Getssl secondary validation error on virtual host server

Hi,

v2.48 of getssl is giving a verify error during secondary validation saying "timeout during connect".

My Apache configuration is set up to run a number of virtual hosts. In particular, trying to access the raw IP address isn't supported. An Apache log file shows that getssl is making http requests using the raw IP address.

There are different directories for each virtual host and a mostly empty directory for the site the IP address refers to.

My question is how to stop getssl from trying the raw IP address? Or is there another utility that won't use it? Or is this something new required by letsencrypt?

I have run some tests with ufw disabled. They seemed to put out more output but ultimately failed.

Thanks,
Bill

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
rushdatalog.com

I ran this command:
(v 2.48 as local user) ./getssl rushdatalog.com

It produced this output:
Registering account
Verify each domain
Verifying rushdatalog.com
copying challenge token to /var/www/www.rushdatalog.com/html/.well-known/acme-challenge/gEgNQBRui8HKhcujV8bHxNGZy_ZJD6RqV_0ET0erMeY
sending request to ACME server saying we're ready for challenge
checking if challenge is complete
Pending
checking if challenge is complete
Pending
checking if challenge is complete
getssl: rushdatalog.com:Verify error: "detail": "During secondary validation: 159.203.171.39: Fetching http://rushdatalog.com/.well-known/acme-challenge/gEgNQBRui8HKhcujV8bHxNGZy_ZJD6RqV_0ET0erMeY:
Timeout during connect (likely firewall problem)",

My web server is (include version):
Server version: Apache/2.4.41 (Ubuntu)
Server built: 2023-03-08T17:32:54

The operating system my web server runs on is (include version):
NAME="Ubuntu"
VERSION="20.04.6 LTS (Focal Fossa)"

My hosting provider, if applicable, is:
VPN Digital Ocean

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
getssl 2.48

It looks really likely to me that you have some kind of aggressive firewall installed, such as fail2ban or mod_security or similar.

It didn't take much effort for your server to block my home internet connection. All I had to do was make 4 or 5 requests using curl, and boom I was blocked.

Disable it. It's not going to play nice with Let's Encrypt's HTTP validation.


Why "403 Forbidden" on challenge location?

curl -Ii http://rushdatalog.com/.well-known/acme-challenge/gEgNQBRui8HKhcujV8bHxNGZy_ZJD6RqV_0ET0erMeY
HTTP/1.1 403 Forbidden
Date: Tue, 04 Jul 2023 04:40:40 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=iso-8859-1

Hi,

The detail section of the error message shown in the line:

getssl: rushdatalog.com:Verify error: "detail": "During secondary validation: 159.203.171.39: Fetching http://rushdatalog.com/.well-known/acme-challenge/gEgNQBRui8HKhcujV8bHxNGZy_ZJD6RqV_0ET0erMeY:
Timeout during connect (likely firewall problem)",

is coming from the LetsEncrypt server, not from getssl, and there's nothing in the log extracts that you've posted which indicates that getssl is sending the ip address to the server.

Tim
getssl maintainer


Thanks for all your replies.

I tried getssl again this morning and it worked; it retrieved the renewed certificate. The ufw firewall was enabled.

Yes, the server uses aggressive anti-hacking measures.

Thanks for the data point of a forbidden response. My tests succeeded.

You are right; I don't know that getssl was using the IP address. I only saw in the Apache log file that an http request was made using the IP address. It could be that something was specified somewhere that Apache was remapping to the IP address. I was starting to investigate this when the problem resolved itself.

Differences between Monday and today:
Monday:
159.203.171.39 - - [03/Jul/2023:18:27:18 -0500] "GET /.well-known/acme-challenge/k6U2HHuTkaKCt5C-RTgg3yijrb6dtxdU5SXdyhasL8k HTTP/1.1" 200 347 "-" "getssl/2.48"
23.178.112.202 - - [03/Jul/2023:18:27:18 -0500] "GET /.well-known/acme-challenge/k6U2HHuTkaKCt5C-RTgg3yijrb6dtxdU5SXdyhasL8k HTTP/1.1" 200 366 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
Today:
159.203.171.39 - - [05/Jul/2023:07:22:46 -0500] "GET /.well-known/acme-challenge/emSpMfXZvjWLJs-mcwji8Iy5LIoguzj0iD4BX1IjCoY HTTP/1.1" 200 347 "-" "getsslt1/2.48"
13.59.62.81 - - [05/Jul/2023:07:22:46 -0500] "GET /.well-known/acme-challenge/emSpMfXZvjWLJs-mcwji8Iy5LIoguzj0iD4BX1IjCoY HTTP/1.1" 200 366 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
23.178.112.102 - - [05/Jul/2023:07:22:47 -0500] "GET /.well-known/acme-challenge/emSpMfXZvjWLJs-mcwji8Iy5LIoguzj0iD4BX1IjCoY HTTP/1.1" 200 366 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

Monday:
The SSL certificate was valid
Today:
The SSL certificate had expired.

Both days at least these IP addresses beginning with 13.59 were blocked:
13.59.250.246
13.59.195.163
13.59.240.241
13.59.24.15
13.59.236.209
13.59.224.121

Status: Problem resolved by trying later, possibly caused by blocked IP address.

Thanks again for your input.

Bill

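An added example, not code from the thread or from the getssl project: a small shell triage for the Apache access-log pattern shown above. The excerpt Bill posted has two kinds of hits on the challenge path: the getssl user agent arriving from 159.203.171.39 (the same address the Let's Encrypt error message named), and hits from other addresses with the "Let's Encrypt validation server" user agent. The script below separates the ACME client's own pre-check from the validators, counts distinct validator source addresses (the "secondary validation" in the error means more than one vantage point must succeed), and lists any validator that was not served a 200. A validator that shows up with a 403 points at the web server's access rules or a missing token; a validator that never appears in the log at all points at a network-level block (ufw, fail2ban or similar), because the connection never reached Apache. The sample log lines are constructed, modelled on the thread's format; the 203.0.113.10 line and its 403 are invented to show a failing validator.

```shell
#!/bin/sh
# Added example (not from the thread or from getssl): classify Apache
# combined-log hits on the HTTP-01 challenge path.

# Constructed sample, in the combined log format seen in the thread.
# 203.0.113.10 (a documentation address) and its 403 are invented.
SAMPLE_LOG=$(cat <<'EOF'
159.203.171.39 - - [05/Jul/2023:07:22:46 -0500] "GET /.well-known/acme-challenge/tok HTTP/1.1" 200 347 "-" "getssl/2.48"
13.59.62.81 - - [05/Jul/2023:07:22:46 -0500] "GET /.well-known/acme-challenge/tok HTTP/1.1" 200 366 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
23.178.112.102 - - [05/Jul/2023:07:22:47 -0500] "GET /.well-known/acme-challenge/tok HTTP/1.1" 200 366 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
203.0.113.10 - - [05/Jul/2023:07:22:47 -0500] "GET /.well-known/acme-challenge/tok HTTP/1.1" 403 199 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
198.51.100.7 - - [05/Jul/2023:07:23:01 -0500] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.68.0"
EOF
)

# Print "<ip> <status> <class>" for every request to the challenge path.
# class: "client"    = the ACME client's own pre-check (getssl user agent)
#        "validator" = a Let's Encrypt validation server
#        "other"     = anything else hitting the challenge path
# Field 9 of the combined log format is the HTTP status code.
classify_challenge_hits() {
  printf '%s\n' "$1" | awk '
    /\/\.well-known\/acme-challenge\// {
      ip = $1; status = $9; class = "other"
      if ($0 ~ /"getssl[^"]*"$/)                    class = "client"
      else if ($0 ~ /Let.s Encrypt validation server/) class = "validator"
      print ip, status, class
    }'
}

# Distinct validator source IPs. Secondary validation means several vantage
# points fetch the token, so one successful hit is not proof of success.
validator_count() {
  classify_challenge_hits "$1" | awk '$3 == "validator" { print $1 }' | sort -u | wc -l | tr -d ' '
}

# Validator IPs that reached Apache but were not served a 200 (e.g. a 403 from
# an access rule). Blocked validators do not appear here at all: they never
# reached the web server, so check the firewall/ban logs for those.
failed_validators() {
  classify_challenge_hits "$1" | awk '$3 == "validator" && $2 != 200 { print $1 }' | sort -u
}

# Source IP(s) of the client's own pre-check; with getssl this is the host the
# domain resolves to, i.e. the server's own public address.
client_selfcheck_ips() {
  classify_challenge_hits "$1" | awk '$3 == "client" { print $1 }' | sort -u
}

echo "validators seen:            $(validator_count "$SAMPLE_LOG")"
echo "validators not served 200:  $(failed_validators "$SAMPLE_LOG" | tr '\n' ' ')"
echo "client self-check from:     $(client_selfcheck_ips "$SAMPLE_LOG" | tr '\n' ' ')"
```

To run it against a real log, replace `"$SAMPLE_LOG"` with `"$(cat /var/log/apache2/access.log)"`; the user-agent match is on the string the thread's log lines show, so a client other than getssl would need its own pattern in the first awk branch.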
