LetsEncrypt doesn't generate cert when link is accessible

Server
1

Hello,

I'm running

./letsencrypt-auto certonly -a manual --rsa-key-size 4096 -d my.sub.domain.com

which points to an ubuntu vm that i'm running at home.

I execute the shell that letsencrypt writes in the shell (with root user), and the url works both in browser and with curl -i, but letsencrypt keeps returning an error:

Failed authorization procedure. my.sub.domain.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to http://my.sub.domain.com/.well-known/acme-challenge/foo

Domain: my.sub.domain.com
Type: connection
Detail: Could not connect to http://my.sub.domain.com
/.well-known/acme-
challenge/foo

with -vvvv I get the following msgs:

dns-01 was not recognized, full message: {u'status': u'pending',
u'token': u'V0qLMBvMjb6nbWBbi5NkRt3Iy79Fbu-4w6Pb39Q1_g4', u'type':
u'dns-01', u'uri':
u'https://acme-v01.api.letsencrypt.org/acme/challenge/E40C7kXPG3Gtkr
XXSZV0bFhepFMi0AQRh0CVEB-QH5U/69566801'}

Starting new HTTP connection (1): my.sub.domain.com
"GET
/.well-known/acme-challenge/gptSMBh6Zy-Uxpse9M0fDv969kXhqB6Cd2oWwoKn
To0 HTTP/1.1" 200 87
Received <Response [200]>:
gptSMBh6Zy-Uxpse9M0fDv969kXhqB6Cd2oWwoKnTo0.UzPQUff4DmcwMIQnkWokJ3k4
yp-rDeSN4Uf5giVleGY. Headers: {'Date': 'Tue, 03 May 2016 16:53:59
GMT', 'Last-Modified': 'Tue, 03 May 2016 16:53:42 GMT',
'Content-Length': '87', 'Content-type': 'application/octet-stream',
'Server': 'SimpleHTTP/0.6 Python/2.7.10'}

Can it be because the dns didn't yet propogate to letsencrypt servers, and even though the link works on computers in my vicinity, it isn't yet registered there?

2

Here is the whole log:

