Failing acme-challenge


I'm trying to issue a certificate for one of our subdomains and would need some help debugging since Google is not my friend on this one.
It does not want to go past the acme-challenge. To be sure my webserver (nginx) is serving the directory I created a testfile and was able to access it from my browser.

The command that I'm running is
letsencrypt certonly --webroot -w /xxxx/portus/www/ -d --staging

My website is an application running in a docker container. Nginx is installed on the machine itself and serves as a proxy that will have to add ssl (currently I only have port 80 in my nginx config)

Below are the last lines of the letsencrypt log. If anything more is needed to give you an idea, let me know.

P.S. I had to add some characters before links since I could not post otherwise, I put mostly a '

2016-05-18 14:41:48,018:DEBUG:acme.client:Storing nonce: '\x17\xb6\xc8B\x14\x83\x9b5yP\xe5\x145>\x84\xf1\x845\x84T\xc5Z\xb7\xc93m\x86\x17\xe8 \xbf\xd0'
2016-05-18 14:41:48,018:DEBUG:acme.client:Received response <Response [202]> (headers: {'Content-Length': '337', 'Expires': 'Wed, 18 May 2016 14:41:48 GMT', 'Server': 'nginx', 'Connection': 'keep-alive', 'Link': '>;rel="up"', 'Location': '', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Wed, 18 May 2016 14:41:48 GMT', 'Content-Type': 'application/json', 'Replay-Nonce': 'F7bIQhSDmzV5UOUUNT6E8YQ1hFTFWrfJM22GF-ggv9A'}): '{\n "type": "http-01",\n "status": "pending",\n "uri": "",\n "token": "EufBYQfNZm5LI81ozaMRdy8pGWmvt2TxLQTKyk3185I",\n "keyAuthorization": "EufBYQfNZm5LI81ozaMRdy8pGWmvt2TxLQTKyk3185I.C0gHb7qCBwY7LPEKolQT3bf4x-TZSPcK5o6hxL-Sx2U"\n}'
2016-05-18 14:41:51,022:DEBUG:root:Sending GET request to ' args: (), kwargs: {}
2016-05-18 14:41:51,024:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1):
2016-05-18 14:41:51,346:DEBUG:requests.packages.urllib3.connectionpool:"GET /acme/authz/lFPMM-F_C9UkpfBmcm0JFxUe2AAXwgxuX5jYvqM9tMc HTTP/1.1" 200 1698
2016-05-18 14:41:51,348:DEBUG:root:Received <Response [200]>. Headers: {'Content-Length': '1698', 'Expires': 'Wed, 18 May 2016 14:41:51 GMT', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Link': ';rel="next"', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Wed, 18 May 2016 14:41:51 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'iRmIZocSKIxTN31qEnRMJOOTCp92Fy-0uEpNIRBcWIk'}. Content: '{\n "identifier": {\n "type": "dns",\n "value": ""\n },\n "status": "invalid",\n "expires": "2016-05-25T14:41:47Z",\n "challenges": [\n {\n "type": "tls-sni-01",\n "status": "pending",\n "uri": "",\n "token": "___D5eoCyrZTjESBaf9Ig_Cstfd7AGqGRdx71ktGvUg"\n },\n {\n "type": "dns-01",\n "status": "pending",\n "uri": "",\n "token": "9rSlCCYUilXhk1W9H8YTC-LdZmpAxbMV4dFroe36Od4"\n },\n {\n "type": "http-01",\n "status": "invalid",\n "error": {\n "type": "urn:acme:error:connection",\n "detail": "Could not connect to '"\n },\n "uri": "",\n "token": "EufBYQfNZm5LI81ozaMRdy8pGWmvt2TxLQTKyk3185I",\n "keyAuthorization": "EufBYQfNZm5LI81ozaMRdy8pGWmvt2TxLQTKyk3185I.C0gHb7qCBwY7LPEKolQT3bf4x-TZSPcK5o6hxL-Sx2U",\n "validationRecord": [\n {\n "url": "",\n "hostname": "",\n "port": "80",\n "addressesResolved": [\n ""\n ],\n "addressUsed": ""\n }\n ]\n }\n ],\n "combinations": [\n [\n 1\n ],\n [\n 2\n ],\n [\n 0\n ]\n ]\n}'
2016-05-18 14:41:51,350:DEBUG:acme.client:Received response <Response [200]> (headers: {'Content-Length': '1698', 'Expires': 'Wed, 18 May 2016 14:41:51 GMT', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Link': '<'>;rel="next"', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Wed, 18 May 2016 14:41:51 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'iRmIZocSKIxTN31qEnRMJOOTCp92Fy-0uEpNIRBcWIk'}): '{\n "identifier": {\n "type": "dns",\n "value": ""\n },\n "status": "invalid",\n "expires": "2016-05-25T14:41:47Z",\n "challenges": [\n {\n "type": "tls-sni-01",\n "status": "pending",\n "uri": "",\n "token": "___D5eoCyrZTjESBaf9Ig_Cstfd7AGqGRdx71ktGvUg"\n },\n {\n "type": "dns-01",\n "status": "pending",\n "uri": "",\n "token": "9rSlCCYUilXhk1W9H8YTC-LdZmpAxbMV4dFroe36Od4"\n },\n {\n "type": "http-01",\n "status": "invalid",\n "error": {\n "type": "urn:acme:error:connection",\n "detail": "Could not connect to '"\n },\n "uri": "",\n "token": "EufBYQfNZm5LI81ozaMRdy8pGWmvt2TxLQTKyk3185I",\n "keyAuthorization": "EufBYQfNZm5LI81ozaMRdy8pGWmvt2TxLQTKyk3185I.C0gHb7qCBwY7LPEKolQT3bf4x-TZSPcK5o6hxL-Sx2U",\n "validationRecord": [\n {\n "url": "",\n "hostname": "",\n "port": "80",\n "addressesResolved": [\n ""\n ],\n "addressUsed": ""\n }\n ]\n }\n ],\n "combinations": [\n [\n 1\n ],\n [\n 2\n ],\n [\n 0\n ]\n ]\n}'
2016-05-18 14:41:51,350:DEBUG:acme.challenges:dns-01 was not recognized, full message: {u'status': u'pending', u'token': u'9rSlCCYUilXhk1W9H8YTC-LdZmpAxbMV4dFroe36Od4', u'type': u'dns-01', u'uri': u''}
2016-05-18 14:41:51,352:INFO:letsencrypt.reporter:Reporting to user: The following errors were reported by the server:

