My domain is: wallbee.nhl.dk (for testing)
ACME Client: GetSSL
output: getssl: for some reason could not reach http://wallbee.nhl.dk/.well-known/acme-challenge/OwQNDbPCBrR3Sloh56qZkFee5LFAJb1JNC0zObwxUpo - please check it manually
My web server is (include version): Apache
Hi,
So I have set up Letsencrypt on a number of Linux servers now, and I have never had this issue before. I’m using the GetSSL ACME client.
As a test domain I’m using wallbee.nhl.dk - and the getssl client issues the challenge token and stores the token file just fine, however when it asks letsencrypt to confirm it, letsencrypt fails with getssl: for some reason could not reach http://wallbee.nhl.dk/.well-known/acme-challenge/OwQNDbPCBrR3Sloh56qZkFee5LFAJb1JNC0zObwxUpo
The URL works just fine, I have tried from several computers in different locations and the DNS record has existed for 4-5 days now…
How can I debug further why the Letsencrypt service is unable to hit my challenge URL?
/Haggren
Hi @haggren
haggren:
ACME Client: GetSSL
what's the error message? Checking your domain (via https://check-your-website.server-daten.de/?q=wallbee.nhl.dk ) I don't see a problem.
Your url works, a not-existing file (via /.well-known/acme-challenge) has a 404, no dnssec or CAA problems.
And the content of your validation file looks good - the token, the dot and a hash value with the correct length.
PS: Is there an order url? Something like
https://acme-v02.api.letsencrypt.org/acme/order/yourAccount/yourOrder
This is helpful to get the correct error message.
Hi Jurgen,
Thanks for your participation - I completely agree. I don’t see anything that should be wrong, I mean the URL it reports that it cannot visit works fine and the response is correct.
The only difference between this server and the 4 others I have running is that it is located in another public IP subnet AND that it has a Cisco ASA firewall in front, however the ports (http/80 + https/443) are opened and working.
What do you mean by order URL? In my getssl conf I only have the following conf items:
CA="https://acme-v01.api.letsencrypt.org"
#AGREEMENT="https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
# Set an email address associated with your account - generally set at account level rather than domain.
#ACCOUNT_EMAIL="me@example.com"
ACCOUNT_KEY_LENGTH=4096
ACCOUNT_KEY="/home/letsencrypt/.getssl/account.key"
PRIVATE_KEY_ALG="rsa"
#REUSE_PRIVATE_KEY="true"
# The command needed to reload apache / nginx or whatever you use
#RELOAD_CMD=""
# The time period within which you want to allow renewal of a certificate
# this prevents hitting some of the rate limits.
RENEW_ALLOW="30"
# Define the server type. This can be https, ftp, ftpi, imap, imaps, pop3, pop3s, smtp,
# smtps_deprecated, smtps, smtp_submission, xmpp, xmpps, ldaps or a port number which
# will be checked for certificate expiry and also will be checked after
# an update to confirm correct certificate is running (if CHECK_REMOTE) is set to true
SERVER_TYPE="https"
CHECK_REMOTE="true"
# Use the following 3 variables if you want to validate via DNS
#VALIDATE_VIA_DNS="true"
#DNS_ADD_COMMAND=
#DNS_DEL_COMMAND=
_az
January 8, 2019, 9:16am
If you are behind NAT or anything like that, then disabling getssl’s preflight check may help. Add to the config file above:
SKIP_HTTP_TOKEN_CHECK="true"
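What getssl's preflight check actually does, and why a server behind NAT can fail it while the outside world succeeds, is easier to see in code. The script below is an added example, not part of this thread and not getssl's own code. It builds the key authorization that the challenge file must contain (the token, a dot, and the base64url SHA-256 thumbprint of the account key, which is the "hash value with the correct length" Jurgen mentions), then runs the same fetch-and-compare check with a pluggable fetcher so the NAT hairpin case can be reproduced offline. The domain and token are the ones quoted above; the account JWK is a constructed placeholder, not a real key, and `preflight`, `webroot_fetcher` and `hairpin_blackhole` are names chosen here for illustration.

```python
import base64
import hashlib
import json
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

# Values from the thread plus a constructed stand-in for the account key.
DOMAIN = "wallbee.nhl.dk"
TOKEN = "OwQNDbPCBrR3Sloh56qZkFee5LFAJb1JNC0zObwxUpo"
FAKE_ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "placeholder-not-a-real-modulus"}

Fetcher = Callable[[str], Tuple[int, str]]


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Exact body the challenge file must serve for HTTP-01: token '.' thumbprint."""
    return f"{token}.{jwk_thumbprint(jwk)}"


# Token, dot, 43-char base64url SHA-256: the shape check Jurgen describes.
KEYAUTHZ_SHAPE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]{43}$")


def looks_like_key_authorization(body: str) -> bool:
    """Shape only; this cannot tell whether the thumbprint matches *your* account key."""
    return KEYAUTHZ_SHAPE.match(body.strip()) is not None


def challenge_url(domain: str, token: str) -> str:
    return f"http://{domain}/.well-known/acme-challenge/{token}"


def urllib_fetch(url: str, timeout: float = 10.0) -> Tuple[int, str]:
    """Real fetcher with a short timeout, so a NAT black hole fails fast instead of hanging."""
    req = urllib.request.Request(url, headers={"User-Agent": "preflight-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def preflight(domain: str, token: str, jwk: dict, fetch: Fetcher) -> Tuple[str, str]:
    """Fetch the challenge URL and compare it with the expected key authorization.
    Returns (verdict, detail); verdict is ok, unreachable, http_error or mismatch."""
    url = challenge_url(domain, token)
    expected = key_authorization(token, jwk)
    try:
        status, body = fetch(url)
    except OSError as exc:  # TimeoutError and socket errors are OSError subclasses
        return "unreachable", f"{url}: {exc!r}"
    if status != 200:
        return "http_error", f"{url}: HTTP {status}"
    if body.strip() != expected:
        return "mismatch", f"{url}: got {body.strip()[:60]!r}, expected {expected!r}"
    return "ok", url


def webroot_fetcher(files: Dict[str, str]) -> Fetcher:
    """Offline stand-in for the web server: serves a dict of path -> content."""
    def fetch(url: str) -> Tuple[int, str]:
        path = "/" + url.split("/", 3)[3]  # strip scheme and host
        return (200, files[path]) if path in files else (404, "Not Found")
    return fetch


def hairpin_blackhole(url: str) -> Tuple[int, str]:
    """Models a host behind NAT that cannot reach its own public IP: the
    connection attempt never completes and the client eventually times out."""
    raise TimeoutError("connection to public IP timed out from inside the NAT")


if __name__ == "__main__":
    path = "/.well-known/acme-challenge/" + TOKEN
    correct = {path: key_authorization(TOKEN, FAKE_ACCOUNT_JWK) + "\n"}
    scenarios = [
        ("seen from outside", webroot_fetcher(correct)),
        ("seen from inside the NAT", hairpin_blackhole),
        ("file missing", webroot_fetcher({})),
    ]
    for name, fetcher in scenarios:
        print(f"{name:28s} -> {preflight(DOMAIN, TOKEN, FAKE_ACCOUNT_JWK, fetcher)}")
```

Run as-is it prints the three offline scenarios; pass `urllib_fetch` to `preflight` to check a live server. The point of the "inside the NAT" case is that the verdict is `unreachable` even though the file is correctly served, which is exactly the situation in which SKIP_HTTP_TOKEN_CHECK makes sense: the check is running from the wrong vantage point, not detecting a real fault. The short timeout in `urllib_fetch` is the fix for the long hang Haggren reports later in the thread.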
If you create a new order, the ACME server sends an order url. It's possible to visit this url with a browser.
There the authorizations are listed. And - if the challenge fails - the exact reason why Letsencrypt can't verify your domain name.
Certbot has a protocol where this order url is listed.
So if a client doesn't show the exact reason, the order url helps.
Thanks for the clarification
SKIP_HTTP_TOKEN_CHECK="true" did the trick. The script still takes a long time (a call to openssl needs to time out I guess) but eventually it gets through. I will investigate this setting further. Thanks for your help.
system
Closed
February 7, 2019, 5:46pm
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.