Problems with the Challenge File


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: intern.geberl.com

I ran this command: They name it Step 4 (Verify the Challenge File - 28. August 2018 about 20:00 - 23:00 GMT?)

It produced this output:

Error: Domain challenge failed. Please start back at Step 1. {"identifier":{"type":"dns","value":"intern.geberl.com"},"status":"invalid","expires":"2018-09-04T20:20:57Z","challenges":[{"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:connection","detail":"Fetching http://intern.geberl.com/.well-known/acme-challenge/YBGwi_N_iJSo0nJnPP18ZfoEEFss-LX2aWjwM0-5pR8: Timeout during connect (likely firewall problem)","status":400},"url":"https://acme-v02.api.letsencrypt.org/acme/challenge/h_3QSnDJtp9Aa4jngnkSdHi-9yP3WmUyB7nIUaNM67k/6854698119","token":"YBGwi_N_iJSo0nJnPP18ZfoEEFss-LX2aWjwM0-5pR8","validationRecord":[{"url":"http://intern.geberl.com/.well-known/acme-challenge/YBGwi_N_iJSo0nJnPP18ZfoEEFss-LX2aWjwM0-5pR8","hostname":"intern.geberl.com","port":"80","addressesResolved":["82.117.2.154"],"addressUsed":"82.117.2.154"}]},{"type":"tls-alpn-01","status":"invalid","url":"https://acme-v02.api.letsencrypt.org/acme/challenge/h_3QSnDJtp9Aa4jngnkSdHi-9yP3WmUyB7nIUaNM67k/6854698120","token":"fPaOHJMLko3j4fnQRqJZTqeIk9T6UCyHTO9G5O2WRg0"},{"type":"dns-01","status":"invalid","url":"https://acme-v02.api.letsencrypt.org/acme/challenge/h_3QSnDJtp9Aa4jngnkSdHi-9yP3WmUyB7nIUaNM67k/6854698121","token":"bS2LXpqcsN7nZhgjw_hXfiC8Gt1bgzrn5X7LAN4xu80"}]}

My web server is (include version): I used the python script for testing
python2 -c "import BaseHTTPServer;
h = BaseHTTPServer.BaseHTTPRequestHandler;
h.do_GET = lambda r: r.send_response(200) or r.end_headers() or r.wfile.write('YBGwi_N_iJSo0nJnPP18ZfoEEFss-LX2aWjwM0-5pR8.2Y-aR_qhG1VHT_oSHyuILsBwD3zadia0F81t_-J8yRs');
s = BaseHTTPServer.HTTPServer(('0.0.0.0', 80), h);
s.serve_forever()"

The operating system my web server runs on is (include version): debian 9

My hosting provider, if applicable, is: hoiLi, DNS is Krypton - just a little bit complicated

I can login to a root shell on my machine (yes or no, or I don’t know): yes but I cannot see/access the DNS

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Network Structure: (static IP: 82.117.2.154)
-> ADSL
-> ADSL-Modem (Zyxel 660-HN-I)
-> IP-Fire (red: IP: 82.117.2.154 Gateway: 82.117.20.31 DNS: 82.117.12.24, 82.117.12.25)
-> Interface DMZ: 192.168.30.1/24
-> Debian Server IP: 192.168.30.6 (DNS: 82.117.12.24, 82.117.12.25) (virtualized on Proxmox)

I tried the procedure shown at https://gethttpsforfree.com/ because I got permanent failures with certbot and wanted to debug this. I am wondering why I can browse the Challenge File from outside with a Firefox browser (the python script logs the access) but LetsEncrypt does not find the file (also no access log from python). Is there any difference?

Thank you and regards
Stephan Geberl

PS: At the moment the firewall is not open any more, just in case


#2

Hi,

Can you please try to open the firewall for a brief time (more than 10 minutes) so we could take a look?
(For now, the connections are all filtered)

Thank you


#3

Thanks for the reply
I opened the firewall and started the python server. I got the following log (from within the firewall)
192.168.10.1 - - [30/Aug/2018 06:51:56] “GET /.well-known/acme-challenge/YBGwi_N_iJSo0nJnPP18ZfoEEFss-LX2aWjwM0-5pR8 HTTP/1.1” 200 -
192.168.10.1 - - [30/Aug/2018 06:51:56] “GET /favicon.ico HTTP/1.1” 200 -

Thank you
Stephan Geberl


#4

Hi,

Have you tried to test the file outside your network (aka from a far away address… Not in your WiFi / Ethernet )

Since from outside of the network (using a Comcast Xfinity IP in the U.S.), I’m receiving a timeout issue (portqry shows filtered on 80 & 443)…you might need to set up port forwarding on your ADSL modem in order for the outside world to visit your site (and more importantly get a certificate from let’s encrypt using HTTP-01 validation)

Thank you


#5

Hi,
thank you very much, “far away” was the right hint. I activated GeoIP blocking some time ago, so I had access from outside the network but LetsEncrypt did not (I think the servers are not in Europe). Now everything is working fine.

best regards
Stephan Geberl
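The HTTP-01 mechanics behind post #1's test server and its error output, and the network-layer diagnosis post #5 arrived at, as an added Python 3 example (not code from the thread, from certbot or from gethttpsforfree.com): it computes the key authorization the challenge file must serve (the token, a dot, and the RFC 7638 thumbprint of the account key, which is why the string in post #1's script has two dot-separated parts), checks a served body against it, and classifies a failed challenge by its ACME error type, so a `connection` error is reported as "the CA never got a TCP connection" (firewall, NAT or geo-blocking) rather than as a content problem. The account key is the RFC 7638 example key, standing in for the real one; the authorization object is a trimmed copy of post #1's output.

```python
import base64, hashlib, json
# RFC 7638 example RSA public key, standing in for the ACME account key (not the poster's key)
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "alg": "RS256", "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw"}
# Trimmed copy of the authorization object in post #1 (values unchanged)
SAMPLE_AUTHZ = {
    "identifier": {"type": "dns", "value": "intern.geberl.com"}, "status": "invalid",
    "challenges": [
        {"type": "http-01", "status": "invalid", "token": "YBGwi_N_iJSo0nJnPP18ZfoEEFss-LX2aWjwM0-5pR8",
         "error": {"type": "urn:ietf:params:acme:error:connection", "status": 400,
                   "detail": "Timeout during connect (likely firewall problem)"},
         "validationRecord": [{"hostname": "intern.geberl.com", "port": "80",
                               "addressesResolved": ["82.117.2.154"], "addressUsed": "82.117.2.154"}]},
        {"type": "dns-01", "status": "invalid", "token": "bS2LXpqcsN7nZhgjw_hXfiC8Gt1bgzrn5X7LAN4xu80"},
    ],
}

# ACME error types (RFC 8555 section 6.7) grouped by the layer a defender has to fix
ERROR_LAYER = {"connection": "network: no TCP connection (firewall, NAT, geo-blocking)",
               "dns": "dns: name did not resolve as the CA expected",
               "incorrectResponse": "content: file served but key authorization mismatch",
               "unauthorized": "content: file served but key authorization mismatch"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    # RFC 7638: hash only the required public members, lexically ordered, no whitespace
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, jwk: dict) -> str:
    # RFC 8555 section 8.1: the challenge file must contain "<token>.<thumbprint>"
    return token + "." + jwk_thumbprint(jwk)

def served_body_is_valid(body: bytes, token: str, jwk: dict) -> bool:
    # The CA tolerates trailing whitespace, so compare after stripping it
    return body.decode("ascii", "replace").rstrip() == key_authorization(token, jwk)

def diagnose_http01(authz: dict) -> dict:
    # Pick the http-01 challenge out of an authorization object and say which layer failed
    chal = next(c for c in authz["challenges"] if c["type"] == "http-01")
    report = {"token": chal["token"], "status": chal["status"], "layer": "ok", "addresses": []}
    if "error" in chal:
        err_type = chal["error"]["type"].rsplit(":", 1)[-1]
        report["layer"] = ERROR_LAYER.get(err_type, "other: " + err_type)
        report["detail"] = chal["error"]["detail"]
    for rec in chal.get("validationRecord", []):
        report["addresses"] += rec.get("addressesResolved", [])
    return report
```

Run `diagnose_http01` on the JSON a client prints after a failed validation; a "network" layer means the file content is irrelevant until the CA's validators can reach port 80 from outside your own network.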


#6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.