Some challenges have failed - GoDaddy domain forwarded (redirected) to AWS

Dear All,

I am getting AuthorizationError('Some challenges have failed.') while creating an SSL certificate.

Note I have purchased a domain from GoDaddy & I am running apache webserver on aws elastic beanstalk. I have forwarded elastic beanstalk URL from GoDaddy with ‘forward with mask’.

This is the first time I am using Let's Encrypt, so please help me resolve this issue.

Please refer to the following details:

I ran this command:
sudo /opt/certbot/certbot-auto certonly --debug --non-interactive --email myexamplemail@gmail.com --agree-tos --standalone --domains mydomain.com --keep-until-expiring --pre-hook "service httpd stop" --staging

It produced this output:

raise errors.AuthorizationError('Some challenges have failed.')
2020-07-14 02:13:59,518 P3375 [INFO] AuthorizationError: Some challenges have failed.
2020-07-14 02:13:59,518 P3375 [INFO] Please see the logfiles in /var/log/letsencrypt for more details.
2020-07-14 02:13:59,519 P3375 [INFO] IMPORTANT NOTES:
2020-07-14 02:13:59,519 P3375 [INFO] - The following errors were reported by the server:
2020-07-14 02:13:59,519 P3375 [INFO]
2020-07-14 02:13:59,519 P3375 [INFO] Domain: mydomain.com
2020-07-14 02:13:59,519 P3375 [INFO] Type: connection
2020-07-14 02:13:59,519 P3375 [INFO] Detail: Fetching
2020-07-14 02:13:59,519 P3375 [INFO] http://mydomain.com/.well-known/acme-challenge/kCF6ZmWn0dWdhROECu8t6B7y0e7pOHn6owOZqMwOmY4:
2020-07-14 02:13:59,519 P3375 [INFO] Timeout during connect (likely firewall problem)
2020-07-14 02:13:59,519 P3375 [INFO]
2020-07-14 02:13:59,519 P3375 [INFO] To fix these errors, please make sure that your domain name was
2020-07-14 02:13:59,519 P3375 [INFO] entered correctly and the DNS A/AAAA record(s) for that domain
2020-07-14 02:13:59,519 P3375 [INFO] contain(s) the right IP address. Additionally, please check that
2020-07-14 02:13:59,519 P3375 [INFO] your computer has a publicly routable IP address and that no
2020-07-14 02:13:59,519 P3375 [INFO] firewalls are preventing the server from communicating with the
2020-07-14 02:13:59,520 P3375 [INFO] client. If you’re using the webroot plugin, you should also verify
2020-07-14 02:13:59,520 P3375 [INFO] that you are serving files from the webroot path you provided.
2020-07-14 02:13:59,520 P3375 [INFO] - Your account credentials have been saved in your Certbot
2020-07-14 02:13:59,520 P3375 [INFO] configuration directory at /etc/letsencrypt. You should make a
2020-07-14 02:13:59,520 P3375 [INFO] secure backup of this folder now. This configuration directory will
2020-07-14 02:13:59,520 P3375 [INFO] also contain certificates and private keys obtained by Certbot so
2020-07-14 02:13:59,520 P3375 [INFO] making regular backups of this folder is ideal.
2020-07-14 02:13:59,520 P3375 [INFO] ------------------------------------------------------------
2020-07-14 02:13:59,520 P3375 [ERROR] Exited with error code 1

My web server is (include version):
Apache 2.4.43 with mod_wsgi 3.5

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:
64bit Amazon Linux 2018.03 v2.9.12 running Python 3.6

I can login to a root shell on my machine (yes or no, or I don't know): yes

Thanks,

Hi @gaurav

that may be wrong.

Your domain name is required to check that.


Dear @JuergenAuer, thanks for your reply …

I am not getting what you mean by "it may be wrong"? Please elaborate.

So what should be the solution or way to create SSL with the given setup?

You literally force the http service to stop before running certbot and fail to see why the site times out.

In addition, as @JuergenAuer pointed out, URL forwarding by GoDaddy will most likely fail.


As the above method (HTTP challenge) will fail, I decided to go with the DNS challenge.
But still, after many attempts, no success. Request you to clarify the following points:

  1. I am trying to generate a certificate from my development PC for my server through the DNS challenge. Is that OK?

By running manual mode I got the following details (domain logicsandyou.com):

Running manual-auth-hook command: /etc/letsencrypt/acme-dns-auth.py
Output from manual-auth-hook command acme-dns-auth.py:
Please add the following CNAME record to your main DNS zone:

_acme-challenge.logicsandyou.com CNAME 5fa69900-561265-4f4c-a0ca-a614102e46b4.auth.acme-dns.io.

Running manual-auth-hook command: /etc/letsencrypt/acme-dns-auth.py
Output from manual-auth-hook command acme-dns-auth.py:
Please add the following CNAME record to your main DNS zone:

_acme-challenge.www.logicsandyou.com CNAME 4f7c337b-6c3b-4afc-ab5a-8b65302d3db6.auth.acme-dns.io.

Note: the above data is old, from when validation failed. I have now created & updated the DNS records with fresh values.

  2. Do I need to create a CNAME record or a TXT record? Many online tutorials & forums use a TXT record.

  3. Which is the correct way to add the CNAME:
    _acme-challenge.logicsandyou.com or just _acme-challenge
    _acme-challenge.www.logicsandyou.com or _acme-challenge.www

  4. How should I know that the above records are ready to validate?

Thanks,
Gaurav


There is a check of your domain, created yesterday - https://check-your-website.server-daten.de/?q=logicsandyou.com

Host                  Type   IP-Address                                                                                                      is auth.  Queries  Timeout
logicsandyou.com      A      184.168.131.241 (Scottsdale/Arizona/United States (US) - GoDaddy.com, LLC; hostname ip-184-168-131-241.ip.secureserver.net)  yes  2  0
                      AAAA                                                                                                                   yes
www.logicsandyou.com  CNAME  logicsandyou.com                                                                                                yes  1  0

That can't work; the result:

http://logicsandyou.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
184.168.131.241   No GZip used - 442 / 480 - 92,08 % possible   Inline-JavaScript (∑/total): 0/0   Inline-CSS (∑/total): 0/0   200
Html is minified: 104,58 %   0.343
Visible Content:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> LogicsAndYou

Info: Html-Content with frame found, may be a problem creating a Letsencrypt certificate using http-01 validation

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> 
<html> <head> <title>LogicsAndYou</title> <meta name="description" content="Online Courses"> 
<meta name="keywords" content="Online Courses"> </head> 
<frameset rows="100%,*" border="0"> 
<frame src="http://logictest1-env.eba-3pztgd5h.ap-south-1.elasticbeanstalk.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de" frameborder="0" /> </frameset> </html> 

Use the IP of

http://logictest1-env.eba-3pztgd5h.ap-south-1.elasticbeanstalk.com

in your DNS A record, not the GoDaddy 184.168.131.241 IP.

Such frames can't work, because Let's Encrypt checks the GoDaddy IP, not your webserver.

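The frameset quoted above is exactly what a "forward with mask" setup hands to the validator: an HTML wrapper around the real origin instead of the key authorization. The following is an added example, not code from the thread or from Certbot, that classifies a challenge response the way a defender would check it before asking the CA to retry. The validator's behaviour it assumes is that an http-01 fetch must return `<token>.<thumbprint>` verbatim; the sample bodies are constructed here (the frameset is the one quoted above, the thumbprint is made up).

```python
"""Classify what an ACME validator sees at an http-01 challenge URL.

Added example (not from the thread or from Certbot). Assumes the validator
fetches http://<domain>/.well-known/acme-challenge/<token> and expects the
body to be '<token>.<base64url thumbprint>' and nothing else.
"""
import re
from html.parser import HTMLParser
from urllib.request import Request, urlopen

# Token taken from the log quoted in the first post; thumbprint is constructed.
CHALLENGE_TOKEN = "kCF6ZmWn0dWdhROECu8t6B7y0e7pOHn6owOZqMwOmY4"
GOOD_BODY = CHALLENGE_TOKEN + "." + "A1b2" * 10 + "xyz"  # 43-char constructed thumbprint

# The 'forward with mask' page quoted from the check-your-website report above.
MASKED_BODY = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html> <head> <title>LogicsAndYou</title> <meta name="description" content="Online Courses">
<meta name="keywords" content="Online Courses"> </head>
<frameset rows="100%,*" border="0">
<frame src="http://logictest1-env.eba-3pztgd5h.ap-south-1.elasticbeanstalk.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de" frameborder="0" /> </frameset> </html>
"""


class _FrameFinder(HTMLParser):
    """Collect the src attribute of every <frame>/<iframe> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.frame_srcs = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser routes self-closing tags such as <frame ... /> here too.
        if tag in ("frame", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.frame_srcs.append(src)


def classify_challenge_body(body: str, token: str) -> dict:
    """Return {'status': ..., 'detail': ...} for the body served at a challenge URL.

    'ok'         -> '<token>.<thumbprint>' as http-01 requires
    'masked'     -> HTML that frames another origin: the validator never sees
                    the key authorization, only the wrapper page
    'html'       -> some other HTML page (landing page, error page)
    'unexpected' -> plain text that is not the key authorization
    """
    stripped = body.strip()
    # Key authorization: token '.' base64url(SHA-256 thumbprint) = 43 chars, no padding.
    if re.fullmatch(re.escape(token) + r"\.[A-Za-z0-9_-]{43}", stripped):
        return {"status": "ok", "detail": "key authorization served verbatim"}
    lowered = stripped.lower()
    if "<html" in lowered or "<!doctype" in lowered:
        finder = _FrameFinder()
        finder.feed(body)
        if finder.frame_srcs:
            return {"status": "masked", "detail": "HTML frame points at " + finder.frame_srcs[0]}
        return {"status": "html", "detail": "HTML page instead of key authorization"}
    return {"status": "unexpected", "detail": stripped[:60]}


def fetch_challenge_body(domain: str, token: str, timeout: float = 10.0) -> str:
    """Fetch the challenge URL over plain HTTP (needs network; not used by the checks above).

    urlopen follows HTTP redirects itself, so the body returned is whatever the
    final hop served, which is what you want to feed into classify_challenge_body.
    """
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    with urlopen(Request(url, headers={"User-Agent": "challenge-check"}), timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    for label, body in (("masked", MASKED_BODY), ("good", GOOD_BODY)):
        print(label, classify_challenge_body(body, CHALLENGE_TOKEN))
```

Run it against a real domain with `classify_challenge_body(fetch_challenge_body(domain, token), token)` after placing a test file under `.well-known/acme-challenge/` on the origin; a `masked` result means DNS still points at the forwarding host, and no amount of retrying Certbot will change what the validator sees until the A record points at the origin.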

Thanks @JuergenAuer for your quick reply. Request you to clarify the above points.


TXT type record.

Don't use CNAME for this.


Which is the correct way to add the TXT record?
_acme-challenge.logicsandyou.com or just _acme-challenge
_acme-challenge.www.logicsandyou.com or _acme-challenge.www


That depends entirely on the interface.
Some will append whatever you enter to your domain.
So that, when you enter:
_acme-challenge.logicsandyou.com
it may actually become:
_acme-challenge.logicsandyou.com.logicsandyou.com
Some are "smart enough" to correct that.
I would try adding the short name first:
_acme-challenge
And see if _acme-challenge.logicsandyou.com was created as you expected.

I can't say for sure what will happen in your DNS control interface.


As suggested, I have changed the DNS A record & created the TXT record in DNS … but the updates are not reflected yet …
I will wait till tomorrow & reply with the result.

This is NOT how the TXT record is expected to be:

_acme-challenge.logicsandyou.com        text =

        "9f7ffd2c-b350-4b36-b322-74c7f69ac81b.auth.acme-dns.io."

I have added the TXT record as follows:

NAME as -> _acme-challenge
Value as -> 9f7ffd2c-b350-4b36-b322-74c7f69ac81b.auth.acme-dns.io.

What's wrong in this?

What were the instructions?

It should probably be just:


The certbot command gave the following data:

Running manual-auth-hook command: /etc/letsencrypt/acme-dns-auth.py
Output from manual-auth-hook command acme-dns-auth.py:
Please add the following CNAME record to your main DNS zone:
_acme-challenge.logicsandyou.com CNAME 9f7ffd2c-b350-4b36-b322-74c7f69ac81b.auth.acme-dns.io.

Running manual-auth-hook command: /etc/letsencrypt/acme-dns-auth.py
Output from manual-auth-hook command acme-dns-auth.py:
Please add the following CNAME record to your main DNS zone:
_acme-challenge.www.logicsandyou.com CNAME a8ae8dbb-d62b-4c38-a82e-58c93004c6bb.auth.acme-dns.io.

Also let me know whether we need to keep the "." at the end (…c6bb.auth.acme-dns.io.)


I've never seen it ask for that.
But
that would mean that you need to create a CNAME (not a TXT) record with that info in it.

The dot at the end tries to ensure that the name won't be appended to anything else.
So, yes, keep the dot at the end.

On re-reading the thread I think you may be following some outdated (or overly complicated) instructions to get a cert.

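The three things that went wrong with the DNS records in this thread (zone appended twice by the control panel, a TXT created where acme-dns asked for a CNAME, and the trailing dot on the target) are all checkable before asking the CA to validate. The following is an added example, not code from the thread, from Certbot or from acme-dns: it parses the manual-auth-hook output quoted above and checks a proposed control-panel entry against it. The panel behaviours it models (appending the zone to a relative name, treating a name with a trailing dot as absolute) are assumptions about a generic panel, not a statement about GoDaddy's.

```python
"""Check a proposed DNS panel entry against what acme-dns asked for.

Added example (not from the thread, Certbot or acme-dns). The panel behaviour
modelled here, zone appended to relative names and a trailing dot meaning
'absolute', is an assumption about a generic DNS control panel.
"""
import re
from typing import List, Tuple

# The two hook outputs quoted in the post above.
HOOK_OUTPUT = """Running manual-auth-hook command: /etc/letsencrypt/acme-dns-auth.py
Output from manual-auth-hook command acme-dns-auth.py:
Please add the following CNAME record to your main DNS zone:
_acme-challenge.logicsandyou.com CNAME 9f7ffd2c-b350-4b36-b322-74c7f69ac81b.auth.acme-dns.io.

Running manual-auth-hook command: /etc/letsencrypt/acme-dns-auth.py
Output from manual-auth-hook command acme-dns-auth.py:
Please add the following CNAME record to your main DNS zone:
_acme-challenge.www.logicsandyou.com CNAME a8ae8dbb-d62b-4c38-a82e-58c93004c6bb.auth.acme-dns.io.
"""

Record = Tuple[str, str, str]  # (owner name without trailing dot, type, target)
_HOOK_LINE = re.compile(r"^(\S+)\s+(CNAME|TXT)\s+(\S+)$")


def parse_hook_output(text: str) -> List[Record]:
    """Extract the '<name> <TYPE> <value>' lines from the hook output."""
    records = []
    for line in text.splitlines():
        m = _HOOK_LINE.match(line.strip())
        if m and m.group(1).startswith("_acme-challenge."):
            records.append((m.group(1).rstrip(".").lower(), m.group(2), m.group(3).lower()))
    return records


def record_name_created(zone: str, entered: str, panel_appends_zone: bool) -> str:
    """Return the FQDN (no trailing dot) a panel would create for the typed name.

    A panel that appends the zone turns '_acme-challenge.example.com' into
    '_acme-challenge.example.com.example.com', the double-append mistake.
    """
    zone = zone.rstrip(".").lower()
    name = entered.strip().lower()
    if name.endswith("."):          # assumption: trailing dot means absolute
        return name.rstrip(".")
    if not panel_appends_zone:
        return name
    if name in ("", "@"):
        return zone
    return f"{name}.{zone}"


def check_entry(zone: str, entered_name: str, entered_type: str, entered_value: str,
                panel_appends_zone: bool, expected: Record) -> List[str]:
    """Return a list of problems with a proposed entry; empty means it matches."""
    exp_name, exp_type, exp_value = expected
    problems = []
    created = record_name_created(zone, entered_name, panel_appends_zone)
    if created != exp_name:
        problems.append(f"name would be {created!r}, expected {exp_name!r}")
    if entered_type.upper() != exp_type:
        problems.append(f"type must be {exp_type}, not {entered_type.upper()}: "
                        "a TXT holding the acme-dns hostname is never followed")
    value = entered_value.strip().lower()
    if value.rstrip(".") != exp_value.rstrip("."):
        problems.append("value does not match the acme-dns target")
    elif not value.endswith("."):
        problems.append("add the trailing dot so the panel cannot append the zone to the target")
    return problems


if __name__ == "__main__":
    expected = parse_hook_output(HOOK_OUTPUT)[0]
    # The entry described in the thread: short name, TXT type, target with trailing dot.
    for p in check_entry("logicsandyou.com", "_acme-challenge", "TXT",
                         "9f7ffd2c-b350-4b36-b322-74c7f69ac81b.auth.acme-dns.io.", True, expected):
        print("-", p)
```

Once the panel shows the entry, confirm from a public resolver with `dig CNAME _acme-challenge.logicsandyou.com` (or the check-your-website link used earlier in the thread) that the name resolves to the `auth.acme-dns.io` target before running Certbot again; that answers the "how do I know the records are ready" question without another failed validation against the CA.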

I am referring to the following link


Do you need a wildcard cert?
Or is there any other reason to get your certs using this method?
[This is a very manual process; you should only do it this way if you absolutely have to.]


Actually not, but I preferred this as I missed changing the A record & instead used the forwarding / redirecting method, which was causing the failure in getting the SSL cert. I will try once again with the HTTP challenge.

