Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: finefrau.tk
I ran this command: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-32" --agree-tos --authenticator webroot --email "my_mail@bugsbunny.fun" --preferred-challenges "dns,http" --domains "finefrau.tk"
It produced this output: Saving debug log to /var/log/letsencrypt/letsencrypt.log
Some challenges have failed.
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: finefrau.tk
Type: unauthorized
Detail: 2606:4700:3036::6815:31fa: Invalid response from https://finefrau.tk/.well-known/acme-challenge/8ckTUYHQFPHw2dvPZd67Nz_iV2BvAjvcZUtJm4VfC3A: 522
You have your domain, finefrau.tk, proxied by Cloudflare. They are reporting (via a 522 error) that they can't connect to the backend server you have configured in Cloudflare.
You still need a certificate on the origin server behind Cloudflare. If you won't ever access the site directly, you can always use a Cloudflare origin CA cert, but I prefer to use LE certs behind Cloudflare due to the globally recognized CA.
In Cloudflare for your website, under SSL/TLS, choose the "Full" option instead of "Full (strict)". This will allow your origin certificate to be invalid until you fix it. You can set this back once you have fixed your server certificate. As long as you don't let it expire, renewals should work normally.
Cheese and rice!! .... I went through all the settings again and figured out that I bonded two of my network interfaces some days ago. So everything is still the same, with the slight difference that the MAC address of my bonded network does not match the MAC address of my previous ethernet connection.
That ended up with my router still giving my server the same IP address as usual, but the hostname had changed from the router's point of view... so it assumed it was not the same device anymore and forwarded the ports to the "old" device, which from a network perspective does not exist anymore...
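Added example, not part of the thread and not certbot's own code: a small Python triage helper for the error quoted in the first post. It parses the `Detail:` line and reports whether the status is one of Cloudflare's 52x codes, which means the Cloudflare edge answered the CA and the origin did not; the function name `triage` and the suggested next checks are assumptions of this example.

```python
import ipaddress
import re

# Cloudflare-specific 52x statuses: the edge answered, the origin did not.
CLOUDFLARE_ORIGIN_ERRORS = {
    520: "origin returned an empty or unexpected response",
    521: "origin refused the connection",
    522: "connection to the origin timed out",
    523: "origin is unreachable",
    524: "origin accepted the connection but did not reply in time",
    525: "TLS handshake with the origin failed",
    526: "origin certificate is invalid",
}

# Shape of the "Detail:" line certbot prints for a failed HTTP-01 validation.
DETAIL_RE = re.compile(
    r"Detail:\s*(?P<ip>\S+): Invalid response from "
    r"(?P<url>https?://(?P<host>[^/\s]+)/\.well-known/acme-challenge/[\w-]+)"
    r":\s*(?P<status>\d{3})"
)

def triage(certbot_output):
    """Return a dict describing who answered the challenge request, or None."""
    m = DETAIL_RE.search(certbot_output)
    if m is None:
        return None
    status = int(m["status"])
    addr = ipaddress.ip_address(m["ip"])  # address the CA actually connected to
    edge = status in CLOUDFLARE_ORIGIN_ERRORS
    if edge:
        diagnosis = "Cloudflare edge answered; " + CLOUDFLARE_ORIGIN_ERRORS[status]
        next_check = "test ports 80/443 on the origin from outside: firewall, port forward, origin IP in DNS"
    elif status in (403, 404):
        diagnosis = "a web server answered but did not serve the token"
        next_check = "compare the webroot path given to certbot with the server's document root"
    else:
        diagnosis = "unexpected HTTP status from the challenge URL"
        next_check = "request the challenge URL manually and inspect the response"
    return {"host": m["host"], "validated_ip": str(addr), "ip_version": addr.version, "status": status,
            "edge_answered": edge, "diagnosis": diagnosis, "next_check": next_check}

# Sample: the error lines quoted in the first post of this thread.
SAMPLE = """Domain: finefrau.tk
Type: unauthorized
Detail: 2606:4700:3036::6815:31fa: Invalid response from https://finefrau.tk/.well-known/acme-challenge/8ckTUYHQFPHw2dvPZd67Nz_iV2BvAjvcZUtJm4VfC3A: 522"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```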