Http-01 challenge fails

s-trooper · April 9, 2019, 10:11am

Hi, i got a problem by try to switch from “TLS-SNI-01” to “HTTP-01” challenge. certbot says that it cannot access: “http://jupiter.cocq.de/.well-known/acme-challenge/caC8YqHsj0dpEXXhortW5u3qhOT9zdXJFntGMQlTUxo”, but i have made a copy of those file during a test/debug runs and it is publicly accessible from web!

My domain is:
jupiter.cocq.de

I ran this command:
certbot run -a webroot -i apache -w /var/www/html -d jupiter.cocq.de --debug-challenges

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer apache
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for jupiter.cocq.de
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification…

Challenges loaded. Press continue to submit to CA. Pass “-v” for more info about
challenges.

Press Enter to Continue
Cleaning up challenges
Failed authorization procedure. jupiter.cocq.de (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://jupiter.cocq.de/.well-known/acme-challenge/caC8YqHsj0dpEXXhortW5u3qhOT9zdXJFntGMQlTUxo: Timeout during connect (likely firewall problem)

IMPORTANT NOTES:

The following errors were reported by the server:

Domain: jupiter.cocq.de
Type: connection
Detail: Fetching
http://jupiter.cocq.de/.well-known/acme-challenge/caC8YqHsj0dpEXXhortW5u3qhOT9zdXJFntGMQlTUxo:
Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

My web server is (include version):
Server version: Apache/2.4.25 (Debian)

The operating system my web server runs on is (include version):
Debian GNU/Linux 9 (stretch)

My hosting provider, if applicable, is:
I don’t know

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.28.0

JuergenAuer · April 9, 2019, 10:22am

Hi @s-trooper

there is a check-result of your domain, 40 minutes old ( https://check-your-website.server-daten.de/?q=jupiter.cocq.de ):

Domainname	Http-Status	redirect	Sec.	G
• http://jupiter.cocq.de/
212.60.194.24	-14		10.026	T
Timeout - The operation has timed out

• https://jupiter.cocq.de/
212.60.194.24	302	https://jupiter.cocq.de/Login.aspx?ReturnUrl=%2F	0.246	B

• https://jupiter.cocq.de/Login.aspx?ReturnUrl=%2F	200		0.383	I

• http://jupiter.cocq.de/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
212.60.194.24	-14		10.040	T
Timeout - The operation has timed out
Visible Content:

If you want to use http-01 validation, an open port 80 is required.

Your port 80 doesn't answer, so that can't work.

Open port 80 and configure your webserver, so Letsencrypt can fetch the validation file (in /.well-known/acme-challenge).

s-trooper · April 9, 2019, 11:43am

thank you for response, but port 80 is open you can access to “http://jupiter.cocq.de/.well-known/acme-challenge/”.
curl -IkL -m20 http://jupiter.cocq.de:80/.well-known/acme-challenge/
give me:
HTTP/1.1 200 OK
Date: Tue, 09 Apr 2019 11:41:03 GMT
Server: Apache/2.4.25 (Debian)
Content-Type: text/html;charset=UTF-8

is the problem that apache web server listen to port 80?

cpu · April 9, 2019, 12:06pm

Hi @s-trooper,

How did you test this? When I try it seems as though I get the same result as @JuergenAuer - the website is not accessible and times out.

s-trooper · April 9, 2019, 12:07pm

omg, my admin has tell me that port 80 is blocked! but not for my pc. really sorry guys

cpu · April 9, 2019, 12:18pm

D’oh!

Unfortunately that means you won’t be able to use HTTP-01 to authorize your domain name.

Have you looked at the option of using a DNS-01 challenges? Who provides the authoritative DNS for jupiter.cocq.de and do they provide some kind of API for changing TXT records? Certbot has a selection of DNS plugins for this.

s-trooper · April 9, 2019, 1:12pm

now we know what the issue is i just got port 80 open from my admin, thank you for help.

cpu · April 9, 2019, 1:13pm

Even better! Glad to hear you were able to find a solution that worked

system · May 9, 2019, 1:13pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Http-01 challenge fails Server	2	2153	May 5, 2016
Failed http-01 challenge Help	11	4708	September 8, 2021
HTTP-01 Challenge Failed Help	3	442	June 18, 2021
Failed authorization procedure. (http-01) Help	2	1247	April 13, 2018
Certbot - Cannot Pass HTTP-01 Challenge Help	4	2214	June 14, 2017

Http-01 challenge fails

Related topics