Failed authorization procedure. domain.org (http-01): urn:acme:error:connection

I used to renew my domains with no issues. I am renewing them early because I won't be in to do the renewal on the due date. I tried all the possible commands without success; they all time out on the ACME challenge. At the same time I could access the code at the server's address from the web without any issues. I am running my own client and server on Apache/BIND/Mac OS X. Letsencrypt CA is valid until August 6, 2017. Obs.: I had to trim the logs because the post body has a restriction on the number of characters.

Relevant information:

  1. OS = Mac OS X Mavericks
  2. Apache = Bitnami Apache 2.4.xx (Not the original OS X Apache Conf or path)
  3. Server is accessible through the domain.
  4. ACME challenge is also accessible through the web address.

Here are the terminal logs, and below them the /var/log/letsencrypt/letsencrypt.log.


— Mac OS X terminal logs start —

[server:~] root# cd /Users/user02/letsencrypt
[server:~/letsencrypt] root# ./letsencrypt-auto certonly -a manual --rsa-key-size 4096 -d domain.org -d www.domain.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn’t close to expiry.
(ref: /etc/letsencrypt/renewal/domain.org.conf)

What would you like to do?

1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)

Press Enter to Continue
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. domain.org (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://domain.org/.well-known/acme-challenge/fDjNSMdaG4Ugr_s6uKr8UdAmslGPwPcPE4GgUQ3nItQ: Timeout

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: domain.org
    Type: connection
    Detail: Fetching
    http://domain.org/.well-known/acme-challenge/fDjNSMdaG4Ugr_s6uKr8UdAmslGPwPcPE4GgUQ3nItQ:
    Timeout

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.
[server:~/letsencrypt] root#

— Mac OS X terminal logs ends —



I did research other similar topics, but the answers were for a particular issue.

The Apache virtual host is configured as follows:

<VirtualHost *:443>
    DocumentRoot "/Users/user2/Sites"
    ServerName domain.org
    ServerAlias www.domain.org
    ServerAdmin webmaster@domain.org
    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLEngine on
    SSLCertificateFile "/etc/letsencrypt/live/domain.org/cert.pem"
    SSLCertificateKeyFile "/etc/letsencrypt/live/domain.org/privkey.pem"
    SSLCertificateChainFile "/etc/letsencrypt/live/domain.org/chain.pem"

    # HSTS (mod_headers is required) (15768000 seconds = 6 months)
    Header always set Strict-Transport-Security "max-age=15768000"
    # Always ensure Cookies have "Secure" set (JAH 2012/1)
    Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"

    ErrorLog "/usr/local/apps/apache2/logs/error_log"
    TransferLog "/usr/local/apps/apache2/logs/access_log"
    CustomLog /usr/local/apps/apache2/logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

Sounds like a DNS issue. Are you absolutely sure that the DNS is correctly configured? I have to ask, because I had a very similar sounding problem, and it turned out to be because someone had added an incorrect IPv6 entry for the domain I was trying to renew. You might find dig domain.org, dig aaaa domain.org, dig www.domain.org and dig aaaa www.domain.org useful.

Thanks for your answer @Kitserve,

DNS is responding fine for both IPv4 and IPv6 addresses.

[server:~] root# dig domain.org AAAA

; <<>> DiG 9.xxxx <<>> domain.org AAAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39010
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;domain.org.			IN	AAAA

;; ANSWER SECTION:
domain.org.		3600	IN	AAAA	2X02:306:ce87:x
domain.org.		3600	IN	AAAA	2X02:306:ce87:x
domain.org.		3600	IN	AAAA	2X02:306:ce87:x

;; Query time: 26 msec
;; SERVER: 192.168.x.xx#53(192.168.x.xx)
;; WHEN: Tue Jul 04 10:11:38 PDT 2017
;; MSG SIZE  rcvd: 122

If I use certbot to renew the domains, this is what I get:

[server:~] root# sudo certbot --apache certonly -d domain.org -d www.domain.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn’t close to expiry.
(ref: /etc/letsencrypt/renewal/domain.org.conf)

What would you like to do?

1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)

Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for domain.org
tls-sni-01 challenge for www.domain.org
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. domain.org (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 706097348ac72ff6ed29eabb08be0652.d898b760ab70f8840a70403f1d5b153f.acme.invalid from 10x.xxx.xxx.xx:443. Received 2 certificate(s), first certificate had names “domain.org, www.domain.org”, www.domain.org (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested be74dc262acb71cec836e512982946bf.63fd8c4f165b462eed9995b74243f63d.acme.invalid from 10x.xxx.xxx.xx:443. Received 2 certificate(s), first certificate had names “domain.org, www.domain.org”

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: domain.org
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    706097348ac72ff6ed29eabb08be0652.d898b760ab70f8840a70403f1d5b153f.acme.invalid
    from 10x.xxx.xxx.xx:443. Received 2 certificate(s), first
    certificate had names “domain.org, www.domain.org”

    Domain: www.domain.org
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    be74dc262acb71cec836e512982946bf.63fd8c4f165b462eed9995b74243f63d.acme.invalid
    from 10x.xxx.xxx.xx:443. Received 2 certificate(s), first
    certificate had names “domain.org, www.domain.org”

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address.
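
The tls-sni-01 failure above reports the SNI name the CA asked for and the names in the certificate it actually received. The following is an added example for this thread, not certbot or Let's Encrypt code: it derives the .acme.invalid name the way the ACME drafts define tls-sni-01 (Z = lowercase hex SHA-256 of the key authorization "<token>.<account key thumbprint>", name = Z[0:32] "." Z[32:64] ".acme.invalid") and models Apache's name-based virtual host selection on one address:port, where an unmatched SNI name is answered by the first configured vhost with its own certificate. Whether that is what happened on the poster's Bitnami Apache is not established by the thread; the token, thumbprint and vhost table are constructed.

```python
"""What a tls-sni-01 validator sees from a server that dispatches on SNI.

Added example for this thread; not certbot or Let's Encrypt code. The
vhost table, token and thumbprint below are constructed.
"""
import hashlib

ACME_INVALID_SUFFIX = ".acme.invalid"


def tls_sni01_name(token, account_thumbprint):
    """SNI name the CA requests for a tls-sni-01 challenge (ACME draft rule)."""
    key_authorization = f"{token}.{account_thumbprint}"
    z = hashlib.sha256(key_authorization.encode("ascii")).hexdigest()
    return f"{z[:32]}.{z[32:]}{ACME_INVALID_SUFFIX}"


def select_vhost(vhosts, sni_name):
    """Name-based vhost selection as Apache does it for one address:port.

    vhosts: list of {"names": [ServerName, ServerAlias, ...], "sans": [...]}
    in configuration order. No match -> the first vhost is the default.
    """
    wanted = sni_name.lower()
    for vh in vhosts:
        if any(n.lower() == wanted for n in vh["names"]):
            return vh
    return vhosts[0]


def check_tls_sni01(expected_name, presented_sans):
    """Compare the presented SANs with the requested name, as the CA does."""
    if expected_name.lower() in (s.lower() for s in presented_sans):
        return True, "challenge certificate presented"
    return False, (f"requested {expected_name}, received certificate with names "
                   f"{', '.join(presented_sans)}: the challenge vhost did not "
                   f"answer, the default vhost did")


def simulate(vhosts, token, thumbprint):
    """Full round: derive the name, let the server pick a vhost, judge it."""
    name = tls_sni01_name(token, thumbprint)
    return check_tls_sni01(name, select_vhost(vhosts, name)["sans"])


if __name__ == "__main__":
    # Constructed production vhost, like the one in the first post.
    production = {"names": ["domain.org", "www.domain.org"],
                  "sans": ["domain.org", "www.domain.org"]}
    name = tls_sni01_name("tok", "thumb")          # constructed token/thumbprint
    challenge = {"names": [name], "sans": [name]}  # what the plugin should add
    print("challenge vhost present:", simulate([production, challenge], "tok", "thumb"))
    print("challenge vhost missing:", simulate([production], "tok", "thumb"))
    # In the field, obtain presented_sans for a given SNI name with:
    #   openssl s_client -connect host:443 -servername <name> </dev/null 2>/dev/null \
    #     | openssl x509 -noout -text | grep -A1 'Subject Alternative Name'
```

Running the block without arguments prints one passing and one failing round; the failing one reproduces the shape of the error in the post, with the production names returned in place of the requested .acme.invalid name.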

Hi @ebonsi,

Are you sure that your server can also accept inbound connections with IPv6? I don’t think that the test site that you used checked that part.

Hi @schoen,

I did not want to put the real address out, but at this point I have no choice, since none of the LE/Certbot commands, or even the recently installed Certbot from Homebrew, are working as they should. Let us remind ourselves that Letsencrypt worked before without any hard issues.

The server is http://domain.org or www.domain.org
DNS is responding fine without any errors!
The server is hosting multiple domain names on a single IP address.
You can also check whether acme is reachable through the internet. I checked both servers and acme with Tor and they are reachable without a problem.

https://domain.org/.well-known/acme-challenge/

I also performed a ping, nslookup and traceroute on both IPv4 and IPv6 without any issues.

Here is another IPV6 test. If that does not satisfy you, you can give me another address to test.

Thanks for sharing the domain name.

Both of the test sites that you used are testing whether you can browse the web with IPv6 connectivity, not whether a particular server has IPv6 connectivity. By running curl -6 http://bonsi.org/ on a machine with IPv6 connectivity, I can see that bonsi.org itself does not have its IPv6 connectivity working properly. (Testing in a browser is not quite a strict enough test because the browser is usually willing to fall back to IPv4 if an IPv6 connection fails, which our CA is not willing to do.)

A tester you could use that will confirm the problem is

http://ipv6-test.com/validate.php

You have to put in the domain name. You’ll see that the AAAA DNS record is provided but that connections to your server fail over IPv6.

This is probably why your renewal stopped working; some weeks ago, the Let’s Encrypt CA was updated to prefer IPv6 over IPv4 for domain control checks, while before that, the behavior was the opposite.
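
The explanation above (the CA resolves both record types, prefers IPv6, and does not fall back to IPv4 the way a browser does) is easy to check for oneself. The following is an added example for this thread, not Let's Encrypt (Boulder) or certbot code: it models an http-01 validation that behaves as described, so a stale AAAA record produces exactly the "connection ... Timeout" error from the first post even though the site loads in a browser; with fallback switched on it behaves like a browser and succeeds. It also performs the A/AAAA lookup that Kitserve suggested doing with dig, via getaddrinfo instead. The fetch function is injectable so the decision logic runs offline; live_fetch performs a real HTTP request to one chosen address. The domain, token, key authorization and addresses in the demo are constructed.

```python
"""Model of ACME http-01 validation with IPv6 preferred over IPv4.

Added example for this thread; not Let's Encrypt or certbot code. The demo
domain, token, key authorization and addresses are constructed.
"""
import http.client
import socket
import sys

CHALLENGE_PATH = "/.well-known/acme-challenge/"


def resolve(domain, getaddrinfo=socket.getaddrinfo):
    """Return (ipv6_addrs, ipv4_addrs) for domain, in resolver order."""
    v6, v4 = [], []
    for family, _t, _p, _c, sockaddr in getaddrinfo(domain, 80, type=socket.SOCK_STREAM):
        addr = sockaddr[0]
        if family == socket.AF_INET6 and addr not in v6:
            v6.append(addr)
        elif family == socket.AF_INET and addr not in v4:
            v4.append(addr)
    return v6, v4


def candidate_addresses(v6, v4, fallback):
    """Addresses a validator will try, in order.

    fallback=False models the CA as described in the thread: only the
    preferred address is attempted, and IPv6 is preferred whenever an AAAA
    record exists. fallback=True models a browser, which walks the list.
    """
    ordered = list(v6) + list(v4)
    return ordered if fallback else ordered[:1]


def live_fetch(addr, domain, path, timeout=10.0):
    """GET http://<domain><path> from one specific address (Host header set)."""
    host = f"[{addr}]" if ":" in addr else addr     # IPv6 literal needs brackets
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": domain})
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace")
    finally:
        conn.close()


def validate_http01(domain, token, key_authorization, v6, v4,
                    fetch=live_fetch, fallback=False):
    """Run the validation; returns {"valid": bool, "attempts": [...]}."""
    path = CHALLENGE_PATH + token
    attempts = []
    for addr in candidate_addresses(v6, v4, fallback):
        try:
            status, body = fetch(addr, domain, path)
        except OSError as exc:                 # timeout, refused, unreachable
            attempts.append({"addr": addr, "error": type(exc).__name__})
            continue
        ok = status == 200 and body.strip() == key_authorization
        attempts.append({"addr": addr, "status": status, "ok": ok})
        if ok:
            break
    return {"valid": any(a.get("ok", False) for a in attempts),
            "attempts": attempts}


def _demo_fetch(addr, domain, path):
    """Constructed server: answers on IPv4, but IPv6 connections time out."""
    if ":" in addr:
        raise TimeoutError("connect timed out")
    return 200, "tok.thumb\n"


if __name__ == "__main__":
    if len(sys.argv) == 4:                     # live: <domain> <token> <key_authorization>
        domain, token, keyauth = sys.argv[1:]
        v6, v4 = resolve(domain)
        print("AAAA:", v6, "A:", v4)
        print(validate_http01(domain, token, keyauth, v6, v4))
    else:                                      # offline demo with constructed records
        v6, v4 = ["2001:db8::1"], ["192.0.2.10"]
        for fb in (False, True):
            print("browser" if fb else "CA     ", validate_http01(
                "domain.org", "tok", "tok.thumb", v6, v4, _demo_fetch, fb))
```

Without arguments the block prints the CA-style run failing on the IPv6 address alone and the browser-style run succeeding on IPv4 after the same IPv6 timeout. With a domain, token and key authorization it does the same against the real host, which is a closer test than curl -6 because it fetches the exact challenge path with the Host header set and never retries on the other address family.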

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.