2016-05-03 16:30:01,415:DEBUG:letsencrypt.main:Root logging level set at 30
2016-05-03 16:30:01,416:INFO:letsencrypt.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2016-05-03 16:30:01,416:DEBUG:letsencrypt.main:letsencrypt version: 0.5.0
2016-05-03 16:30:01,416:DEBUG:letsencrypt.main:Arguments: ['-a', 'manual', '--rsa-key-size', '4096', '-d', 'my.sub.domain.com']
2016-05-03 16:30:01,416:DEBUG:letsencrypt.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2016-05-03 16:30:01,419:DEBUG:letsencrypt.plugins.selection:Requested authenticator manual and installer None
2016-05-03 16:30:01,422:DEBUG:letsencrypt.plugins.selection:Single candidate plugin: * manual
Description: Manually configure an HTTP server
Interfaces: IAuthenticator, IPlugin
Entry point: manual = letsencrypt.plugins.manual:Authenticator
Initialized: <letsencrypt.plugins.manual.Authenticator object at 0x7f7f6b617490>
Prep: True
2016-05-03 16:30:01,422:DEBUG:letsencrypt.plugins.selection:Selected authenticator <letsencrypt.plugins.manual.Authenticator object at 0x7f7f6b617490> and installer None
2016-05-03 16:30:01,542:DEBUG:letsencrypt.main:Picked account: <Account(8ab9eeed33bcfa7c201362c9a0b70913)>
2016-05-03 16:30:01,542:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/directory. args: (), kwargs: {}
2016-05-03 16:30:01,545:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-05-03 16:30:01,915:DEBUG:requests.packages.urllib3.connectionpool:"GET /directory HTTP/1.1" 200 263
2016-05-03 16:30:01,916:DEBUG:root:Received <Response [200]>. Headers: {'Content-Length': '263', 'Expires': 'Tue, 03 May 2016 16:30:01 GMT', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 03 May 2016 16:30:01 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'bK7FYzj2i1gnRiUYfmkQdkhZE634hTfPnoQxNBjzlUk'}. Content: '{"new-authz":"https://acme-v01.api.letsencrypt.org/acme/new-authz","new-cert":"https://acme-v01.api.letsencrypt.org/acme/new-cert","new-reg":"https://acme-v01.api.letsencrypt.org/acme/new-reg","revoke-cert":"https://acme-v01.api.letsencrypt.org/acme/revoke-cert"}'
2016-05-03 16:30:01,917:DEBUG:acme.client:Received response <Response [200]> (headers: {'Content-Length': '263', 'Expires': 'Tue, 03 May 2016 16:30:01 GMT', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 03 May 2016 16:30:01 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'bK7FYzj2i1gnRiUYfmkQdkhZE634hTfPnoQxNBjzlUk'}): '{"new-authz":"https://acme-v01.api.letsencrypt.org/acme/new-authz","new-cert":"https://acme-v01.api.letsencrypt.org/acme/new-cert","new-reg":"https://acme-v01.api.letsencrypt.org/acme/new-reg","revoke-cert":"https://acme-v01.api.letsencrypt.org/acme/revoke-cert"}'
2016-05-03 16:30:01,917:DEBUG:root:Requesting fresh nonce
2016-05-03 16:30:01,917:DEBUG:root:Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-authz. args: (), kwargs: {}
2016-05-03 16:30:01,918:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-05-03 16:30:02,281:DEBUG:requests.packages.urllib3.connectionpool:"HEAD /acme/new-authz HTTP/1.1" 405 0
2016-05-03 16:30:02,283:DEBUG:root:Received <Response [405]>. Headers: {'Content-Length': '78', 'Pragma': 'no-cache', 'Expires': 'Tue, 03 May 2016 16:30:02 GMT', 'Server': 'nginx', 'Connection': 'keep-alive', 'Allow': 'POST', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 03 May 2016 16:30:02 GMT', 'Content-Type': 'application/problem+json', 'Replay-Nonce': 'CkfuTgTPkx9szz2DCKxD9AkDJwa_K8sJtVxYczUgsMs'}. Content: ''
2016-05-03 16:30:02,283:DEBUG:acme.client:Storing nonce: "\nG\xeeN\x04\xcf\x93\x1fl\xcf=\x83\x08\xacC\xf4\t\x03'\x06\xbf+\xcb\t\xb5\Xs5 \xb0\xcb"
2016-05-03 16:30:02,284:DEBUG:acme.jose.json_util:Omitted empty fields: combinations=None, challenges=None, expires=None, status=None
2016-05-03 16:30:02,284:DEBUG:acme.client:Serialized JSON: {"identifier": {"type": "dns", "value": "my.sub.domain.com"}, "resource": "new-authz"}
2016-05-03 16:30:02,284:DEBUG:acme.jose.json_util:Omitted empty fields: x5c=(), crit=(), alg=None, jku=None, x5t=None, typ=None, kid=None, cty=None, jwk=None, x5tS256=None, x5u=None
2016-05-03 16:30:02,286:DEBUG:acme.jose.json_util:Omitted empty fields: x5c=(), crit=(), jku=None, nonce=None, x5t=None, typ=None, kid=None, cty=None, x5tS256=None, x5u=None
