Failed authorization procedure: Error getting validation data

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: practice.emotfit.com

I ran this command:
sudo certbot certonly --preferred-challenges http --webroot --staging --http-01-port 8000 -d practice.emotfit.com

It produced this output:
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for practice.emotfit.com
Input the webroot for practice.emotfit.com: (Enter 'c' to cancel): /var/www/community/current/html
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. practice.emotfit.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://practice.emotfit.com/.well-known/acme-challenge/0hlQeijoCxZL0qPRriumwLXlADUXyW_oDgJt7o7FfKM: Error getting validation data

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: practice.emotfit.com
    Type: connection
    Detail: Fetching
    http://practice.emotfit.com/.well-known/acme-challenge/0hlQeijoCxZL0qPRriumwLXlADUXyW_oDgJt7o7FfKM:
    Error getting validation data

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version): Debian 9 (Stretch)

The operating system my web server runs on is (include version): Apache 2.4

My hosting provider, if applicable, is: Sitehost, self managed

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.28.0

I have already created a number of letsencrypt SSL certs on the same server, including https://emotfit.com, which is the parent domain of this subdomain. I am running Varnish on port 80, http on 8000 and certbot on 8080. Further to above: I can no longer renew the emotfit.com domain; getting the same response.

Thanks, Kent

Something on your server makes your webserver reply with an empty response for paths starting with /.well-known/acme-challenge/. Example output:

osiris@erazer ~ $ curl -LIv http://practice.emotfit.com/.well-known/acme-challenge/
*   Trying 2403:7000:8000:900::ff:80...
*   Trying 223.165.64.65:80...
* Connected to practice.emotfit.com (2403:7000:8000:900::ff) port 80 (#0)
> HEAD /.well-known/acme-challenge/ HTTP/1.1
> Host: practice.emotfit.com
> User-Agent: curl/7.77.0
> Accept: */*
> 
* Empty reply from server
* Closing connection 0
curl: (52) Empty reply from server
osiris@erazer ~ $

IPv4 and IPv6 behave the same, so that's not the issue. The path /.well-known/ returns a 404 file not found error, so that's also not the issue. But when adding /acme-challenge/ to the path, it starts replying those empty replies.

Does your webserver have a special configuration for /.well-known/acme-challenge/ set up, so it gets treated differently?

1 Like

Thanks for your reply.

I am not aware of any special configuration. It is a Drupal site so there is a rewrite rule but it should only affect paths for which there is no actual directory present. When I installed certs with letsencrypt on 8 August, the emotfit one resolved no worries. However, I do notice that there is no directory called /.well-known in the html docs directory (webroot). Is that supposed to be the case? As you can see https://emotfit.com/ works correctly. I did half a dozen domain names on the same day, and now is the first time I've been back. I have used the same command lines I used previously so nothing changed from last time that I know.

Update: Does the certbot create the file temporarily on the server at the location specified, and then separately use the http protocol to attempt to retrieve it? Trying to understand how it works.

1 Like

I think it's worth trying to rule Varnish out as a potential culprit.

First, try requesting to Apache directly:

curl -i -H 'Host: practice.emotfit.com' localhost:8000/.well-known/acme-challenge/test

Does that produce the "Empty reply from server" error?

Then try requesting to Varnish directly:

curl -i -H 'Host: practice.emotfit.com' localhost/.well-known/acme-challenge/test

Does that produce the "Empty reply from server" error?

If you are expecting Certbot to be running a webserver (and you're going to proxy to Certbot from Varnish or Apache), then you want --standalone, not --webroot.

So you would try instead:

certbot certonly -d practice.emotfit.com --standalone --http-01-port 8080 --dry-run
2 Likes

Dang, so easy! I must have written down the command wrong last time I used it. Thanks very much for the help. I made a good donation to letsencrypt a month ago. I'll keep doing so. Thanks again.

4 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.