Some challenges have failed; HTTP-01 challenge success

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: cloaked1.mywire.org and *.cloaked1.mywire.org

I ran this command:

certbot certonly -n --webroot -w /var/www --config-dir /etc/ssl/certs/nginx --logs /var/log/certbot -d 'cloaked1.mywire.org' -d '*.cloaked1.mywire.org' --agree-tos -m my-name@gmail.com --preferred-challenges http --http-01-address cloaked1.mywire.org --debug-challenges -v

It produced this output:

Saving debug log to /var/log/certbot/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Requesting a certificate for cloaked1.mywire.org and *.cloaked1.mywire.org
Performing the following challenges:
dns-01 challenge for cloaked1.mywire.org
Using the webroot path /var/www for all unmatched domains.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Challenges loaded. Press continue to submit to CA.

The following FQDNs should return a TXT resource record with the value
mentioned:

FQDN: _acme-challenge.cloaked1.mywire.org
Expected value: Nq76OhY4RtGO4CrDWM1SiNJxBRjpmMt0XvqMR4Htp0k
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Waiting for verification...
Challenge failed for domain cloaked1.mywire.org
dns-01 challenge for cloaked1.mywire.org

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: cloaked1.mywire.org
  Type:   unauthorized
  Detail: No TXT record found at _acme-challenge.cloaked1.mywire.org

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/certbot/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
nginx 1.25.2

The operating system my web server runs on is (include version):

Linux Ubuntu 22.04 LTS
Docker nginx:latest image

Dockerfile:

FROM nginx:latest

# debconf's non-interactive frontend is spelled "noninteractive"; the
# hyphenated value in the original is not a valid frontend name
ENV DEBIAN_FRONTEND=noninteractive

COPY nginx.conf /etc/nginx
COPY includes/ /etc/nginx/includes
COPY etc/ssl/certs/nginx/ /etc/ssl/certs/nginx/
COPY www/ /var/www/
COPY patches/* /var/tmp/

EXPOSE 80 10443

# Self-signed placeholder cert (30 days) so nginx can start before certbot has
# issued anything; certbot lives in its own venv and the local patch is applied
# to it, so the build fails loudly if the hunk no longer applies
RUN apt update && \
    apt install -y patch python3 python3.11-venv libaugeas0 && \
    openssl req -noenc -new -x509 \
                -days 30 \
                -keyout /etc/ssl/certs/nginx/le.key \
                -out /etc/ssl/certs/nginx/le.crt \
                -subj "/C=US/ST=None/L=None/O=jimconn/CN=*.cloaked1.mywire.org" && \
    python3 -m venv /opt/certbot/ && \
    /opt/certbot/bin/pip install --upgrade pip && \
    /opt/certbot/bin/pip install --upgrade certbot certbot-nginx && \
    patch /opt/certbot/lib/python3.11/site-packages/certbot/_internal/auth_handler.py < /var/tmp/auth_handler.patch && \
    ln -s /opt/certbot/bin/certbot /usr/bin/certbot && \
    chown -R nginx:nginx /etc/nginx /etc/ssl/certs/nginx \
                         /var/www /var/log/nginx

ENTRYPOINT ["/usr/sbin/nginx"]

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

root@c8a40de968f6:/# certbot --version
certbot 2.7.1

Additional information:

Logs from nginx which seem to indicate a successful query (code 200s):

3.140.252.119 - - [16/Oct/2023:16:14:57 +0000] "GET /.well-known/acme-challenge/6MLKx0KUqndOA8DfwzLoQt_SuDIeAuPtS-h2JCWQCQU HTTP/1.1" 301 169 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
34.220.86.115 - - [16/Oct/2023:16:14:57 +0000] "GET /.well-known/acme-challenge/6MLKx0KUqndOA8DfwzLoQt_SuDIeAuPtS-h2JCWQCQU HTTP/1.1" 301 169 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
34.220.86.115 - - [16/Oct/2023:16:14:58 +0000] "GET /.well-known/acme-challenge/6MLKx0KUqndOA8DfwzLoQt_SuDIeAuPtS-h2JCWQCQU HTTP/1.1" 200 87 "http://cloaked1.mywire.org/.well-known/acme-challenge/6MLKx0KUqndOA8DfwzLoQt_SuDIeAuPtS-h2JCWQCQU" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
23.178.112.107 - - [16/Oct/2023:16:14:58 +0000] "GET /.well-known/acme-challenge/6MLKx0KUqndOA8DfwzLoQt_SuDIeAuPtS-h2JCWQCQU HTTP/1.1" 301 169 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
3.140.252.119 - - [16/Oct/2023:16:14:58 +0000] "GET /.well-known/acme-challenge/6MLKx0KUqndOA8DfwzLoQt_SuDIeAuPtS-h2JCWQCQU HTTP/1.1" 200 87 "http://cloaked1.mywire.org/.well-known/acme-challenge/6MLKx0KUqndOA8DfwzLoQt_SuDIeAuPtS-h2JCWQCQU" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
23.178.112.107 - - [16/Oct/2023:16:14:58 +0000] "GET /.well-known/acme-challenge/6MLKx0KUqndOA8DfwzLoQt_SuDIeAuPtS-h2JCWQCQU HTTP/1.1" 200 87 "http://cloaked1.mywire.org/.well-known/acme-challenge/6MLKx0KUqndOA8DfwzLoQt_SuDIeAuPtS-h2JCWQCQU" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

Note that I don't have the capability to update a TXT record for my dyndns provider (at least not currently), so I'm relying solely on HTTP-01 challenges. I can provide full certbot logs, but I'm leery of providing those since there are secret payloads that I don't want to share on a public forum. The following is the tail end of the logs, though:

2023-10-16 16:14:58,776:DEBUG:acme.client:Storing nonce: Oaj3whhZZwyz93S-NOTcgK9IieLxzh1eotSgdujmYGvju00cDvc
2023-10-16 16:14:58,777:INFO:certbot._internal.auth_handler:Challenge failed for domain cloaked1.mywire.org
2023-10-16 16:14:58,777:INFO:certbot._internal.auth_handler:dns-01 challenge for cloaked1.mywire.org
2023-10-16 16:14:58,777:DEBUG:certbot._internal.display.obj:Notifying user: 
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: cloaked1.mywire.org
  Type:   unauthorized
  Detail: No TXT record found at _acme-challenge.cloaked1.mywire.org

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

2023-10-16 16:14:58,780:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2023-10-16 16:14:58,780:DEBUG:certbot._internal.error_handler:Calling registered functions
2023-10-16 16:14:58,780:INFO:certbot._internal.auth_handler:Cleaning up challenges
2023-10-16 16:14:58,780:DEBUG:certbot._internal.plugins.webroot:Removing /var/www/.well-known/acme-challenge/hDkHYaAmxr77O1hm6MYE5ddLMYLnBEDuAGKPT7sqM6s
2023-10-16 16:14:58,781:DEBUG:certbot._internal.plugins.webroot:Removing /var/www/.well-known/acme-challenge/6MLKx0KUqndOA8DfwzLoQt_SuDIeAuPtS-h2JCWQCQU
2023-10-16 16:14:58,782:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2023-10-16 16:14:58,782:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 1873, in main
    return config.func(config, plugins)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 1600, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 143, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/client.py", line 517, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/client.py", line 428, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2023-10-16 16:14:58,788:ERROR:certbot._internal.log:Some challenges have failed.

One more likely important fact. As far as I can tell, something is broken in this certbot, I think. Despite the argument --preferred-challenges http, without the patch I've applied, HTTP-01 challenges don't occur at all. The patch I applied in order to even get an HTTP-01 challenge to be performed is:

root@c8a40de968f6:/# cat /var/tmp/auth_handler.patch 
--- /opt/certbot/lib/python3.11/site-packages/certbot/_internal/auth_handler.py 2023-10-15 20:30:03.811999701 +0000
+++ /var/tmp/auth_handler.py    2023-10-15 20:36:12.375817383 +0000
@@ -429,7 +429,7 @@
             combo_total += chall_cost.get(challbs[
                 challenge_index].chall.__class__, max_cost)

-        if combo_total < best_combo_cost:
+        if combo_total <= best_combo_cost:
             best_combo = combo
             best_combo_cost = combo_total
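
Review bot: relaxing `<` to `<=` only changes the case `combo_total == best_combo_cost`, so it cannot add an HTTP-01 option to an authorization the CA offered none for; what it does is accept a combination whose cost merely equals the running best, and, as a side effect, let a later equal-cost combination override an earlier one (last wins instead of first). Since a challenge type missing from the preference list is costed at `max_cost` (the `.get` default two lines up), the run in the post shows the consequence of the looser comparison: the wildcard authorization is attempted as dns-01 and fails with `No TXT record found`. The behaviour being patched around is the stock client declining the order because `--preferred-challenges http` leaves no path for the wildcard, so the remedy belongs on the command line (drop the wildcard name, or include dns-01 in the preferences with a DNS authenticator) rather than in site-packages, where the edited file is overwritten by the next `pip install --upgrade certbot` and the hunk has to be re-applied.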

the following worked (just now)

certbot certonly --nginx -d cloaked1.mywire.org -d media.cloaked1.mywire.org -d media.cloaked1.mywire.org  --dry-run

and when I try to do a wildcard cert, however, I get an error. Are wildcard certs not allowed?
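
The nginx lines quoted in the post show each validator IP receiving a 301 and then a 200 for the same token, which is what a successful HTTP-01 fetch through a redirect looks like in an access log. The following is an added check, my code rather than anything from the post or from certbot: it parses combined-format nginx lines, groups requests for one challenge token by client IP, and reports any validator that only ever saw redirects or non-200 answers, plus any non-validator user agent fetching the token. The log lines are constructed for this example with documentation-range IPs; the token and hostname in them are placeholders.

```python
"""Audit an nginx access log for Let's Encrypt HTTP-01 validation fetches.

Added example, not from the original post or from certbot. SAMPLE_LOG is
constructed (documentation-range IPs, placeholder token) in the same combined
format nginx wrote in the post; the functions work on any lines in that format.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

ACME_PATH = "/.well-known/acme-challenge/"
LE_UA_MARK = "Let's Encrypt validation server"   # substring of the validator UA in the post

# nginx "combined" log format: ip ident user [ts] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def acme_fetches(lines: Iterable[str], token: str) -> Dict[str, List[Tuple[int, bool]]]:
    """Per client IP, the ordered (status, is_letsencrypt_ua) pairs for the token's URL."""
    per_ip: Dict[str, List[Tuple[int, bool]]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "GET" and rec["path"] == ACME_PATH + token:
            per_ip[rec["ip"]].append((int(rec["status"]), LE_UA_MARK in rec["ua"]))
    return per_ip


def audit_http01(lines: Iterable[str], token: str) -> dict:
    """Summarise what the CA's validators saw for one challenge token.

    A 301 is acceptable only if the same validator then received a 200 (the
    validator follows redirects); a validator that never got a 200 is listed
    under "incomplete". Fetches of the token URL from other user agents are
    listed separately: the URL is public, but unexpected fetchers are worth a look.
    """
    validators, incomplete, others = [], [], []
    for ip, hits in acme_fetches(lines, token).items():
        if not any(is_le for _, is_le in hits):
            others.append(ip)
            continue
        validators.append(ip)
        statuses = [status for status, _ in hits]
        if 200 not in statuses:
            incomplete.append((ip, statuses))
    return {
        "validators": sorted(validators),
        "incomplete": sorted(incomplete),
        "non_validator": sorted(others),
        "ok": bool(validators) and not incomplete,
    }


# ---- constructed sample input (not real validator traffic) ----
SAMPLE_TOKEN = "x7Q2constructedTokenForThisExample"
_LE_UA = "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
_REDIRECTED_FROM = "http://cloaked1.mywire.org" + ACME_PATH + SAMPLE_TOKEN


def _entry(ip: str, status: int, ua: str = _LE_UA, referer: str = "-") -> str:
    return (f'{ip} - - [16/Oct/2023:16:14:58 +0000] "GET {ACME_PATH}{SAMPLE_TOKEN} HTTP/1.1" '
            f'{status} 87 "{referer}" "{ua}"')


SAMPLE_LOG = [
    _entry("198.51.100.7", 301),
    _entry("203.0.113.9", 301),
    _entry("198.51.100.7", 200, referer=_REDIRECTED_FROM),
    _entry("203.0.113.9", 200, referer=_REDIRECTED_FROM),
    _entry("192.0.2.44", 301),                      # validator that never came back with a 200
    _entry("192.0.2.200", 404, ua="curl/8.4.0"),    # something else probing the token URL
]

if __name__ == "__main__":
    for key, value in audit_http01(SAMPLE_LOG, SAMPLE_TOKEN).items():
        print(f"{key:14} {value}")
```

Run it against the real log with `audit_http01(open("/var/log/nginx/access.log"), token)` for the token certbot printed; an "incomplete" entry on a real run usually means the redirect target (here the HTTPS server block) is not serving the webroot, which is also what certbot's hint about `--webroot-path` is pointing at.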

Hello @notjames,

The wildcard Certificates can only be done by using the DNS-01 challenge.

4 Likes
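
To show how that rule interacts with `--preferred-challenges http` and with the `<` versus `<=` comparison in the patch posted earlier in the thread, here is an added example, my code and not certbot's. It assumes an offer table modelled on Let's Encrypt policy (a wildcard identifier is offered dns-01 only; a plain name is offered http-01, dns-01 and tls-alpn-01) and a cost rule that follows the shape of certbot's `_find_smart_path`: a type absent from the preference list costs `max_cost` and the running best starts at `max_cost`. The `strict` flag switches between the stock `<` and the patched `<=`.

```python
"""Model of per-authorization ACME challenge selection.

Added example; not certbot's code. Assumptions: the CA offers dns-01 only for a
wildcard identifier and http-01/dns-01/tls-alpn-01 for a plain name (modelled on
Let's Encrypt policy), and the cost rule follows the shape of certbot's
_find_smart_path (non-preferred types cost max_cost; running best starts there).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Authorization:
    domain: str                 # name as requested, e.g. "*.cloaked1.mywire.org"
    identifier: str             # ACME identifier value; a wildcard authz carries the bare name
    wildcard: bool
    offered: Tuple[str, ...]    # challenge types the CA offers for this authz


def authorization_for(domain: str) -> Authorization:
    """Assumed CA offer table (see module docstring)."""
    if domain.startswith("*."):
        return Authorization(domain, domain[2:], True, ("dns-01",))
    return Authorization(domain, domain, False, ("http-01", "dns-01", "tls-alpn-01"))


def pick_challenge(offered: Tuple[str, ...], preferred: Tuple[str, ...],
                   strict: bool = True) -> Optional[str]:
    """Pick the cheapest offered challenge.

    cost(type) = index in `preferred`; any other type costs max_cost, and the
    running best starts at max_cost. With strict=True ('<', stock certbot) a
    non-preferred type can never win, so an authz that offers only such types
    yields None ("no challenge path" and the client stops). strict=False ('<=',
    the patch in the post) lets it through, and also lets a later equal-cost
    type override an earlier one.
    """
    cost = {name: i for i, name in enumerate(preferred)}
    max_cost = 1 + sum(range(len(preferred)))     # 1 + sum of preference indices
    best: Optional[str] = None
    best_cost = max_cost
    for chall in offered:
        c = cost.get(chall, max_cost)
        better = c < best_cost if strict else c <= best_cost
        if better:
            best, best_cost = chall, c
    return best


def plan_order(domains: List[str], preferred: Tuple[str, ...],
               strict: bool = True) -> Dict[str, Optional[str]]:
    """Challenge that would be attempted per name; None means the order is abandoned."""
    return {d: pick_challenge(authorization_for(d).offered, preferred, strict)
            for d in domains}


def names_needing_dns01(domains: List[str]) -> List[str]:
    """Names HTTP-01 can never validate under the assumed offer table."""
    return [d for d in domains if authorization_for(d).wildcard]


if __name__ == "__main__":
    order = ["cloaked1.mywire.org", "*.cloaked1.mywire.org"]
    print("stock   :", plan_order(order, ("http-01",), strict=True))
    print("patched :", plan_order(order, ("http-01",), strict=False))
    print("http+dns:", plan_order(order, ("http-01", "dns-01")))
    print("needs DNS-01:", names_needing_dns01(order))
```

Under these assumptions the stock comparison gives the wildcard name no path at all, so the client stops before any HTTP-01 fetch happens; the `<=` variant selects dns-01 for it, which then fails without a TXT record. Dropping the wildcard name, or preferring `http-01,dns-01` together with a DNS authenticator, gets a plan in which every name has a challenge that can actually succeed.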

Maybe it is of interest to you, maybe not. Just in case, I would like to let you know that I created a script to update DNS records for the domains if your dyndns provider is dynu.com.

I managed to create a certificate containing wildcard subdomain names for my dynu.com hosted domains.

5 Likes

Awesome! Although I am not a paid user, and in order to use this option I believe I need to be. However, I'll dig into this a bit. Thank you for the link.

3 Likes

You do not have to be a paid user. I am also a free-service user of dynu.com.

7 Likes

I did not know that! Freakin great! Thank you! I'm in the process of checking it out.

5 Likes

I'm going to close this. For the record, the way I finally got this to work was to remove the -d *.subdom.domain.com option. The use of the script provided by @bruncsak is an option which I am still exploring. I haven't had time to finish that work yet.

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.