2016-05-03 16:30:02,286:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz. args: (), kwargs: {'data': '{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "pwNrl304Y2_36dpaoR5X8isvJsHS4SGUPssaYGUNcsfrVMzL858QwNhmx-MOedwq2VvvO2S_l849mPWPaTrX7rDzzA8nJZSxs2uIcfvG-3K4EvVKOWu-DDF6qs_wwIAOESOxBJievZZ05PLyBYkh7BGTRZ_YZjDLCIDcIyD9RxZtuVE2g7tT6AQ27nKkqya4CI2pwcgSew4sn4fQJGJ_czbvUzEQh-9fRkd0bF-FCo1fTtGdG988oYYdyXqgPRMhP3WRYnB-bZ8WCAvElZuUD5HOgKjeyUjgJ9QuQchPdDx3hQmYSfWEDVorocBdck1dPreAjK5aJ9Nxgz0AOgH-QQ"}}, "protected": "eyJub25jZSI6ICJDa2Z1VGdUUGt4OXN6ejJEQ0t4RDlBa0RKd2FfSzhzSnRWeFljelVnc01zIn0", "payload": "eyJpZGVudGlmaWVyIjogeyJ0eXBlIjogImRucyIsICJ2YWx1ZSI6ICJiYWNrZW5kZXUuZGlza29uY2xvdWQubmV0In0sICJyZXNvdXJjZSI6ICJuZXctYXV0aHoifQ", "signature": "KQ6a8Z1EjAwsLeEFRxsi5TSg6nDI1OSVFf3r2evAFXCCU-356spYZQCjKh5o1nLx089WqrsMxqCEc2-xTGrHgss_KwrWlZF6nAvylSNK78F_BEq6-q75puuWbqc-2W6zUvAFW4njA8yTbPwk8N38HjdE2tkk7ZrLSMYd3uicPCBpeAH3dMGmje5uJImzeZyf8pcY_IRFVEPe6I-RqPSnbnBGAiVQ7e41jp8eSI13UQ02l8RzisHVdZm2FVOGzyWAut1pJu3hyT0JkOp9xg_oXM4vTZbyzS6guGK225je90DO4pgW6sSVRVFb5nNafxT3nwknuEvij_RR0r4Fp-80A"}'}
2016-05-03 16:30:02,287:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-05-03 16:30:02,681:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/new-authz HTTP/1.1" 201 788
2016-05-03 16:30:02,683:DEBUG:root:Received <Response [201]>. Headers: {'Content-Length': '788', 'Expires': 'Tue, 03 May 2016 16:30:02 GMT', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Link': '<https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"', 'Location': 'https://acme-v01.api.letsencrypt.org/acme/authz/Jjuh9tKNYkGJm3Eh6Icw52PzLVWvZlUJjEEvclGsgBg', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 03 May 2016 16:30:02 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'w7xZP97ZSIF7vB-sKIZKMlmg7BREpAR6OPCotBaH4bs'}. Content: '{"identifier":{"type":"dns","value":"my.sub.domain.com"},"status":"pending","expires":"2016-05-10T16:30:02.544827942Z","challenges":[{"type":"dns-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/Jjuh9tKNYkGJm3Eh6Icw52PzLVWvZlUJjEEvclGsgBg/69530316","token":"y0htkf9ZHznGLBedSU9GtaFAwYlFSxXYrKSH2i4okxw"},{"type":"http-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/Jjuh9tKNYkGJm3Eh6Icw52PzLVWvZlUJjEEvclGsgBg/69530317","token":"1oUrljkjJfAPgiP04YBBdI-DtqaUlDnrMgRU70GWH3Q"},{"type":"tls-sni-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/Jjuh9tKNYkGJm3Eh6Icw52PzLVWvZlUJjEEvclGsgBg/69530318","token":"ZlbqGngjytCl1_rjM_T-N6z5b8VAoVlSvfrFQ1NrioI"}],"combinations":[[0],[1],[2]]}'
2016-05-03 16:30:02,683:DEBUG:acme.client:Storing nonce: '\xc3\xbcY?\xde\xd9H\x81{\xbc\x1f\xac(\x86J2Y\xa0\xec\x14D\xa4\x04z8\xf0\xa8\xb4\x16\x87\xe1\xbb'
2016-05-03 16:30:02,683:DEBUG:acme.client:Received response <Response [201]> (headers: {'Content-Length': '788', 'Expires': 'Tue, 03 May 2016 16:30:02 GMT', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Link': '<https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"', 'Location': 'https://acme-v01.api.letsencrypt.org/acme/authz/Jjuh9tKNYkGJm3Eh6Icw52PzLVWvZlUJjEEvclGsgBg', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 03 May 2016 16:30:02 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'w7xZP97ZSIF7vB-sKIZKMlmg7BREpAR6OPCotBaH4bs'}): '{"identifier":{"type":"dns","value":"my.sub.domain.com"},"status":"pending","expires":"2016-05-10T16:30:02.544827942Z","challenges":[{"type":"dns-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/Jjuh9tKNYkGJm3Eh6Icw52PzLVWvZlUJjEEvclGsgBg/69530316","token":"y0htkf9ZHznGLBedSU9GtaFAwYlFSxXYrKSH2i4okxw"},{"type":"http-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/Jjuh9tKNYkGJm3Eh6Icw52PzLVWvZlUJjEEvclGsgBg/69530317","token":"1oUrljkjJfAPgiP04YBBdI-DtqaUlDnrMgRU70GWH3Q"},{"type":"tls-sni-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/Jjuh9tKNYkGJm3Eh6Icw52PzLVWvZlUJjEEvclGsgBg/69530318","token":"ZlbqGngjytCl1_rjM_T-N6z5b8VAoVlSvfrFQ1NrioI"}],"combinations":[[0],[1],[2]]}'
