cert got successfully installed and renewed on another EC2 instance, but right now failing on this one.

5

Is Certbot --standalone still running there? Because I am getting this error (from an AWS EC2 in Us-East)

curl -ik -m8 http://isam.astrion.us
curl: (7) Failed to connect to isam.astrion.us port 80 after 6 ms: 
No route to host

Are you sure your EC2 Security Group and any other VPC routing is correct?

2 Likes
6

Yes. certbot --standalone is still running (not pressed enter yet). I have the same security settings on both EC2 instances. What else should I look at?

7

The other one is isam-dev.astrion.us, with the same security group settings, which has been working fine.

8

It's definitely something with port 80.

Not many hops to you from my test server :slight_smile: Note the !X indicates failure

sudo traceroute -T -p80 isam.astrion.us
traceroute to isam.astrion.us (44.223.135.109), 30 hops max, 60 byte packets
 1  * * *
 2  ec2-44-223-135-109.compute-1.amazonaws.com (44.223.135.109)  0.630 ms !X  0.621 ms !X  0.610 ms !X

 sudo traceroute -T -p80 isam-dev.astrion.us
traceroute to isam-dev.astrion.us (3.223.15.137), 30 hops max, 60 byte packets
 1  * * *
 2  ec2-3-223-15-137.compute-1.amazonaws.com (3.223.15.137)  0.623 ms  0.613 ms  0.637 ms

Using port 443 in that traceroute works for both

Do you have anything like iptables setup?
Or any VPC ACL Rule?
Or Network Firewall?

Anything like that. Not much more I can do. Clearly a comms problem and not unique to Let's Encrypt as I can't reach it from a nearby EC2 instance.

3 Likes
9

Just checked the inbound rules for this VPC/Security Group,

sgr-0501b915cca24d3d5 IPv6 HTTP TCP 80 ::/0
sgr-0c8839958b6c8a0fe IPv4 HTTP TCP 80 0.0.0.0/0

I don't see any block on port 80. Plus, I was able to install/renew the cert on isam-dev.astrion.us successfully, which is on the same VPC. Anything else I can look into?

10

You said you had your webapp running on port 80 earlier. Were you able to connect to it using HTTP on port 80 from some device on the public internet?

You could stop Certbot and instead run your own app on port 80. Then if you can't connect to it from the public internet you know it's your networking problem. I am already convinced of that but it might help to be using your own app as you seek advice from networking specialists.

We are not a general purpose help site for networking problems. We often point out common reasons for those and educate about tools to help debug. We have already strayed well beyond that :slight_smile:

4 Likes
11

Can confirm port 80 is not responding but that may be because nothing is listening on port 80. Start a temporary web server and try connecting to it from an external network. Could also be a firewall on the host.

Once you get basic port 80 http working externally your HTTP domain validation will likely start working.

1 Like
12

Just tried the certbot dryrun on isam-dev.astrion.us, which is on the same VPC.
certbot certonly --standalone --dry-run --debug-challenges -v -d isam-dev.astrion.us

And got it thru successfully. So looks like the inbound rules are correct, and the issue is in this EC2 instance only. Did you mean the network issue only happens to this instance?

mentioned:

URL:
http://isam-dev.astrion.us/.well-known/acme-challenge/vZQMLL5FvLXUXGXMIOdCmIR9R-7ynmjsqxfcORJ9B4Y
Expected value:
vZQMLL5FvLXUXGXMIOdCmIR9R-7ynmjsqxfcORJ9B4Y.HqP0TZifuxRHrKf6szMg47cBLwzG4QlUvUnG4gRwSN8
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
The dry run was successful.```
13

It went through fine even though I was getting the same site can't be reached page while trying the http://isam-dev.astrion.us/.well-known/acme-challenge/vZQMLL5FvLXUXGXMIOdCmIR9R-7ynmjsqxfcORJ9B4Y before pressing the enter on isam-dev.astrion.us.

14

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.