Letsencrypt V2: impossible to set up

Hello,

I had some letsencrypt certificates with acme-client, and since August 2021 it does not work any more.

I read that I had to try another client, I tested acme.sh and certbot, but they both produce the same errors as far as the challenging part is concerned.

However, I am able to access the folder (that is an alias:

Alias /.well-known/acme-challenge /usr/local/www/acme
<Directory /usr/local/www/acme>
    Require all granted
</Directory>

)

http://www.cogidis.com/.well-known/acme-challenge/test.txt is readable, it makes me think that certbot does not generate the challenge.

Now, I made too many attempts and my domain is blocked, I do not even know how to use the test platform not to be blocked. I can try with another domain, but then I will have the same problem.

Please help!

Jérôme.


2021-08-18 16:26:52,980:DEBUG:certbot._internal.main:certbot version: 1.16.0
2021-08-18 16:26:52,980:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/local/bin/certbot
2021-08-18 16:26:52,980:DEBUG:certbot._internal.main:Arguments: ['--webroot']
2021-08-18 16:26:52,980:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-08-18 16:26:52,996:DEBUG:certbot._internal.log:Root logging level set at 30
2021-08-18 16:26:52,997:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
2021-08-18 16:26:53,000:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
Initialized: <certbot._internal.plugins.webroot.Authenticator object at 0x809634bb0>
Prep: True
2021-08-18 16:26:53,000:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.webroot.Authenticator object at 0x809634bb0> and installer None
2021-08-18 16:26:53,000:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2021-08-18 16:26:53,004:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/166750370', new_authzr_uri=None, terms_of_service=None), 39cdde53a56fa8726f50247386372447, Meta(creation_dt=datetime.datetime(2021, 8, 18, 13, 57, 23, tzinfo=), creation_host='ns1.cogidis.com', register_to_eff=None))>
2021-08-18 16:26:53,004:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2021-08-18 16:26:53,006:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2021-08-18 16:26:53,545:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2021-08-18 16:26:53,545:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 18 Aug 2021 14:26:54 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"G1e2W0chOyM": "Adding random entries to the directory",
"keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
"website": "https://letsencrypt.org"
},
"newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
"revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2021-08-18 16:26:53,546:DEBUG:certbot.display.ops:No installer, picking names manually
2021-08-18 16:27:02,177:DEBUG:certbot.display.util:Notifying user: Requesting a certificate for www.cogidis.com
2021-08-18 16:27:02,355:DEBUG:certbot.crypto_util:Generating RSA key (2048 bits): /usr/local/etc/letsencrypt/keys/0006_key-certbot.pem
2021-08-18 16:27:02,358:DEBUG:certbot.crypto_util:Creating CSR: /usr/local/etc/letsencrypt/csr/0006_csr-certbot.pem
2021-08-18 16:27:02,359:DEBUG:acme.client:Requesting fresh nonce
2021-08-18 16:27:02,359:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2021-08-18 16:27:02,502:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2021-08-18 16:27:02,503:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 18 Aug 2021 14:27:03 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 0002avqvOmXc0gaNoaTCWnRE2sPcO7f5FycEB5JVDmWBsXo
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

2021-08-18 16:27:02,503:DEBUG:acme.client:Storing nonce: 0002avqvOmXc0gaNoaTCWnRE2sPcO7f5FycEB5JVDmWBsXo
2021-08-18 16:27:02,503:DEBUG:acme.client:JWS payload:
b'{\n "identifiers": [\n {\n "type": "dns",\n "value": "www.cogidis.com"\n }\n ]\n}'
2021-08-18 16:27:02,505:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTY2NzUwMzcwIiwgIm5vbmNlIjogIjAwMDJhdnF2T21YYzBnYU5vYVRDV25SRTJzUGNPN2Y1RnljRUI1SlZEbVdCc1hvIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9uZXctb3JkZXIifQ",
"signature": "Qy6HQCerXJL5YlL48N78vkGgsPZrtaEdSrJ571F-WC3QOwu-P2owkVnXPnVZYkZg-aM8zsP32dxI6HNSnEEq_YtfA65Mb2l3__wj1ubdVeTTKrxIp3SCc4EWkKOBZbrCcokBaIuZIW1KraddGMJGSbKmKhX24aJH6577XW1xNxsyqzrMwLn6FP1EZxOHTuPUjXoC6IX0B8uWJ6lKo5QEv8kflYTkTCXYKB8_oWqji0VuEWB8LWt9r3l2VmzXibTcKAky0rvUGW5MWEeSuyAiOYlePLlLyZFa2vf-IMAngpZkclhlMvn-rs2RCeI6jXfhdwZpuV8MzA9ljbzfQzIqOw",
"payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogInd3dy5jb2dpZGlzLmNvbSIKICAgIH0KICBdCn0"
}
2021-08-18 16:27:02,826:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 429 201
2021-08-18 16:27:02,826:DEBUG:acme.client:Received response:
HTTP 429
Server: nginx
Date: Wed, 18 Aug 2021 14:27:04 GMT
Content-Type: application/problem+json
Content-Length: 201
Connection: keep-alive
Boulder-Requester: 166750370
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 0001iEGDRm3BDe7kvhJZW4HWtrurilroCw-yifIG1FCBRYk

{
"type": "urn:ietf:params:acme:error:rateLimited",
"detail": "Error creating new order :: too many failed authorizations recently: see Rate Limits - Let's Encrypt",
"status": 429
}
2021-08-18 16:27:02,826:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/local/bin/certbot", line 33, in
sys.exit(load_entry_point('certbot==1.16.0', 'console_scripts', 'certbot')())
File "/usr/local/lib/python3.8/site-packages/certbot/main.py", line 15, in main
return internal_main.main(cli_args)
File "/usr/local/lib/python3.8/site-packages/certbot/_internal/main.py", line 1552, in main
return config.func(config, plugins)
File "/usr/local/lib/python3.8/site-packages/certbot/_internal/main.py", line 1414, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File "/usr/local/lib/python3.8/site-packages/certbot/_internal/main.py", line 128, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/usr/local/lib/python3.8/site-packages/certbot/_internal/client.py", line 445, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File "/usr/local/lib/python3.8/site-packages/certbot/_internal/client.py", line 375, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/usr/local/lib/python3.8/site-packages/certbot/_internal/client.py", line 407, in _get_order_and_authorizations
orderr = self.acme.new_order(csr_pem)
File "/usr/local/lib/python3.8/site-packages/acme/client.py", line 880, in new_order
return cast(ClientV2, self.client).new_order(csr_pem)
File "/usr/local/lib/python3.8/site-packages/acme/client.py", line 658, in new_order
response = self._post(self.directory['newOrder'], order)
File "/usr/local/lib/python3.8/site-packages/acme/client.py", line 86, in _post
return self.net.post(*args, **kwargs)
File "/usr/local/lib/python3.8/site-packages/acme/client.py", line 1198, in post
return self._post_once(*args, **kwargs)
File "/usr/local/lib/python3.8/site-packages/acme/client.py", line 1211, in _post_once
response = self._check_response(response, content_type=content_type)
File "/usr/local/lib/python3.8/site-packages/acme/client.py", line 1068, in _check_response
raise messages.Error.from_json(jobj)
acme.messages.Error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see Rate Limits - Let's Encrypt
2021-08-18 16:27:02,828:ERROR:certbot._internal.log:An unexpected error occurred:
2021-08-18 16:27:02,828:ERROR:certbot._internal.log:There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see Rate Limits - Let's Encrypt

--

My domain is: cogidis.com

I ran this command: certbot certonly --webroot

It produced this output: Detail: Invalid response from http://www.cogidis.com/.well-known/acme-challenge/xKyORbYFEipEcF94yRmTj4ndyLvS2h9-OzYVhWj2LdQ [62.73.5.186]: "\n\n404 Not Found\n\n

Not Found

\n<p"

My web server is (include version): Apache/2.4.48 (FreeBSD)

The operating system my web server runs on is (include version): FreeBSD 11.2-RELEASE-p9

My hosting provider, if applicable, is: dedicated physical server

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.16.0

You hit the ratelimit for failed authorizations - it's 5 per account per name per hour. You'll have to try this again without the ratelimit and share the error, because it is not possible for anyone to help you based on this limit's error information.

That can be done by either:

  1. wait 1 hour, try again
  2. switch to the staging endpoint, which does not share the ratelimit

Well, I finally found the solution on another newsgroup: the problem comes from the apache verification mode.

I tried in standalone mode:

certbot certonly --standalone

It worked at once. No tweak, no weird configuration, it just worked! I do not know, however, the nature of the bug with the apache check. The problem with the standalone mode is that I have to shut down apache... and all the websites at once!

That probably would require a look at your Apache configuration.
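
One check to run before retrying, as an added example that is not part of the thread: certbot's webroot plugin writes each token to `<webroot>/.well-known/acme-challenge/<token>`, so with the Alias from the first post a token is only served if that directory is the Alias target. The webroot path given to certbot is not shown in the thread, so the paths in the usage comments are assumptions, as are the function names.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# webroot_matches_alias WEBROOT ALIAS_TARGET [BASE_URL]
# Writes a probe file where certbot's webroot plugin would write a token,
# then checks that it is visible where the Alias makes Apache look.
# Returns 0 = visible, 1 = not visible (expect a 404), 2 = cannot write.
# Like certbot, it leaves the .well-known/acme-challenge directory in place.
webroot_matches_alias() {
    wm_webroot=$1; wm_alias=$2; wm_url=${3:-}
    wm_probe="preflight-$$"
    wm_dir="$wm_webroot/.well-known/acme-challenge"
    mkdir -p "$wm_dir" || return 2
    printf '%s' "$wm_probe" > "$wm_dir/$wm_probe" || return 2
    wm_rc=0
    # Filesystem view: is the file in the directory the Alias points at?
    [ -f "$wm_alias/$wm_probe" ] || wm_rc=1
    # Optional HTTP view: fetch it the way a validation server would.
    if [ "$wm_rc" -eq 0 ] && [ -n "$wm_url" ]; then
        wm_body=$(curl -fsS "$wm_url/.well-known/acme-challenge/$wm_probe") || wm_rc=1
        [ "$wm_body" = "$wm_probe" ] || wm_rc=1
    fi
    rm -f "$wm_dir/$wm_probe"
    return "$wm_rc"
}

# staging_rehearsal WEBROOT DOMAIN
# --dry-run talks to the staging endpoint, so a failed challenge here does
# not count against the production limit quoted in the reply above.
staging_rehearsal() {
    certbot certonly --webroot -w "$1" -d "$2" --dry-run
}

# Usage (assumed paths; the Alias target is the one from the first post):
#   webroot_matches_alias /usr/local/www/acme /usr/local/www/acme \
#       http://www.cogidis.com || echo "token would 404"
#   staging_rehearsal /usr/local/www/acme www.cogidis.com
```

If the first call returns 1, either point the Alias at `<webroot>/.well-known/acme-challenge` or pass certbot a webroot whose `.well-known/acme-challenge` subdirectory is the Alias target.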