Type: connection
Detail: Could not connect to

To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
2016-05-18 14:41:51,352:INFO:letsencrypt.auth_handler:Cleaning up challenges
2016-05-18 14:41:51,352:DEBUG:letsencrypt.plugins.webroot:Removing /applications/portus/www/.well-known/acme-challenge/EufBYQfNZm5LI81ozaMRdy8pGWmvt2TxLQTKyk3185I
2016-05-18 14:41:51,353:DEBUG:letsencrypt.plugins.webroot:All challenges cleaned up, removing /applications/portus/www/.well-known/acme-challenge
2016-05-18 14:41:51,355:DEBUG:letsencrypt.cli:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/letsencrypt", line 9, in
load_entry_point('letsencrypt==0.4.1', 'console_scripts', 'letsencrypt')()
File "/usr/lib/python2.7/dist-packages/letsencrypt/", line 1986, in main
return config.func(config, plugins)
File "/usr/lib/python2.7/dist-packages/letsencrypt/", line 706, in obtain_cert
_, action = _auth_from_domains(le_client, config, domains, lineage)
File "/usr/lib/python2.7/dist-packages/letsencrypt/", line 474, in _auth_from_domains
lineage = le_client.obtain_and_enroll_certificate(domains)
File "/usr/lib/python2.7/dist-packages/letsencrypt/", line 269, in obtain_and_enroll_certificate
certr, chain, key, _ = self.obtain_certificate(domains)
File "/usr/lib/python2.7/dist-packages/letsencrypt/", line 252, in obtain_certificate
return self.obtain_certificate_from_csr(domains, csr) + (key, csr)
File "/usr/lib/python2.7/dist-packages/letsencrypt/", line 225, in obtain_certificate_from_csr
authzr = self.auth_handler.get_authorizations(domains)
File "/usr/lib/python2.7/dist-packages/letsencrypt/", line 84, in get_authorizations
self._respond(cont_resp, dv_resp, best_effort)
File "/usr/lib/python2.7/dist-packages/letsencrypt/", line 142, in _respond
self._poll_challenges(chall_update, best_effort)
File "/usr/lib/python2.7/dist-packages/letsencrypt/", line 204, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to '`

Could it be a firewall issue ? What’s the configuration / setup you have for ? and when you tested did you test from a general IP on the internet ?

When I test I get a connection refused to your domain.

curl -I 
curl: (7) Failed to connect to port 80: Connection refused

Thank you for pointing me into the right direction.
The machine is indeed behind a firewall and there was one rule missing.
It was working for me since I am onsite but your comment made me check with nibbler which confirmed your findings.

The command is working now.

Thanks again.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.