I have been trying to renew one of our domains. I get various error messages, but I suspect an issue with our site blocking one or more LE IP addresses. Is there a way to determine which IPs were used for HTTP queries for a specific renewal request? I was hoping these might be included in the debug logs, but I did not find them at first glance. (Perhaps I overlooked them.)
I know that in general LE does not publish a canonical list of IPs; I only want to know the IPs used for one transaction, so that I can ask my security group to look them up.
I tested our domain with letsdebug.net, and it responded “all OK”. And I can query our web server from various IP addresses, so I do not suspect a general firewall issue.
My domain is: rancher.berkeley.kbase.us
I ran this command:
docker run -it --rm --name certbot -v /certs/certs:/certs/certs -v "/certs/letsencrypt:/etc/letsencrypt" -v "/certs/var:/var/log/letsencrypt" certbot/certbot:latest renew -w /certs/certs --webroot --debug
It produced this output:
[attempt A; from letsencrypt.log:]
2020-02-25 23:45:14,994:DEBUG:certbot._internal.reporter:Reporting to user: The following errors were reported by the server:
Domain: rancher.berkeley.kbase.us
Type: connection
Detail: During secondary validation: Fetching http://rancher.berkeley.kbase.us/.well-known/acme-challenge/wqc0T2jTqQX9ZjErsGiMMzGa6uTRJcefmCJZ1vX2cYk:
Timeout during connect (likely firewall problem)
To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you’re using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
[attempt B:]
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: rancher.berkeley.kbase.us
Type: dns
Detail: During secondary validation: DNS problem: SERVFAIL looking
up A for rancher.berkeley.kbase.us - the domain’s nameservers may
be malfunctioning
[attempt C:]
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: rancher.berkeley.kbase.us
Type: dns
Detail: During secondary validation: No valid IP addresses found
for rancher.berkeley.kbase.us
My web server is (include version):
nginx version: nginx/1.13.8
The operating system my web server runs on is (include version):
“Debian GNU/Linux 9 (stretch)” (from docker container, using standard nginx image)
My hosting provider, if applicable, is:
NA
I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 1.2.0
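One way to answer the question above from the server side, as an added example that is not part of this post or of Certbot: parse the nginx access log for fetches of the ACME HTTP-01 challenge path and list which client IPs requested a given token. The log lines below are constructed samples (the token is the one quoted in attempt A; the IPs and user agents are made up), and the log is assumed to be in nginx's default combined format.

```python
import re
from collections import defaultdict

# Constructed sample nginx access log lines (combined format). The IPs and the
# second token are made up; the first token is the one from the post's attempt A.
SAMPLE_LOG = """\
192.0.2.10 - - [25/Feb/2020:23:45:01 +0000] "GET /.well-known/acme-challenge/wqc0T2jTqQX9ZjErsGiMMzGa6uTRJcefmCJZ1vX2cYk HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
198.51.100.7 - - [25/Feb/2020:23:45:02 +0000] "GET /.well-known/acme-challenge/wqc0T2jTqQX9ZjErsGiMMzGa6uTRJcefmCJZ1vX2cYk HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
203.0.113.5 - - [25/Feb/2020:23:45:03 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.64.0"
203.0.113.9 - - [25/Feb/2020:23:45:04 +0000] "GET /.well-known/acme-challenge/unrelatedTokenXYZ HTTP/1.1" 404 153 "-" "python-requests/2.22"
"""

# nginx "combined" format: ip - user [time] "METHOD path PROTO" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

def challenge_fetches(log_text):
    """Return {token: [(ip, status, user_agent), ...]} for every request that
    hit the ACME HTTP-01 challenge path, in log order."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(CHALLENGE_PREFIX):
            continue
        token = m["path"][len(CHALLENGE_PREFIX):].split("?", 1)[0]
        hits[token].append((m["ip"], int(m["status"]), m["ua"]))
    return dict(hits)

def validator_ips(log_text, token):
    """Distinct client IPs that requested a given token, in first-seen order.
    A vantage point whose connection the firewall dropped leaves no access-log
    entry at all, so a short list here (versus the CA's 'secondary validation'
    error) points at the network layer rather than at nginx."""
    seen = []
    for ip, _status, _ua in challenge_fetches(log_text).get(token, []):
        if ip not in seen:
            seen.append(ip)
    return seen

if __name__ == "__main__":
    token = "wqc0T2jTqQX9ZjErsGiMMzGa6uTRJcefmCJZ1vX2cYk"
    for ip, status, ua in challenge_fetches(SAMPLE_LOG).get(token, []):
        print(f"{ip:16} {status} {ua}")
    print("distinct validator IPs:", validator_ips(SAMPLE_LOG, token))
```

Requests the firewall dropped never reach nginx, so the firewall's own connection log for the timestamps of the renewal attempt is where the missing vantage points would show up.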