Not able to generate the certificate-using linux docker image of letsencrypt

I am using it for the very first time, in turn has very limited knowledge about letsencrypt.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:privykloud.ddnsfree.com

I ran this command:docker logs -f letsencrypt

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.privykloud.ddnsfree.com
Waiting for verification…
Challenge failed for domain www.privykloud.ddnsfree.com
http-01 challenge for www.privykloud.ddnsfree.com
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.privykloud.ddnsfree.com
    Type: connection
    Detail: Fetching
    http://www.privykloud.ddnsfree.com/.well-known/acme-challenge/7SVw_OXVIBpG2MDhRQf9nq9iyNXX4c9jd_O8M0CL_Zc:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.
    ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

And when i tried to find the logs it displays as
HTTP 200
Server: nginx
Date: Mon, 30 Dec 2019 05:37:10 GMT
Content-Type: application/json
Content-Length: 1943
Connection: keep-alive
Boulder-Requester: 74795662
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel=“index”
Replay-Nonce: 0002WmSsG0-ZKEc-AjElsVhqf5I5yvenxVlHs9D2zMWjMfs
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
“identifier”: {
“type”: “dns”,
“value”: “www.privykloud.ddnsfree.com
},
“status”: “invalid”,
“expires”: “2020-01-06T05:36:46Z”,
“challenges”: [
{
“type”: “http-01”,
“status”: “invalid”,
“error”: {
“type”: “urn:ietf:params:acme:error:connection”,
“detail”: “Fetching http://www.privykloud.ddnsfree.com/.well-known/acme-challenge/7SVw_OXVIBpG2MDhRQf9nq9iyNXX4c9jd_O8M0CL_Zc: Timeout during connect (likely firewall problem)”,
“status”: 400
},
“url”: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/2005679771/aay9BA”,
“token”: “7SVw_OXVIBpG2MDhRQf9nq9iyNXX4c9jd_O8M0CL_Zc”,
“validationRecord”: [
{
“url”: “http://www.privykloud.ddnsfree.com/.well-known/acme-challenge/7SVw_OXVIBpG2MDhRQf9nq9iyNXX4c9jd_O8M0CL_Zc”,
“hostname”: “www.privykloud.ddnsfree.com”,
“port”: “80”,
“addressesResolved”: [
“68.228.199.61”,
“2600:8800:d01:bb00:6868:a468:e249:a1bb”
],
“addressUsed”: “2600:8800:d01:bb00:6868:a468:e249:a1bb”
},
{
“url”: “http://www.privykloud.ddnsfree.com/.well-known/acme-challenge/7SVw_OXVIBpG2MDhRQf9nq9iyNXX4c9jd_O8M0CL_Zc”,
“hostname”: “www.privykloud.ddnsfree.com”,
“port”: “80”,
“addressesResolved”: [
“68.228.199.61”,
“2600:8800:d01:bb00:6868:a468:e249:a1bb”
],
“addressUsed”: “68.228.199.61”
}
]
},
{
“type”: “dns-01”,
“status”: “invalid”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/2005679771/K2wdAQ”,
“token”: “7SVw_OXVIBpG2MDhRQf9nq9iyNXX4c9jd_O8M0CL_Zc”
},
{
“type”: “tls-alpn-01”,
“status”: “invalid”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/2005679771/uxegrA”,
“token”: “7SVw_OXVIBpG2MDhRQf9nq9iyNXX4c9jd_O8M0CL_Zc”
}
]
}
2019-12-29 22:37:10,266:DEBUG:acme.client:Storing nonce: 0002WmSsG0-ZKEc-AjElsVhqf5I5yvenxVlHs9D2zMWjMfs
2019-12-29 22:37:10,268:WARNING:certbot._internal.auth_handler:Challenge failed for domain www.privykloud.ddnsfree.com
2019-12-29 22:37:10,269:INFO:certbot._internal.auth_handler:http-01 challenge for www.privykloud.ddnsfree.com
2019-12-29 22:37:10,269:DEBUG:certbot._internal.reporter:Reporting to user: The following errors were reported by the server:

Domain: www.privykloud.ddnsfree.com
Type: connection
Detail: Fetching http://www.privykloud.ddnsfree.com/.well-known/acme-challenge/7SVw_OXVIBpG2MDhRQf9nq9iyNXX4c9jd_O8M0CL_Zc: Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you’re using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
2019-12-29 22:37:10,271:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File “/usr/lib/python3.8/site-packages/certbot/_internal/auth_handler.py”, line 91, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File “/usr/lib/python3.8/site-packages/certbot/_internal/auth_handler.py”, line 180, in _poll_authorizations
raise errors.AuthorizationError(‘Some challenges have failed.’)
certbot.errors.AuthorizationError: Some challenges have failed.

