Failed to create certificate order: Failed to begin certificate order

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
octopus.osvatmos.com
I ran this command:
was unable to import expired cert in certify
It produced this output:
Failed to create certificate order: Failed to begin certificate order. 2019-11-25 19:50:14.959 +00:00 [INF] Failed to create certificate order: Failed to begin certificate order.

The operating system my web server runs on is (include version):
server 2019
My hosting provider, if applicable, is:
octopus

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

Hi @dfleskes

I don’t understand why you want to import an expired certificate. And what’s “certify”?

But checking your domain your port 80 doesn’t answer - https://check-your-website.server-daten.de/?q=octopus.osvatmos.com

Only timeouts.

Domainname Http-Status redirect Sec. G
http://octopus.osvatmos.com/
52.27.95.15 -14 10.040 T
Timeout - The operation has timed out
https://octopus.osvatmos.com/
52.27.95.15 303 https://octopus.osvatmos.com/app 5.737 N
Certificate error: RemoteCertificateNameMismatch

Same with /.well-known/acme-challenge/random-filename.

If you want to create a certificate via http validation, your port 80 must be active. Perhaps start your http webserver or check your firewall.

I can generate new certs…

I need to renew the old cert but can’t do that through Certify because the old cert was generated via the Octopus GUI, which is no longer an option.

I either need LE to delete the old cert or offer another renew solution.

Then create a new certificate and install it. It’s not required to use a special GUI. Switch to another client.

I’m not wanting to change my bindings… so I need to be able to generate the same cert as before, either new (which I can’t, because I get the error I posted) or be able to renew.

That’s impossible. You must change your binding, so the new certificate is used.

A certificate is always new. The difference between “new” and “renew” is only local (using the same configuration again), Letsencrypt doesn’t know (and doesn’t need to know) details about your local configuration. Letsencrypt may only see: “Ah, that’s a certificate with the same set of domain names as an older certificate”.

So if your local configuration doesn’t work, you have to change your local configuration.

Then select a new client.


Do you work for LE? The error message is posted clear as day…

@dfleskes,

@JuergenAuer is a staple of our community.

As for your client, I assume this is the octopus you’re talking about and you’re self hosting it on Windows Server 2019. If that’s the case, there are several ACMEv2 Windows clients you can choose from on the link that Juergen provided.


@dfleskes, are you currently using https://certifytheweb.com/?

Yes, that’s the option I’m currently using.

@JuergenAuer @Phil_LE it might be helpful to find someone who can help debug CertifyTheWeb rather than making @dfleskes switch clients, if possible.


@dfleskes, some of the confusion in cases like this comes in because there are dozens of different software applications that people can use to request certificates from Let’s Encrypt. Sometimes on this forum we find that people are using tools that few other people on the forum are very familiar with—or at least that nobody in the specific forum thread is an expert on.

It might be helpful to make the forum thread topic start with CertifyTheWeb to attract attention of people who are more knowledgeable about this tool.


@webprofusion, the author of Certify The Web, is active on this forum. And the client also has its own dedicated forum for support: https://community.certifytheweb.com/

I would guess that the error is the order creation failing due to too many failed validation attempts per hour, which are failing because of the firewall timeout on port 80, as already suggested by @JuergenAuer.


Hi @dfleskes, yes, please email support at certifytheweb.com or post a question to https://community.certifytheweb.com

Without a complete log it’s hard to tell, but for “Failed to begin certificate order” usually the log will then go on to output an error from the Let’s Encrypt API (such as rate limit exceeded etc.), unless it’s failing to contact the Let’s Encrypt API at all, in which case open a web browser on your server and check you can access https://acme-v02.api.letsencrypt.org/ - if you can’t, then you are blocking outgoing HTTPS requests in Windows Firewall and you need to open that up first.

As noted by @JuergenAuer above, your website doesn’t appear to allow HTTP requests to port 80, and you at least need port 80 open if you are going to use HTTP validation; if you use DNS validation then that’s not required. I used letsdebug to check: https://letsdebug.net/octopus.osvatmos.com/81301

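The two checks suggested in this thread (outbound access to the ACME v2 API, and an open, listening port 80 for http-01 validation) as an added PowerShell pre-flight script for the Windows Server 2019 host; this is an example written for this page, not code from Certify The Web or Octopus. It assumes an elevated Windows PowerShell 5.1 session, and the hostname and API URL are the ones quoted above.

```powershell
# Added example: pre-flight checks on the server that runs the ACME client.
# Assumes an elevated session; hostname and ACME URL are taken from the thread.
$Domain        = 'octopus.osvatmos.com'
$AcmeDirectory = 'https://acme-v02.api.letsencrypt.org/directory'

# 1. Outbound HTTPS: if the client cannot reach the ACME API at all,
#    the order fails before any validation is attempted.
$tcp = Test-NetConnection -ComputerName 'acme-v02.api.letsencrypt.org' -Port 443 -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    Write-Warning 'Cannot reach acme-v02.api.letsencrypt.org:443 - check outbound rules in Windows Firewall and upstream filtering.'
} else {
    # The directory is JSON; a healthy reply carries the newOrder URL the client will call.
    $dir = (Invoke-WebRequest -Uri $AcmeDirectory -UseBasicParsing).Content | ConvertFrom-Json
    Write-Host "ACME directory reachable; newOrder endpoint: $($dir.newOrder)"
}

# 2. Inbound HTTP on TCP 80 is mandatory for http-01 (not for dns-01).
$listener = Get-NetTCPConnection -LocalPort 80 -State Listen -ErrorAction SilentlyContinue
if (-not $listener) {
    Write-Warning 'Nothing is listening on TCP 80 - start the web server or switch to DNS validation.'
}

# Enabled inbound Allow rules covering TCP 80 (LocalPort may be a number, a range or 'Any').
$rules = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow | Where-Object {
    $_ | Get-NetFirewallPortFilter | Where-Object {
        $_.Protocol -eq 'TCP' -and ($_.LocalPort -contains '80' -or $_.LocalPort -eq 'Any')
    }
}
if (-not $rules) {
    Write-Warning 'No enabled inbound Windows Firewall rule allows TCP 80.'
} else {
    Write-Host "Inbound TCP 80 allowed by: $($rules.DisplayName -join ', ')"
}

# 3. Request the validation path. A 404 is fine (the token only exists during a
#    live validation); a timeout is the symptom seen in the thread. Note that a test
#    from the host itself does not prove external reachability (NAT, perimeter
#    firewall), so confirm from outside too, e.g. with the letsdebug link above.
try {
    $r = Invoke-WebRequest -Uri "http://$Domain/.well-known/acme-challenge/preflight-test" -UseBasicParsing -TimeoutSec 15 -ErrorAction Stop
    Write-Host "Port 80 answered with HTTP $($r.StatusCode)"
} catch {
    if ($_.Exception.Response) {
        Write-Host "Port 80 answered with HTTP $([int]$_.Exception.Response.StatusCode) (expected outside a live validation)"
    } else {
        Write-Warning "No answer on port 80: $($_.Exception.Message)"
    }
}
```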

Ah, now we know your client.

And your environment.

But checking Octopus, there is an integrated Letsencrypt solution.

Octopus 3.16 or newer can integrate with Let’s Encrypt to set up and manage the SSL certificate for the Octopus Portal. When the certificate nears its expiration date, Octopus will automatically renew the certificate with no intervention required.

That’s always the best solution.

Looks like you have used an older configuration with an additional client.

And the integrated Octopus-client supports ACME-v2:

Octopus 2019.10.3, 2019.9.6 LTS, 2019.6.12 LTS or newer use ACME v2, which is required after Let’s Encrypt retired the v1 APIs in November 2019.

Check if it is possible to use that integrated solution.