Error Getting Validation Data

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
area51.mynetstuff.com

I ran this command:
sudo certbot --nginx -d area51.mynetstuff.com

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for area51.mynetstuff.com
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. area51.mynetstuff.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://area51.mynetstuff.com/.well-known/acme-challenge/ahazTqRH09E8hDatGMGff0LDt5orXd_2lJHDrQq5RQw: Error getting validation data

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: area51.mynetstuff.com
    Type: connection
    Detail: Fetching
    http://area51.mynetstuff.com/.well-known/acme-challenge/ahazTqRH09E8hDatGMGff0LDt5orXd_2lJHDrQq5RQw:
    Error getting validation data

    To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you’re using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.

My web server is (include version):
nginx/1.10.3

The operating system my web server runs on is (include version):
Ubuntu 16.04 (I’m happy to run this on 18, but I thought that might be part of the problem)

My hosting provider, if applicable, is:
N/A

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
N/A

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.28.0

/facedesk I’m out of ideas

Of note, I believe this is something I’m missing on my new Ubuntu instance: if I boot up my old one (with lots of extra services on it), it still renews just fine (as of when I checked 2 months ago). On any new instance I have set up (trying to clean up my containerization) I can’t get a cert to validate :frowning: HALP! :slight_smile:

I have tried and checked several of the things listed in the numerous other “Error Getting Validation Data” posts, with no luck. :frowning:

I shall send you a beer/coffee of choice!

Hi @area51tazz

Here is a check of your website from this morning ( https://check-your-website.server-daten.de/?q=area51.mynetstuff.com ):

Your port 80 is closed; the connection times out.

So http validation can't work.

Domainname                                  IP              Http-Status  redirect  Sec.    G
• http://area51.mynetstuff.com/             110.21.200.151  -14                    10.024  T
  Timeout - The operation has timed out
• https://area51.mynetstuff.com/            110.21.200.151  -4                     1.557   W
  SendFailure - The underlying connection was closed: An unexpected error occurred on a send. Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
• http://area51.mynetstuff.com:443/         110.21.200.151  -3                     2.563   A
  ReceiveFailure - The underlying connection was closed: An unexpected error occurred on a receive. Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
• http://area51.mynetstuff.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
                                            110.21.200.151  -14                    10.026  T
  Timeout - The operation has timed out

If you want to create a certificate using http-01 validation, an open port 80 is required. Certbot creates a file under /.well-known/acme-challenge, and Let's Encrypt checks that file.

But that can't work if port 80 is closed.
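
As an added example (not code from the original post, and not certbot's or Let's Encrypt's own code), the script below simulates the http-01 exchange described above on loopback: it computes the key authorization that goes into /.well-known/acme-challenge/<token> (the token plus the account key's JWK thumbprint, per RFC 8555 and RFC 7638), serves it from a temporary webroot, fetches it the way the CA does, and then repeats the fetch after the listener is gone to reproduce the "connection" error class from the thread. The account JWK, token, webroot and loopback port are constructed for the demo; the real check is performed by Let's Encrypt from the public internet on port 80, which this local run cannot stand in for.

```python
"""Local simulation of the ACME http-01 challenge (added example, not
certbot's or Let's Encrypt's code).  Client side: write the key
authorization under <webroot>/.well-known/acme-challenge/<token>.
CA side: GET it over plain HTTP and compare.  JWK, token and webroot
below are constructed for illustration."""
import base64
import hashlib
import http.server
import json
import os
import socketserver
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE/ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: required members only, keys sorted, no whitespace, SHA-256."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 s8.1: the exact body the CA expects at the challenge URL."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def publish_challenge(webroot: str, token: str, keyauth: str) -> str:
    """Client side (what certbot's webroot/nginx plugins do): drop the file in place."""
    target_dir = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(target_dir, exist_ok=True)
    path = os.path.join(target_dir, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(keyauth)
    return path


def validate(base_url: str, token: str, expected: str, timeout: float = 3.0):
    """CA side: GET http://<host>/.well-known/acme-challenge/<token> and compare.
    Returns (ok, detail); detail names the ACME error family it maps to."""
    url = f"{base_url}/.well-known/acme-challenge/{token}"
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # never via a proxy
    try:
        with opener.open(url, timeout=timeout) as resp:
            body = resp.read().decode("ascii", "replace").strip()
    except urllib.error.HTTPError as exc:   # port open, file not served (wrong webroot)
        return False, f"unauthorized: HTTP {exc.code}"
    except OSError as exc:                  # refused / timeout / no route: the thread's case
        reason = getattr(exc, "reason", exc)
        return False, f"connection: {reason}"
    if body != expected:
        return False, "unauthorized: key authorization mismatch"
    return True, "valid"


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep demo output clean
        pass


def serve_webroot(webroot: str) -> socketserver.TCPServer:
    """Minimal stand-in for nginx serving the webroot on an ephemeral loopback port."""
    server = socketserver.TCPServer(("127.0.0.1", 0), partial(_QuietHandler, directory=webroot))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def demo() -> dict:
    """Happy path, content mismatch, missing file, and the closed-port failure."""
    account_jwk = {  # constructed P-256 public JWK; coordinates are dummy bytes
        "kty": "EC", "crv": "P-256",
        "x": b64url(bytes(range(32))), "y": b64url(bytes(range(32, 64))),
    }
    token = b64url(os.urandom(32))  # ACME tokens are random base64url strings
    keyauth = key_authorization(token, account_jwk)
    webroot = tempfile.mkdtemp(prefix="acme-demo-")
    publish_challenge(webroot, token, keyauth)

    server = serve_webroot(webroot)
    base = f"http://127.0.0.1:{server.server_address[1]}"
    results = {"keyauth": keyauth}
    results["live"] = validate(base, token, keyauth)               # (True, "valid")
    results["mismatch"] = validate(base, token, keyauth + "x")     # wrong account key
    results["missing"] = validate(base, "no-such-token", keyauth)  # 404
    server.shutdown()
    server.server_close()
    # Nothing listens any more: same failure class as a firewall or ISP
    # dropping port 80, just refused instead of timing out.
    results["port_closed"] = validate(base, token, keyauth)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last case is the one this thread hit: the CA reports a connection-class error rather than an unauthorized one, which tells you the request never reached nginx at all (DNS pointing elsewhere, a firewall, or an ISP block), so the fix lies on the network path and not in the certbot or nginx configuration.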

Looks like a firewall problem. When I try to connect with curl, it says "No route to host". When I try to traceroute with TCP port 80, I'm getting:

(...)
16  198.142.139.115 (198.142.139.115)  303.706 ms  304.205 ms  304.414 ms
17  * * *
18  carlnfd2-tg1-0.cm.optusnet.com.au (198.142.164.18)  309.948 ms carlnfd2-tg3-0.cm.optusnet.com.au (198.142.164.22)  311.516 ms carlnfd2-tg1-0.cm.optusnet.com.au (198.142.164.18)  307.562 ms
19  carlnfd2-tg1-0.cm.optusnet.com.au (198.142.164.18)  312.687 ms !X 210.49.119.2 (210.49.119.2)  413.323 ms !X carlnfd2-tg3-0.cm.optusnet.com.au (198.142.164.22)  412.314 ms !X

Where !X according to the man page of traceroute means:

!X (communication administratively prohibited)

So I'm guessing somewhere in the path, perhaps on your server, there's a firewall giving trouble.

Well, that was working last night, but after both of you mentioned it, I checked whether my home internet provider was blocking port 80 or 443, and it turns out they randomly block requests to them. So sometimes it’ll work, sometimes it won’t.

WHAT YEAR IS IT?!?

How would you like your beer/coffee?

