[solved] Renew failed, couldn't download challenge

Greetings.
I have a site with an active letsencrypt certificate that was successfully renewed before. However, now renewals fail.
I’m using the “acme_renew” client script on a CentOS server.

Wrote file to /var/www/challenges/tTD-trU4w-fXpy2jTEQqFCCIg5YwSGpErEaFgqzyljo, but couldn’t download http://www.zuahub.org/.well-known/acme-challenge/tTD-trU4w-fXpy2jTEQqFCCIg5YwSGpErEaFgqzyljo

I have done the following local tests and verifications:

During renewal I left the following script running in a separate console:
while true; do [ 0`ls /var/www/challenges | wc -l` -gt 0 ] && ls -laZ /var/www/challenges ; done

This confirmed the successful creation of the above file as:
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 tTD-trU4w-fXpy2jTEQqFCCIg5YwSGpErEaFgqzyljo
The file was automatically deleted after acme_renew finished.
I have recreated a text file in the same spot with the same permissions (Unix & SELinux), which I can access using the advertised URL as per the log entry.

I can see my own access attempts in the Apache access log, but no others, while the page is accessible through the internet and DNS only advertises a single IPv4 address and no IPv6 addresses.

So I see no possibility to solve the problem on my end.

Suggestion for self-service support: provide a tool on the letsencrypt site that indicates “How we see you”, reporting DNS and other possible information after a hostname is entered.

Thanks for your support.

What error showed up when trying to download the challenge file?

When I’m trying to download the test file (you can do so as well) under the URL below, I receive no errors and get the matching log entry in the Apache access log.

The text below:
Wrote file to /var/www/challenges/tTD-trU4w-fXpy2jTEQqFCCIg5YwSGpErEaFgqzyljo, but couldn’t download http://www.zuahub.org/.well-known/acme-challenge/tTD-trU4w-fXpy2jTEQqFCCIg5YwSGpErEaFgqzyljo

is the output of the acme_renew script, indicating to me that the letsencrypt services were not able to download the token. However, I do not see an attempt in the Apache access log, so I must assume that such a GET by letsencrypt was not arriving at the server.

Maybe it’s the script itself which tries to download the file. You may try to simulate that with the following command on the server:

wget -S -O - http://www.zuahub.org/.well-known/acme-challenge/tTD-trU4w-fXpy2jTEQqFCCIg5YwSGpErEaFgqzyljo


@bytecamp you were right. The message was not referring to an external trial.

It appears acme_tiny first does a local attempt in addition, prior to trying letsencrypt. Adding an entry to hosts for the Apache virtual host did make it complete successfully and renew the certificate. So acme_tiny protected me from a problem I didn’t have without it 🙂

Thanks for that spark of genius.

Best regards, the issue can be closed as solved.

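The local pre-flight that turned out to be the cause, as an added example (not acme_tiny's code and not anything posted in this thread): write the token under the webroot, then fetch it through the site's own hostname the way the client does before contacting the CA, so that a hostname that does not resolve from the server (the hosts-file case above), a 404 and a content mismatch each get a distinct diagnosis. The hostnames, token values and the local stand-in for Apache are constructed for the example.

```python
import os
import socket
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
ACME_PATH = ".well-known/acme-challenge"
# direct connection: a proxy in the environment would hide how the server sees itself
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def write_token(webroot, token, keyauth):
    """Write the key authorization to <webroot>/.well-known/acme-challenge/<token>."""
    d = os.path.join(webroot, *ACME_PATH.split("/"))
    os.makedirs(d, exist_ok=True)
    with open(os.path.join(d, token), "w") as f:
        f.write(keyauth)

def self_check(domain, token, keyauth, port=80, timeout=5):
    """Local pre-flight like the client's: returns ('dns'|'http'|'content'|'ok', detail)."""
    try:
        socket.gethostbyname(domain)  # a vhost name missing from /etc/hosts and DNS fails here
    except socket.gaierror as e:
        return "dns", f"{domain} does not resolve from this host: {e}"
    url = f"http://{domain}:{port}/{ACME_PATH}/{token}"
    try:
        with _opener.open(url, timeout=timeout) as r:
            body = r.read().decode("utf-8", "replace").strip()
    except (urllib.error.URLError, OSError) as e:  # 404, connection refused, timeout ...
        return "http", f"could not download {url}: {e}"
    if body != keyauth:
        return "content", f"{url} served {body!r}, expected {keyauth!r}"
    return "ok", url

def serve_webroot(webroot):
    """Constructed stand-in for Apache: serve webroot on 127.0.0.1; returns (server, port)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), partial(SimpleHTTPRequestHandler, directory=webroot))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

def demo():  # end-to-end run with constructed token values; returns each check's status
    root = tempfile.mkdtemp()
    token, keyauth = "tTD-example-token", "tTD-example-token.thumbprint"
    write_token(root, token, keyauth)
    srv, port = serve_webroot(root)
    try:
        return {"good": self_check("127.0.0.1", token, keyauth, port=port)[0],
                "wrong_content": self_check("127.0.0.1", token, "other", port=port)[0],
                "missing": self_check("127.0.0.1", "absent-token", keyauth, port=port)[0]}
    finally:
        srv.shutdown()
```

Against the real vhost, call self_check with the site's hostname and port 80 after write_token has placed the file in the directory Apache maps to /.well-known/acme-challenge/; a "dns" result is the symptom this thread describes.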
