Renewal failing in secondary

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: MailOK.com

I ran this command: wacs.exe

It produced this output:

{
  "type": "urn:ietf:params:acme:error:connection",
  "detail": "During secondary validation: Fetching http://mailok.com/.well-known/acme-challenge/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx: Timeout during connect (likely firewall problem)",
  "status": 400
}

My web server is (include version): Apache 2.4.33.0 (Xampp)

The operating system my web server runs on is (include version): Windows Version 10.0.18363.720

My hosting provider, if applicable, is: local ISP with Cox as provider

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): wacs.exe 2.1.5.742

Port 80 is open
The primary validation looks good
Most times, of the secondary validation, the first two are successful and can be seen in access.log

My local ISP indicates they do not block traffic of this type.
I suspect my ISP's provider has blacklisted some AWS traffic.


Is there an inline IPS?
Is there any local software that inspects HTTP?

If so, check those logs for drops/blocks.
[or try temporarily bypassing them]


Here are the log entries showing primary and first two secondary:

98.191.240.12 - - [05/Apr/2020:09:23:06 -0500] "GET /.well-known/acme-challenge/xiNgHuqggqsBSJ5zaFosqn41PDfK8hJrjL06u07iiyk HTTP/1.1" 302 373 "-" "-"
66.133.109.36 - - [05/Apr/2020:09:23:06 -0500] "GET /.well-known/acme-challenge/xiNgHuqggqsBSJ5zaFosqn41PDfK8hJrjL06u07iiyk HTTP/1.1" 302 373 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
34.209.232.166 - - [05/Apr/2020:09:23:07 -0500] "GET /.well-known/acme-challenge/xiNgHuqggqsBSJ5zaFosqn41PDfK8hJrjL06u07iiyk HTTP/1.1" 302 373 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

I have added the file back to the /well-known/acme-challenge directory so you can test

http://mailok.com/.well-known/acme-challenge/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.xml

No IPS

No software inspecting HTTP

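As an added example (not code from the thread, from the poster, or from the win-acme project), here is a small Python script that does what the poster did by hand: it pulls the acme-challenge requests out of an Apache combined-format access.log, counts the distinct validator addresses that reached the server for each challenge token, and flags any response that was a redirect instead of a plain 200. The sample log lines are constructed with documentation-range addresses and a made-up token, not the poster's real entries; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on Apache's combined log format. These are not
# the poster's entries: addresses are from the TEST-NET ranges, token is made up.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Apr/2020:09:23:06 -0500] "GET /.well-known/acme-challenge/TOKENabc123 HTTP/1.1" 302 373 "-" "-"
198.51.100.7 - - [05/Apr/2020:09:23:06 -0500] "GET /.well-known/acme-challenge/TOKENabc123 HTTP/1.1" 302 373 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
192.0.2.44 - - [05/Apr/2020:09:23:07 -0500] "GET /.well-known/acme-challenge/TOKENabc123 HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
192.0.2.99 - - [05/Apr/2020:09:25:00 -0500] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.68.0"
"""

# One combined-format line: ip ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def parse_line(line):
    """Return the named fields of one access.log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def challenge_hits(log_text):
    """Map each challenge token to the (ip, status, user-agent) tuples that requested it."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not rec["path"].startswith(CHALLENGE_PREFIX):
            continue
        token = rec["path"][len(CHALLENGE_PREFIX):]
        hits[token].append((rec["ip"], int(rec["status"]), rec["ua"]))
    return dict(hits)


def assess(hits):
    """Per token: how many distinct validator addresses arrived, and which of them
    got something other than a 200. A 3xx only passes if the redirect target is
    itself reachable from every validator, so it is a dependency to check, not a pass."""
    report = {}
    for token, entries in hits.items():
        ips = sorted({ip for ip, _, _ in entries})
        non_200 = sorted({status for _, status, _ in entries if status != 200})
        report[token] = {
            "distinct_ips": len(ips),
            "ips": ips,
            "non_200_statuses": non_200,
            "redirected": any(300 <= s < 400 for s in non_200),
        }
    return report


if __name__ == "__main__":
    # Usage: swap SAMPLE_LOG for open("access.log").read() on a real server.
    for token, info in assess(challenge_hits(SAMPLE_LOG)).items():
        print(f"token {token}: {info['distinct_ips']} validator address(es) seen: {', '.join(info['ips'])}")
        if info["redirected"]:
            print("  answered with a redirect; confirm the redirect target is reachable from outside")
        elif info["non_200_statuses"]:
            print(f"  non-200 responses: {info['non_200_statuses']}")
```

Run against the real access.log, a token whose report lists fewer addresses than the validator sent, or one where every arriving request got a 302, narrows the question to either inbound filtering (requests never arrive) or the redirect target (requests arrive but are bounced elsewhere).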

HTTP error 302 means it moved.

Your “test” is an XML file.
That is probably not a good test.
Try a similar file type and name.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.