Renewal Fails "Fetching" acme-challenge

Whereinsussex · April 30, 2018, 11:37am

Trying to renew, with certbot renew (or with --dry-run) yet it's failing with "Error getting validation data" and saying it's fetching from acme-challenge that is the problem.

Looking at server log, getting 200 back for these, and could also access test.html and test from browser in acme-challenge when I placed them there. "A" records seem correct for my domain, and there are no AAAA records on the DNS.

Everywhere I have looked the web root looks to be correct.

Running Debian 8.8 and nginx/1.12.0

Hopefully someone can help, done a lot of searching and not been able to find any solutions that work.

Thanks;

Here is the output from the renew request:

 # certbot renew --dry-run
 Saving debug log to /var/log/letsencrypt/letsencrypt.log
 
 -------------------------------------------------------------------------------
 Processing /etc/letsencrypt/renewal/www.sussextrains.co.uk.conf
 -------------------------------------------------------------------------------
 Cert is due for renewal, auto-renewing...
 Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
 Renewing an existing certificate
 Performing the following challenges:
 http-01 challenge for www.sussextrains.co.uk
 http-01 challenge for livetrainmap.co.uk
 http-01 challenge for sussextrains.co.uk
 http-01 challenge for www.livetrainmap.co.uk
 Waiting for verification...
 Cleaning up challenges
 Attempting to renew cert from /etc/letsencrypt/renewal/www.sussextrains.co.uk.conf produced an unexpected error: Failed authorization procedure. sussextrains.co.uk (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://www.sussextrains.co.uk/.well-known/acme-challenge/ggRdfgjIRQ02Y5JnQ35CZE_p-jTQsW5vInGOBlQvT9A: Error getting validation data, www.livetrainmap.co.uk (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://www.sussextrains.co.uk/.well-known/acme-challenge/7h2ib2rSNQwe0RXlbD0PyPd3BygP00z6pJl_gPj6HfU: Error getting validation data, livetrainmap.co.uk (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://www.sussextrains.co.uk/.well-known/acme-challenge/ivHimDB9tnlOLcvIXr5UYm29KZlfPrhr1PWyESUBGyo: Error getting validation data, www.sussextrains.co.uk (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://www.sussextrains.co.uk/.well-known/acme-challenge/SJSCotxce-CYD3z30sqJsDbTieBHzxffnmKoKC62EMo: Error getting validation data. Skipping.
 ** DRY RUN: simulating 'certbot renew' close to cert expiry
 **          (The test certificates below have not been saved.)
 
 All renewal attempts failed. The following certs could not be renewed:
   /etc/letsencrypt/live/www.sussextrains.co.uk/fullchain.pem (failure)
 ** DRY RUN: simulating 'certbot renew' close to cert expiry
 **          (The test certificates above have not been saved.)
 1 renew failure(s), 0 parse failure(s)
 
 IMPORTANT NOTES:
  - The following errors were reported by the server:
 
    Domain: sussextrains.co.uk
    Type:   connection
    Detail: Fetching
    https://www.sussextrains.co.uk/.well-known/acme-challenge/ggRdfgjIRQ02Y5JnQ35CZE_p-jTQsW5vInGOBlQvT9A:
    Error getting validation data
 
    Domain: www.livetrainmap.co.uk
    Type:   connection
    Detail: Fetching
    https://www.sussextrains.co.uk/.well-known/acme-challenge/7h2ib2rSNQwe0RXlbD0PyPd3BygP00z6pJl_gPj6HfU:
    Error getting validation data
 
    Domain: livetrainmap.co.uk
    Type:   connection
    Detail: Fetching
    https://www.sussextrains.co.uk/.well-known/acme-challenge/ivHimDB9tnlOLcvIXr5UYm29KZlfPrhr1PWyESUBGyo:
    Error getting validation data
 
    Domain: www.sussextrains.co.uk
    Type:   connection
    Detail: Fetching
    https://www.sussextrains.co.uk/.well-known/acme-challenge/SJSCotxce-CYD3z30sqJsDbTieBHzxffnmKoKC62EMo:
    Error getting validation data
 
    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

Here is a line from the nginx log:

