Letsencrypt is for some reason unable to reach the challenge token URL


#1

My domain is: wallbee.nhl.dk (for testing)
ACME Client: GetSSL
output: getssl: for some reason could not reach http://wallbee.nhl.dk/.well-known/acme-challenge/OwQNDbPCBrR3Sloh56qZkFee5LFAJb1JNC0zObwxUpo - please check it manually
My web server is (include version): Apache

Hi,

So I have set up Letsencrypt on a number of Linux servers now, and I have never had this issue before. I’m using the GetSSL ACME client.

As a test domain I’m using wallbee.nhl.dk - and the getssl client issues the challange token and stores the token fil just fine, however when it asks letsencrypt to confirm it, letsencrypt fails with getssl: for some reason could not reach http://wallbee.nhl.dk/.well-known/acme-challenge/OwQNDbPCBrR3Sloh56qZkFee5LFAJb1JNC0zObwxUpo

THe URL works just fine, I have tried from several computers on different locations and the DNS record has existed for 4-5 days now…

How can I debug further with the Letsencrypt service is unable to hit my challange URL ?

/Haggren


#2

Hi @haggren

what’s the error message? Checking your domain (via https://check-your-website.server-daten.de/?q=wallbee.nhl.dk ) I don’t see a problem.

Your url works, a not-existing file (via /.well-known/acme-challenge) has a 404, no dnssec or CAA problems.

And the content of your validation file looks good - the token, the dot and a hash value with the correct length.

PS: Is there an order url? Something like

https://acme-v02.api.letsencrypt.org/acme/order/yourAccount/yourOrder

This is helpful to get the correct error message.


#3

Hi Jurgen,

Thanks for your participation - I completely agree. I don’t see anything should be wrong, I mean the URL it reports that it cannot visit works fine and the response is correct.

The only difference between this server and the 4 others I have running is that it located in another Public IP subnet AND that it has a Cisco ASA firewall in front, however the ports (http/80 + https/443) are opened and working.

What do you mean by order URL ? In my getssl conf I only have the following conf items:

CA=“https://acme-v01.api.letsencrypt.org

#AGREEMENT=“https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf

Set an email address associated with your account - generally set at account level rather than domain.

#ACCOUNT_EMAIL=“me@example.com”
ACCOUNT_KEY_LENGTH=4096
ACCOUNT_KEY="/home/letsencrypt/.getssl/account.key"
PRIVATE_KEY_ALG=“rsa”
#REUSE_PRIVATE_KEY=“true”

The command needed to reload apache / nginx or whatever you use

#RELOAD_CMD=""

The time period within which you want to allow renewal of a certificate

this prevents hitting some of the rate limits.

RENEW_ALLOW=“30”

Define the server type. This can be https, ftp, ftpi, imap, imaps, pop3, pop3s, smtp,

smtps_deprecated, smtps, smtp_submission, xmpp, xmpps, ldaps or a port number which

will be checked for certificate expiry and also will be checked after

an update to confirm correct certificate is running (if CHECK_REMOTE) is set to true

SERVER_TYPE=“https”
CHECK_REMOTE=“true”

Use the following 3 variables if you want to validate via DNS

#VALIDATE_VIA_DNS=“true”
#DNS_ADD_COMMAND=
#DNS_DEL_COMMAND=


#4

If you are behind NAT or anything like that, then disabling getssl’s preflight check may help. Add to the config file above:

SKIP_HTTP_TOKEN_CHECK="true"

#5

If you create a new order, the ACME server sends an order url. It’s possible to visit this url with a browser.

There are the authorizations listet. And - if the challenge fails - the exact reason why Letsencrypt can’t verify your domain name.

Certbot has a protocol where this order url is listed.

So if a client doesn’t show the exact reason, the order url helps.


#6

Thanks for the clarification


#7

SKIP_HTTP_TOKEN_CHECK=“true” did the trick. The script still takes a long time (a call to openssl needs to time out I guess) but eventually it gets through. I will investigate this setting further. Thanks for your help.


closed #8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.