Renewal failed for some reason

Is it possible that I had some problem, it is now fixed, but I made too many requests to LE in the process and LE does not in fact check anything now?
Basically, is it possible it will start to work after a week – I have seen somewhere that 20 requests per week are allowed. Or is it 20 certificates issued, not attempts, that are counted?

That is possible.
Can you try www.maksikoms.lv instead?

It was included by default too. But I'll try to check:

Traceback (most recent call last):
  File "/usr/share/webmin/webmin/acme_tiny.py", line 198, in <module>
    main(sys.argv[1:])
  File "/usr/share/webmin/webmin/acme_tiny.py", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/usr/share/webmin/webmin/acme_tiny.py", line 143, in get_crt
    raise ValueError("Wrote file to {0}, but couldn't download {1}: {2}".format(wellknown_path, wellknown_url, e))
ValueError: Wrote file to /home/maksikoms/public_html/.well-known/acme-challenge/Q5RLDO2zivNPQGsYgWTh63mO_RvSt5BdqZAcxiVRQa0, but couldn't download http://www.maksikoms.lv/.well-known/acme-challenge/Q5RLDO2zivNPQGsYgWTh63mO_RvSt5BdqZAcxiVRQa0: Error:
Url: http://www.maksikoms.lv/.well-known/acme-challenge/Q5RLDO2zivNPQGsYgWTh63mO_RvSt5BdqZAcxiVRQa0
Data: None
Response Code: None
Response: <urlopen error [Errno 110] Connection timed out>

LE can't reach it, but I can.
I get file contents:

Q5RLDO2zivNPQGsYgWTh63mO_RvSt5BdqZAcxiVRQa0.8hKqKV6fm8JbtEE-Apn0h6eo6Gw57WIG45Ht0gb8_kw

Again, pointing to something blocking their requests.

Do you know the source IPs of LE?
I can check them (if there is anything at all in the FW logs, if I can ping them, etc.)

The IPs are not published and do change from time to time.

Port 80 requests should be allowed and filtered to accept only the necessary.
All other requests can be redirected to HTTPS.
Port 443 can then be firewalled to only allow/block IPs as you desire.

This I see in my FW:

|Time|Firewall log entry|
|---|---|
|2020-06-22 14:38:48|ProxyMatch, ProxyAvScan: HTTP request URL match, pri=6, disp=Allow, policy=HTTP-proxy.4-00, protocol=http/tcp, src_ip=65.19.128.70, src_port=59280, dst_ip=91.90.225.6, dst_port=80, src_intf=0-External, dst_intf=2-Optional-1, rc=599, proxy_act=HTTP-Server.1, rule_name=Default, dstname=www.maksikoms.lv, arg=/.well-known/acme-challenge/Q5RLDO2zivNPQGsYgWTh63mO_RvSt5BdqZAcxiVRQa0, 1AFF-000B, geo_src=USA; geo_dst=LVA|
|2020-06-22 14:38:48|ProxyHTTPReq, HTTP request, pri=6, disp=Allow, policy=HTTP-proxy.4-00, protocol=http/tcp, src_ip=65.19.128.70, src_port=59280, dst_ip=91.90.225.6, dst_port=80, src_intf=0-External, dst_intf=2-Optional-1, rc=525, proxy_act=HTTP-Server.1, rcvd_bytes=289, sent_bytes=276, elapsed_time=0.003514 sec(s); op=GET, dstname=www.maksikoms.lv, arg=/.well-known/acme-challenge/Q5RLDO2zivNPQGsYgWTh63mO_RvSt5BdqZAcxiVRQa0, 1AFF-0024, src_ctid=ffff8800664b1d50; dst_ctid=ffff8800664b1d50; out_port=59280; srv_ip=10.0.2.109; srv_port=80, geo_src=USA; geo_dst=LVA|
|2020-06-22 14:38:49|ProxyMatch, ProxyAvScan: HTTP request URL match, pri=6, disp=Allow, policy=HTTP-proxy.4-00, protocol=http/tcp, src_ip=65.19.128.70, src_port=34586, dst_ip=91.90.225.6, dst_port=80, src_intf=0-External, dst_intf=2-Optional-1, rc=599, proxy_act=HTTP-Server.1, rule_name=Default, dstname=www.maksikoms.lv, arg=/.well-known/acme-challenge/Q5RLDO2zivNPQGsYgWTh63mO_RvSt5BdqZAcxiVRQa0:, 1AFF-000B, geo_src=USA; geo_dst=LVA|
|2020-06-22 14:38:49|ProxyHTTPReq, HTTP request, pri=6, disp=Allow, policy=HTTP-proxy.4-00, protocol=http/tcp, src_ip=65.19.128.70, src_port=34586, dst_ip=91.90.225.6, dst_port=80, src_intf=0-External, dst_intf=2-Optional-1, rc=525, proxy_act=HTTP-Server.1, rcvd_bytes=439, sent_bytes=277, elapsed_time=0.003280 sec(s); op=GET, dstname=www.maksikoms.lv, arg=/.well-known/acme-challenge/Q5RLDO2zivNPQGsYgWTh63mO_RvSt5BdqZAcxiVRQa0:, 1AFF-0024, src_ctid=ffff8800407c9090; dst_ctid=ffff8800407c9090; out_port=34586; srv_ip=10.0.2.109; srv_port=80, geo_src=USA; geo_dst=LVA|
|2020-06-22 14:39:09|ProxyMatch, ProxyAvScan: HTTP request URL match, pri=6, disp=Allow, policy=HTTP-proxy.4-00, protocol=http/tcp, src_ip=75.51.0.156, src_port=13499, dst_ip=91.90.225.6, dst_port=80, src_intf=0-External, dst_intf=2-Optional-1, rc=599, proxy_act=HTTP-Server.1, rule_name=Default, dstname=www.maksikoms.lv, arg=/.well-known/acme-challenge/Q5RLDO2zivNPQGsYgWTh63mO_RvSt5BdqZAcxiVRQa0, 1AFF-000B, geo_src=USA; geo_dst=LVA|
|2020-06-22 14:39:09|ProxyHTTPReq, HTTP request, pri=6, disp=Allow, policy=HTTP-proxy.4-00, protocol=http/tcp, src_ip=75.51.0.156, src_port=13499, dst_ip=91.90.225.6, dst_port=80, src_intf=0-External, dst_intf=2-Optional-1, rc=525, proxy_act=HTTP-Server.1, rcvd_bytes=345, sent_bytes=213, elapsed_time=0.001777 sec(s); op=GET, dstname=www.maksikoms.lv, arg=/.well-known/acme-challenge/Q5RLDO2zivNPQGsYgWTh63mO_RvSt5BdqZAcxiVRQa0, 1AFF-0024, src_ctid=ffff8800646544d0; dst_ctid=ffff8800646544d0; out_port=13499; srv_ip=10.0.2.109; srv_port=80, geo_src=USA; geo_dst=LVA|

So 2 addresses:

65.19.128.70

75.51.0.156

One must be yours, the second – LE?
But both successful.

Both are allowed and neither of them is from LE.
It must be blocked before it reaches that firewall.
They do use “geo_src” which caught my eye.
Is there a different log for the denied/dropped requests?
[is that the allowed log?]

No, if there were a deny, it would be there…
The FW has a GEO option, but it is not configured to block anything. I don’t see any blocked requests for this rule (I looked by port and IP).
It seems that I have to buy some static cert and forget about this. It worked for 2 years, since I configured it. Now it doesn’t work and it’s not clear why…

I see requests from the 17.58.88.xxx network, from multiple addresses, with the exact URL of the newly generated file.
It must be LE, as how can somebody know the exact file name, just created, and go for that link?
I don’t see any directory browsing before, and to my understanding it is not even possible because of permissions?
So it looks as if I am blocked out by too many requests. I’ll disable it for some time, probably.

Ok, it seems that I have no more ideas to test now. I have disabled automated requests to LE. I’ll install some cert for 1 year, and maybe check later whether it starts to work. It is too much troubleshooting, so just buying a certificate becomes the cheaper option…
Thanks a lot for the help, rg305!

I see some requests (all successful) immediately after I request a certificate. All from the network 17.58.81.xxx.
Then the requests stop (I filter by the acme file URL). So if these are LE requests, I am quite sure that LE blocks certificate issuing and just a wrong error message is provided.
I’ll drop this for now, let it stay disabled, and probably install another cert later.
If you have any idea, let me know, but it really doesn’t look like a client problem any more…

|Time|Firewall log entry|
|---|---|
|2020-06-22 15:35:57|ProxyMatch, ProxyAvScan: HTTP request URL match, pri=6, disp=Allow, policy=HTTP-proxy.4-00, protocol=http/tcp, src_ip=17.58.88.166, src_port=37848, dst_ip=91.90.225.6, dst_port=80, src_intf=0-External, dst_intf=2-Optional-1, rc=599, proxy_act=HTTP-Server.1, rule_name=Default, dstname=maksikoms.lv, arg=/.well-known/acme-challenge/wCti7e45pkQVyN5aKbFQuyjQU3uxUDaICFZW7adhJ4U:, 1AFF-000B, geo_src=USA; geo_dst=LVA|
|2020-06-22 15:35:57|ProxyHTTPReq, HTTP request, pri=6, disp=Allow, policy=HTTP-proxy.4-00, protocol=http/tcp, src_ip=17.58.88.166, src_port=37848, dst_ip=91.90.225.6, dst_port=80, src_intf=0-External, dst_intf=2-Optional-1, rc=525, proxy_act=HTTP-Server.1, rcvd_bytes=491, sent_bytes=190, elapsed_time=0.002075 sec(s); op=GET, dstname=maksikoms.lv, arg=/.well-known/acme-challenge/wCti7e45pkQVyN5aKbFQuyjQU3uxUDaICFZW7adhJ4U:, 1AFF-0024, src_ctid=ffff880051035d50; dst_ctid=ffff880051035d50; out_port=37848; srv_ip=10.0.2.109; srv_port=80, geo_src=USA; geo_dst=LVA|
|2020-06-22 15:35:58|ProxyMatch, ProxyAvScan: HTTP request URL match, pri=6, disp=Allow, policy=HTTP-proxy.4-00, protocol=http/tcp, src_ip=17.58.88.166, src_port=37906, dst_ip=91.90.225.6, dst_port=80, src_intf=0-External, dst_intf=2-Optional-1, rc=599, proxy_act=HTTP-Server.1, rule_name=Default, dstname=maksikoms.lv, arg=/.well-known/acme-challenge/wCti7e45pkQVyN5aKbFQuyjQU3uxUDaICFZW7adhJ4U, 1AFF-000B, geo_src=USA; geo_dst=LVA|
|2020-06-22 15:35:58|ProxyHTTPReq, HTTP request, pri=6, disp=Allow, policy=HTTP-proxy.4-00, protocol=http/tcp, src_ip=17.58.88.166, src_port=37906, dst_ip=91.90.225.6, dst_port=80, src_intf=0-External, dst_intf=2-Optional-1, rc=525, proxy_act=HTTP-Server.1, rcvd_bytes=345, sent_bytes=189, elapsed_time=0.001942 sec(s); op=GET, dstname=maksikoms.lv, arg=/.well-known/acme-challenge/wCti7e45pkQVyN5aKbFQuyjQU3uxUDaICFZW7adhJ4U, 1AFF-0024, src_ctid=ffff88004af03490; dst_ctid=ffff88004af03490; out_port=37906; srv_ip=10.0.2.109; srv_port=80, geo_src=USA; geo_dst=LVA|
|2020-06-22 15:35:58|ProxyMatch, ProxyAvScan: HTTP request URL match, pri=6, disp=Allow, policy=HTTP-proxy.4-00, protocol=http/tcp, src_ip=17.58.88.166, src_port=37934, dst_ip=91.90.225.6, dst_port=80, src_intf=0-External, dst_intf=2-Optional-1, rc=599, proxy_act=HTTP-Server.1, rule_name=Default, dstname=maksikoms.lv, arg=/.well-known/acme-challenge/wCti7e45pkQVyN5aKbFQuyjQU3uxUDaICFZW7adhJ4U, 1AFF-000B, geo_src=USA; geo_dst=LVA|
|2020-06-22 15:35:58|ProxyHTTPReq, HTTP request, pri=6, disp=Allow, policy=HTTP-proxy.4-00, protocol=http/tcp, src_ip=17.58.88.166, src_port=37934, dst_ip=91.90.225.6, dst_port=80, src_intf=0-External, dst_intf=2-Optional-1, rc=525, proxy_act=HTTP-Server.1, rcvd_bytes=345, sent_bytes=189, elapsed_time=0.001991 sec(s); op=GET, dstname=maksikoms.lv, arg=/.well-known/acme-challenge/wCti7e45pkQVyN5aKbFQuyjQU3uxUDaICFZW7adhJ4U, 1AFF-0024, src_ctid=ffff880063d9b730; dst_ctid=ffff880063d9b730; out_port=37934; srv_ip=10.0.2.109; srv_port=80, geo_src=USA; geo_dst=LVA|

I also tried to disable all additional checks on firewall for 1 request, no difference.

Regards,
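As an added example (not code from this thread, from Webmin or from acme_tiny), the following Python parses rows in the key=value layout of the firewall log quoted above, lists per source IP whether the challenge fetch was allowed and whether the requested path exactly matches the token the client wrote, and checks that the served file has the `token.thumbprint` shape shown earlier in the thread. The sample rows are constructed from the IPs and token in the first log table plus one made-up Deny row from 203.0.113.5; the parser also accepts the full rows as pasted in the thread.

```python
import re
from collections import defaultdict

# Token and key-authorization file content quoted in the thread above.
TOKEN = "Q5RLDO2zivNPQGsYgWTh63mO_RvSt5BdqZAcxiVRQa0"
KEY_AUTHZ = TOKEN + ".8hKqKV6fm8JbtEE-Apn0h6eo6Gw57WIG45Ht0gb8_kw"
PREFIX = "/.well-known/acme-challenge/"
FIELD_RE = re.compile(r"(\w+)=([^,;|]+)")       # key=value pairs of the proxy log
B64URL_RE = re.compile(r"^[A-Za-z0-9_-]+$")     # unpadded base64url (RFC 8555 tokens)

# Constructed sample rows in the key=value layout of the firewall log in the thread
# (IPs and ports from the thread, plus one made-up Deny row from 203.0.113.5).
LOG_ROWS = [
    "|2020-06-22 14:38:48|ProxyHTTPReq, HTTP request, pri=6, disp=Allow, protocol=http/tcp, "
    f"src_ip=65.19.128.70, src_port=59280, dst_ip=91.90.225.6, dst_port=80, op=GET, "
    f"dstname=www.maksikoms.lv, arg={PREFIX}{TOKEN}, geo_src=USA; geo_dst=LVA|",
    "|2020-06-22 14:38:49|ProxyHTTPReq, HTTP request, pri=6, disp=Allow, protocol=http/tcp, "
    f"src_ip=65.19.128.70, src_port=34586, dst_ip=91.90.225.6, dst_port=80, op=GET, "
    f"dstname=www.maksikoms.lv, arg={PREFIX}{TOKEN}:, geo_src=USA; geo_dst=LVA|",
    "|2020-06-22 14:39:09|ProxyHTTPReq, HTTP request, pri=6, disp=Allow, protocol=http/tcp, "
    f"src_ip=75.51.0.156, src_port=13499, dst_ip=91.90.225.6, dst_port=80, op=GET, "
    f"dstname=www.maksikoms.lv, arg={PREFIX}{TOKEN}, geo_src=USA; geo_dst=LVA|",
    "|2020-06-22 14:39:30|ProxyHTTPReq, HTTP request, pri=6, disp=Deny, protocol=http/tcp, "
    f"src_ip=203.0.113.5, src_port=40000, dst_ip=91.90.225.6, dst_port=80, op=GET, "
    f"dstname=www.maksikoms.lv, arg={PREFIX}{TOKEN}, geo_src=USA; geo_dst=LVA|",
]

def parse_row(row):
    """Split one '|time|message|' row into timestamp, event name and key=value fields."""
    ts, _, msg = row.strip().strip("|").partition("|")
    fields = dict(FIELD_RE.findall(msg))
    fields.update(ts=ts, event=msg.split(",", 1)[0])
    return fields

def summarize(rows, expected_token):
    """Per source IP: (disposition, requested path == expected token?) for each challenge
    fetch; False means the logged path differs from the token (e.g. the trailing ':')."""
    summary = defaultdict(list)
    for f in map(parse_row, rows):
        arg = f.get("arg", "")
        if f["event"] != "ProxyHTTPReq" or not arg.startswith(PREFIX):
            continue
        summary[f["src_ip"]].append((f["disp"], arg[len(PREFIX):] == expected_token))
    return dict(summary)

def check_key_authorization(token, content):
    """HTTP-01 body must be '<token>.<account-key thumbprint>', both unpadded base64url."""
    head, sep, thumb = content.strip().partition(".")
    return sep == "." and head == token and bool(B64URL_RE.match(thumb))
```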

17/8 network IPs are from Apple.
They are just following the links that you posted in this forum.

If your DNS service provider supports API updates, you can use that authentication method instead.
[which can be automated with clients that support DNS API authentication method]
Otherwise, you can also do the DNS changes manually [not recommended but possible].

I don’t see how it is possible that they follow links before I posted them in the forum?

This connection happens immediately after I try to renew the certificate, and stops after a few attempts… The file name is generated randomly each time… It’s interesting…

The DNS option is not realistic for me (no API, and I can’t do it manually all the time). I’ll probably buy a certificate instead.
Have a nice day!

You need to check your timestamps.
And watch how they follow this one:

This link produces "file not found", as expected, as there is no file with the name "just-a-test-link". Speaking of "they know the file name before posting", I was not very precise – I haven’t posted that link at all, I posted just the firewall log, which includes the name of the acme challenge file – so it was definitely after the access.
So it is really interesting for me how somebody can know this name, except LE, who generated the name? I would expect it must be impossible, as that is actually the reason for using a random name. Or have I missed something?

I’m confused…
Which link was accessed by a 17 IP before you posted it here?