2016-05-03 16:30:02,684:DEBUG:acme.challenges:dns-01 was not recognized, full message: {u'status': u'pending', u'token': u'y0htkf9ZHznGLBedSU9GtaFAwYlFSxXYrKSH2i4okxw', u'type': u'dns-01', u'uri': u'https://acme-v01.api.letsencrypt.org/acme/challenge/Jjuh9tKNYkGJm3Eh6Icw52PzLVWvZlUJjEEvclGsgBg/69530316'}
2016-05-03 16:30:02,684:INFO:letsencrypt.auth_handler:Performing the following challenges:
2016-05-03 16:30:02,684:INFO:letsencrypt.auth_handler:http-01 challenge for my.sub.domain.com
2016-05-03 16:30:38,471:DEBUG:acme.challenges:Verifying http-01 at http://my.sub.domain.com/.well-known/acme-challenge/1oUrljkjJfAPgiP04YBBdI-DtqaUlDnrMgRU70GWH3Q...
2016-05-03 16:30:38,472:INFO:requests.packages.urllib3.connectionpool:Starting new HTTP connection (1): my.sub.domain.com
2016-05-03 16:30:38,476:DEBUG:requests.packages.urllib3.connectionpool:"GET /.well-known/acme-challenge/1oUrljkjJfAPgiP04YBBdI-DtqaUlDnrMgRU70GWH3Q HTTP/1.1" 200 87
2016-05-03 16:30:38,481:DEBUG:acme.challenges:Received <Response [200]>: 1oUrljkjJfAPgiP04YBBdI-DtqaUlDnrMgRU70GWH3Q.UzPQUff4DmcwMIQnkWokJ3k4yp-rDeSN4Uf5giVleGY. Headers: {'Date': 'Tue, 03 May 2016 16:30:38 GMT', 'Last-Modified': 'Tue, 03 May 2016 16:30:16 GMT', 'Content-Length': '87', 'Content-type': 'application/octet-stream', 'Server': 'SimpleHTTP/0.6 Python/2.7.10'}
2016-05-03 16:30:38,483:INFO:letsencrypt.auth_handler:Waiting for verification...
2016-05-03 16:30:38,483:DEBUG:acme.client:Serialized JSON: {"keyAuthorization": "1oUrljkjJfAPgiP04YBBdI-DtqaUlDnrMgRU70GWH3Q.UzPQUff4DmcwMIQnkWokJ3k4yp-rDeSN4Uf5giVleGY", "type": "http-01", "resource": "challenge"}
2016-05-03 16:30:38,487:DEBUG:acme.jose.json_util:Omitted empty fields: x5c=(), crit=(), alg=None, jku=None, x5t=None, typ=None, kid=None, cty=None, jwk=None, x5tS256=None, x5u=None
2016-05-03 16:30:38,489:DEBUG:acme.jose.json_util:Omitted empty fields: x5c=(), crit=(), jku=None, nonce=None, x5t=None, typ=None, kid=None, cty=None, x5tS256=None, x5u=None
2016-05-03 16:30:38,493:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/challenge/Jjuh9tKNYkGJm3Eh6Icw52PzLVWvZlUJjEEvclGsgBg/69530317. args: (), kwargs: {'data': '{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "pwNrl304Y2_36dpaoR5X8isvJsHS4SGUPssaYGUNcsfrVMzL858QwNhmx-MOedwq2VvvO2S_l849mPWPaTrX7rDzzA8nJZSxs2uIcfvG-3K4EvVKOWu-DDF6qs_wwIAOESOxBJievZZ05PLyBYkh7BGTRZ_YZjDLCIDcIyD9RxZtuVE2g7tT6AQ27nKkqya4CI2pwcgSew4sn4fQJGJ_czbvUzEQh-9fRkd0bF-FCo1fTtGdG988oYYdyXqgPRMhP3WRYnB-bZ8WCAvElZuUD5HOgKjeyUjgJ9QuQchPdDx3hQmYSfWEDVorocBdck1dPreAjK5aJ9Nxgz0AOgH-QQ"}}, "protected": "eyJub25jZSI6ICJ3N3haUDk3WlNJRjd2Qi1zS0laS01sbWc3QlJFcEFSNk9QQ290QmFINGJzIn0", "payload": "eyJrZXlBdXRob3JpemF0aW9uIjogIjFvVXJsamtqSmZBUGdpUDA0WUJCZEktRHRxYVVsRG5yTWdSVTcwR1dIM1EuVXpQUVVmZjREbWN3TUlRbmtXb2tKM2s0eXAtckRlU040VWY1Z2lWbGVHWSIsICJ0eXBlIjogImh0dHAtMDEiLCAicmVzb3VyY2UiOiAiY2hhbGxlbmdlIn0", "signature": "lGHOsPxY3BvSxnmGpzLTWWJtqFZ3Z2wfnMka-WOYg3_ohfGYTrMUHw5r0JaP_SjFMr-ceQ8D3pV_0phpy4gPHQ7-0hmxAIdbWfJcIl8dzLOJqB0EmO9OXky8AT-N6mlDZqxb8mRB6YHzJ-8z8nov-tqB9_R9vapZFDib_15WJMNjj-s0NOI6lX7wCgBlH-W6RMk6BSusi_s5fBdh9_3u1A1lqjVwQbLf-Htd9kUIQSyVhEbpFfTb2EN9Cu4kIOJcVgInHL8lyZXMgeKDd0iCgydEsP19CM4CURQBgofT1fElfvJakYlQ8g6twp2Q6szsGtEzYQ8iAQa4lNJY4LsdVg"}'}
2016-05-03 16:30:38,494:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-05-03 16:30:39,176:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/challenge/Jjuh9tKNYkGJm3Eh6Icw52PzLVWvZlUJjEEvclGsgBg/69530317 HTTP/1.1" 202 313
2016-05-03 16:30:39,178:DEBUG:root:Received <Response [202]>. Headers: {'Content-Length': '313', 'Expires': 'Tue, 03 May 2016 16:30:39 GMT', 'Server': 'nginx', 'Connection': 'keep-alive', 'Link': '<https://acme-v01.api.letsencrypt.org/acme/authz/Jjuh9tKNYkGJm3Eh6Icw52PzLVWvZlUJjEEvclGsgBg>;rel="up"', 'Location': 'https://acme-v01.api.letsencrypt.org/acme/challenge/Jjuh9tKNYkGJm3Eh6Icw52PzLVWvZlUJjEEvclGsgBg/69530317', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 03 May 2016 16:30:39 GMT', 'Content-Type': 'application/json', 'Replay-Nonce': 'G5b3it4PW5yQjhLmOIOaXyQf-GTEgYOzGJldYpaES-M'}. Content: '{"type":"http-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/Jjuh9tKNYkGJm3Eh6Icw52PzLVWvZlUJjEEvclGsgBg/69530317","token":"1oUrljkjJfAPgiP04YBBdI-DtqaUlDnrMgRU70GWH3Q","keyAuthorization":"1oUrljkjJfAPgiP04YBBdI-DtqaUlDnrMgRU70GWH3Q.UzPQUff4DmcwMIQnkWokJ3k4yp-rDeSN4Uf5giVleGY"}'
