[resolved] Acme install or renew problem (for yunohost)

Hello,

I have a problème for install / renew my let’s encrypt certificate.

Let me explain, when I try to renew or install a let encryption certificate, I have the following message:

Erreur : Wrote file to
/tmp/acme-challenge-public/ghvmCOYNcQsZ-jbF5C-LUMT-UNIlibybublhujbuylhjn, but couldn't download
http://mydomaine.tld/.well-known/acme-challenge/ghvmCOYNqsdcQsZ-jqsdqsbF5Ca-LUMgddfsT-qhyeaicuygfiauzegycfnaieuzgyncaizueygfcnaizuegfycnazie
Erreur : Certificate installation for mydomaine.tld failed !

For me, it’s not a DNS problem; my DNS configuration is :

@ 10800 IN A 192.99.xxx.xxx
@ 10800 IN AAAA xxxx:xxxx:xxxx:xxxx::1
@ 10800 IN MX 10 spool.mail.gandi.net.
@ 10800 IN MX 50 fb.mail.gandi.net.
@ 10800 IN SOA ns1.gandi.net. hostmaster.gandi.net. 1509211470 10800 3600 604800 10800
_xmpp-client._tcp 1800 IN SRV 0 5 5222 mydomaine.tld.
_xmpp-server._tcp 1800 IN SRV 0 5 5269 mydomaine.tld.
imap 10800 IN CNAME access.mail.gandi.net.
pop 10800 IN CNAME access.mail.gandi.net.
smtp 10800 IN CNAME relay.mail.gandi.net.

Where A and AAAA are respectively the IPv4 and IPv6 addresses of my server.
And when I execute the following command :
dig mydomaine.tld
I have :
mydomain.tld. 10799 IN A 192.99.xxx.xxx

So for me it’s correct.

And here is what I understand least: When I try with a web browser to download the file it works …

(with: http://mydomain.tld/.well-known/acme-challenge/AwjxMogJFdSSyh3EjYyw9XCWu4cV4dMDyNORRirg79k )

Have you ever encountered a similar problem?

PS:
This certificate is for my yunohost server.
I will try to explain my infrastructure behind this message.

My, let’s encypt certificat if for my Yunohost serveur (the web serveur is nginx) behind a PFSense firewall.

(IT’s 2 VM on Proxmox)

               +------------------------------------------------------------------------+
               |                                                                        |
               |                                                                        |
               |                                                                        |
               |                           +---------+                                  |
               |                           |         |                                  |
               |                      +----+  other VM                                  |
 my_domaine.tld|                      |    |         |                                  |
 192.99.XXX.XXX|                      |    +---------+                                  |
               |    +---------+       |                                                 |
               |    |         |       |                                                 |
               +----+         +-------+                                                 |
               |    | PFSense |       |                                                 |
               |    |         |       |                                                 |
               |    +---------+       |   +-----------+                                 |
               |   192.168.2.1        |   | yunohost  |                                 |
               |                      |   |           |                                 |
               |                      +---+           |                                 |
               |                          |           |                                 |
               |                          +-----------+                                 |
               |                      192.168.2.2                                       |
               +------------------------------------------------------------------------+

All traffic arriving on my proxmox server is redirected via iptables to the PFSense. (except 2 ports, one for the web interface and another for ssh access.)
And the web traffic (80 and 443) is redirected to my Yunohost server (NAT and rule).

Can you explain in a way that makes a little more sense? YunoHost is a software, correct?

I’m just trying to clarify.

My main problem is that i can not install a new let’s encrypt certificate.

When I try, I have :

Erreur : Wrote file to
/tmp/acme-challenge-public/ghvmCOYNcQsZ-jbF5C-LUMT-UNIlibybublhujbuylhjn, but couldn't download
http://mydomaine.tld/.well-known/acme-challenge/ghvmCOYNqsdcQsZ-jqsdqsbF5Ca-LUMgddfsT-qhyeaicuygfiauzegycfnaieuzgyncaizueygfcnaizuegfycnazie
Erreur : Certificate installation for mydomaine.tld failed !

But :

Do you have any idea where this may come from?

( I talked about Yunohost but I have the same problem with the following configuration: Debian 8 (fresh install) + nginx server + acme client. )


Quickly, Yunohost is Self-hosting distribution based on Debian GNU/Linux.
But, I don’t speak English very wel, so I prefer to invite you to click on the following links:

What is YunoHost ? (official site)

if you need more information, no problem :slight_smile:

Please do not redact the domain - it makes life really hard for others trying to figure out your issue.

To clarify, you are serving the /.well-known/acme-challange/ path of your domain out of the /tmp/acme-challenge-public/ directory?

Could you show the part of your server configuration where this is defined?

Also, from YunoHost website:

Certificate installation fails, says “Wrote file to ‘some path’, but couldn’t download ‘some url’” !

This should be fixed in the future, but for now you might need to manually add the following line in your /etc/hosts :

127.0.0.1 your.domain.tld

Did you try this?

Yes and yes.
And if I try to create a file in this directory in cli.
For example : echo "TEST" >> /tmp/test
I can download the file with the following command tatafrom my laptop
Or I can access it from a web browser.
My domain is charbowicz.fr
You can test : http://charbowicz.fr/.well-known/acme-challenge/test

Yes and I have always the same problem.

These don't match. Which directory serves files to /.well-known/acme-challenge, /tmp or /tmp/acme-challenge-public?

pfff it’s a mistake … it’s the following command that I executed :

echo "TEST" >> /tmp/acme-challenge-public/test

It’s OK.
It was an IPv6 problem.
I know that Let’s Encrypt test IPv6 first.
But I did not know that Let’s Encrypt does not test IPv4 after IPv6 …

thank you for help.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.