Letsencrypt fails to get the response (solved, it was nginx not restarting properly)

https://acme-v02.api.letsencrypt.org/acme/chall-v3/167099611386/e_WE9A

My domain is: megumin.ninamori.org

I ran this command: acme-nginx -o secret/megumin.ninamori.org.pem --domain-private-key secret/megumin.ninamori.org.key --domain megumin.ninamori.org --domain www.megumin.ninamori.org --virtual-host /etc/nginx/conf.d/0-letsencrypt.conf

It produced this output: https://acme-v02.api.letsencrypt.org/acme/chall-v3/167099611386/e_WE9A

My web server is (include version): Nginx 1.18.0

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: 163.172.189.79

I can login to a root shell on my machine (yes or no, or I don't know): I own it

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.3.2

WTF?
The server does respond correctly and there are no problems with the hundreds of domains I certify the same way on the same server.
What is going on?

UPD: nginx bad, acme-nginx bad too, will patch.
Thanks everybody and special thanks to Osiris.
\(^∀^)メ(^∀^)ノ

2 Likes

https://acme-v02.api.letsencrypt.org/acme/chall-v3/167105233386/MeYGeA

ლ(ಠ_ಠლ)

1 Like

Hello @goury, welcome to the Let's Encrypt community. :slightly_smiling_face:

That is a very old version of Certbot

And to assist with debugging, a great place to start is Let's Debug.

2 Likes

https://acme-v02.api.letsencrypt.org/acme/chall-v3/167110496686/CZg3cQ

ლ(ಠ_ಠლ)

very old version of Certbot

I ran this command: acme-nginx

Do you even read?

UPD: so I was frustrated and my point was that I said that I am using a different tool and had also done this initial debugging, but now I feel ashamed for being slightly aggressive.
Let it be a lesson to me and let it shame me forever.

4 Likes

Yes. Here are its contents:

{
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:unauthorized",
    "detail": "163.172.189.79: Invalid response from http://megumin.ninamori.org/.well-known/acme-challenge/RUza89uyOihewga4LMt3XvfuJuPDrtBbzX07ehXGklI: 404",
    "status": 403
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/167110496686/CZg3cQ",
  "token": "RUza89uyOihewga4LMt3XvfuJuPDrtBbzX07ehXGklI",
  "validationRecord": [
    {
      "url": "http://megumin.ninamori.org/.well-known/acme-challenge/RUza89uyOihewga4LMt3XvfuJuPDrtBbzX07ehXGklI",
      "hostname": "megumin.ninamori.org",
      "port": "80",
      "addressesResolved": [
        "163.172.189.79"
      ],
      "addressUsed": "163.172.189.79"
    }
  ],
  "validated": "2022-10-21T15:44:55Z"
}
2 Likes
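
A way to read the challenge object posted above, as an added example that is not part of the thread or of any ACME client. The helper name `triage` and the hint text are assumptions; the values are copied from the post, trimmed to the fields used.

```python
import re
from urllib.parse import urlparse

TOKEN = "RUza89uyOihewga4LMt3XvfuJuPDrtBbzX07ehXGklI"
URL = "http://megumin.ninamori.org/.well-known/acme-challenge/" + TOKEN
# The challenge object from the post above, keeping the fields used here.
CHALLENGE = {
    "type": "http-01", "status": "invalid", "token": TOKEN,
    "error": {"type": "urn:ietf:params:acme:error:unauthorized",
              "detail": "163.172.189.79: Invalid response from " + URL + ": 404",
              "status": 403},
    "validationRecord": [{"url": URL, "hostname": "megumin.ninamori.org",
                          "port": "80", "addressesResolved": ["163.172.189.79"],
                          "addressUsed": "163.172.189.79"}],
}

def triage(ch):
    """Summarise a failed http-01 challenge object (helper name is hypothetical)."""
    err = ch.get("error") or {}
    # In the detail format shown on this page, the trailing number is the HTTP
    # status the CA got from the web server; error.status (403) is the status
    # of the ACME problem document, not of the web server's reply.
    m = re.search(r":\s*(\d{3})\s*$", err.get("detail", ""))
    records = ch.get("validationRecord") or [{}]
    last = records[-1]  # final hop, after any redirects the CA followed
    path = urlparse(last.get("url", "")).path
    out = {
        "acme_error": err.get("type", "").rsplit(":", 1)[-1],
        "problem_status": err.get("status"),
        "origin_status": int(m.group(1)) if m else None,
        "host": last.get("hostname"),
        "ip_used": last.get("addressUsed"),
        "port": last.get("port"),
        "redirects": len(records) - 1,
        "path_is_token": path == "/.well-known/acme-challenge/" + ch.get("token", ""),
    }
    # Hint drawn from this thread's outcome: a 404 on the exact token path at
    # the expected IP means the server answered but had no challenge route.
    if out["origin_status"] == 404 and out["path_is_token"] and not out["redirects"]:
        out["hint"] = ("web server at %s:%s answered but did not serve the token; "
                       "confirm the challenge config was loaded before validation"
                       % (out["ip_used"], out["port"]))
    return out

if __name__ == "__main__":
    for key, value in triage(CHALLENGE).items():
        print(f"{key:15} {value}")
```
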

Now what?

1 Like

Did you read the above?

Here is what I see for the URL

Which means you are not serving up the Challenge Response.

2 Likes

That's a lie, it was there when it was challenging

https://acme-v02.api.letsencrypt.org/acme/chall-v3/167113372046/sqKS0g

Am I supposed to keep this challenge file forever?

Can you please stop falsely blaming me?

1 Like

No, not at all; but it can be helpful during debugging to keep the file around for a bit of time.

2 Likes

Also testing and debugging are best done using the Staging Environment as the Rate Limits are much higher. Rate Limits are per week (rolling).

2 Likes

I am not falsely blaming anyone, merely showing my observations.

2 Likes

I've tried both and there's no difference.
It fails to verify challenge for this particular domain and not any other domain.

1 Like

How do the domains differ?

3 Likes

They don't, except that it worked for those other domains many times in the past.

I'll keep this one for a while:

https://acme-v02.api.letsencrypt.org/acme/chall-v3/167114680006/AcGs3w

1 Like

So they are identical and the same exact domain is what you are telling me. :confused:

3 Likes

You can have ninamori.org and eri.ninamori.org as an example.
The only difference is in the names.

1 Like

Both ninamori.org and eri.ninamori.org are presently having IP Addressing issues with https://letsdebug.net/ HTTP-01 Challenge.

Presently I am seeing another on this forum today with the same https://letsdebug.net/ HTTP-01 Challenge issue.
Here: IP blocked? (New server, new IP, just in setup phase)

Possible there is an Internet issue causing some wider troubles.

Obviously I am not providing the help you seek, I am going to sit on the sidelines now.
Please wait for another, more helpful, community volunteer's assistance.

2 Likes

It seems someone has changed the server's IPv6 address, but this shouldn't be an issue for IPv4-only domains

Yet both IPv4 and IPv6 are having issues presently from https://letsdebug.net/ perspective.


2 Likes

While I understand that some IT issues can lead to frustration, please be more considerate to the volunteers on this Community, even if they've got something incorrect.

We're not obliged to help you as volunteers, so a more friendly tone might attract more volunteers to your thread.

5 Likes