Letsencrypt challenge failed

Hi,
I have installed certbot version 1.24.0 on Windows 10.
3 months ago I issued a certificate for another server using the command below:
certbot certonly --manual
Everything worked perfectly.
Now the certificate is about to expire. When I run the same command I get the error below. I have to mention that I can access the token from the server using a browser.

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
  Domain: foo.bar
  Type:   unauthorized
  Detail: ip address: Invalid response from http://foo.bar/.well-known/acme-challenge/1HTTF7ccgiTSDdEahjfCUOogBBmyULELCSD4k29rGRg: "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\"><html x"

Hint: The Certificate Authority failed to verify the manually created challenge files. Ensure that you created these in the correct location.

The log file is below:


2022-06-29 12:56:48,789:DEBUG:acme.client:JWS payload:
b'{}'
2022-06-29 12:56:48,797:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2847006024/KR2mfw:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC81OTA1NjM4NCIsICJub25jZSI6ICIwMDAyT0JsamlleTFlR1JFWmtyNmx1bExlaFhMQS1jb3dTa0pVN0tnaW9JNzBsSSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9jaGFsbC12My8yODQ3MDA2MDI0L0tSMm1mdyJ9",
  "signature": "NG2KWRapPWD0jCiS8fr89JUngxpVrOyCgrRcBz7zbeSjbZHg6PZslrHGzginRDXqnuxUllX0mhKY_AUbihbFBrXcGnY0GoyHK1cvRWe-09Lk8-SpZuBNAV0ZAOPXUUIqn8EWNEpWoUdphPCA-Ay1g0xeGVmYkkj_SeLa5-9881qJtVc69uDSq_vrqhujm0VtZuaqYw8XdpLWbhHwvsMbpTYXKWm1stqKDPoa7NqNwxMaFwCNx27zHENy5nzx5tREMr9LE2f8frW7A4wrgBx9VONJTttqk-Pkgt3YFR7eONl1qosMzQCtneJ5hJkCL7HVKLdrbRP0ai0tZ04GhAC2QQ",
  "payload": "e30"
}
2022-06-29 12:56:48,982:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/2847006024/KR2mfw HTTP/1.1" 200 193
2022-06-29 12:56:48,983:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 29 Jun 2022 10:56:48 GMT
Content-Type: application/json
Content-Length: 193
Connection: keep-alive
Boulder-Requester: 59056384
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/2847006024>;rel="up"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2847006024/KR2mfw
Replay-Nonce: 0001gDboCd5imYOjvNvVekvdjYVjn2UHzMWbS8qhA4eOECA
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2847006024/KR2mfw",
  "token": "1HTTF7ccgiTSDdEahjfCUOogBBmyULELCSD4k29rGRg"
}
2022-06-29 12:56:48,983:DEBUG:acme.client:Storing nonce: 0001gDboCd5imYOjvNvVekvdjYVjn2UHzMWbS8qhA4eOECA
2022-06-29 12:56:48,983:INFO:certbot._internal.auth_handler:Waiting for verification...
2022-06-29 12:56:49,991:DEBUG:acme.client:JWS payload:
b''
2022-06-29 12:56:50,000:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/2847006024:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC81OTA1NjM4NCIsICJub25jZSI6ICIwMDAxZ0Rib0NkNWltWU9qdk52VmVrdmRqWVZqbjJVSHpNV2JTOHFoQTRlT0VDQSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8yODQ3MDA2MDI0In0",
  "signature": "eeiyn4e3NvOJJfd16KevcWC8eE9efUjMp7DV0TAxJSsJF6cGulByu8QCu8uiAzdpUjYm2RmSSN5XhFPajH_83JuuYKPNw8YCNa5vyOleUdWcov2RnOg1euGJLWrRn7SzRLdrPUO09Bt5qWysdjOkF5FfGZQQJQEtmLbm-UDNsySnHjM4DUqZ2d-hvvzmabHAM1B8NLAi6b53gz0YYFM5efoSHi1U_YLjePxvzVx0e2ngT7iyAOc9TfLuOpmiCS_Gmix5W-uAzbiQXIAhogj3DxlYj_o3YuD17OZrQ_pTVV60PahrORwLevNf4Yg5bbGj4z4Y0jUm1XrzTf9I3O1Jiw",
  "payload": ""
}
2022-06-29 12:56:50,183:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/2847006024 HTTP/1.1" 200 1199
2022-06-29 12:56:50,184:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 29 Jun 2022 10:56:50 GMT
Content-Type: application/json
Content-Length: 1199
Connection: keep-alive
Boulder-Requester: 59056384
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 00023HK8fjWljZAUiwjzrSJKIMnpjXSPzRlOmOK0lm5ciEs
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "foo.bar"
  },
  "status": "invalid",
  "expires": "2022-07-06T10:55:17Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "ip_address: Invalid response from http://foo.bar/.well-known/acme-challenge/1HTTF7ccgiTSDdEahjfCUOogBBmyULELCSD4k29rGRg: \"\u003c!DOCTYPE html PUBLIC \\\"-//W3C//DTD XHTML 1.0 Transitional//EN\\\" \\\"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\\\"\u003e\u003chtml x\"",
        "status": 403
      },
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/2847006024/KR2mfw",
      "token": "1HTTF7ccgiTSDdEahjfCUOogBBmyULELCSD4k29rGRg",
      "validationRecord": [
        {
          "url": "http://foo.bar/.well-known/acme-challenge/1HTTF7ccgiTSDdEahjfCUOogBBmyULELCSD4k29rGRg",
          "hostname": "foo.bar",
          "port": "80",
          "addressesResolved": [
            "ip_address"
          ],
          "addressUsed": "ip_address"
        }
      ],
      "validated": "2022-06-29T10:56:48Z"
    }
  ]
}
2022-06-29 12:56:50,184:DEBUG:acme.client:Storing nonce: 00023HK8fjWljZAUiwjzrSJKIMnpjXSPzRlOmOK0lm5ciEs
2022-06-29 12:56:50,184:INFO:certbot._internal.auth_handler:Challenge failed for domain foo.bar
2022-06-29 12:56:50,184:INFO:certbot._internal.auth_handler:http-01 challenge for foo.bar
2022-06-29 12:56:50,185:DEBUG:certbot._internal.display.obj:Notifying user: 
Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
  Domain: foo.bar
  Type:   unauthorized
  Detail: ip_address: Invalid response from http://foo.bar/.well-known/acme-challenge/1HTTF7ccgiTSDdEahjfCUOogBBmyULELCSD4k29rGRg: "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\"><html x"

Hint: The Certificate Authority failed to verify the manually created challenge files. Ensure that you created these in the correct location.

2022-06-29 12:56:50,186:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\auth_handler.py", line 106, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\auth_handler.py", line 206, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2022-06-29 12:56:50,187:DEBUG:certbot._internal.error_handler:Calling registered functions
2022-06-29 12:56:50,187:INFO:certbot._internal.auth_handler:Cleaning up challenges
2022-06-29 12:56:50,187:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "runpy.py", line 197, in _run_module_as_main
  File "runpy.py", line 87, in _run_code
  File "C:\Program Files (x86)\Certbot\bin\certbot.exe\__main__.py", line 29, in <module>
    sys.exit(main())
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\main.py", line 19, in main
    return internal_main.main(cli_args)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\main.py", line 1679, in main
    return config.func(config, plugins)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\main.py", line 1538, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\main.py", line 139, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\client.py", line 513, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\client.py", line 441, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\client.py", line 493, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\auth_handler.py", line 106, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\auth_handler.py", line 206, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2022-06-29 12:56:50,190:ERROR:certbot._internal.log:Some challenges have failed.

Welcome to the community @pasinpasin

When you said you can access the file from a browser was that from the public internet? Or just your local network?

The above error shows what the Let's Encrypt server saw when it made that request. As you can see it is not the contents of the challenge file you created with the manual method.


I can browse the token from the public internet.

Can you share the domain name? And, is the file in your first post still there?

Something is blocking Let's Encrypt server. Hard to help in this case without knowing the name. Could there be a geographic based firewall interfering with the request?

Maybe try using the Let's Debug test site. It might give a little more info.

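Added example, not part of the thread and not certbot's own code: a small triage script that reads an authorization object like the one in the debug log above and reports, for each failed http-01 challenge, which URL and address the validator used and whether the body it received was a key authorization or an HTML page. The function names are hypothetical, the `Invalid response from ...` detail format is taken from the log on this page, and the 43-character thumbprint shape is the base64url length of a SHA-256 digest.

```python
import json
import re

# Authorization object trimmed from the debug log above; "ip_address" is the
# poster's own redaction and the HTML snippet is shortened.
AUTHZ = json.loads(r'''{
 "identifier": {"type": "dns", "value": "foo.bar"},
 "status": "invalid",
 "challenges": [{
  "type": "http-01", "status": "invalid",
  "error": {"type": "urn:ietf:params:acme:error:unauthorized", "status": 403,
   "detail": "ip_address: Invalid response from http://foo.bar/.well-known/acme-challenge/1HTTF7ccgiTSDdEahjfCUOogBBmyULELCSD4k29rGRg: \"\u003c!DOCTYPE html PUBLIC \\\"-//W3C//DTD XHTML 1.0\""},
  "token": "1HTTF7ccgiTSDdEahjfCUOogBBmyULELCSD4k29rGRg",
  "validationRecord": [{"url": "http://foo.bar/.well-known/acme-challenge/1HTTF7ccgiTSDdEahjfCUOogBBmyULELCSD4k29rGRg",
                        "addressUsed": "ip_address"}]
 }]}''')

# RFC 8555 section 8.3: the body must be "<token>.<thumbprint>", where the
# thumbprint is the base64url SHA-256 of the account key (43 characters).
THUMBPRINT = re.compile(r"[A-Za-z0-9_-]{43}")

def classify_body(body, token):
    """Say what the validator received relative to the key authorization."""
    text = body.strip()  # trailing whitespace is tolerated by the validator
    head, _, tail = text.partition(".")
    if head == token and THUMBPRINT.fullmatch(tail):
        return "key-authorization"
    if text.lower().startswith(("<!doctype", "<html", "<?xml")):
        return "html-page"  # error page, login page, WAF or geo-block notice
    if text.startswith(token):
        return "token-but-malformed"  # token only, or extra content appended
    return "other"

def failed_http01(authz):
    """Yield (url, address_used, error_type, body_class) per failed http-01."""
    for ch in authz.get("challenges", []):
        if ch.get("type") != "http-01" or ch.get("status") != "invalid":
            continue
        err = ch.get("error", {})
        m = re.search(r'Invalid response from \S+: "(.*)"\s*$', err.get("detail", ""), re.S)
        body = m.group(1) if m else ""
        rec = (ch.get("validationRecord") or [{}])[-1]  # last hop after redirects
        yield (rec.get("url"), rec.get("addressUsed"),
               err.get("type"), classify_body(body, ch.get("token", "")))

if __name__ == "__main__":
    for row in failed_http01(AUTHZ):
        print(row)
```

An `html-page` result together with the `addressUsed` value shows which host answered the validator, which is the thing to compare against what a browser on another network receives for the same URL.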