2016-05-03 16:30:39,178:DEBUG:acme.client:Storing nonce: '\x1b\x96\xf7\x8a\xde\x0f[\x9c\x90\x8e\x12\xe68\x83\x9a$\x1f\xf8d\xc4\x81\x83\xb3\x18\x99]b\x96\x84K\xe3'
2016-05-03 16:30:39,178:DEBUG:acme.client:Received response <Response [202]> (headers: {'Content-Length': '313', 'Expires': 'Tue, 03 May 2016 16:30:39 GMT', 'Server': 'nginx', 'Connection': 'keep-alive', 'Link': '<https://acme-v01.api.letsencrypt.org/acme/authz/Jjuh9tKNYkGJm3Eh6Icw52PzLVWvZlUJjEEvclGsgBg>;rel="up"', 'Location': 'https://acme-v01.api.letsencrypt.org/acme/challenge/Jjuh9tKNYkGJm3Eh6Icw52PzLVWvZlUJjEEvclGsgBg/69530317', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 03 May 2016 16:30:39 GMT', 'Content-Type': 'application/json', 'Replay-Nonce': 'G5b3it4PW5yQjhLmOIOaXyQf-GTEgYOzGJldYpaES-M'}): '{"type":"http-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/Jjuh9tKNYkGJm3Eh6Icw52PzLVWvZlUJjEEvclGsgBg/69530317","token":"1oUrljkjJfAPgiP04YBBdI-DtqaUlDnrMgRU70GWH3Q","keyAuthorization":"1oUrljkjJfAPgiP04YBBdI-DtqaUlDnrMgRU70GWH3Q.UzPQUff4DmcwMIQnkWokJ3k4yp-rDeSN4Uf5giVleGY"}'
2016-05-03 16:30:42,182:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/acme/authz/Jjuh9tKNYkGJm3Eh6Icw52PzLVWvZlUJjEEvclGsgBg. args: (), kwargs: {}
2016-05-03 16:30:42,183:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-05-03 16:30:42,542:DEBUG:requests.packages.urllib3.connectionpool:"GET /acme/authz/Jjuh9tKNYkGJm3Eh6Icw52PzLVWvZlUJjEEvclGsgBg HTTP/1.1" 200 887
2016-05-03 16:30:42,544:DEBUG:root:Received <Response [200]>. Headers: {'Content-Length': '887', 'Expires': 'Tue, 03 May 2016 16:30:42 GMT', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Link': '<https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 03 May 2016 16:30:42 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'zEGAisx5sAhyba5XxM0lqPDBfIKC4E5hoQUA8JGIFrc'}. Content: '{"identifier":{"type":"dns","value":"my.sub.domain.com"},"status":"pending","expires":"2016-05-10T16:30:02Z","challenges":[{"type":"dns-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/Jjuh9tKNYkGJm3Eh6Icw52PzLVWvZlUJjEEvclGsgBg/69530316","token":"y0htkf9ZHznGLBedSU9GtaFAwYlFSxXYrKSH2i4okxw"},{"type":"http-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/Jjuh9tKNYkGJm3Eh6Icw52PzLVWvZlUJjEEvclGsgBg/69530317","token":"1oUrljkjJfAPgiP04YBBdI-DtqaUlDnrMgRU70GWH3Q","keyAuthorization":"1oUrljkjJfAPgiP04YBBdI-DtqaUlDnrMgRU70GWH3Q.UzPQUff4DmcwMIQnkWokJ3k4yp-rDeSN4Uf5giVleGY"},{"type":"tls-sni-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/Jjuh9tKNYkGJm3Eh6Icw52PzLVWvZlUJjEEvclGsgBg/69530318","token":"ZlbqGngjytCl1_rjM_T-N6z5b8VAoVlSvfrFQ1NrioI"}],"combinations":[[0],[1],[2]]}'
2016-05-03 16:30:42,544:DEBUG:acme.client:Received response <Response [200]> (headers: {'Content-Length': '887', 'Expires': 'Tue, 03 May 2016 16:30:42 GMT', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Link': '<https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 03 May 2016 16:30:42 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'zEGAisx5sAhyba5XxM0lqPDBfIKC4E5hoQUA8JGIFrc'}): '{"identifier":{"type":"dns","value":"my.sub.domain.com"},"status":"pending","expires":"2016-05-10T16:30:02Z","challenges":[{"type":"dns-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/Jjuh9tKNYkGJm3Eh6Icw52PzLVWvZlUJjEEvclGsgBg/69530316","token":"y0htkf9ZHznGLBedSU9GtaFAwYlFSxXYrKSH2i4okxw"},{"type":"http-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/Jjuh9tKNYkGJm3Eh6Icw52PzLVWvZlUJjEEvclGsgBg/69530317","token":"1oUrljkjJfAPgiP04YBBdI-DtqaUlDnrMgRU70GWH3Q","keyAuthorization":"1oUrljkjJfAPgiP04YBBdI-DtqaUlDnrMgRU70GWH3Q.UzPQUff4DmcwMIQnkWokJ3k4yp-rDeSN4Uf5giVleGY"},{"type":"tls-sni-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/Jjuh9tKNYkGJm3Eh6Icw52PzLVWvZlUJjEEvclGsgBg/69530318","token":"ZlbqGngjytCl1_rjM_T-N6z5b8VAoVlSvfrFQ1NrioI"}],"combinations":[[0],[1],[2]]}'
2016-05-03 16:30:42,544:DEBUG:acme.challenges:dns-01 was not recognized, full message: {u'status': u'pending', u'token': u'y0htkf9ZHznGLBedSU9GtaFAwYlFSxXYrKSH2i4okxw', u'type': u'dns-01', u'uri': u'https://acme-v01.api.letsencrypt.org/acme/challenge/Jjuh9tKNYkGJm3Eh6Icw52PzLVWvZlUJjEEvclGsgBg/69530316'}
