Let's Encrypt Failing to Generate Cert - Ubiquiti UNMS

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: unms.tcbns.com

I ran this command: None, through UNMS GUI

It produced this output:

Last refresh of SSL certificate had failed.

Timestamp: Today at 14:07
Error: Failed authorization procedure. unms.tcbns.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://unms.tcbns.com/.well-known/acme-challenge/XW8xuh_Mg9cSzPa-f5a-MsmEOJTl_6IUsLdXXH6pRj4 [167.99.161.166]: "\r {br} 404 Not Found\r {br} <body bgcolor=\"white\">\r {br}

404 Not Found

\r {br}
" {br} Failed to generate or update Let’s Encrypt certificate. {br} Found default certificate for ‘localhost’. {br} Generating self-signed certificate for ‘unms.tcbns.com’. {br}

My web server is (include version): nginx, unsure of how to check, UNMS installation is automatically scripted and uses Docker (not experienced with Docker, and AFAIK this is the only official way to set up UNMS according to Ubiquiti)

The operating system my web server runs on is (include version): Ubuntu Server 18.04

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot not found, assuming because of Docker.

This is a brand new Ubuntu Server 18.04 instance with a brand new install of UNMS following this guide

Also, I think I hit the cooldown yesterday when testing. How long does that last? I was going to try and do a --dry-run but I don’t understand how to do that within Docker.

Hi @diceman

looks like it is nearly impossible to see errors.

This

looks like a closed world.

The main configuration looks ok ( https://check-your-website.server-daten.de/?q=unms.tcbns.com ):

Domainname (IP) | Http-Status | redirect | Sec. | G
http://unms.tcbns.com/ (167.99.161.166) | 301 | https://unms.tcbns.com:443/ | 0.340 | A
https://unms.tcbns.com/ (167.99.161.166) | 200 | | 1.584 | N
    Certificate error: RemoteCertificateChainErrors
https://unms.tcbns.com:443/ | 200 | | 1.407 | N
    Certificate error: RemoteCertificateChainErrors
http://unms.tcbns.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de (167.99.161.166) | 404 | | 0.344 | A
    Not Found
    Visible Content: 404 Not Found nginx

Port 80 is open; checking /.well-known/acme-challenge/unknown-file there gives the expected result, http status 404 - Not found.

Checking that

Do you use a reverse proxy with wrong settings? A wrong port forwarding? Or is your hostname wrong?

But the self signed certificate

CN=unms.tcbns.com, 30.04.2019 - 06.04.2119, expires in 36499 days, unms.tcbns.com - 1 entry

has the correct domain name, not "localhost".

I have not performed any of the optional steps, only the installation guide. The IP you are seeing there is our old instance that is still in production, we are also running UniFi on that one. Today I was hoping to set both up on their own servers to save complexity (was getting the same error in UNMS on that instance as well).

Shouldn’t be an issue with them having the same host-names should it? I haven’t updated DNS records yet either

This

is your error.

Letsencrypt must check if you are the domain owner. So the file http://domainname/.well-known/acme-challenge/token is checked to see if it has the correct content.

So if your dns entry points to another ip address / your old server and if you use http-01 validation, that can't work.

So if I update that entry it should work? Still wondering why the older server fails then

Sorry, I’m not really a web guy. These are my only web servers

Please read the basics:

And something about Challenges:

Every new certificate requires a new order, every order comes with new random tokens (one per domain name).

So the client creates a file /.well-known/acme-challenge/token-of-that-order and Letsencrypt checks that.

If the dns entry points to another server, it's (normally) impossible that this works (it's possible if the old server would have a redirect to the new server, but that's not a typical setting).
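The two explanations above (the CA fetching /.well-known/acme-challenge/token on the host the DNS entry points to, and the per-order token the client must place there) and the earlier reverse-proxy question can be walked through offline. The following is an added example written for this thread, not code from Let's Encrypt, UNMS or the original posters. It builds the key authorization the way RFC 8555 section 8.1 and RFC 7638 define it (token "." JWK thumbprint), then replays the CA's http-01 check against a constructed in-memory "internet" (ip -> {path: body}). The domain name, token, account key and the 198.51.100.10 / 203.0.113.20 addresses are constructed sample values (RFC 5737 documentation ranges), not the thread's real hosts; the `diagnose_http01` helper and its inputs are this example's own design, and in practice you would feed it the output of `dig +short` and your host's public address.

```python
import base64
import hashlib
import json

ACME_PATH = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME/JOSE use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Body the client must serve at /.well-known/acme-challenge/<token> (RFC 8555 s8.1)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def diagnose_http01(domain, token, account_jwk, dns_a_records, local_public_ips, web):
    """Replay the http-01 validation the way the CA performs it and explain a failure.

    dns_a_records    : A records the CA will resolve for `domain`
    local_public_ips : addresses the host running the ACME client answers on
    web              : constructed stand-in for the internet, ip -> {path: body}
    Returns (ok, reason). Hypothetical helper written for this example.
    """
    expected = key_authorization(token, account_jwk)
    path = ACME_PATH + token
    if not set(dns_a_records) & set(local_public_ips):
        # The CA follows DNS, so it never reaches the host that wrote the file.
        return False, (f"DNS for {domain} resolves to {sorted(dns_a_records)} but this host is "
                       f"{sorted(local_public_ips)}; http-01 is checked on the host DNS points to")
    for ip in dns_a_records:
        body = web.get(ip, {}).get(path)
        if body is None:
            # Right host but nothing at the path: typically a proxy or port forward
            # that does not pass /.well-known/acme-challenge/ through to the client.
            return False, f"{ip} answered 404 for {path}"
        if body.strip() != expected:
            return False, f"{ip} served the wrong key authorization for {path}"
    return True, "challenge file reachable with the expected key authorization"


# Constructed sample values for this example (not the thread's real domain, IPs or key).
OLD_SERVER, NEW_SERVER = "198.51.100.10", "203.0.113.20"
DOMAIN = "unms.example"
TOKEN = "sample-order-token-AbC123"
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}


def scenario_dns_points_to_old_server():
    """DNS still names the old production box; the new box holds the challenge file."""
    web = {OLD_SERVER: {"/": "old UNMS instance"},          # no challenge file here
           NEW_SERVER: {ACME_PATH + TOKEN: key_authorization(TOKEN, SAMPLE_JWK)}}
    return diagnose_http01(DOMAIN, TOKEN, SAMPLE_JWK, [OLD_SERVER], [NEW_SERVER], web)


def scenario_dns_updated():
    """DNS updated to the new box, which serves the token for this order."""
    web = {NEW_SERVER: {ACME_PATH + TOKEN: key_authorization(TOKEN, SAMPLE_JWK)}}
    return diagnose_http01(DOMAIN, TOKEN, SAMPLE_JWK, [NEW_SERVER], [NEW_SERVER], web)


def scenario_right_host_wrong_path():
    """DNS is right, but something in front of the client swallows /.well-known/."""
    web = {NEW_SERVER: {"/": "UNMS login page"}}
    return diagnose_http01(DOMAIN, TOKEN, SAMPLE_JWK, [NEW_SERVER], [NEW_SERVER], web)


if __name__ == "__main__":
    for scenario in (scenario_dns_points_to_old_server, scenario_dns_updated,
                     scenario_right_host_wrong_path):
        ok, reason = scenario()
        print(f"{scenario.__name__}: {'OK' if ok else 'FAIL'} - {reason}")
```

The first scenario is the situation in this thread: the file exists, but on a host the CA never contacts, so the error is a 404 from the other server. The third scenario is the other common cause the reply asked about, a reverse proxy or port forward on the correct host that does not pass the challenge path through. Because the token changes with every order, a stale file from an earlier attempt never helps; only the current order's key authorization at the current token path counts.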


Thanks for the resources. Typically I like to dive into subjects like this but I haven’t had the time… Will do.

