Owncloud: "Error creating new order :: too many failed authorizations recently"

I am new to this and may have tried too many times, as I was getting several errors until I sorted out the firewall. I was not aware that I required the appliance to be accessible from outside.

We already have our own wildcard certificate, but would like to use Let’s Encrypt for this server.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=cfts.co), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: cfts.co,

I ran this command: via owncloud ‘let’s encrypt’ plugin

It produced this output: "Error creating new order :: too many failed authorizations recently"

My web server is (include version): Apache 2.4.25

The operating system my web server runs on is (include version): Debian 9

My hosting provider, if applicable, is: on-premise

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
owncloud 10

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

Try honing your cert skills on the staging environment first.

This rate limit will reset after an hour (and then your subsequent attempts will give a more specific error message if they fail).

Thanks, that’s good advice on both counts.

OK so the error I get is:

    ValueError: Challenge did not pass for owncloud.cfts.co: {u'status': u'invalid', u'challenges': [{u'status': u'invalid', u'validationRecord': [{u'url': u'http://owncloud.cfts.co/.well-known/acme-challenge/uGSNdyG125ILGc5esJUfrwxFRXfTTiPCFv7zdySuwvQ', u'hostname': u'owncloud.cfts.co', u'addressUsed': u'41.190.132.252', u'port': u'80', u'addressesResolved': [u'41.190.132.252']}], u'url': u'https://acme-v02.api.letsencrypt.org/acme/chall-v3/815122557/CnqZ4g', u'token': u'uGSNdyG125ILGc5esJUfrwxFRXfTTiPCFv7zdySuwvQ', u'error': {u'status': 400, u'type': u'urn:ietf:params:acme:error:connection', u'detail': u'Fetching http://owncloud.cfts.co/.well-known/acme-challenge/uGSNdyG125ILGc5esJUfrwxFRXfTTiPCFv7zdySuwvQ: Timeout during connect (likely firewall problem)'}, u'type': u'http-01'}, {u'status': u'invalid', u'url': u'https://acme-v02.api.letsencrypt.org/acme/chall-v3/815122557/7JgMSA', u'token': u'uGSNdyG125ILGc5esJUfrwxFRXfTTiPCFv7zdySuwvQ', u'type': u'dns-01'}, {u'status': u'invalid', u'url': u'https://acme-v02.api.letsencrypt.org/acme/chall-v3/815122557/PNuNxQ', u'token': u'uGSNdyG125ILGc5esJUfrwxFRXfTTiPCFv7zdySuwvQ', u'type': u'tls-alpn-01'}], u'identifier': {u'type': u'dns', u'value': u'owncloud.cfts.co'}, u'expires': u'2019-10-24T06:37:39Z'}

Not sure what to make of it. I have ports 80 and 443 open for now.
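Added example, not part of the original post: the client printed the failed authorization as a Python 2 repr, and the code below reads it and pulls out which challenge failed, why, and which address and port the CA tried to reach. `RAW` is a trimmed copy of the output above; `parse_authz` and `failed_challenges` are names chosen here.

```python
import ast

# Constructed sample: the ValueError text from the post, trimmed to the fields
# used below (challenge URLs and token dropped, detail shortened).
RAW = ("ValueError: Challenge did not pass for owncloud.cfts.co: "
       "{u'status': u'invalid', u'challenges': ["
       "{u'status': u'invalid', u'type': u'http-01', "
       "u'validationRecord': [{u'hostname': u'owncloud.cfts.co', "
       "u'addressUsed': u'41.190.132.252', u'port': u'80', "
       "u'addressesResolved': [u'41.190.132.252']}], "
       "u'error': {u'status': 400, "
       "u'type': u'urn:ietf:params:acme:error:connection', "
       "u'detail': u'Timeout during connect (likely firewall problem)'}}, "
       "{u'status': u'invalid', u'type': u'dns-01'}, "
       "{u'status': u'invalid', u'type': u'tls-alpn-01'}], "
       "u'identifier': {u'type': u'dns', u'value': u'owncloud.cfts.co'}}")

def parse_authz(message):
    """Extract the authorization dict from the client's ValueError text.

    u'...' literals are still valid Python 3 syntax, so ast.literal_eval
    reads the repr as data without executing anything.
    """
    return ast.literal_eval(message[message.index("{"):])

def failed_challenges(authz):
    """Return one summary per challenge that carries an error object."""
    out = []
    for ch in authz.get("challenges", []):
        err = ch.get("error")
        if not err:
            continue  # no error recorded for this challenge type
        rec = (ch.get("validationRecord") or [{}])[-1]
        out.append({
            "type": ch["type"],
            "error": err["type"].rsplit(":", 1)[-1],
            "detail": err["detail"],
            "hostname": rec.get("hostname"),
            "target": f"{rec.get('addressUsed')}:{rec.get('port')}",
        })
    return out

if __name__ == "__main__":
    for item in failed_challenges(parse_authz(RAW)):
        print(item)
```

In this output only the http-01 entry has an error, and its validation record names 41.190.132.252 port 80 as the address the connection attempt timed out on.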

OK, I may have found the issue. Looks like Debian (stretch) does not support python-virtualenv, and there seems to be no way I can find (keep in mind that I’m unfamiliar with Debian) to make it support it.

Seems the owncloud Let’s Encrypt plugin cannot be used with the current version of owncloud, as when certbot-auto is run I get the following:

    Package python-virtualenv is not available, but is referred to by another package.
    This may mean that the package is missing, has been obsoleted, or
    is only available from another source

    E: Package 'python-virtualenv' has no installation candidate

apt-get update does not solve the issue, and apt-cache search python-virtualenv returns a null result.

Whether or not you can fix your Python package issues, I think this issue is still outstanding.

I cannot connect on 80 to owncloud.cfts.co. But I can find other hosts in your /24 that have 80 open.

So it seems like a potential firewalling or port forwarding issue.

Edit: scanned the wrong IP range -_-

Seems my issues may be with the owncloud VM. I will do a fresh VM using CentOS; I’m really not very familiar with Debian, and it seems the documentation for owncloud is also not aimed at Debian.

Edit: @_az you were right about port 80. I forgot we have 2 firewalls, edge and internal. My bad, I forgot the internal one. I really feel silly.

However, it seems the site is still insecure even though the certificate is clearly present.

Before I could connect on 443 but not 80.

Now I can’t connect on either port.

Interesting, as I’m connecting fine from outside. Just to be clear, the URL is: https://owncloud.cfts.co

Looks like it was just temporary (or you did something). I can see both ports now - so Let's Encrypt should be able to perform HTTP validation now.

Your certificate looks fine. What did you mean by:

Is it possible you are talking about a mixed content warning? (Though I can't see such a warning myself).

Hi @peter2cfu

There is no redirect http -> https.

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://owncloud.cfts.co/ 41.190.132.252 | 302 | http://owncloud.cfts.co/univention/ Html is minified: 100,00 % | 0.374 | D |
| http://owncloud.cfts.co/univention/ | 302 | http://owncloud.cfts.co/univention/portal/ Html is minified: 100,00 % | 0.384 | D |
| http://owncloud.cfts.co/univention/portal/ GZip used - 798 / 2082 - 61,67 % | 200 | Html is minified: 140,68 % | 0.377 | H |

So a new user starts with http -> and uses http.

The certificate is good:

CN=owncloud.cfts.co
	17.10.2019
	15.01.2020
expires in 90 days	owncloud.cfts.co - 1 entry

Two are created.

I’m guessing just timings, and thanks for the heads up on the redirect, I need to do that anyway.

As to the insecure warnings, I don’t get it on Android but do on my PC using Chrome.

Add https in the url. That may be the missing redirect.

Not sure, seems the redirect is not working. I’m guessing I’ve done something wrong here: I made a .htaccess file in the /var/www directory

    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE]

Have I the correct location? From what I see it looks like the right place.

Just for completeness:

  1. The main issue was the firewall: both port 80 and 443 needed to be exposed to the outside world in order for Let’s Encrypt to do its thing.

Note: hone your cert skills on the staging environment first! Avoid all the delays.

  2. In order to get the http to https redirect working correctly, I created a .htaccess file in the /var/www directory (root of my owncloud installation)

     ##### HTTP to HTTPS redirection
     ## Since you have enabled HSTS the first redirection rule will instruct the browser to visit the HTTPS version of your
     ## site, this prevents unsafe redirections through HTTP.
     RewriteCond %{HTTPS} !=on [OR]
     RewriteCond %{HTTP:X-Forwarded-Proto} =http
     RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    
     ## HSTS Header - See http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
     <IfModule mod_headers.c>
     Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS
     </IfModule>
    

after that, all worked a treat! thank you all :slight_smile:
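Added example (not part of the original post): one way to confirm from outside that the redirect and HSTS rules above behave as intended. `audit` flags hops that stay on plain HTTP and a final HTTPS response without an HSTS header; `fetch_chain`, `audit`, `BEFORE` and `AFTER` are names chosen here, `BEFORE` mirrors the redirect check earlier in the thread, and `AFTER` is constructed.

```python
import http.client
from urllib.parse import urljoin, urlsplit

HSTS = "strict-transport-security"
def fetch_chain(url, max_hops=5):
    """Follow redirects by hand so each hop's status and headers are kept."""
    hops = []
    for _ in range(max_hops):
        u = urlsplit(url)
        conn = getattr(http.client, u.scheme.upper() + "Connection")(u.netloc, timeout=10)
        conn.request("HEAD", (u.path or "/") + ("?" + u.query if u.query else ""))
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        conn.close()
        hops.append((url, resp.status, headers))
        if resp.status not in (301, 302, 303, 307, 308) or "location" not in headers:
            break
        url = urljoin(url, headers["location"])
    return hops

def audit(hops):
    """Return findings for a chain of (url, status, lower-cased headers)."""
    findings = []
    for url, status, headers in hops:
        if urlsplit(url).scheme != "http":
            continue
        target = urljoin(url, headers.get("location", ""))
        if not 300 <= status < 400:
            findings.append(f"{url}: answered {status} over plain HTTP")
        elif urlsplit(target).scheme != "https":
            findings.append(f"{url}: redirects to {target}, still plain HTTP")
        if HSTS in headers:
            findings.append(f"{url}: HSTS header on HTTP (browsers ignore it)")
    last_url, _, last_headers = hops[-1]
    if urlsplit(last_url).scheme == "https" and HSTS not in last_headers:
        findings.append(f"{last_url}: no Strict-Transport-Security header")
    return findings

# Hops as listed in the redirect check in this thread (headers reduced to Location).
BEFORE = [
    ("http://owncloud.cfts.co/", 302, {"location": "http://owncloud.cfts.co/univention/"}),
    ("http://owncloud.cfts.co/univention/", 302, {"location": "http://owncloud.cfts.co/univention/portal/"}),
    ("http://owncloud.cfts.co/univention/portal/", 200, {}),
]
# Constructed: the chain expected once the redirect and HSTS rules are active.
AFTER = [
    ("http://owncloud.cfts.co/", 301, {"location": "https://owncloud.cfts.co/"}),
    ("https://owncloud.cfts.co/", 200, {HSTS: "max-age=31536000"}),
]
```

Run against a live host with `audit(fetch_chain("http://owncloud.cfts.co/"))`; an empty list means every HTTP hop redirected to HTTPS and the final response carried the HSTS header.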

Thank you, very informative.