2016-05-03 16:30:45,548:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/acme/authz/Jjuh9tKNYkGJm3Eh6Icw52PzLVWvZlUJjEEvclGsgBg. args: (), kwargs: {}
2016-05-03 16:30:45,549:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-05-03 16:30:45,913:DEBUG:requests.packages.urllib3.connectionpool:"GET /acme/authz/Jjuh9tKNYkGJm3Eh6Icw52PzLVWvZlUJjEEvclGsgBg HTTP/1.1" 200 1322
2016-05-03 16:30:45,915:DEBUG:root:Received <Response [200]>. Headers: {'Content-Length': '1322', 'Expires': 'Tue, 03 May 2016 16:30:45 GMT', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Link': '<https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 03 May 2016 16:30:45 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'uPpdYFwAahL2uncPJv4cohsVuvVFxW3NRKWsyTKIfRg'}. Content: '{"identifier":{"type":"dns","value":"my.sub.domain.com"},"status":"invalid","expires":"2016-05-10T16:30:02Z","challenges":[{"type":"dns-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/Jjuh9tKNYkGJm3Eh6Icw52PzLVWvZlUJjEEvclGsgBg/69530316","token":"y0htkf9ZHznGLBedSU9GtaFAwYlFSxXYrKSH2i4okxw"},{"type":"http-01","status":"invalid","error":{"type":"urn:acme:error:connection","detail":"Could not connect to http://my.sub.domain.com/.well-known/acme-challenge/1oUrljkjJfAPgiP04YBBdI-DtqaUlDnrMgRU70GWH3Q"},"uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/Jjuh9tKNYkGJm3Eh6Icw52PzLVWvZlUJjEEvclGsgBg/69530317","token":"1oUrljkjJfAPgiP04YBBdI-DtqaUlDnrMgRU70GWH3Q","keyAuthorization":"1oUrljkjJfAPgiP04YBBdI-DtqaUlDnrMgRU70GWH3Q.UzPQUff4DmcwMIQnkWokJ3k4yp-rDeSN4Uf5giVleGY","validationRecord":[{"url":"http://my.sub.domain.com/.well-known/acme-challenge/1oUrljkjJfAPgiP04YBBdI-DtqaUlDnrMgRU70GWH3Q","hostname":"my.sub.domain.com","port":"80","addressesResolved":["93.173.50.140"],"addressUsed":"93.173.50.140"}]},{"type":"tls-sni-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/Jjuh9tKNYkGJm3Eh6Icw52PzLVWvZlUJjEEvclGsgBg/69530318","token":"ZlbqGngjytCl1_rjM_T-N6z5b8VAoVlSvfrFQ1NrioI"}],"combinations":[[0],[1],[2]]}'
2016-05-03 16:30:45,915:DEBUG:acme.client:Received response <Response [200]> (headers: {'Content-Length': '1322', 'Expires': 'Tue, 03 May 2016 16:30:45 GMT', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Link': '<https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 03 May 2016 16:30:45 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'uPpdYFwAahL2uncPJv4cohsVuvVFxW3NRKWsyTKIfRg'}): '{"identifier":{"type":"dns","value":"my.sub.domain.com"},"status":"invalid","expires":"2016-05-10T16:30:02Z","challenges":[{"type":"dns-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/Jjuh9tKNYkGJm3Eh6Icw52PzLVWvZlUJjEEvclGsgBg/69530316","token":"y0htkf9ZHznGLBedSU9GtaFAwYlFSxXYrKSH2i4okxw"},{"type":"http-01","status":"invalid","error":{"type":"urn:acme:error:connection","detail":"Could not connect to http://my.sub.domain.com/.well-known/acme-challenge/1oUrljkjJfAPgiP04YBBdI-DtqaUlDnrMgRU70GWH3Q"},"uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/Jjuh9tKNYkGJm3Eh6Icw52PzLVWvZlUJjEEvclGsgBg/69530317","token":"1oUrljkjJfAPgiP04YBBdI-DtqaUlDnrMgRU70GWH3Q","keyAuthorization":"1oUrljkjJfAPgiP04YBBdI-DtqaUlDnrMgRU70GWH3Q.UzPQUff4DmcwMIQnkWokJ3k4yp-rDeSN4Uf5giVleGY","validationRecord":[{"url":"http://my.sub.domain.com/.well-known/acme-challenge/1oUrljkjJfAPgiP04YBBdI-DtqaUlDnrMgRU70GWH3Q","hostname":"my.sub.domain.com","port":"80","addressesResolved":["93.173.50.140"],"addressUsed":"93.173.50.140"}]},{"type":"tls-sni-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/Jjuh9tKNYkGJm3Eh6Icw52PzLVWvZlUJjEEvclGsgBg/69530318","token":"ZlbqGngjytCl1_rjM_T-N6z5b8VAoVlSvfrFQ1NrioI"}],"combinations":[[0],[1],[2]]}'
2016-05-03 16:30:45,916:DEBUG:acme.challenges:dns-01 was not recognized, full message: {u'status': u'pending', u'token': u'y0htkf9ZHznGLBedSU9GtaFAwYlFSxXYrKSH2i4okxw', u'type': u'dns-01', u'uri': u'https://acme-v01.api.letsencrypt.org/acme/challenge/Jjuh9tKNYkGJm3Eh6Icw52PzLVWvZlUJjEEvclGsgBg/69530316'}
2016-05-03 16:30:45,916:INFO:letsencrypt.reporter:Reporting to user: The following errors were reported by the server:

