Running Boulder Internally - DNS Configuration Means Certificates Aren't Issued


#1

Hi, I ve been trying to solve this problem myself but I have found little success :sweat:

I m using ubuntu trusty and apache and cant get the response from my server.
I get this message after using : sudo ./certbot-auto certonly --agree-tos --renew-by-default -d bye.com --server http://172.17.0.1:4000/directory --webroot -w /var/www/bye.com/html/ (this is where I have bye.html)

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for bye.com
Using the webroot path /var/www/bye.com/html for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. bye.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://bye.com/.well-known/acme-challenge/xDpsMOU5N1lTkvIhgQeO1gWZQX7kOk-l7p683SiNI2w: 404 not found

IMPORTANT NOTES:

404 not found

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.


I have access to files I place in ./well-known/acme-challenge using curl from other machines and have thos same directories with 755 permissions and chown myUser.
Any help is welcome :sob:


#2

Hi @Chopi64,

How did you choose --server http://172.17.01.1:4000/directory? That does not sound like the correct location of the Let’s Encrypt CA.

Apart from that, if you create a file /var/www/bye.com/html/test.txt, can you see its contents at http://bye.com/test.txt? If so, if you create a file at /var/www/bye.com/html/.well-known/acme-challenge/test2.txt, can you see its contents at http://bye.com/.well-known/acme-challenge/test2.txt?


#3

Thanks for the response @schoen!
I just tried to access test.txt and test2.txt at those locations and no problems visualizing the message. :relaxed:

About the --server http://172.17.0.1:4000/directory , I ve got a copy of Boulder CA running in 172.17.0.4 that can be accessed through 172.17.0.1 so I decided to add it here instead of changing my /etc/hosts.
As far as I m aware the problem shouldnt be in accessing the CA, as a tcpdump -i eth0 port 4000 in the CA VM returns me plenty of messages when launching ./certbot-auto from the other machine.
Btw, I have access to test.txt and test2.txt from 172.17.0.4 :confused: so I guess the problem is that somehow the CA cannot complete the challenge? :confused:


#4

Since you’re running your own copy of Boulder, is it possible that something is misconfigured in Boulder that prevents it from verifying HTTP-01 challenges, or that the version of bye.com that it sees is not the same version that you intended?

If you just wanted to experiment without running into rate limits, you can also use the Let’s Encrypt staging CA with --staging.


#5

Solved!! :grin:
I had forgotten to change the FAKE_DNS field in my Boulder server, certbot was doing all right


#6

hi @Chopi64

Congrats on getting it to work. In future it would be a good idea to state that you are using boulder internally up front so people don’t have to deduce it :smiley:

Andrei


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.