Http-01 challenge fails

I have been trying to manually get a new certificate signed to replace one that is about to expire. I can place challenge files on the server and have confirmed they can be externally accessed. I keep getting the following error:

2016-04-05 20:53:20,566:INFO:letsencrypt.reporter:Reporting to user: The following errors were reported by the server:

Domain: omdcheck.mysite.com
Type:   connection
Detail: Could not connect to http://omdcheck.mysite.com/.well-known/acme-challenge/lIF-jg9OCCNaKtrk7xonPunIM05-m4RdeMe8Dl_6o8Q

I get this error even with HTTPS redirects turned off. Apache logs on the server do not show any LE servers.

Let's Encrypt logs (on my workstation, not the server):

> 2016-04-05 20:53:13,928:DEBUG:acme.challenges:Verifying http-01 at http://omdcheck.mysite.com/.well-known/acme-challenge/lIF-jg9OCCNaKtrk7xonPunIM05-m4RdeMe8Dl_6o8Q...
>     2016-04-05 20:53:13,933:INFO:requests.packages.urllib3.connectionpool:Starting new HTTP connection (1): omdcheck.mysite.com
>     2016-04-05 20:53:13,940:DEBUG:requests.packages.urllib3.connectionpool:"GET /.well-known/acme-challenge/lIF-jg9OCCNaKtrk7xonPunIM05-m4RdeMe8Dl_6o8Q HTTP/1.1" 200 88
>     2016-04-05 20:53:13,959:DEBUG:acme.challenges:Received <Response [200]>: lIF-jg9OCCNaKtrk7xonPunIM05-m4RdeMe8Dl_6o8Q.o5UaFdoYU_GiKb2Ym95NBcg0_h-bD4QFN0Yig6i6knk
>     . Headers: {'Content-Length': '88', 'Accept-Ranges': 'bytes', 'Keep-Alive': 'timeout=5, max=100', 'Server': 'Apache/2.4.7 (Ubuntu)', 'Last-Modified': 'Tue, 05 Apr 2016 20:51:51 GMT', 'Connection': 'Keep-Alive', 'ETag': '"58-52fc303bc07e9"', 'Date': 'Tue, 05 Apr 2016 20:52:38 GMT'}
>     2016-04-05 20:53:13,964:INFO:letsencrypt.auth_handler:Waiting for verification...
>     2016-04-05 20:53:13,969:DEBUG:acme.client:Serialized JSON: {"keyAuthorization": "lIF-jg9OCCNaKtrk7xonPunIM05-m4RdeMe8Dl_6o8Q.o5UaFdoYU_GiKb2Ym95NBcg0_h-bD4QFN0Yig6i6knk", "type": "http-01", "resource": "challenge"}
>     2016-04-05 20:53:13,974:DEBUG:acme.jose.json_util:Omitted empty fields: cty=None, x5t=None, crit=(), x5tS256=None, x5u=None, x5c=(), alg=None, jku=None, typ=None, kid=None, jwk=None
>     2016-04-05 20:53:13,979:DEBUG:acme.jose.json_util:Omitted empty fields: cty=None, x5t=None, crit=(), x5tS256=None, x5u=None, x5c=(), jku=None, typ=None, kid=None, nonce=None
>     2016-04-05 20:53:13,983:DEBUG:root:Sending POST request to https://acme-staging.api.letsencrypt.org/acme/challenge/AnkhjBOtP-zcal60KeL5d7JWhuk_-BcqnguFeFdK2m0/3024629. args: (), kwargs: {'data': '{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "3Xhb25exJF5kT9SnqUVMeBOxjdlYZZWdgRzBDvarVokeizTTxxwSeh6vtwcNsE4oYB7wmqhfpLrPBmHnmjxIH891680OhYaA9nBr_4f4NhHthpEotWL2Ac4gMkyxaOi4IJF-lmovoQlzR27Wy4VIQLRM9aKSoM1JkyDJT77gI4KEW-1y43hoNcjBTcZDAV2y20QfkO_hQ5P7NwRYMza-aTZVZWVEXcFBBD4BVyq8HOy3XYg4OGU7EZuG696IX0aJ2ucsR0I8cyarjypjYvSAiZqZFZ8F1bsE2vxUlzY4a9jvMMX7zh2SUKPUD0z2Eo5NQKcPjd6dzxNKjLLArViOXQ"}}, "protected": "eyJub25jZSI6ICJqSnJrd3dzRldSYnJfRlhCQnN0ZHNDQVZDbFo0b184U0FNYUd4RVlKb0pvIn0", "payload": "eyJrZXlBdXRob3JpemF0aW9uIjogImxJRi1qZzlPQ0NOYUt0cms3eG9uUHVuSU0wNS1tNFJkZU1lOERsXzZvOFEubzVVYUZkb1lVX0dpS2IyWW05NU5CY2cwX2gtYkQ0UUZOMFlpZzZpNmtuayIsICJ0eXBlIjogImh0dHAtMDEiLCAicmVzb3VyY2UiOiAiY2hhbGxlbmdlIn0", "signature": "pfJPtWyf5CIYGQNLOmEwluhmS4ZyEfRtgxeA00RL38K9Y8yNhnhnNPyoVGgoVPRfRRpyXXUqp8X7vat81Seun9dYztGTi59Wr4SrelsW2rra-zWnk837KS4VcKHUB-gm7ZxATB-elFF5HcjFP9BeDO6yQNzkuWDAlGZEUJEoMx93N6VLDdxlWE1wm6fCvWS8V4z1Jksin1PD3_tt5MtdaFPegxU7FLx4NkhZ5ODS1JriPzD81iexvKRjsa6R5FNz9LKfCcTtKRt74hLItO5ucOlZBZOe4K3JYhtdTjiL5FfA6sWvMRnUGFqUA1CXcQ9uD-yFMqN7r_wIvYUFp7dBAA"}'}
>     2016-04-05 20:53:13,988:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
>     2016-04-05 20:53:14,268:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/challenge/AnkhjBOtP-zcal60KeL5d7JWhuk_-BcqnguFeFdK2m0/3024629 HTTP/1.1" 202 316
>     2016-04-05 20:53:14,274:DEBUG:root:Received <Response [202]>. Headers: {'Content-Length': '316', 'Expires': 'Tue, 05 Apr 2016 20:53:14 GMT', 'Server': 'nginx', 'Connection': 'keep-alive', 'Link': '<https://acme-staging.api.letsencrypt.org/acme/authz/AnkhjBOtP-zcal60KeL5d7JWhuk_-BcqnguFeFdK2m0>;rel="up"', 'Location': 'https://acme-staging.api.letsencrypt.org/acme/challenge/AnkhjBOtP-zcal60KeL5d7JWhuk_-BcqnguFeFdK2m0/3024629', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 05 Apr 2016 20:53:14 GMT', 'Content-Type': 'application/json', 'Replay-Nonce': 'eJCq9XAyEx6BE5sXmNHdrQp3Cqwp-Oh4EoqPl0QLjjA'}. Content: '{"type":"http-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/AnkhjBOtP-zcal60KeL5d7JWhuk_-BcqnguFeFdK2m0/3024629","token":"lIF-jg9OCCNaKtrk7xonPunIM05-m4RdeMe8Dl_6o8Q","keyAuthorization":"lIF-jg9OCCNaKtrk7xonPunIM05-m4RdeMe8Dl_6o8Q.o5UaFdoYU_GiKb2Ym95NBcg0_h-bD4QFN0Yig6i6knk"}'
>     2016-04-05 20:53:14,278:DEBUG:acme.client:Storing nonce: 'x\x90\xaa\xf5p2\x13\x1e\x81\x13\x9b\x17\x98\xd1\xdd\xad\nw\n\xac)\xf8\xe8x\x12\x8a\x8f\x97D\x0b\x8e0'
>     2016-04-05 20:53:14,282:DEBUG:acme.client:Received response <Response [202]> (headers: {'Content-Length': '316', 'Expires': 'Tue, 05 Apr 2016 20:53:14 GMT', 'Server': 'nginx', 'Connection': 'keep-alive', 'Link': '<https://acme-staging.api.letsencrypt.org/acme/authz/AnkhjBOtP-zcal60KeL5d7JWhuk_-BcqnguFeFdK2m0>;rel="up"', 'Location': 'https://acme-staging.api.letsencrypt.org/acme/challenge/AnkhjBOtP-zcal60KeL5d7JWhuk_-BcqnguFeFdK2m0/3024629', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 05 Apr 2016 20:53:14 GMT', 'Content-Type': 'application/json', 'Replay-Nonce': 'eJCq9XAyEx6BE5sXmNHdrQp3Cqwp-Oh4EoqPl0QLjjA'}): '{"type":"http-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/AnkhjBOtP-zcal60KeL5d7JWhuk_-BcqnguFeFdK2m0/3024629","token":"lIF-jg9OCCNaKtrk7xonPunIM05-m4RdeMe8Dl_6o8Q","keyAuthorization":"lIF-jg9OCCNaKtrk7xonPunIM05-m4RdeMe8Dl_6o8Q.o5UaFdoYU_GiKb2Ym95NBcg0_h-bD4QFN0Yig6i6knk"}'
>     2016-04-05 20:53:17,291:DEBUG:root:Sending GET request to https://acme-staging.api.letsencrypt.org/acme/authz/AnkhjBOtP-zcal60KeL5d7JWhuk_-BcqnguFeFdK2m0. args: (), kwargs: {}
>     2016-04-05 20:53:17,297:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
>     2016-04-05 20:53:17,406:DEBUG:requests.packages.urllib3.connectionpool:"GET /acme/authz/AnkhjBOtP-zcal60KeL5d7JWhuk_-BcqnguFeFdK2m0 HTTP/1.1" 200 891
>     2016-04-05 20:53:17,412:DEBUG:root:Received <Response [200]>. Headers: {'Content-Length': '891', 'Expires': 'Tue, 05 Apr 2016 20:53:17 GMT', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Link': '<https://acme-staging.api.letsencrypt.org/acme/new-cert>;rel="next"', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 05 Apr 2016 20:53:17 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'LSlqUIoIZvL7DEbfyp53tZeZ4eYD-YgW4V7OivKh8J8'}. Content: '{"identifier":{"type":"dns","value":"omdcheck.mysite.com"},"status":"pending","expires":"2016-04-12T20:51:58Z","challenges":[{"type":"http-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/AnkhjBOtP-zcal60KeL5d7JWhuk_-BcqnguFeFdK2m0/3024629","token":"lIF-jg9OCCNaKtrk7xonPunIM05-m4RdeMe8Dl_6o8Q","keyAuthorization":"lIF-jg9OCCNaKtrk7xonPunIM05-m4RdeMe8Dl_6o8Q.o5UaFdoYU_GiKb2Ym95NBcg0_h-bD4QFN0Yig6i6knk"},{"type":"dns-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/AnkhjBOtP-zcal60KeL5d7JWhuk_-BcqnguFeFdK2m0/3024630","token":"n--MYw3pp7MET9g3dzI0afCv4J3p-oykXbn5zruTiJI"},{"type":"tls-sni-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/AnkhjBOtP-zcal60KeL5d7JWhuk_-BcqnguFeFdK2m0/3024631","token":"fpoz2sxtThuYdau0NmvbONuCXYEZQ8iM8MeMq1R5Mpo"}],"combinations":[[0],[1],[2]]}'
>     2016-04-05 20:53:17,417:DEBUG:acme.client:Received response <Response [200]> (headers: {'Content-Length': '891', 'Expires': 'Tue, 05 Apr 2016 20:53:17 GMT', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Link': '<https://acme-staging.api.letsencrypt.org/acme/new-cert>;rel="next"', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 05 Apr 2016 20:53:17 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'LSlqUIoIZvL7DEbfyp53tZeZ4eYD-YgW4V7OivKh8J8'}): '{"identifier":{"type":"dns","value":"omdcheck.mysite.com"},"status":"pending","expires":"2016-04-12T20:51:58Z","challenges":[{"type":"http-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/AnkhjBOtP-zcal60KeL5d7JWhuk_-BcqnguFeFdK2m0/3024629","token":"lIF-jg9OCCNaKtrk7xonPunIM05-m4RdeMe8Dl_6o8Q","keyAuthorization":"lIF-jg9OCCNaKtrk7xonPunIM05-m4RdeMe8Dl_6o8Q.o5UaFdoYU_GiKb2Ym95NBcg0_h-bD4QFN0Yig6i6knk"},{"type":"dns-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/AnkhjBOtP-zcal60KeL5d7JWhuk_-BcqnguFeFdK2m0/3024630","token":"n--MYw3pp7MET9g3dzI0afCv4J3p-oykXbn5zruTiJI"},{"type":"tls-sni-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/AnkhjBOtP-zcal60KeL5d7JWhuk_-BcqnguFeFdK2m0/3024631","token":"fpoz2sxtThuYdau0NmvbONuCXYEZQ8iM8MeMq1R5Mpo"}],"combinations":[[0],[1],[2]]}'
>     2016-04-05 20:53:17,422:DEBUG:acme.challenges:dns-01 was not recognized, full message: {u'status': u'pending', u'token': u'n--MYw3pp7MET9g3dzI0afCv4J3p-oykXbn5zruTiJI', u'type': u'dns-01', u'uri': u'https://acme-staging.api.letsencrypt.org/acme/challenge/AnkhjBOtP-zcal60KeL5d7JWhuk_-BcqnguFeFdK2m0/3024630'}
>     2016-04-05 20:53:20,430:DEBUG:root:Sending GET request to https://acme-staging.api.letsencrypt.org/acme/authz/AnkhjBOtP-zcal60KeL5d7JWhuk_-BcqnguFeFdK2m0. args: (), kwargs: {}
>     2016-04-05 20:53:20,435:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
>     2016-04-05 20:53:20,541:DEBUG:requests.packages.urllib3.connectionpool:"GET /acme/authz/AnkhjBOtP-zcal60KeL5d7JWhuk_-BcqnguFeFdK2m0 HTTP/1.1" 200 1309
>     2016-04-05 20:53:20,549:DEBUG:root:Received <Response [200]>. Headers: {'Content-Length': '1309', 'Expires': 'Tue, 05 Apr 2016 20:53:20 GMT', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Link': '<https://acme-staging.api.letsencrypt.org/acme/new-cert>;rel="next"', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 05 Apr 2016 20:53:20 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'DLOahtxXE5wlHmX87_a8e2e9H1So1tq6Tr1IO1xcVc8'}. Content: '{"identifier":{"type":"dns","value":"omdcheck.mysite.com"},"status":"invalid","expires":"2016-04-12T20:51:58Z","challenges":[{"type":"http-01","status":"invalid","error":{"type":"urn:acme:error:connection","detail":"Could not connect to http://omdcheck.mysite.com/.well-known/acme-challenge/lIF-jg9OCCNaKtrk7xonPunIM05-m4RdeMe8Dl_6o8Q"},"uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/AnkhjBOtP-zcal60KeL5d7JWhuk_-BcqnguFeFdK2m0/3024629","token":"lIF-jg9OCCNaKtrk7xonPunIM05-m4RdeMe8Dl_6o8Q","keyAuthorization":"lIF-jg9OCCNaKtrk7xonPunIM05-m4RdeMe8Dl_6o8Q.o5UaFdoYU_GiKb2Ym95NBcg0_h-bD4QFN0Yig6i6knk","validationRecord":[{"url":"http://omdcheck.mysite.com/.well-known/acme-challenge/lIF-jg9OCCNaKtrk7xonPunIM05-m4RdeMe8Dl_6o8Q","hostname":"omdcheck.mysite.com","port":"80","addressesResolved":["66.YY.ZZ.XXX"],"addressUsed":"66.YY.ZZ.XXX"}]},{"type":"dns-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/AnkhjBOtP-zcal60KeL5d7JWhuk_-BcqnguFeFdK2m0/3024630","token":"n--MYw3pp7MET9g3dzI0afCv4J3p-oykXbn5zruTiJI"},{"type":"tls-sni-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/AnkhjBOtP-zcal60KeL5d7JWhuk_-BcqnguFeFdK2m0/3024631","token":"fpoz2sxtThuYdau0NmvbONuCXYEZQ8iM8MeMq1R5Mpo"}],"combinations":[[0],[1],[2]]}'
>     2016-04-05 20:53:20,554:DEBUG:acme.client:Received response <Response [200]> (headers: {'Content-Length': '1309', 'Expires': 'Tue, 05 Apr 2016 20:53:20 GMT', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Link': '<https://acme-staging.api.letsencrypt.org/acme/new-cert>;rel="next"', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 05 Apr 2016 20:53:20 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'DLOahtxXE5wlHmX87_a8e2e9H1So1tq6Tr1IO1xcVc8'}): '{"identifier":{"type":"dns","value":"omdcheck.mysite.com"},"status":"invalid","expires":"2016-04-12T20:51:58Z","challenges":[{"type":"http-01","status":"invalid","error":{"type":"urn:acme:error:connection","detail":"Could not connect to http://omdcheck.mysite.com/.well-known/acme-challenge/lIF-jg9OCCNaKtrk7xonPunIM05-m4RdeMe8Dl_6o8Q"},"uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/AnkhjBOtP-zcal60KeL5d7JWhuk_-BcqnguFeFdK2m0/3024629","token":"lIF-jg9OCCNaKtrk7xonPunIM05-m4RdeMe8Dl_6o8Q","keyAuthorization":"lIF-jg9OCCNaKtrk7xonPunIM05-m4RdeMe8Dl_6o8Q.o5UaFdoYU_GiKb2Ym95NBcg0_h-bD4QFN0Yig6i6knk","validationRecord":[{"url":"http://omdcheck.mysite.com/.well-known/acme-challenge/lIF-jg9OCCNaKtrk7xonPunIM05-m4RdeMe8Dl_6o8Q","hostname":"omdcheck.mysite.com","port":"80","addressesResolved":["66.YY.ZZ.XXX"],"addressUsed":"66.YY.ZZ.XXX"}]},{"type":"dns-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/AnkhjBOtP-zcal60KeL5d7JWhuk_-BcqnguFeFdK2m0/3024630","token":"n--MYw3pp7MET9g3dzI0afCv4J3p-oykXbn5zruTiJI"},{"type":"tls-sni-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/AnkhjBOtP-zcal60KeL5d7JWhuk_-BcqnguFeFdK2m0/3024631","token":"fpoz2sxtThuYdau0NmvbONuCXYEZQ8iM8MeMq1R5Mpo"}],"combinations":[[0],[1],[2]]}'
>     2016-04-05 20:53:20,560:DEBUG:acme.challenges:dns-01 was not recognized, full message: {u'status': u'pending', u'token': u'n--MYw3pp7MET9g3dzI0afCv4J3p-oykXbn5zruTiJI', u'type': u'dns-01', u'uri': u'https://acme-staging.api.letsencrypt.org/acme/challenge/AnkhjBOtP-zcal60KeL5d7JWhuk_-BcqnguFeFdK2m0/3024630'}
>     2016-04-05 20:53:20,566:INFO:letsencrypt.reporter:Reporting to user: The following errors were reported by the server:

Is this caused by the current keys on the server? Or the Apache host config? I believe our DNS is configured correctly.

Thanks,
David

Hello @dwelch,

I suppose your real domain is omdcheck.arZZZom.com (as you want to hide it, I’ve replaced 3 characters with Z), and you said that you can access it externally; well, I can’t. I tested it from 4 different countries and the result is always the same: timeout.

$ curl -i http://omdcheck.arZZZom.com
curl: (7) Failed to connect to omdcheck.arZZZom.com port 80: Connection timed out

Double-check that your site is reachable from the internet, the web server is up and running, the firewall has the right rules, etc.

Cheers,
sahsanu
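
An added example, not part of either post: the debug log above contains both the client's own fetch of the challenge file (HTTP 200 from the workstation) and the CA's `validationRecord` showing the address and port it failed to reach. This Python sketch extracts both views from such a log and reports the mismatch; the sample log, host name and address are constructed placeholders, and it assumes the authz JSON appears unescaped after `Content: '` as it does in this log.

```python
import json
import re

# Constructed sample in the shape of the debug log above; host, token and
# address are placeholders (203.0.113.0/24 is a documentation range).
SAMPLE_LOG = (
    '2016-04-05 20:53:13,940:DEBUG:requests.packages.urllib3.connectionpool:'
    '"GET /.well-known/acme-challenge/TOKEN HTTP/1.1" 200 88\n'
    "2016-04-05 20:53:20,549:DEBUG:root:Received <Response [200]>. "
    "Headers: {'Content-Type': 'application/json'}. Content: '"
    '{"identifier":{"type":"dns","value":"www.example.com"},"status":"invalid",'
    '"challenges":[{"type":"http-01","status":"invalid","error":{"type":'
    '"urn:acme:error:connection","detail":"Could not connect"},'
    '"validationRecord":[{"hostname":"www.example.com","port":"80",'
    '"addressesResolved":["203.0.113.10"],"addressUsed":"203.0.113.10"}]},'
    '{"type":"dns-01","status":"pending"}]}'
    "'\n"
)

SELF_CHECK = re.compile(r'"GET (/\.well-known/acme-challenge/\S+) HTTP/1\.[01]" (\d{3})')
AUTHZ_BODY = re.compile(r"Content: '(\{\"identifier\".*\})'\s*$")

def local_self_checks(log_text):
    """(path, status) for each challenge fetch made from the client machine."""
    return [(m.group(1), int(m.group(2))) for m in SELF_CHECK.finditer(log_text)]

def ca_failures(log_text):
    """Invalid challenges as the CA recorded them, with the address it dialed."""
    out = []
    for line in log_text.splitlines():
        m = AUTHZ_BODY.search(line)
        if not m:
            continue
        authz = json.loads(m.group(1))
        for ch in authz.get("challenges", []):
            if ch.get("status") != "invalid":
                continue
            for rec in ch.get("validationRecord") or [{}]:
                out.append({"domain": authz["identifier"]["value"], "type": ch["type"],
                            "error": ch.get("error", {}).get("type"),
                            "address": rec.get("addressUsed"), "port": rec.get("port")})
    return out

def diagnose(log_text):
    """Flag the mismatch: fetch works locally, CA cannot connect."""
    local_ok = any(status == 200 for _, status in local_self_checks(log_text))
    return [f"{f['domain']}: local fetch {'OK' if local_ok else 'not OK'}, but the CA "
            f"could not connect to {f['address']}:{f['port']} ({f['error']})"
            for f in ca_failures(log_text) if f["error"] == "urn:acme:error:connection"]

if __name__ == "__main__":
    print("\n".join(diagnose(SAMPLE_LOG)))
```

A 200 in the local fetch only proves the file is served on the network path the workstation uses; the `addressUsed` and `port` values are what to test from outside that network.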