Domain: my.sub.domain.com
Type: connection
Detail: Could not connect to http://my.sub.domain.com/.well-known/acme-challenge/1oUrljkjJfAPgiP04YBBdI-DtqaUlDnrMgRU70GWH3Q

To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
2016-05-03 16:30:45,916:INFO:letsencrypt.auth_handler:Cleaning up challenges
2016-05-03 16:30:45,917:DEBUG:letsencrypt.main:Exiting abnormally:
Traceback (most recent call last):
File "/home/user/.local/share/letsencrypt/bin/letsencrypt", line 11, in
sys.exit(main())
File "/home/user/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/main.py", line 692, in main
return config.func(config, plugins)
File "/home/user/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/main.py", line 509, in obtain_cert
_, action = _auth_from_domains(le_client, config, domains, lineage)
File "/home/user/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/main.py", line 93, in _auth_from_domains
lineage = le_client.obtain_and_enroll_certificate(domains)
File "/home/user/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/client.py", line 274, in obtain_and_enroll_certificate
certr, chain, key, _ = self.obtain_certificate(domains)
File "/home/user/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/client.py", line 246, in obtain_certificate
self.config.allow_subset_of_names)
File "/home/user/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/auth_handler.py", line 74, in get_authorizations
self._respond(resp, best_effort)
File "/home/user/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/auth_handler.py", line 131, in _respond
self._poll_challenges(chall_update, best_effort)
File "/home/user/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/auth_handler.py", line 195, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. my.sub.domain.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to http://my.sub.domain.com/.well-known/acme-challenge/1oUrljkjJfAPgiP04YBBdI-DtqaUlDnrMgRU70GWH3Q

