Manual renewal fails: The ACME server was probably unable to reach


#1

Hi,

Today I tried to renew my certificate (I do this manually and succeeded before) and I get an error:
The ACME server was probably unable to reach http:///.well-known/acme-challenge/Xf_2llzigIDLKLa_6gEEirsvOPJ-URPM55S9J8oOMg

If I copy this url in my browser I get the content.

In the Apache log I also see that one of the servers gets the file:

66.133.109.36) - - [09/Sep/2017:17:35:22 +0200] “GET /.well-known/acme-challenge/_Xf_2llzigIDLKLa_6gEEirsvOPJ-URPM55S9J8oOMg HTTP/1.1” 200 87

Can someone help please?

Regards,
Jos


#2

What ACME client are you using?

“The ACME server was probably unable to reach …” is not an error that’s produced by the CA server, so it’ll likely be something coming from your ACME client. It’s probably a catch-all for all errors, so it’s hard to say what the issue is. If your ACME client shows the original error message, or logs them somewhere, or has a verbose/debug option, please post that output.


#3

Hi Patrick,

Thanks for taking this up.

I am on a Windows 10 machine and the only output I have is from the CMD box:

Let’s Encrypt (Simple Windows ACME Client)
Renewal Period: 60
Certificate Store: WebHosting

ACME Server: https://acme-v01.api.letsencrypt.org/
Config Folder: C:\Users\Jos\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org
Certificate Folder: C:\Users\Jos\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org
Loading Signer from C:\Users\Jos\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\Signer

Getting AcmeServerDirectory
Loading Registration from C:\Users\Jos\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\Registration

Scanning IIS Site Bindings for Hosts
IIS Version not found in windows registry. Skipping scan.
No targets found.

W: Generate a certificate via WebDav and install it manually.
F: Generate a certificate via FTP/ FTPS and install it manually.
M: Generate a certificate manually.
A: Get certificates for all hosts
Q: Quit
Which host do you want to get a certificate for: M
Enter a host name: a83-162-188-119.adsl.xs4all.nl
Enter a site path (the web root of the host for http authentication): c:\Apache24\htdocs

Authorizing Identifier a83-162-188-119.adsl.xs4all.nl Using Challenge Type http-01
Writing challenge answer to c:\Apache24\htdocs.well-known/acme-challenge/Xf_2llzigIDLKLa_6gEEirsvOPJ-URPM55S9J8oOMg
Answer should now be browsable at http://a83-162-188-119.adsl.xs4all.nl/.well-known/acme-challenge/Xf_2llzigIDLKLa_6gEEirsvOPJ-URPM55S9J8oOMg
Submitting answer
Refreshing authorization
Authorization Result: invalid

******************************************************************************
The ACME server was probably unable to reach http://a83-162-188-119.adsl.xs4all.nl/.well-known/acme-challenge/Xf_2llzigIDLKLa_6gEEirsvOPJ-URPM55S9J8oOMg

Check in a browser to see if the answer file is being served correctly.


#4

There is a missing slash here between htdocs and .well-known, which suggests that maybe with this particular client you need to specify the webroot path with a trailing slash, like c:\Apache24\htdocs\ instead of c:\Apache24\htdocs. However, I would consider that a bug in the client if so. :slight_smile:


#5

(Because programmers should generally combine directory paths using a path join function rather than via simple string concatenation.)


#6

I see that I copied the webroot input incompletely from the output. I entered:
Enter a site path (the web root of the host for http authentication): c:\Apache24\htdocs\

The specified URL gets you to the challenge file.

As for my level of experience, consider me just a dummy who needs a certificate for his website.


#7

I downloaded version 1.9.4.3 of https://github.com/Lone-Coder/letsencrypt-win-simple.

Now the output looks like:

[INFO] Let’s Encrypt (Simple Windows ACME Client)
[INFO] version 1.9.4.37724 (RELEASE)
[INFO] Please report issues at https://github.com/Lone-Coder/letsencrypt-win-simple

[INFO] Renewal period: 60
[INFO] Certificate store: WebHosting
[INFO] ACME Server: https://acme-v01.api.letsencrypt.org/
[WARN] IIS version not found in windows registry. Skipping scan.
[WARN] No targets found.
W: Generate a certificate via WebDav and install it manually.
F: Generate a certificate via FTP/ FTPS and install it manually.
M: Generate a certificate manually.
Q: Quit

Choose from one of the menu options above: M

Enter a host name: a83-162-188-119.adsl.xs4all.nl

Enter a site path (the web root of the host for http authentication): c:\Apache24\htdocs\

[INFO] Authorizing identifier a83-162-188-119.adsl.xs4all.nl using http-01 challenge
[INFO] Answer should now be browsable at http://a83-162-188-119.adsl.xs4all.nl/.well-known/acme-challenge/JGhmVpiUXoNKU0zA4XE8DrFskk-3_gkza8EpCkKiWLA
[INFO] Authorization result: invalid
[EROR] ACME server reported type urn:acme:error:connection
[EROR] ACME server reported detail CAA record for a83-162-188-119.adsl.xs4all.nl prevents issuance
[EROR] ACME server reported status 400
[EROR] Exception Er is een uitzondering opgetreden van het type LetsEncrypt.ACME.Simple.AuthorizationFailedException.


#8

XS4ALL has chosen to prevent all but two CAs from issuing certificates for that domain, and neither of them is Let’s Encrypt.

$ dig +short xs4all.nl caa
0 issue "comodoca.com"
0 issue "symantec.com"

https://letsencrypt.org/docs/caa/

You can take care of that if you’re able to change the CAA records for xs4all.nl, adsl.xs4all.nl or a83-162-188-119.adsl.xs4all.nl.

Otherwise, you’ll have to discuss it with XS4ALL, or use a different domain.

:sweat:
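Working through the CAA rule explained above, as an added example (not from the thread or from letsencrypt-win-simple): an offline Python check that walks up the name tree the way the RFC 6844/8659 lookup does, using constructed records modelled on the dig output quoted above instead of live DNS. It also handles wildcard names and the ";" value that authorises no CA at all, which goes beyond the thread's own case.

```python
"""Offline CAA authorisation check (RFC 6844 / RFC 8659 lookup rule).

Walks from the requested name up towards the root and uses the CAA RRset
of the closest owner that has one.  Records come from a constructed dict
instead of live DNS so the example runs without network access.
"""

# Constructed sample zone data modelled on the dig output in the thread.
# Key: owner name; value: list of (flags, tag, value) CAA records.
SAMPLE_CAA = {
    "xs4all.nl": [(0, "issue", "comodoca.com"), (0, "issue", "symantec.com")],
}


def relevant_caa_rrset(name, records):
    """Return (owner, rrset) governing `name`: the name itself or its
    closest ancestor that has any CAA records; (None, []) if there is none."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        rrset = records.get(owner)
        if rrset:
            return owner, rrset
    return None, []


def ca_may_issue(name, ca_domain, records, wildcard=False):
    """True if `ca_domain` is authorised to issue for `name`.

    No relevant CAA RRset at all means any CA may issue.  Otherwise the
    'issue' values apply ('issuewild' takes precedence for wildcard names
    when present).  A value of ';' authorises nobody.  Parameters after a
    ';' are ignored; only the CA domain is compared, case-insensitively.
    """
    _, rrset = relevant_caa_rrset(name, records)
    if not rrset:
        return True
    tag = "issuewild" if wildcard and any(r[1] == "issuewild" for r in rrset) else "issue"
    allowed = [r[2].split(";")[0].strip().lower() for r in rrset if r[1] == tag]
    if not allowed:          # CAA present but silent on this tag: unrestricted
        return True
    return ca_domain.lower() in allowed


if __name__ == "__main__":
    host = "a83-162-188-119.adsl.xs4all.nl"
    owner, rrset = relevant_caa_rrset(host, SAMPLE_CAA)
    print(f"relevant CAA RRset for {host} is at {owner}: {rrset}")
    print("letsencrypt.org may issue:", ca_may_issue(host, "letsencrypt.org", SAMPLE_CAA))
```

Adding an `issue "letsencrypt.org"` record at the host, at adsl.xs4all.nl or at xs4all.nl changes the answer, which is exactly the choice of zones the reply above lists.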


#9

Hi Matt,

Thanks for explaining.

Since I am just a customer at XS4ALL I have to start to discuss with XS4ALL.

Regards,
Jos


#10

Maybe you can get a dynamic DNS type FQDN to work.


#11

Thanks Rudy,

But this is going beyond my (limited) knowledge.

Regards,
Jos


#12

Hi Matt,

The people at XS4ALL helped me out and adjusted the CAA records.
Great.
Thank you once again for pointing in that direction.

Regards,
Jos
