Need fail count reset

I was attempting to use letsencrypt for cyanpages.info www.cyanpages.info lists.cyanpages.info and ldap.cyanpages.info but the dns challenge failed. I tried again for just www.cyanpages.info lists.cyanpages.info because I am sure those addresses work and the dns challenge still failed.

I am here to verify my domains and my fail count reset and get my certs. Would you like an email from my registrar to confirm that I have cyanpages.info? Would that be good enough authentication?

What was the error message you got? If you ran into the “Failed Validation” rate limit, waiting one hour will resolve this. There’s no way to expedite this process.

More details about the rate limits can be found here. I would recommend using the staging environment for further testing.

We’d be happy to help you determine why the DNS authorizations are failing. Could you describe the steps you took?

If you hit the too many failed authorizations limit, you’ll have to wait for that to expire after an hour - this cannot be reset manually. Using the staging environment while you test is the best route. Which client are you using? Certbot has the --staging flag for this purpose.

As for email verification, that is not an available challenge type for Let’s Encrypt. The allowable challenges are http-01 (webroot, placing a specific file in a directory on your web server), dns-01 (creating a specific TXT record), and tls-sni-01 (the most complex, serves a specific dummy certificate in response to a specific SNI request.)

I was following the Upcloud guide and I was using the apache method because I am running an apache web server: https://www.upcloud.com/support/install-lets-encrypt-apache/ So it must have been using the default verification method. I was running the command on the server with the public address.

It looks like I can’t upload the log file because I am “a new user”. I will paste the part that seems relevant.


HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1504
Link: https://acme-v01.api.letsencrypt.org/acme/new-cert;rel="next"
Replay-Nonce: d1-5YZo7KgQYqQtABdcEsYUuCpADL4l4L0iZmyGGhLI
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Thu, 30 Nov 2017 18:29:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 30 Nov 2017 18:29:25 GMT
Connection: keep-alive

{
“identifier”: {
“type”: “dns”,
“value”: “cyanpages.info”
},
“status”: “invalid”,
“expires”: “2017-12-07T18:29:13Z”,
“challenges”: [
{
“type”: “dns-01”,
“status”: “pending”,
“uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/s6DbhOty8cky5zoqKF9kIeOPgm-czpbqkEncUsBdFZo/2606376914”,
“token”: “pUOGjUOnyM6i82tNNmbUCUk2vFYgiDEU4ulzMdrwLAo”
},
{
“type”: “http-01”,
“status”: “pending”,
“uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/s6DbhOty8cky5zoqKF9kIeOPgm-czpbqkEncUsBdFZo/2606376918”,
“token”: “XYtFc9bMglROrBSVG9XDQedI8xgqts0Fkh1sAPR3HBM”
},
{
“type”: “tls-sni-01”,
“status”: “invalid”,
“error”: {
“type”: “urn:acme:error:connection”,
“detail”: “Timeout”,
“status”: 400
},
“uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/s6DbhOty8cky5zoqKF9kIeOPgm-czpbqkEncUsBdFZo/2606376919”,
“token”: “YrLD66TUSXBViQPIq5lmq8ioEasxQXs7oec38GolVSg”,
“keyAuthorization”: “YrLD66TUSXBViQPIq5lmq8ioEasxQXs7oec38GolVSg.WW-_Q-C95z2AuzlX-yVwDgxdBYR55WPvGqNTft-INsI”,
“validationRecord”: [
{
“hostname”: “cyanpages.info”,
“port”: “443”,
“addressesResolved”: [
“162.255.119.156”
],
“addressUsed”: “162.255.119.156”,
“addressesTried”: []
}
]
}
],
“combinations”: [
[
1
],
[
2
],
[
0
]
]
}
2017-11-30 18:29:25,405:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: cyanpages.info
Type: connection
Detail: Timeout

Domain: www.cyanpages.info
Type: connection
Detail: Timeout

To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you’re using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
2017-11-30 18:29:25,405:INFO:certbot.auth_handler:Cleaning up challenges
2017-11-30 18:29:25,714:DEBUG:certbot.main:Exiting abnormally:
Traceback (most recent call last):
File “/usr/bin/letsencrypt”, line 11, in <module>
load_entry_point(‘certbot==0.10.2’, ‘console_scripts’, ‘certbot’)()
File “/usr/lib/python2.7/dist-packages/certbot/main.py”, line 849, in main
return config.func(config, plugins)
File “/usr/lib/python2.7/dist-packages/certbot/main.py”, line 575, in run
action, lineage = _auth_from_available(le_client, config, domains, certname)
File “/usr/lib/python2.7/dist-packages/certbot/main.py”, line 107, in _auth_from_available
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File “/usr/lib/python2.7/dist-packages/certbot/client.py”, line 291, in obtain_and_enroll_certificate
certr, chain, key, _ = self.obtain_certificate(domains)
File “/usr/lib/python2.7/dist-packages/certbot/client.py”, line 262, in obtain_certificate
self.config.allow_subset_of_names)
File “/usr/lib/python2.7/dist-packages/certbot/auth_handler.py”, line 77, in get_authorizations
self._respond(resp, best_effort)
File “/usr/lib/python2.7/dist-packages/certbot/auth_handler.py”, line 134, in _respond
self._poll_challenges(chall_update, best_effort)
File “/usr/lib/python2.7/dist-packages/certbot/auth_handler.py”, line 198, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. cyanpages.info (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout, www.cyanpages.info (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout

Very good info! So, first off, you are not using the DNS challenge. You are using the default for the Apache plugin, which is tls-sni-01. This challenge type operates over port 443 (the HTTPS port), but your server is not responding on that port. Do you have any firewalls enabled that might be blocking this traffic?
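The reading of the log in the reply above, as an added example (not part of the original posts and not Certbot's own code): a short Python parser that reports which challenge in an ACME v1 authorization object the CA actually attempted, as opposed to merely offered. The sample JSON is constructed to mirror the shape of the object pasted in the thread; the domain, address and tokens are placeholders.

```python
import json

# Constructed sample modelled on the ACME v1 authorization object in the
# thread; domain, address and tokens are placeholders, not real values.
SAMPLE_AUTHZ = """
{
  "identifier": {"type": "dns", "value": "example.test"},
  "status": "invalid",
  "challenges": [
    {"type": "dns-01", "status": "pending", "token": "PLACEHOLDER-1"},
    {"type": "http-01", "status": "pending", "token": "PLACEHOLDER-2"},
    {"type": "tls-sni-01", "status": "invalid",
     "error": {"type": "urn:acme:error:connection", "detail": "Timeout", "status": 400},
     "validationRecord": [
       {"hostname": "example.test", "port": "443",
        "addressesResolved": ["192.0.2.10"], "addressUsed": "192.0.2.10"}
     ]}
  ]
}
"""

def attempted_challenges(authz):
    """Return one summary dict per challenge the CA actually tried.

    Challenges still "pending" were only offered, never attempted, so the
    presence of "dns-01" in the list does not mean DNS validation was used.
    """
    results = []
    for chall in authz.get("challenges", []):
        if chall.get("status") == "pending":
            continue
        error = chall.get("error") or {}
        records = chall.get("validationRecord") or [{}]
        rec = records[-1]  # last address the validator contacted
        results.append({
            "domain": authz["identifier"]["value"],
            "challenge": chall["type"],
            "status": chall["status"],
            "error": error.get("type", "").rsplit(":", 1)[-1] or None,
            "detail": error.get("detail"),
            "port": rec.get("port"),
            "address": rec.get("addressUsed"),
        })
    return results

def summarize(authz_json):
    """Parse an authorization JSON string and summarize attempted challenges."""
    return attempted_challenges(json.loads(authz_json))

if __name__ == "__main__":
    for row in summarize(SAMPLE_AUTHZ):
        print(row)
```

The port and address in the result are what to compare against the server's firewall rules and the domain's A record.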

I didn’t tell the server to listen on port 443 because I don’t have a TLS certificate to serve on the port yet.

Certbot will automatically configure Apache to listen here and apply the dummy certificate to send, but the server needs to be accessible on this port. You should go ahead and open up the firewall for 443, as well as put in place any port forwarding necessary.

When is the next time I should even attempt to execute certbot again and expect it to not be at the limit?

Port 443 is open and apache is listening, but I had the following error. I ran the following command.

letsencrypt --apache -d cyanpages.info -d www.cyanpages.info -d lists.cyanpages.info --staging

2017-11-30 20:54:24,585:DEBUG:root:Sending GET request to https://acme-staging.api.letsencrypt.org/acme/authz/Wf3PEen90hdibVMosTAuWq3f3wRhkJ2BYKVljK2UnNI.
2017-11-30 20:54:24,653:DEBUG:requests.packages.urllib3.connectionpool:https://acme-staging.api.letsencrypt.org:443 “GET /acme/authz/Wf3PEen90hdibVMosTAuWq3f3wRhkJ2BYKVljK2UnNI HTTP/1.1” 200 1510
2017-11-30 20:54:24,654:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1510
Link: https://acme-staging.api.letsencrypt.org/acme/new-cert;rel="next"
Replay-Nonce: kVyAQpKmMTgm0tgTZZKk8k_E7c7PmJPUDQ-W6N8QZAo
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Thu, 30 Nov 2017 20:54:24 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 30 Nov 2017 20:54:24 GMT
Connection: keep-alive

{
“identifier”: {
“type”: “dns”,
“value”: “cyanpages.info”
},
“status”: “invalid”,
“expires”: “2017-12-07T20:52:24Z”,
“challenges”: [
{
“type”: “http-01”,
“status”: “pending”,
“uri”: “https://acme-staging.api.letsencrypt.org/acme/challenge/Wf3PEen90hdibVMosTAuWq3f3wRhkJ2BYKVljK2UnNI/80196866”,
“token”: “t50wm3u_7mB6n2f9Uz0jmWqC6DflQtQ8V08mQ77FG4I”
},
{
“type”: “dns-01”,
“status”: “pending”,
“uri”: “https://acme-staging.api.letsencrypt.org/acme/challenge/Wf3PEen90hdibVMosTAuWq3f3wRhkJ2BYKVljK2UnNI/80196867”,
“token”: “aXIMytByBWU6-F2VEUkiJA2F5HCsCGsPmrc50HP0Naw”
},
{
“type”: “tls-sni-01”,
“status”: “invalid”,
“error”: {
“type”: “urn:acme:error:connection”,
“detail”: “Timeout”,
“status”: 400
},
“uri”: “https://acme-staging.api.letsencrypt.org/acme/challenge/Wf3PEen90hdibVMosTAuWq3f3wRhkJ2BYKVljK2UnNI/80196868”,
“token”: “xtLYDLJ1VFWeGelNiX7MwUDESnlQzlv2tD1ZrOMZMco”,
“keyAuthorization”: “xtLYDLJ1VFWeGelNiX7MwUDESnlQzlv2tD1ZrOMZMco.KGDbIOOY2mu1cwmIfouqkXmQrB97O-v_AV6taz-gbq0”,
“validationRecord”: [
{
“hostname”: “cyanpages.info”,
“port”: “443”,
“addressesResolved”: [
“162.255.119.156”
],
“addressUsed”: “162.255.119.156”,
“addressesTried”: []
}
]
}
],
“combinations”: [
[
0
],
[
1
],
[
2
]
]
}
2017-11-30 20:54:24,655:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: cyanpages.info
Type: connection
Detail: Timeout

To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you’re using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
2017-11-30 20:54:24,655:INFO:certbot.auth_handler:Cleaning up challenges
2017-11-30 20:54:24,975:DEBUG:certbot.main:Exiting abnormally:
Traceback (most recent call last):
File “/usr/bin/letsencrypt”, line 11, in <module>
load_entry_point(‘certbot==0.10.2’, ‘console_scripts’, ‘certbot’)()
File “/usr/lib/python2.7/dist-packages/certbot/main.py”, line 849, in main
return config.func(config, plugins)
File “/usr/lib/python2.7/dist-packages/certbot/main.py”, line 575, in run
action, lineage = _auth_from_available(le_client, config, domains, certname)
File “/usr/lib/python2.7/dist-packages/certbot/main.py”, line 107, in _auth_from_available
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File “/usr/lib/python2.7/dist-packages/certbot/client.py”, line 291, in obtain_and_enroll_certificate
certr, chain, key, _ = self.obtain_certificate(domains)
File “/usr/lib/python2.7/dist-packages/certbot/client.py”, line 262, in obtain_certificate
self.config.allow_subset_of_names)
File “/usr/lib/python2.7/dist-packages/certbot/auth_handler.py”, line 77, in get_authorizations
self._respond(resp, best_effort)
File “/usr/lib/python2.7/dist-packages/certbot/auth_handler.py”, line 134, in _respond
self._poll_challenges(chall_update, best_effort)
File “/usr/lib/python2.7/dist-packages/certbot/auth_handler.py”, line 198, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. cyanpages.info (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout

I have a cert now. Thank you for your help.