66.133.109.36 - - [30/Apr/2018:12:22:43 +0100] "GET /.well-known/acme-challenge/7h2ib2rSNQwe0RXlbD0PyPd3BygP00z6pJl_gPj6HfU HTTP/1.1" 200 87 "http://www.livetrainmap.co.uk/.well-known/acme-challenge/7h2ib2rSNQwe0RXlbD0PyPd3BygP00z6pJl_gPj6HfU" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

The "challenges" part of the letsencrypt.log shows the correct ip is being used from the DNS

sahsanu · April 30, 2018, 11:49am

Hi @Whereinsussex,

All your domains are being redirected to https://www.sussextrains.co.uk/whatever so seems all of them should use the same web root to serve your site. You said you put test and test.html files and it worked fine (I suppose you removed them because it gives a 404 error now) so… Did you modify the root directive in your nginx conf since you issued the certificates?.

You should double check the web root path used in/etc/letsencrypt/renewal/www.sussextrains.co.uk.conf is the same as the one defined in your current nginx conf for these domains.

Good luck,
sahsanu

Whereinsussex · April 30, 2018, 12:11pm

Hi Sahsanu,

https://www.sussextrains.co.uk/.well-known/acme-challenge/test.html and https://www.sussextrains.co.uk/.well-known/acme-challenge/test should work now (I had removed the files)

This is my renewal conf file:

# renew_before_expiry = 30 days
version = 0.10.2
archive_dir = /etc/letsencrypt/archive/www.sussextrains.co.uk
cert = /etc/letsencrypt/live/www.sussextrains.co.uk/cert.pem
privkey = /etc/letsencrypt/live/www.sussextrains.co.uk/privkey.pem
chain = /etc/letsencrypt/live/www.sussextrains.co.uk/chain.pem
fullchain = /etc/letsencrypt/live/www.sussextrains.co.uk/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = None
account = 50e3c6a0c26199d7f4b09adb0c0b3b07
webroot_path = /var/www,
[[webroot_map]]
www.sussextrains.co.uk = /var/www
livetrainmap.co.uk = /var/www
www.livetrainmap.co.uk = /var/www
sussextrains.co.uk = /var/www

And in my nginx conf file:

root /var/www;

Nothing has changed in the configuration afaik since the first ceritifcates were issued, this is the first renewal.

Thanks

Steve

sahsanu · April 30, 2018, 12:23pm

That is really strange, it is working fine from my side. Could you please put an unformatted text file in your web root?.

echo -n "Testing www.sussextrains.co.uk" > /var/www/.well-known/acme-challenge/test2

Whereinsussex · April 30, 2018, 12:55pm

Have done that, seems to be working ok here with test2

sahsanu · April 30, 2018, 12:59pm

It is ok, just one thing, could you please show the line in your nginx conf where you add the header Strict-Transport-Security?

Whereinsussex · April 30, 2018, 1:20pm

I think this is the line?

add_header Strict-Transport-Security "max-age=63072000;

sahsanu · April 30, 2018, 1:25pm

I think includeSubDomains shoud be in other line, could you please put all the params in the same line?

I mean:

add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";

and remove the line that you should have only with includeSubDomains…

Restart nginx and try to renew again using --dry-run.

Edit: Just for the records. I forgot to include the reason I was asking for the header Strict-Transport-Secuity in previous post so I’m adding it here just in case someone has the same problem.

When I tried to test the file, I saw this:

$ curl -ikL http://sussextrains.co.uk/.well-known/acme-challenge/test2
[...]
Strict-Transport-Security: max-age=63072000;
includeSubdomains
[...]

So, includeSubDomains (part of Strict-Transport-Security header) is in other line, as if it were another header and boulder doesn’t like/understand it.

That means nginx conf looks like this (the header is split in 2 lines):

add_header Strict-Transport-Security "max-age=0;
includeSubDomains";

To solve the issue just put them in 1 line:

add_header Strict-Transport-Security "max-age=0; includeSubDomains";

Once nginx has been restarted, checking again the file we see the right header in one line and validation could be completed:

$ curl -ikL http://sussextrains.co.uk/.well-known/acme-challenge/test2
[...]
Strict-Transport-Security: max-age=63072000; includeSubdomains
[...]

Whereinsussex · April 30, 2018, 1:51pm

Well done sir!

I believe it was the config had been copied and the lines were messed up. I just renewed no problems.

Thank you

sahsanu · April 30, 2018, 2:00pm

You are welcome. I’m glad you have solved the renewal issue

system · May 30, 2018, 2:00pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.