[resolved] Acme install or renew problem (for yunohost)

Hello,

I have a problem installing / renewing my Let's Encrypt certificate.

Let me explain: when I try to renew or install a Let's Encrypt certificate, I get the following message:

Erreur : Wrote file to
/tmp/acme-challenge-public/ghvmCOYNcQsZ-jbF5C-LUMT-UNIlibybublhujbuylhjn, but couldn't download
http://mydomaine.tld/.well-known/acme-challenge/ghvmCOYNqsdcQsZ-jqsdqsbF5Ca-LUMgddfsT-qhyeaicuygfiauzegycfnaieuzgyncaizueygfcnaizuegfycnazie
Erreur : Certificate installation for mydomaine.tld failed !

For me, it's not a DNS problem; my DNS configuration is:

@ 10800 IN A 192.99.xxx.xxx
@ 10800 IN AAAA xxxx:xxxx:xxxx:xxxx::1
@ 10800 IN MX 10 spool.mail.gandi.net.
@ 10800 IN MX 50 fb.mail.gandi.net.
@ 10800 IN SOA ns1.gandi.net. hostmaster.gandi.net. 1509211470 10800 3600 604800 10800
_xmpp-client._tcp 1800 IN SRV 0 5 5222 mydomaine.tld.
_xmpp-server._tcp 1800 IN SRV 0 5 5269 mydomaine.tld.
imap 10800 IN CNAME access.mail.gandi.net.
pop 10800 IN CNAME access.mail.gandi.net.
smtp 10800 IN CNAME relay.mail.gandi.net.

Where A and AAAA are respectively the IPv4 and IPv6 addresses of my server.
And when I execute the following command:
dig mydomaine.tld
I get:
mydomain.tld. 10799 IN A 192.99.xxx.xxx

So for me it’s correct.

And here is what I understand least: when I try to download the file with a web browser, it works …

(with: http://mydomain.tld/.well-known/acme-challenge/AwjxMogJFdSSyh3EjYyw9XCWu4cV4dMDyNORRirg79k )

Have you ever encountered a similar problem?

PS:
This certificate is for my yunohost server.
I will try to explain my infrastructure behind this message.

My Let's Encrypt certificate is for my YunoHost server (the web server is nginx) behind a pfSense firewall.

(It's 2 VMs on Proxmox)

               +------------------------------------------------------------------------+
               |                                                                        |
               |                                                                        |
               |                                                                        |
               |                           +---------+                                  |
               |                           |         |                                  |
               |                      +----+  other VM                                  |
 my_domaine.tld|                      |    |         |                                  |
 192.99.XXX.XXX|                      |    +---------+                                  |
               |    +---------+       |                                                 |
               |    |         |       |                                                 |
               +----+         +-------+                                                 |
               |    | PFSense |       |                                                 |
               |    |         |       |                                                 |
               |    +---------+       |   +-----------+                                 |
               |   192.168.2.1        |   | yunohost  |                                 |
               |                      |   |           |                                 |
               |                      +---+           |                                 |
               |                          |           |                                 |
               |                          +-----------+                                 |
               |                      192.168.2.2                                       |
               +------------------------------------------------------------------------+

All traffic arriving on my proxmox server is redirected via iptables to the PFSense. (except 2 ports, one for the web interface and another for ssh access.)
And the web traffic (80 and 443) is redirected to my Yunohost server (NAT and rule).

Can you explain in a way that makes a little more sense? YunoHost is a software, correct?

I’m just trying to clarify.

My main problem is that I cannot install a new Let's Encrypt certificate.

When I try, I get:

Erreur : Wrote file to
/tmp/acme-challenge-public/ghvmCOYNcQsZ-jbF5C-LUMT-UNIlibybublhujbuylhjn, but couldn't download
http://mydomaine.tld/.well-known/acme-challenge/ghvmCOYNqsdcQsZ-jqsdqsbF5Ca-LUMgddfsT-qhyeaicuygfiauzegycfnaieuzgyncaizueygfcnaizuegfycnazie
Erreur : Certificate installation for mydomaine.tld failed !

But:

Do you have any idea where this may come from?

( I talked about Yunohost but I have the same problem with the following configuration: Debian 8 (fresh install) + nginx server + acme client. )


Quickly, YunoHost is a self-hosting distribution based on Debian GNU/Linux.
But I don't speak English very well, so I prefer to invite you to click on the following links:

What is YunoHost? (official site)

if you need more information, no problem :slight_smile:

Please do not redact the domain - it makes life really hard for others trying to figure out your issue.

To clarify, you are serving the /.well-known/acme-challenge/ path of your domain out of the /tmp/acme-challenge-public/ directory?

Could you show the part of your server configuration where this is defined?

Also, from YunoHost website:

Certificate installation fails, says "Wrote file to 'some path', but couldn't download 'some url'" !

This should be fixed in the future, but for now you might need to manually add the following line in your /etc/hosts:

127.0.0.1 your.domain.tld

Did you try this?

Yes and yes.
And if I try to create a file in this directory from the CLI.
For example: echo "TEST" >> /tmp/test
I can download the file with the following command from my laptop
Or I can access it from a web browser.
My domain is charbowicz.fr
You can test: http://charbowicz.fr/.well-known/acme-challenge/test

Yes, and I always have the same problem.

These don't match. Which directory serves files to /.well-known/acme-challenge, /tmp or /tmp/acme-challenge-public?

pfff, it's a mistake … it's the following command that I executed:

echo "TEST" >> /tmp/acme-challenge-public/test

It’s OK.
It was an IPv6 problem.
I know that Let's Encrypt tests IPv6 first.
But I did not know that Let’s Encrypt does not test IPv4 after IPv6 …

Thank you for the help.
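An added pre-flight check (my own example, not code from this thread or from YunoHost) that fetches a challenge file over every A and AAAA address of the domain separately, which is the comparison that surfaces an IPv6-only failure like this one before the ACME validator does; DOMAIN, TOKEN and the expected body are constructed placeholders.

```python
import socket
import urllib.request
from urllib.error import HTTPError, URLError

# Constructed placeholders: use your real domain and a token file you created in the challenge directory.
DOMAIN = "example.invalid"
TOKEN = "test"


def resolve(domain):
    """Return {'A': [...], 'AAAA': [...]} as seen by this host's resolver."""
    addrs = {"A": [], "AAAA": []}
    for family, key in ((socket.AF_INET, "A"), (socket.AF_INET6, "AAAA")):
        try:
            for info in socket.getaddrinfo(domain, 80, family, socket.SOCK_STREAM):
                if info[4][0] not in addrs[key]:
                    addrs[key].append(info[4][0])
        except socket.gaierror:
            pass  # no records of this type
    return addrs


def fetch_challenge(ip, domain, token, timeout=5):
    """GET the challenge file over one specific address, with the Host header set so
    nginx picks the right server block. Returns (status, body) or (None, error text)."""
    host = f"[{ip}]" if ":" in ip else ip  # IPv6 literals must be bracketed in a URL
    req = urllib.request.Request(f"http://{host}/.well-known/acme-challenge/{token}",
                                 headers={"Host": domain})
    try:  # note: a redirect to the hostname would be followed via DNS again, not this ip
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode(errors="replace").strip()
    except HTTPError as exc:
        return exc.code, exc.reason
    except (URLError, OSError) as exc:
        return None, str(exc)


def diagnose(results, expected):
    """results: {ip: (status, body)}. The validator prefers AAAA when present, so a
    working IPv4 path does not rescue a challenge whose IPv6 path is broken."""
    ok = {ip for ip, (st, body) in results.items() if st == 200 and body == expected}
    v6 = set(ip for ip in results if ":" in ip)
    if v6 and not ok & v6 and ok - v6:
        return "ipv6-broken"
    if not ok:
        return "all-broken"
    return "ok" if len(ok) == len(results) else "partial"


def check_domain(domain=DOMAIN, token=TOKEN, expected="TEST"):
    addrs = resolve(domain)
    results = {ip: fetch_challenge(ip, domain, token) for ip in addrs["A"] + addrs["AAAA"]}
    return diagnose(results, expected), results
```

Run check_domain() from a host outside your own network; a result of "ipv6-broken" is exactly the situation this thread ended on.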
