Problem with verification urn:ietf:params:acme:error:connection

Hi,
my problem is that all domains on my main server (about 80) cannot update letsencrypt since about a month. I am using plesk as backend but it is not a plesk issue. The cert bot runs fine and all files (especially the verification files) are generated immediately. But I always get an

Detail: Fetching http://mircoblitz.de/.well-known/acme-challenge/sehiMs9DjRbD46dLs_zYO5oKLa1ITkfrK_SaHwt-VJE: Error getting validation data

whenever I try to update letsencrypt.
The error message is always “Error getting validation data”, but the verification files are there and accessible. (Tested from a bunch of different network addresses.)

Please help.
Best regards
Mirco

My domain is: mircoblitz.de

I ran this command: plesk bin extension --exec letsencrypt cli.php -d mircoblitz.de -d www.mircoblitz.de --email webmaster@lindworm.de (but that's a wrapper for certbot)

It produced this output:
[2020-03-24 16:44:55.643] ERR [extension/letsencrypt] Domain validation failed for www.mircoblitz.de: Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/3542075514.
Details:
Type: urn:ietf:params:acme:error:connection
Status: 400
Detail: Fetching http://mircoblitz.de/.well-known/acme-challenge/sehiMs9DjRbD46dLs_zYO5oKLa1ITkfrK_SaHwt-VJE: Error getting validation data

My web server is (include version):
Apache with Nginx proxy

The operating system my web server runs on is (include version):
Ubuntu 16.04

My hosting provider, if applicable, is:
hosteurope.de

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
plesk onyx

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
No clue as I need to use the plesk manager. As I stated the problem is in verification and probably the access from letsencrypt to my server.

1 Like

Hi @Lindworm

looks like you have found a solution - https://check-your-website.server-daten.de/?q=mircoblitz.de

There

https://acme-v02.api.letsencrypt.org/acme/authz-v3/3542075514

are ipv4 and ipv6 addresses.

But checking your domain, the ipv6 is removed.

And there is a new certificate:

CN=mircoblitz.de | 24.03.2020 | 22.06.2020 | expires in 90 days | *.mircoblitz.de, mircoblitz.de - 2 entries

created today. But it’s a wildcard certificate, so you have used dns validation.

Ah - there are two new certificates:

| Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|
| Let’s Encrypt Authority X3 | 2020-03-24 | 2020-06-22 | *.mircoblitz.de, mircoblitz.de - 2 entries | duplicate nr. 1 | |
| Let’s Encrypt Authority X3 | 2020-03-24 | 2020-06-22 | mircoblitz.de - 1 entries | duplicate nr. 1 | |
| Let’s Encrypt Authority X3 | 2020-02-20 | 2020-05-20 | mircoblitz.de, www.mircoblitz.de - 2 entries | | |

And a lot of older ones.

PS: Your http + /.well-known/acme-challenge/random-filename is redirected to /blog. That’s wrong.

If a file doesn’t exist, your server should send a http status 404 - Not Found, not a redirect.

Not a redirect. Google says, that’s a “softfail”.

1 Like
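The two checks raised in this thread (whether the challenge path answers over each address family the name resolves to, and whether a nonexistent challenge file returns 404 rather than a redirect) can be run from any outside machine. The following is an added example, not part of the original posts and not Plesk or certbot code; the function names and the nonexistent file name are assumptions made for illustration.

```python
import http.client
import socket
import sys

CHALLENGE_DIR = "/.well-known/acme-challenge/"
FAMILIES = (("ipv4", socket.AF_INET), ("ipv6", socket.AF_INET6))

def probe(host, path, family, port=80, timeout=10):
    """GET the path over one address family; return (status, location, error)."""
    try:
        addr = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)[0][4][0]
    except socket.gaierror:
        return None, None, "no address"
    conn = http.client.HTTPConnection(addr, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()  # http.client does not follow redirects
        return resp.status, resp.getheader("Location"), None
    except (OSError, http.client.HTTPException) as exc:
        return None, None, str(exc) or type(exc).__name__
    finally:
        conn.close()

def verdict(status, location, error, expect_file):
    """Read one probe result the way an HTTP-01 check needs it read."""
    if error == "no address":
        return "skip: no record for this address family"
    if error:
        return f"FAIL: connection error ({error})"
    if 300 <= status < 400:
        kind = "token request" if expect_file else "missing file"
        return f"WARN: {kind} redirects to {location}"
    if expect_file:
        return "ok" if status == 200 else f"FAIL: token not served (HTTP {status})"
    return "ok: 404 for missing file" if status == 404 else f"WARN: HTTP {status} for missing file"

def check(host, token_path):
    """Probe an existing token file and a nonexistent one over IPv4 and IPv6."""
    missing = CHALLENGE_DIR + "does-not-exist-check"  # constructed file name
    return {
        name: {
            "token": verdict(*probe(host, token_path, fam), expect_file=True),
            "missing": verdict(*probe(host, missing, fam), expect_file=False),
        }
        for name, fam in FAMILIES
    }

if __name__ == "__main__":
    # usage: script.py <domain> /.well-known/acme-challenge/<existing-test-file>
    for name, result in check(sys.argv[1], sys.argv[2]).items():
        print(name, result)
```

Run it from a host outside the server's own network, with a test file placed in the challenge directory first; a failure on only one address family points at that family's DNS record or firewall path.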

Hi, thank you.

The ipv6 I removed minutes ago, on a hunch that there might be a problem, and I will try again in 2 days. This new cert was created manually to see if DNS auth works, so I could fall back to manual if possible.

Which it does. The other problem still exists. Automatic authentication via http files does not work.

Re: /.well-known/acme-challenge/random-filename is redirected to /blog
No, if the file is present, as you can see here (http://mircoblitz.de/.well-known/acme-challenge/sehiMs9DjRbD46dLs_zYO5oKLa1ITkfrK_SaHwt-VJE), it does not redirect, but only if no file is there, which is needed for other purposes. Otherwise my IDS runs rage.

Thank you for your time.
Mirco

1 Like