[Resolved] FailedChallenges: Failed authorization procedure

Forgive me, one question again please, should I remove the .well-known directory if it is not needed anymore ?

You can do - it will be needed when you come to renew your certificate (you won’t need to do that using the standalone method). It should be recreated by letsencrypt though at that time if it doesn’t exist.

Ok thanks

Unfortunately I still have my trouble (I didn't close the port since our tests):

./letsencrypt-auto certonly --test-cert --standalone --domain my_site.fr
Checking for new version...
Requesting root privileges to run letsencrypt...
/root/.local/share/letsencrypt/bin/letsencrypt certonly --test-cert --standalone --domain my_site.fr
Failed authorization procedure. my_site.fr (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to host for DVSNI challenge

Do you know what IP the letsencrypt server is, or its FQDN? I think it would be nice to check my FW rules ...

I'll answer myself: found at least the test server: acme-staging.api.letsencrypt.org :wink:

letsencrypt deliberately doesn't provide this information (so that requests from them are not treated differently from normal users).

Is your setup a simple server with a firewall? Or do you have port forwards / a proxy or anything else in your setup?

mmmm this is a full server and the firewall contains a lot of rules, mainly to drop any attackers from outside of France (mainly built with all IPs with repeated tries on port 22).

There are no port forwards or proxy.

The staging server is e981.dscb.akamaiedge.net @ 2.20.30.68, so it shouldn’t be blocked as it is not part of my FW rules.

In your logs there shouldn’t be many trying to reach .well-known/lets-encrypt, so it should tell you the IP address that is currently being used. That IP will change over time though (there are possible plans to even perform the test via TOR to randomise the IP address used), so you can’t just whitelist it.

Would you be happy to briefly (1 min) turn off the firewall to confirm that’s what is causing the issue? (That will also give you the IP address used.)
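An added example (not from the thread) of the log check suggested above: it pulls the client IPs that fetched /.well-known/acme-challenge/ out of constructed Apache log lines and tests each one against a constructed ban list, the kind of silent drop rule that turned out to be the cause here. The log lines, the ban entries and the challenge path prefix are all assumptions.

```python
import ipaddress
import re

# Constructed sample Apache combined-log lines (hypothetical, not from the thread).
ACCESS_LOG = """\
203.0.113.7 - - [10/Jan/2016:10:01:02 +0100] "GET /.well-known/acme-challenge/abc123 HTTP/1.1" 200 87 "-" "LE validator"
198.51.100.23 - - [10/Jan/2016:10:01:05 +0100] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.47.0"
203.0.113.7 - - [10/Jan/2016:10:01:06 +0100] "GET /.well-known/acme-challenge/def456 HTTP/1.1" 404 210 "-" "LE validator"
"""

# Constructed ban list in the style of an ipset / iptables drop list (hypothetical).
BANNED = ["203.0.113.0/24", "192.0.2.44"]

# Fields of a combined-log line: client IP, method, request path, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def challenge_client_ips(log_text):
    """Return the set of client IPs that requested an ACME HTTP challenge path.

    An empty set while validation keeps failing means the validator never
    reached the web server at all, i.e. the drop happens earlier (firewall),
    as in this thread. A tls-sni-01 check on port 443 leaves no entry here either.
    """
    ips = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(3).startswith(CHALLENGE_PREFIX):
            ips.add(m.group(1))
    return ips


def matching_ban(ip, banned=BANNED):
    """Return the ban-list entry (single host or CIDR) that covers ip, or None."""
    addr = ipaddress.ip_address(ip)
    for entry in banned:
        # strict=False tolerates entries like 203.0.113.7/24 with host bits set.
        if addr in ipaddress.ip_network(entry, strict=False):
            return entry
    return None


def blocked_validators(log_text, banned=BANNED):
    """Map each challenge-fetching IP covered by the ban list to the entry blocking it."""
    result = {}
    for ip in challenge_client_ips(log_text):
        entry = matching_ban(ip, banned)
        if entry is not None:
            result[ip] = entry
    return result
```

Run it against the real access log and the exported ban list instead of the constants to see which entry, if any, would have caught the validator's current address.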

Well, this is what I will do tomorrow … unfortunately I must leave now.
I will post the results here, or maybe I will solicit the community again.

Again, many many thanks for your kind help

You’re welcome. Have a good evening

I finally found where the trouble was: I actually had a rule that drops any traffic from LE servers in my permanently banned addresses list and does not log it.
I removed this IP and I was able to get certificates using ./letsencrypt-auto --apache --domain my_site.fr

@serverco Thanks again, I appreciate your quick and valuable help.


You’re Welcome :slight_smile:

Just be aware that LE might use random IP addresses in the future, so if you get a similar error on renewal, check what’s been blocked.

Yes, for sure I will.
In fact, my banned IP list should only be updated (automatically by script) when a number of tries on some ports is reached.
Sometimes it may be needed to update it by hand, and I’m quite sure I did it by mistake, as I can see it was done when I did my very first tries with LE.
So it should not occur again … anyway I know what to do now :smiley:
