Lets encrypt failed to reassign

Let's Encrypt reissue certificate failed; cannot reassign certificate after its expiry.

I have tried [Click here] but it won't resolve my issue.

Could not issue an SSL/TLS certificate for example.com
Details
Could not issue a Let's Encrypt SSL/TLS certificate for example.com. Authorization for the domain failed.

Details
Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/13702377123.

Details:

Type: urn:ietf:params:acme:error:tls

Status: 400

Detail: Fetching https://example.com/.well-known/acme-challenge/VhE1uDRybB2LF4ULjNeJOHW-JgUik56ZPaflfM9yXqQ: remote error: tls: handshake failure

2 Likes

The IP addresses your hostname resolves to are from Cloudflare. It's very weird that neither LE nor I nor SSLLabs can make a TLS connection to Cloudflare, but I'm not sure if there's anything we can do. I think this is something happening on Cloudflare's end.

3 Likes

The above error was from before using Cloudflare; when I couldn't find a solution, I used Cloudflare.

2 Likes

If the error is from before Cloudflare, how come the IP addresses from your error are from Cloudflare?

From the failed authorization you've linked:

          "addressesResolved": [
            "104.21.37.110",
            "172.67.207.134",
            "2606:4700:3032::ac43:cf86",
            "2606:4700:3031::6815:256e"
          ],

Those are the same IP addresses I see now at your hostname and they are all from Cloudflare.

3 Likes

It's totally messed up, I tried everything found on different sites.
The major problem I was facing was that I couldn't renew my SSL with Let's Encrypt.

At first I tried

then certbot; this cannot solve the renewal of SSL (Let's Encrypt).

Then I removed it from the hosting settings and mail settings.

Added Cloudflare ...

All are messed up.

2 Likes

Perhaps you should focus at the moment on getting your website operating again without Cloudflare.

3 Likes

I have removed Cloudflare,

and after removing it I have changed everything back to its previous state.

Then I tried to use Let's Encrypt and the error arose as:


Could not issue an SSL/TLS certificate for example.com
Details

Could not issue a Let's Encrypt SSL/TLS certificate for example.com.

The authorization token is not available at http://example.com/.well-known/acme-challenge/JkoXoheAS3zJqrYBGw3-mUDDVoFnMBLFM3MEDw0mraE.

To resolve the issue, make sure that the token file can be downloaded via the above URL.

See the related Knowledge Base article for details.

Details

Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/13708723285.

Details:

Type: urn:ietf:params:acme:error:unauthorized

1 Like

So at least your site is, except for the expired certificate, working again, so that's good.

There's an HTTP to HTTPS redirect in place for almost all requests to your site, but not for the ACME challenge on /.well-known/acme-challenge/, so it seems something knows about those validation requests and handles them differently, but apparently not well enough.

You said you've followed the steps in the link from Plesk provided with the error message. Did you also try the following part?

  • create a test.txt file in the \.well-known\acme-challenge\ folder (where Let's Encrypt stores its temporary files) and put some text into it. Then open this file in a web-browser at http://example.com/.well-known/acme-challenge/test.txt and make sure it is accessible from the Internet over HTTP without www prefix. If the file is not accessible, check website's configuration.

Because at the moment, a request for /.well-known/acme-challenge/test.txt fails.

3 Likes
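The check recommended in the reply above, put into a script (an added example, not code from this thread, from Plesk or from Let's Encrypt): it resolves the hostname, flags any address that sits in a Cloudflare range, fetches the challenge path over plain HTTP on port 80 without following redirects, and classifies what came back. The domain, token and expected file content are whatever you pass in; the Cloudflare ranges are a constructed subset of Cloudflare's published list and should be refreshed from cloudflare.com/ips before you rely on them. The hints for the two ACME error types quoted in this thread are the author's own reading of those errors, not text from Let's Encrypt.

```python
"""Self-check for a Let's Encrypt HTTP-01 validation path (added example)."""
import http.client
import ipaddress
import socket

# Constructed subset of Cloudflare's published address ranges.
# Assumption: these match the official list; refresh from cloudflare.com/ips.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13", "2606:4700::/32",
)]

# Reading of the two error types seen in this thread (author's hints, not official text).
ACME_ERROR_HINTS = {
    "urn:ietf:params:acme:error:tls":
        "the validator reached the host over HTTPS but the TLS handshake failed; "
        "check the redirect target and the TLS endpoint (proxy/CDN included)",
    "urn:ietf:params:acme:error:unauthorized":
        "the host answered but did not serve the expected token at the challenge URL; "
        "check the webroot/challenge directory mapping",
}


def is_cloudflare(ip: str) -> bool:
    """True if the address lies in one of the listed Cloudflare ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_RANGES)


def challenge_url(domain: str, token: str) -> str:
    """The exact URL the validator fetches: plain http, port 80, no www prefix."""
    return f"http://{domain}/.well-known/acme-challenge/{token}"


def classify_response(status: int, headers: dict, body: bytes, expected: bytes) -> str:
    """Map one HTTP response to a verdict. Header names are expected lower-cased."""
    if status in (301, 302, 303, 307, 308):
        # The validator follows redirects, so a redirect is only fine if the
        # target serves the token too; here we just report where it points.
        location = headers.get("location", "")
        return "redirected_to_https" if location.lower().startswith("https://") else "redirected"
    if status == 404:
        return "not_found"          # challenge directory not mapped to this path
    if status >= 500:
        return "server_error"
    if status != 200:
        return f"unexpected_status_{status}"
    if body.strip() != expected.strip():
        return "wrong_content"      # something else answered at that path
    return "ok"


def acme_error_hint(error_type: str) -> str:
    """Short explanation for an ACME problem 'type' value."""
    return ACME_ERROR_HINTS.get(
        error_type, "unrecognised error type; read the problem document's 'detail' field")


def check_http01(domain: str, token: str, expected: bytes, timeout: float = 10.0) -> dict:
    """Resolve the host, then fetch the challenge URL once, without following redirects."""
    result = {"url": challenge_url(domain, token), "resolved": [], "verdict": None}
    for info in socket.getaddrinfo(domain, 80, proto=socket.IPPROTO_TCP):
        ip = info[4][0]
        result["resolved"].append({"ip": ip, "cloudflare": is_cloudflare(ip)})
    conn = http.client.HTTPConnection(domain, 80, timeout=timeout)
    try:
        conn.request("GET", f"/.well-known/acme-challenge/{token}", headers={"Host": domain})
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        result["verdict"] = classify_response(resp.status, headers, resp.read(), expected)
    except (OSError, http.client.HTTPException) as exc:
        result["verdict"] = f"connection_failed: {exc}"
    finally:
        conn.close()
    return result


if __name__ == "__main__":
    import sys
    domain, token, expected = sys.argv[1], sys.argv[2], sys.argv[3].encode()
    print(check_http01(domain, token, expected))
```

Run it as `python check_http01.py example.com test.txt "hello"` after creating test.txt with that content in the challenge directory; a verdict of `not_found` with a working HTTPS site is the situation described in this thread, and a `redirected_to_https` verdict means the HTTPS endpoint must itself serve the token.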

I have checked, please see the screenshot below.

When I keep https:// then

2 Likes

Welcome to the Let's Encrypt Community, Manjil 🙂

I've looked over everything presented in this topic and can confirm that I can access the test.txt file, but only over https.

I think a clue may be found in the Physical Path in the Detailed Error Information section shown in the following screenshot:

Where's the .well-known?

3 Likes

file manager > .well-known

1 Like

How though does that relate to the Physical Path shown in the screenshot I referenced? Perhaps more importantly, what's the difference in file service location or options between http and https? Clearly file service works for https, so what is either preventing it from working for http or causing IIS to look elsewhere for http?

3 Likes

http://example.com/httpdocs/.well-known/... is not the path where certbot is looking. It expects the challenge folder containing the test file here:
http://example.com/.well-known/acme-challenge/test.txt


See the folder structure in the error message you received for the location of the token where the token was expected - no httpdocs folder is in the expected path.

Move the /.well-known folder out of the httpdocs folder and make it a first level folder directly below the domain. Then see if you can access/download the test file from the above URL.

3 Likes

It looks like IIS/Plesk/whatever is handling the requests for /.well-known/acme-challenge/ in a whole different manner than "just" a physical place? If you look at the following line from the error message when you try to open the test.txt through HTTP:

Requested URL http://acme-challenge.localhost:80/test.txt

This suggests to me that there's some kind of reverse proxy thing going on? Might be a Plesk thing?

That said, this is way above my head (Windows, IIS, Plesk...), so I won't be able to help with this, unfortunately.

2 Likes

So it looks like Plesk uses a "common challenge directory" and you may need to configure that - see the Resolution section of this article: Unable to issue Let’s Encrypt certificate for domain in Plesk: misconfiguration of the Common Challenge Directory – Plesk Help Center

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.