Fail to get cert

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mail.giatt.ru

[2020-09-01 20:12:53] LEScript.INFO: Getting list of URLs for API
[2020-09-01 20:12:54] LEScript.INFO: Requesting new nonce for client communication
[2020-09-01 20:12:54] LEScript.INFO: Account already registered. Continuing.
[2020-09-01 20:12:54] LEScript.INFO: Sending registration to letsencrypt server
[2020-09-01 20:12:54] LEScript.INFO: Sending signed request to https://acme-v02.api.letsencrypt.org/acme/new-acct
[2020-09-01 20:12:55] LEScript.INFO: Account: https://acme-v02.api.letsencrypt.org/acme/acct/95373810
[2020-09-01 20:12:55] LEScript.INFO: Starting certificate generation process for domains
[2020-09-01 20:12:55] LEScript.INFO: Requesting challenge for mail.giatt.ru
[2020-09-01 20:12:55] LEScript.INFO: Sending signed request to https://acme-v02.api.letsencrypt.org/acme/new-order
[2020-09-01 20:12:57] LEScript.INFO: Sending signed request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/6888219127
[2020-09-01 20:12:58] LEScript.INFO: Got challenge token for mail.giatt.ru
[2020-09-01 20:12:58] LEScript.INFO: Token for mail.giatt.ru saved at /opt/www//.well-known/acme-challenge/2ZMl_2HFNPouIorRAK-4tCeQYcULS0ODUrDmbjSszuU and should be available at http://mail.giatt.ru/.well-known/acme-challenge/2ZMl_2HFNPouIorRAK-4tCeQYcULS0ODUrDmbjSszuU
[2020-09-01 20:12:58] LEScript.ERROR: Please check http://mail.giatt.ru/.well-known/acme-challenge/2ZMl_2HFNPouIorRAK-4tCeQYcULS0ODUrDmbjSszuU - token not available
[2020-09-01 20:12:58] LEScript.ERROR: #0 /opt/admin/src/AppBundle/Handler/LeHandler.php(62): Analogic\ACME\Lescript->signDomains()
[2020-09-01 20:12:58] LEScript.ERROR: #1 /opt/admin/src/AppBundle/Controller/LeController.php(71): AppBundle\Handler\LeHandler->renew()
[2020-09-01 20:12:58] LEScript.ERROR: #2 /opt/admin/vendor/symfony/symfony/src/Symfony/Component/HttpKernel/HttpKernel.php(151): AppBundle\Controller\LeController->issueAction()
[2020-09-01 20:12:58] LEScript.ERROR: #3 /opt/admin/vendor/symfony/symfony/src/Symfony/Component/HttpKernel/HttpKernel.php(68): Symfony\Component\HttpKernel\HttpKernel->handleRaw()
[2020-09-01 20:12:58] LEScript.ERROR: #4 /opt/admin/vendor/symfony/symfony/src/Symfony/Component/HttpKernel/Kernel.php(200): Symfony\Component\HttpKernel\HttpKernel->handle()
[2020-09-01 20:12:58] LEScript.ERROR: #5 /opt/admin/web/app.php(16): Symfony\Component\HttpKernel\Kernel->handle()
[2020-09-01 20:12:58] LEScript.ERROR: #6 {main}

I can download the token easily, but there is still an error in LEScript.
Any help?

1 Like

Very strange… It looks like your script is “pre-checking” the token before it signals Let’s Encrypt to validate the authorization. I can download the token too…

If you look at the contents of your authorization at https://acme-v02.api.letsencrypt.org/acme/authz-v3/6888219127 (from your log), you’ll see all the statuses are “pending”: no success, but no failure either. If Let’s Encrypt wasn’t able to verify the hostname due to the same issue your ACME client has, it would result in a failure in that “status”, not pending.

How did you try to download the token yourself? From the same machine as where LEScript runs? If not, could you try downloading it from that machine?

2 Likes

I agree with @Osiris, based on this msg:

Please check http://mail.giatt.ru/.well-known/acme-challenge/2ZMl_2HFNPouIorRAK-4tCeQYcULS0ODUrDmbjSszuU - token not available

It would seem that your script can’t reach that site.
That could be due to:

  • split DNS (providing different IPs to different nets)
  • localhost doesn’t know itself as also “mail.giatt.ru”
  • web server providing different content (paths) to different nets (internal/external)

So, yes, test that link from itself to be sure that is not part of the problem.

1 Like
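The causes listed in the reply above can be told apart by repeating the client's pre-check from the server itself. This is an added example, not code from the thread or from LEScript; `self_check`, its parameters and the expected token body are assumptions made for illustration.

```python
import ipaddress
import socket
import urllib.request

def classify(addr):
    """Label one resolved address as loopback, internal or public."""
    ip = ipaddress.ip_address(addr.split("%")[0])   # drop any IPv6 zone id
    if ip.is_loopback:
        return "loopback"
    if ip.is_private or ip.is_link_local:
        return "internal"
    return "public"

def http_get(url):
    """Fetch url from this machine; returns (status, body)."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        return resp.status, resp.read().decode()

def self_check(host, path, expected, resolver=socket.getaddrinfo, fetch=http_get):
    """Repeat the pre-check locally and report which cause it points to."""
    try:
        # Uses this machine's view: hosts file and split DNS included.
        infos = resolver(host, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return "unresolved: this machine has no address for its own hostname"
    kinds = "/".join(sorted({classify(info[4][0]) for info in infos}))
    try:
        status, body = fetch(f"http://{host}{path}")
    except OSError as exc:   # URLError and HTTPError are OSError subclasses
        return f"fetch failed via {kinds} address: {exc}"
    if status != 200 or body.strip() != expected:
        return f"wrong content via {kinds} address: different vhost or docroot"
    return f"ok via {kinds} address"
```

Run it on the machine where the ACME client runs; a result other than "ok via public address" shows that machine does not see the site the way an outside validator does.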

Hi @HARDKoD

Check if there is an update of that script.

Or if it is possible to skip that pre-check.

If both aren’t possible, switch to another client.

1 Like

Fixed the download problem. Thanks guys, the problem was that I couldn’t download the file from the server itself. But now there is the next problem:

[2020-09-02 01:14:28] LEScript.INFO: Sending request to challenge
[2020-09-02 01:14:28] LEScript.INFO: Sending signed request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/6923593461/TVd-hA
[2020-09-02 01:14:29] LEScript.INFO: Verification pending, sleeping 1s
[2020-09-02 01:14:30] LEScript.INFO: Sending signed request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/6923593461/TVd-hA
[2020-09-02 01:14:31] LEScript.INFO: Verification pending, sleeping 1s
[2020-09-02 01:14:32] LEScript.INFO: Sending signed request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/6923593461/TVd-hA
[2020-09-02 01:14:33] LEScript.INFO: Verification pending, sleeping 1s
[2020-09-02 01:14:34] LEScript.INFO: Sending signed request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/6923593461/TVd-hA
[2020-09-02 01:14:35] LEScript.INFO: Verification pending, sleeping 1s
[2020-09-02 01:14:36] LEScript.INFO: Sending signed request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/6923593461/TVd-hA
[2020-09-02 01:14:37] LEScript.ERROR: 400 {   "type": "urn:ietf:params:acme:error:malformed",   "detail": "Unable to update challenge :: authorization must be pending",   "status": 400 }
[2020-09-02 01:14:37] LEScript.ERROR: #0 /opt/admin/vendor/analogic/lescript/Lescript.php(544): Analogic\ACME\Client->curl()
[2020-09-02 01:14:37] LEScript.ERROR: #1 /opt/admin/vendor/analogic/lescript/Lescript.php(422): Analogic\ACME\Client->post()
[2020-09-02 01:14:37] LEScript.ERROR: #2 /opt/admin/vendor/analogic/lescript/Lescript.php(165): Analogic\ACME\Lescript->signedRequest()
[2020-09-02 01:14:37] LEScript.ERROR: #3 /opt/admin/src/AppBundle/Handler/LeHandler.php(62): Analogic\ACME\Lescript->signDomains()
[2020-09-02 01:14:37] LEScript.ERROR: #4 /opt/admin/src/AppBundle/Controller/LeController.php(71): AppBundle\Handler\LeHandler->renew()
[2020-09-02 01:14:37] LEScript.ERROR: #5 /opt/admin/vendor/symfony/symfony/src/Symfony/Component/HttpKernel/HttpKernel.php(151): AppBundle\Controller\LeController->issueAction()
[2020-09-02 01:14:37] LEScript.ERROR: #6 /opt/admin/vendor/symfony/symfony/src/Symfony/Component/HttpKernel/HttpKernel.php(68): Symfony\Component\HttpKernel\HttpKernel->handleRaw()
[2020-09-02 01:14:37] LEScript.ERROR: #7 /opt/admin/vendor/symfony/symfony/src/Symfony/Component/HttpKernel/Kernel.php(200): Symfony\Component\HttpKernel\HttpKernel->handle()
[2020-09-02 01:14:37] LEScript.ERROR: #8 /opt/admin/web/app.php(16): Symfony\Component\HttpKernel\Kernel->handle()
[2020-09-02 01:14:37] LEScript.ERROR: #9 {main}

The script should be posting to the challenge url once then repeatedly posting to the authorization url associated with the challenge in order to check status, NOT repeatedly posting to the challenge url.

1 Like
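The difference between the two polling patterns described in the reply above, as an added example that is not LEScript's or Let's Encrypt's code. `FakeCA` is a constructed in-memory stand-in for the CA, with each request standing in for time passing during validation; the error text is the one from the log.

```python
class FakeCA:
    """Constructed in-memory stand-in for the CA: one authorization, one challenge."""

    def __init__(self, ticks_to_validate=4):
        self.authz_status = "pending"
        self.triggered = False          # has the client asked for validation yet?
        self.ticks_left = ticks_to_validate
        self.challenge_posts = 0

    def _tick(self):
        # Each request stands in for time passing while the CA validates.
        if self.triggered and self.authz_status == "pending":
            self.ticks_left -= 1
            if self.ticks_left <= 0:
                self.authz_status = "valid"

    def post_challenge(self):
        self._tick()
        self.challenge_posts += 1
        if self.authz_status != "pending":
            return 400, {"type": "urn:ietf:params:acme:error:malformed",
                         "detail": "Unable to update challenge :: "
                                   "authorization must be pending"}
        self.triggered = True
        return 200, {"status": "pending"}

    def get_authz(self):
        self._tick()
        return 200, {"status": self.authz_status}


def poll_challenge(ca, tries=10):
    """The pattern in the log: re-POST the challenge URL on every iteration."""
    for _ in range(tries):
        code, body = ca.post_challenge()
        if code != 200:
            return f"{code} {body['detail']}"
    return "timeout"


def poll_authorization(ca, tries=10):
    """POST the challenge once, then poll the authorization until it settles."""
    code, body = ca.post_challenge()
    if code != 200:
        return f"{code} {body['detail']}"
    for _ in range(tries):
        _, body = ca.get_authz()        # a real client sleeps between polls
        if body["status"] in ("valid", "invalid"):
            return body["status"]
    return "timeout"
```

With the default of four ticks, `poll_challenge` gets four pending responses and then the 400 on the fifth POST, the same shape as the log, even though the authorization has in fact become valid.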

Your script is buggy. Update it or use another client. I don’t think you can fix that.

3 Likes