3

Did you try accessing your site from outside your own network (i.e. a VPS or something like Tor)? The error you’re seeing is a general connection error, meaning Let’s Encrypt is unable to connect to port 80 of your IP. Make sure your firewall is forwarding traffic to your VM, etc.

I believe the IP address as resolved by Let’s Encrypt’s DNS is included somewhere in /var/log/letsencrypt/letsencrypt.log, if you want to rule out any DNS propagation issues (look for addressUsed). Generally, it shouldn’t happen unless your authoritative DNS server is returning the wrong IP (Let’s Encrypt doesn’t cache DNS entries).

// edit: Based on the IP included in your full log above I can confirm that I’m unable to connect to port 80.

4

I changed my url to my.sub.domain.com in the logs… I can PM you the real url.
I tried from another laptop that is on a different ISP and it worked… Also, the dns resolution is correct, according to the log.

EDIT: Damn, how do I PM here?

EDIT^2: My server is a vm on my computer… I opened port 80 on my router for incoming requests. Maybe my address is only accessible within my country :\

5

The log you posted has your IP address. I’m unable to connect to port 80.

1 Like
6

Crap. My IP isn’t accessible from outside my country -_-
I will try running it on a host instead. Thanks!

7

If your ISP is blocking port 80 or 443, you could use DNS-based validation, which works by creating a TXT record for your domain. The reference client doesn't quite support this yet, but there are some alternatives like the bash clients or lego that do.

1 Like
8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.