New cert for SurgeMail - acme_authorize required

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mail.lintons.com

I ran this command: tellmail ssl_update

It produced this output: Got newAccount = https://acme-v02.api.letsencrypt.org/acme/new-acct
Account status: Account found/created https://acme-v02.api.letsencrypt.org/acme/acct/110739176
acme_authorize required for domain lintons.com
Challenge http-01 pending
Created www/.well-known/acme-challenge/aPmKdGQBALg5WAJ3PwIMWxDWQXFHd6ovDApmvJsd8FA
Challenge: error: Invalid response from https://lintons.com/.well-known/acme-challenge/aPmKdGQBALg5WAJ3PwIMWxDWQXFHd6ovDApmvJsd8FA [2606:4700:3035::ac43:8cef]: "\n\n\n\t\n\t

My mail server is (include version): SurgeMail Version 7.4e-1

The operating system my web server runs on is (include version): Fedora Core 23

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Hi and welcome to the LE community forum :slight_smile:

I see two different names:

Some missing/overlooked details:
The IP shown is from CloudFlare
Where you got "tellmail ssl_update" from - and is there a version number?

I opened port 80 and now I'm not getting the error on the mail server. Unfortunately when I try to connect via browser it still complains of a non secured page.

lintons.com: lets//lintons.com/surge_cert.pem
lintons.com: subj(/CN=lintons.com) issued(/CN=lintons.com) Expires Fri Jan 24 00:26:30 2031

That is a self-signed cert that expires in 2031.
Not an LE signed cert.
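An added check for the point made above (example code written for this page, not SurgeMail's code and not from anyone in the thread): it parses the per-domain summary line that tellmail prints and flags a certificate as self-signed when subject and issuer are identical, and as impossible for Let's Encrypt when it expires more than 90 days out, since Let's Encrypt leaf certificates are valid for 90 days. The second sample line, showing what a Let's Encrypt-issued certificate would look like in the same format, and the reference date are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Matches SurgeMail's per-domain certificate summary line, e.g.
#   lintons.com: subj(/CN=lintons.com) issued(/CN=lintons.com) Expires Fri Jan 24 00:26:30 2031
CERT_LINE = re.compile(
    r"^(?P<domain>\S+): subj\((?P<subject>[^)]*)\) issued\((?P<issuer>[^)]*)\) Expires (?P<expires>.+)$"
)

# Let's Encrypt leaf certificates are valid for 90 days, so a certificate that
# expires further out than that from "now" cannot be one of theirs.
MAX_LE_LIFETIME = timedelta(days=90)

# Constructed reference date for the samples below.
NOW_EXAMPLE = datetime(2021, 1, 25, tzinfo=timezone.utc)

# The line from this thread, and a constructed line showing what a Let's Encrypt-issued
# certificate for the same name would look like in the same format.
SAMPLE_SELF_SIGNED = "lintons.com: subj(/CN=lintons.com) issued(/CN=lintons.com) Expires Fri Jan 24 00:26:30 2031"
SAMPLE_LETSENCRYPT = "lintons.com: subj(/CN=lintons.com) issued(/C=US/O=Let's Encrypt/CN=R3) Expires Sat Apr 24 00:26:30 2021"


def classify_cert_line(line: str, now: datetime) -> dict:
    """Parse one summary line and flag what a reviewer looks for first:
    subject equal to issuer (self-signed) and a lifetime no public CA would issue."""
    m = CERT_LINE.match(line.strip())
    if m is None:
        raise ValueError(f"not a SurgeMail cert summary line: {line!r}")
    # ctime-style timestamp as printed by SurgeMail; treated as UTC here
    expires = datetime.strptime(m["expires"].strip(), "%a %b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    subject, issuer = m["subject"], m["issuer"]
    return {
        "domain": m["domain"],
        "subject": subject,
        "issuer": issuer,
        "expires": expires,
        "self_signed": subject == issuer,
        "issued_by_letsencrypt": "O=Let's Encrypt" in issuer,
        "lifetime_exceeds_letsencrypt": expires - now > MAX_LE_LIFETIME,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_SELF_SIGNED, SAMPLE_LETSENCRYPT):
        info = classify_cert_line(sample, NOW_EXAMPLE)
        if info["self_signed"]:
            verdict = "self-signed"
        elif info["issued_by_letsencrypt"]:
            verdict = "Let's Encrypt"
        else:
            verdict = "other CA"
        print(f"{info['domain']}: {verdict}, expires {info['expires']:%Y-%m-%d}, "
              f"longer than any LE cert: {info['lifetime_exceeds_letsencrypt']}")
```

The lifetime test is the quicker of the two checks when the issuer string is unfamiliar: whatever the issuer says, a certificate that is still ten years from expiry was not issued by Let's Encrypt.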

I tried rerunning the ssl_update on my mail server to generate the new cert. It looks as though it's pointing to my web server lintons.com and not to my mx.mail.lintons.com.

Existing cert check: lintons.com Self signed certificate /CN=lintons.com
Got newAccount = https://acme-v02.api.letsencrypt.org/acme/new-acct
Account status: Account found/created https://acme-v02.api.letsencrypt.org/acme/acct/110739176
acme_authorize required for domain lintons.com
Challenge http-01 pending
Created www/.well-known/acme-challenge/82kgPbTGZXKq08-Yn5U3sjcSZWAnI3rWUeJx1itXVps
Challenge: error: Invalid response from https://lintons.com/.well-known/acme-challenge/82kgPbTGZXKq08-Yn5U3sjcSZWAnI3rWUeJx1itXVps [2606:4700:3036::6815:1b19]: "\n\n\n\t\n\t

The script is definitely not even trying to do what you are expecting.
And it is failing at whatever it is actually doing.
Did it ever work?
Do you recall how it did work?
Are there any config files or ini settings type file?

This is the first time that I've used LE so I don't have any prior experience. I was using Digi-Cert before this.

Here is the log file:

25 23:02:31.00:Info:1405265664: verify: depth=0:/CN=acme-v01.api.letsencrypt.org
"agMWvD8-NpA": "Adding random entries to the directory",
"keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
"letsencrypt.org"
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
"website": "https://letsencrypt.org"
"newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
"revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
25 23:02:31.00:Info:1405265664: lets: Got newAccount = https://acme-v02.api.letsencrypt.org/acme/new-acct
25 23:02:31.00:Info:1405265664: http: Open (acme-v02.api.letsencrypt.org)
25 23:02:31.00:Info:1405265664: tcp: open (acme-v02.api.letsencrypt.org) binding to ()
25 23:02:31.00:Info:1405265664: tcp_lookup(acme-v02.api.letsencrypt.org)
25 23:02:31.00:Info:1405265664: http: ssl init: https://acme-v02.api.letsencrypt.org/acme/new-nonce
25 23:02:31.00:Info:1405265664: verify: depth=0:/CN=acme-v01.api.letsencrypt.org
25 23:02:51.00:Info:1405265664: http: Open (acme-v02.api.letsencrypt.org)
25 23:02:51.00:Info:1405265664: tcp: open (acme-v02.api.letsencrypt.org) binding to ()
25 23:02:51.00:Info:1405265664: tcp_lookup(acme-v02.api.letsencrypt.org)
25 23:02:51.00:Info:1405265664: http: ssl init: https://acme-v02.api.letsencrypt.org/acme/new-acct
25 23:02:51.00:Info:1405265664: verify: depth=0:/CN=acme-v01.api.letsencrypt.org
25 23:02:52.00:Info:1405265664: lets: Account status: Account found/created https://acme-v02.api.letsencrypt.org/acme/acct/110739176
25 23:02:52.00:Info:1405265664: http: Open (acme-v02.api.letsencrypt.org)
25 23:02:52.00:Info:1405265664: tcp: open (acme-v02.api.letsencrypt.org) binding to ()
25 23:02:52.00:Info:1405265664: tcp_lookup(acme-v02.api.letsencrypt.org)
25 23:02:52.00:Info:1405265664: http: ssl init: https://acme-v02.api.letsencrypt.org/acme/new-order
25 23:02:52.00:Info:1405265664: verify: depth=0:/CN=acme-v01.api.letsencrypt.org
"https://acme-v02.api.letsencrypt.org/acme/authz-v3/10362024461"
"finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/110739176/7528582460"
25 23:02:52.00:Info:1405265664: acme: Finalize (https://acme-v02.api.letsencrypt.org/acme/finalize/110739176/7528582460)
25 23:02:52.00:Info:1405265664: lets: acme_authorize required for domain lintons.com
25 23:02:52.00:Info:1405265664: http: Open (acme-v02.api.letsencrypt.org)
25 23:02:52.00:Info:1405265664: tcp: open (acme-v02.api.letsencrypt.org) binding to ()
25 23:02:52.00:Info:1405265664: tcp_lookup(acme-v02.api.letsencrypt.org)
25 23:02:52.00:Info:1405265664: http: ssl init: https://acme-v02.api.letsencrypt.org/acme/authz-v3/10362024461
25 23:02:52.00:Info:1405265664: verify: depth=0:/CN=acme-v01.api.letsencrypt.org
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/10362024461/1lSRTw",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/10362024461/ATLL6Q",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/10362024461/jVT9Hg",
25 23:02:52.00:Info:1405265664: lets: Challenge http-01 pending
25 23:02:52.00:Info:1405265664: lets: Created www/.well-known/acme-challenge/82kgPbTGZXKq08-Yn5U3sjcSZWAnI3rWUeJx1itXVps
25 23:02:53.00:Info:1405265664: http: Open (acme-v02.api.letsencrypt.org)
25 23:02:53.00:Info:1405265664: tcp: open (acme-v02.api.letsencrypt.org) binding to ()
25 23:02:53.00:Info:1405265664: tcp_lookup(acme-v02.api.letsencrypt.org)
25 23:02:53.00:Info:1405265664: http: ssl init: https://acme-v02.api.letsencrypt.org/acme/chall-v3/10362024461/1lSRTw
25 23:02:54.00:Info:1405265664: verify: depth=0:/CN=acme-v01.api.letsencrypt.org
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/10362024461/1lSRTw",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/10362024461/1lSRTw",
25 23:02:59.00:Info:1405265664: acme: check if finished https://acme-v02.api.letsencrypt.org/acme/chall-v3/10362024461/1lSRTw
25 23:02:59.00:Info:1405265664: http: Open (acme-v02.api.letsencrypt.org)
25 23:02:59.00:Info:1405265664: tcp: open (acme-v02.api.letsencrypt.org) binding to ()
25 23:02:59.00:Info:1405265664: tcp_lookup(acme-v02.api.letsencrypt.org)
25 23:02:59.00:Info:1405265664: http: ssl init: https://acme-v02.api.letsencrypt.org/acme/chall-v3/10362024461/1lSRTw
25 23:02:59.00:Info:1405265664: verify: depth=0:/CN=acme-v01.api.letsencrypt.org
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/10362024461/1lSRTw",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/10362024461/1lSRTw",
25 23:02:59.00:Info:1405265664: lets: Challenge: error: Invalid response from https://lintons.com/.well-known/acme-challenge/82kgPbTGZXKq08-Yn5U3sjcSZWAnI3rWUeJx1itXVps [2606:4700:3036::6815:1b19]: "\n<html lang="en">\n<meta http-equiv="Content-Type" content="text/html; charset=utf-8">\n\t\n\tLinton's En"
25 23:02:59.00:Info:1405265664: lets: HINT: Check your setting url_host points to your mail server for this domain!!
25 23:02:59.00:Info:1405265664: lets: HINT: Surgemail must have g_webmail_port set to 80, and IIS/apache must be stopped at least during this first verification!!
25 23:02:59.00:Info:1405265664: lets: acme_do_auth failed lintons.com
25 23:02:59.00:Info:1405265664: lets: Update finished, 0 good, 1 bad
25 23:02:59.00:Info:1405265664: ssl: loading (lintons.com) (lets/lintons.com/)
25 23:02:59.00:Info:1405265664: myssl: myssl_use_certificate lets/lintons.com/
25 23:02:59.00:Info:1405265664: SSL init domains failed {lintons.com} (use_certificate_file failed (lets/lintons.com/)(error:0906D06C:PEM routines:PEM_read_bio:no start line))
25 23:02:59.00:Info:1405265664: SSL init domains failed (lintons.com) (use_certificate_file failed (lets/lintons.com/)(error:0906D06C:PEM routines:PEM_read_bio:no start line))
25 23:02:59.00:Info:1405265664: ssl: loading (none) (lets/)
25 23:02:59.00:Info:1405265664: myssl: myssl_use_certificate lets/
25 23:02:59.00:Info:1405265664: SSL init domains failed {none} (use_certificate_file failed (lets/)(error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib))
25 23:02:59.00:Info:1405265664: SSL init domains failed (none) (use_certificate_file failed (lets/)(error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib))
Cpu time used 0 cpu seconds

This is an interesting entry:

Also, when exactly did you start using CloudFlare?

Port 80 is open on the mail server with the g_webmail_port set. I'm not running a web server on that server.

My system says that the Challenge is still pending:

http-01 pending
Created www/.well-known/acme-challenge/hM0U3DWRShDj6XX8J5udC_NTSwx3bmLREojrt_-d0Jw
Challenge: error: Invalid response from https://lintons.com/.well-known/acme-challenge/hM0U3DWRShDj6XX8J5udC_NTSwx3bmLREojrt_-d0Jw [2606:4700:3036::6815:1b19]: "\n\n\n\t\n\t

HTTP request passes through CloudFlare and becomes HTTPS request

Did this ever work after you started using CloudFlare?
[it obviously worked before that]
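The failure mode discussed in this thread, as an added worked example (not SurgeMail code and not from anyone in the thread): it takes the "Invalid response" problem detail that SurgeMail copies from the CA into its log and reports the four things visible in it: the order is for lintons.com rather than the mail host, the CA's plain-HTTP request was redirected to https://, the responding address is a Cloudflare edge, and the body is the web site's HTML instead of the key authorization the CA expects (token, a dot, and the base64url SHA-256 thumbprint of the account key, per RFC 8555 section 8.1 and RFC 7638). Assumptions: only the Cloudflare IPv6 prefix seen in the log is listed (Cloudflare publishes the full list at https://www.cloudflare.com/ips-v6), the account key is a constructed placeholder and not a real ACME account key, and the intended host is mail.lintons.com.

```python
import base64
import hashlib
import ipaddress
import json
import re
from urllib.parse import urlparse

# Cloudflare's published IPv6 edge prefix that both addresses in the log fall in.
# Assumption: only this prefix is listed; see https://www.cloudflare.com/ips-v6 for all of them.
CLOUDFLARE_PREFIXES = [ipaddress.ip_network("2606:4700::/32")]

# The ACME problem detail as SurgeMail relays it into its log:
#   Invalid response from <url> [<ip>]: "<start of response body>"
ERROR_LINE = re.compile(r'Invalid response from (?P<url>\S+) \[(?P<ip>[^\]]+)\]: "(?P<body>.*)"\s*$')

# Constructed placeholder account key (not a real ACME account key); only its
# thumbprint matters here, and any JWK carrying the required members will do.
SAMPLE_ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "placeholder-x", "y": "placeholder-y"}

# The failing line from this thread's log, as SurgeMail wrote it (escapes kept literal).
SAMPLE_LOG_LINE = r'''25 23:02:59.00:Info:1405265664: lets: Challenge: error: Invalid response from https://lintons.com/.well-known/acme-challenge/82kgPbTGZXKq08-Yn5U3sjcSZWAnI3rWUeJx1itXVps [2606:4700:3036::6815:1b19]: "\n<html lang="en">\n<meta http-equiv="Content-Type" content="text/html; charset=utf-8">\n\t\n\tLinton's En"'''


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: the exact body the CA expects at /.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def diagnose_http01_error(log_line: str, intended_host: str, account_jwk: dict) -> dict:
    """Turn the CA's 'Invalid response' text into concrete findings."""
    m = ERROR_LINE.search(log_line)
    if m is None:
        raise ValueError("line carries no ACME 'Invalid response' problem detail")
    url = urlparse(m["url"])
    ip = ipaddress.ip_address(m["ip"])
    # SurgeMail logs the body with literal \n and \t; turn those back into whitespace
    body = m["body"].replace("\\n", "\n").replace("\\t", "\t")
    token = url.path.rsplit("/", 1)[-1]
    expected = key_authorization(token, account_jwk)

    findings = []
    if url.hostname != intended_host:
        findings.append(f"order is for {url.hostname}, not {intended_host}: url_host points at the web site")
    if url.scheme == "https":
        findings.append("the CA's plain-HTTP request was redirected to https://")
    if any(ip in prefix for prefix in CLOUDFLARE_PREFIXES):
        findings.append(f"{ip} is a Cloudflare edge address: the name is proxied and the mail server was never reached")
    if body.lstrip().startswith("<"):
        findings.append("response body is HTML (the web site), not a key authorization")
    if body.strip() != expected:
        findings.append("response body does not equal the expected key authorization")
    return {"token": token, "expected_body": expected, "responding_ip": str(ip), "findings": findings}


if __name__ == "__main__":
    result = diagnose_http01_error(SAMPLE_LOG_LINE, "mail.lintons.com", SAMPLE_ACCOUNT_JWK)
    print("expected body:", result["expected_body"])
    for finding in result["findings"]:
        print("-", finding)
```

The CA always starts an http-01 validation with a plain http:// request to the name in the order and follows redirects, so an https:// URL in its error text is itself evidence of a redirect, independently of which address answered. Running the same function over a line whose body equals the key authorization, fetched over http:// from a non-Cloudflare address for the intended host, yields no findings.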
