Hi there.
I work with a hosting company and we use Let's Encrypt quite a lot.
By the way, here is a chance to thank all the people involved in this.
There is a particular server and domain name that caused an unusual amount of frustration.
TL;DR:
- http-01 challenge never worked, even if direct GET on the challenge URL is working perfectly
- dns-01 challenge worked
When we try to make a certificate with an http-01 challenge, in verbose mode, we can see the challenge file being created, permissions are OK, we can GET the challenge URL without firewall issues (and no special firewall permissions on source IP) and we have the proper content (same as file name).
But the challenge ends in a timeout error:
Failed authorization procedure. yest.app (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://yest.app/.well-known/acme-challenge/ufaExU4ADFLBRpz48ONumaM9xFOkWB0o_wxGo1U9640: Timeout during connect (likely firewall problem)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: yest.app
Type: connection
Detail: Fetching
http://yest.app/.well-known/acme-challenge/ufaExU4ADFLBRpz48ONumaM9xFOkWB0o_wxGo1U9640:
Timeout during connect (likely firewall problem)
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
During the challenge (before the timeout) we were able to GET the challenge URL from multiple sources.
The Apache log file showed our GET requests but also Let's Encrypt requests:
$ grep ufaExU4ADFLBRpz48ONumaM9xFOkWB0o_wxGo1U9640 /home/yest/log/*.log
/home/yest/log/access.log:18.222.145.89 - - [19/Jul/2021:16:14:23 +0200] "GET /.well-known/acme-challenge/ufaExU4ADFLBRpz48ONumaM9xFOkWB0o_wxGo1U9640 HTTP/1.1" 200 292 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
/home/yest/log/access.log:18.236.228.243 - - [19/Jul/2021:16:14:23 +0200] "GET /.well-known/acme-challenge/ufaExU4ADFLBRpz48ONumaM9xFOkWB0o_wxGo1U9640 HTTP/1.1" 200 292 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)
/home/yest/log/access.log:31.x.y.z - - [19/Jul/2021:16:14:32 +0200] "GET /.well-known/acme-challenge/ufaExU4ADFLBRpz48ONumaM9xFOkWB0o_wxGo1U9640 HTTP/1.1" 200 273 "-" "curl/7.64.0"
I've put a (fake) persistent file at http://yest.app/.well-known/acme-challenge/HWAQkCfF9F4C9smqhb2s1dZLu3ULLHpuMwVZ4GCkpDo in case anyone would like to investigate "from outside". You should get a "200 OK" return code like this:
$ curl -v http://yest.app/.well-known/acme-challenge/HWAQkCfF9F4C9smqhb2s1dZLu3ULLHpuMwVZ4GCkpDo
* […]
* Trying 163.172.20.152...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x56524ddbcfb0)
* Connected to yest.app (163.172.20.152) port 80 (#0)
> GET /.well-known/acme-challenge/HWAQkCfF9F4C9smqhb2s1dZLu3ULLHpuMwVZ4GCkpDo HTTP/1.1
> Host: yest.app
> User-Agent: curl/7.64.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Mon, 19 Jul 2021 14:28:01 GMT
< Server: Apache
< Last-Modified: Mon, 19 Jul 2021 14:16:51 GMT
< ETag: "2c-5c77a96af37b7"
< Accept-Ranges: bytes
< Content-Length: 44
<
HWAQkCfF9F4C9smqhb2s1dZLu3ULLHpuMwVZ4GCkpDo
* Connection #0 to host yest.app left intact
We arrived at the conclusion that there might be a connectivity issue between Let's Encrypt servers and ours.
If anyone has the slightest clue regarding this mystery, we would appreciate it greatly.
Thanks.
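A small diagnostic in the spirit of the grep over the Apache log above, added here as an example and not part of the original post. It parses combined-format access log lines (tolerating a grep filename prefix and a line whose closing quote was lost on paste), pulls out the fetches for one challenge token, separates Let's Encrypt's validation requests from other clients by user agent, checks that a served body has the shape of an ACME key authorization (token, a dot, then the 43-character base64url SHA-256 JWK thumbprint, per RFC 8555), and returns a verdict. The token, user agent string, IP addresses (documentation ranges) and log lines are constructed for the example; `verdict` and the other function names are mine, not Certbot's or Let's Encrypt's.

```python
import re
from datetime import datetime
from typing import Optional

LE_UA_MARKER = "Let's Encrypt validation server"
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Strip a "somefile.log:" prefix that grep adds when searching several files.
_GREP_PREFIX = re.compile(r'^\S+\.log:')

# Apache "combined" format. The closing quote of the user-agent is optional so that a
# line truncated on paste (like the second validator line in the post) still parses.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"?$'
)

# Unpadded base64url of a 32-byte SHA-256 digest is exactly 43 characters.
_THUMBPRINT_RE = re.compile(r'^[A-Za-z0-9_-]{43}$')


def parse_access_log_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None when it does not match."""
    m = _LOG_RE.match(_GREP_PREFIX.sub("", line.strip(), count=1))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["is_le_validator"] = LE_UA_MARKER in (rec["ua"] or "")
    return rec


def challenge_fetches(lines, token: str) -> list:
    """All GET requests for this token's challenge path, parsed."""
    want = CHALLENGE_PREFIX + token
    recs = (parse_access_log_line(l) for l in lines)
    return [r for r in recs if r and r["method"] == "GET" and r["path"] == want]


def summarize_validation(lines, token: str) -> dict:
    fetches = challenge_fetches(lines, token)
    validators = [f for f in fetches if f["is_le_validator"]]
    return {
        "total_fetches": len(fetches),
        "validator_fetches": len(validators),
        "validator_ok": sum(1 for f in validators if f["status"] == 200),
        "validator_ips": sorted({f["ip"] for f in validators}),
        "body_sizes": sorted({f["size"] for f in fetches}),
    }


def key_authorization_ok(body: str, token: str) -> bool:
    """True when body is '<token>.<base64url JWK thumbprint>' as RFC 8555 requires."""
    body = body.strip()
    if "." not in body:
        return False
    tok, thumb = body.split(".", 1)
    return tok == token and bool(_THUMBPRINT_RE.match(thumb))


def verdict(summary: dict, ca_reported_connect_error: bool) -> str:
    """Map the log summary plus the CA's error class to a short diagnosis code."""
    if summary["validator_fetches"] == 0:
        return "no-validator-request-reached-apache"
    if summary["validator_ok"] < summary["validator_fetches"]:
        return "validator-reached-apache-but-got-non-200"
    if ca_reported_connect_error:
        # Every validator request Apache saw succeeded, yet the CA timed out on connect:
        # Let's Encrypt validates from several vantage points, so the failing one never got through.
        return "some-vantage-point-never-reached-apache"
    return "ok"


# Constructed sample in the shape of the post's grep output (not real traffic).
TOKEN = "exampleTokenNotFromThePost"
LE_UA = "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
SAMPLE_GREP_OUTPUT = [
    f'access.log:203.0.113.10 - - [19/Jul/2021:16:14:23 +0200] "GET {CHALLENGE_PREFIX}{TOKEN} HTTP/1.1" 200 87 "-" "{LE_UA}"',
    # closing quote deliberately missing, like the pasted log line in the post
    f'access.log:203.0.113.77 - - [19/Jul/2021:16:14:23 +0200] "GET {CHALLENGE_PREFIX}{TOKEN} HTTP/1.1" 200 87 "-" "{LE_UA}',
    f'access.log:198.51.100.7 - - [19/Jul/2021:16:14:32 +0200] "GET {CHALLENGE_PREFIX}{TOKEN} HTTP/1.1" 200 87 "-" "curl/7.64.0"',
    f'access.log:198.51.100.9 - - [19/Jul/2021:16:14:40 +0200] "GET /robots.txt HTTP/1.1" 200 12 "-" "curl/7.64.0"',
    f'access.log:203.0.113.200 - - [19/Jul/2021:16:15:01 +0200] "GET {CHALLENGE_PREFIX}{TOKEN} HTTP/1.1" 404 196 "-" "{LE_UA}"',
]

if __name__ == "__main__":
    s = summarize_validation(SAMPLE_GREP_OUTPUT, TOKEN)
    print(s)
    print(verdict(s, ca_reported_connect_error=True))
```

Run it against `grep <token> access.log` output instead of the constructed lines to get the same summary for a real attempt. The verdict codes encode the reasoning used in the post: validator requests that appear in the log with a 200 prove the webroot is served correctly from at least one vantage point, so a connect timeout reported by the CA has to come from a vantage point whose packets never reached Apache. When checking reachability by hand, also test the address family the validator will actually use: if the zone publishes an AAAA record, Let's Encrypt connects over IPv6 first, so a working IPv4 curl does not prove that path.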