2019-12-29 22:37:10,271:DEBUG:certbot._internal.error_handler:Calling registered functions
2019-12-29 22:37:10,271:INFO:certbot._internal.auth_handler:Cleaning up challenges
2019-12-29 22:37:10,273:DEBUG:certbot._internal.plugins.standalone:Stopping server at :::80…
2019-12-29 22:37:10,759:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File “/usr/bin/certbot”, line 8, in
sys.exit(main())
File “/usr/lib/python3.8/site-packages/certbot/main.py”, line 14, in main
return internal_main.main(cli_args)
File “/usr/lib/python3.8/site-packages/certbot/_internal/main.py”, line 1350, in main
return config.func(config, plugins)
File “/usr/lib/python3.8/site-packages/certbot/_internal/main.py”, line 1237, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File “/usr/lib/python3.8/site-packages/certbot/_internal/main.py”, line 121, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File “/usr/lib/python3.8/site-packages/certbot/_internal/client.py”, line 416, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File “/usr/lib/python3.8/site-packages/certbot/_internal/client.py”, line 347, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File “/usr/lib/python3.8/site-packages/certbot/_internal/client.py”, line 395, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File “/usr/lib/python3.8/site-packages/certbot/_internal/auth_handler.py”, line 91, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File “/usr/lib/python3.8/site-packages/certbot/_internal/auth_handler.py”, line 180, in _poll_authorizations
raise errors.AuthorizationError(‘Some challenges have failed.’)
certbot.errors.AuthorizationError: Some challenges have failed.

My web server is (include version): ngnix

The operating system my web server runs on is (include version): It is raspberry pi with Debian buster- Raspbian Buster

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): it is 1.0.0

Hi @andy26

read your output. Your port 80 doesn’t answer.

There are older checks of your domain, ~~4 hours old - https://check-your-website.server-daten.de/?q=privykloud.ddnsfree.com

Same picture - only timeouts.

A working port 80 is required.

You have ipv4 and ipv6. Letsencrypt prefers ipv6, so your ipv6 has to work.

1 Like

Thank you @JuergenAuer for your response .
However I am not sure if that is the only reason.
Few days back I used another subdomain with duckdns
privykloud.duckdns.org
And after few invalid attempts, I was able to create certificate once and i was able to access my site using https
At that time, i encountered another issue because of which I deleted/recreated the environment and then I came to know about the rate-limits error, as I was trying to create duplicates.
At that time also all the other environment parameters are same.
So not sure at that time also the ISP was same with the same IP, but I was able to generate the certs.
Is it because, while creating the letsencrypt – I provided subdomains =wildcard…?
Any thoughts…?

1 Like

I think now i know why my cert creation is failing and how it was passed earlier.
I will try to create it again with the ones where challenge dns01 should be checked and passed.

Thanks @JuergenAuer for your help.
Finally using duckdns as my domain, I was able to successfully generate the cert for the subdomain privykloud.duckdns.org
Now it seems I am stuck in an unusual problem
i am able to access my site using https @ my home network
however when I am trying to connect the same site @https from outside my network
i am always getting error message as
The site can’t provide a secure connection + Err_SSL_Protocol_Error

Is there is any cert issue because of which I am getting the error
Can someone shed some light on the same, appreciate your help .

Thanks,
Andy

If https works internal, it’s not a certificate-creation or a certificate installation problem.

Then it’s only a routing / port forwarding / firewall problem.

Your last check, ~~5 hours old - https://check-your-website.server-daten.de/?q=privykloud.duckdns.org

Only timeouts.

You have ipv4 and ipv6 (that’s good). But it looks that nothing works, no tracert / traceroute.

Ping works with ipv4, not with ipv6.

Perhaps first step: Remove your ipv6 and try to fix your ipv4. If that works, add your ipv6 again and fix that.

thanks @JuergenAuer
I have removed my ipv6, and yes you are right that http or https they both r showing timeouts at the website
https://check-your-website.server-daten.de

Do i have to generate the certs back again after removing the IPv6, i think not…
And i have no clue to how to enable/fix for ip4 first.
Any pointer will be gr8ly appreciated.

Thanks,
Andy

No, it’s not a certificate problem. Completely independend.

Firewall, your hoster may block it, wrong / not existing port forwarding. There are a lot of things to create a buggy configuration.

Thanks for the pointers,
Using a pi4, it might have a firewall,but that is not configured or active by default
hoster - my hoster is duckdns as I am using a sub domain created on it, so it is highly unlikely that they will block the request as they are giving the capability.
W.r.t to port forwarding-- i did the same on my router that 443 of my external ip is forwarded to 444 of my internal IP.
Not sure if I can share more info…on this platform, is there a way i can DM u.

you are absolutely right as it is a buggy configuration…not sure bug is lying where…still trying to figure it out.
Appreciate your support.

Thanks,
Andy

Thanks @JuergenAuer
I was able to resolve this problem…it lies underneath the port forwarding and opening of ports…
Finally after lot many tries…glad it is working.

Thanks,
Andy

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.