Some challenges have failed

Help
1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
dsclub.kr (www.dsclub.kr)

I ran this command:
sudo certbot certonly --webroot --agree-tos -m dsclub2023@gmail.com -w /var/www/html -d dsclub.kr

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for dsclub.kr

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: dsclub.kr
Type: connection
Detail: 114.200.192.149: Fetching http://dsclub.kr/.well-known/acme-challenge/F15gzbg-OGsgUVNHSdzvLkQEWqxEhGewgPR5YBdN6hg: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
nginx/1.24.0

The operating system my web server runs on is (include version):
Ubuntu 24.04 LTS (GNU/Linux 6.8.0-1004-raspi aarch64)
(ubuntu 24.04 lts server for raspi5)

My hosting provider, if applicable, is:
gabia (gabia.com)

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.9.0

This is my dns setting

IMG_0036
IMG_00361629×456 73.8 KB

My router and other dns settings:
Server Internal IP192.168.0.9->IPTIME Router (DMZ)->114.200.192.149 (External IP)->What is the problem with this

2

this is log

2024-05-02 07:57:13,296:DEBUG:certbot._internal.error_handler:Calling registered functions
2024-05-02 07:57:13,296:INFO:certbot._internal.auth_handler:Cleaning up challenges
2024-05-02 07:57:13,296:DEBUG:certbot._internal.plugins.webroot:Removing /var/www/html/.well-known/acme-challenge/F15gzbg-OGsgUVNHSdzvLkQEWqxEhGewgPR5YBdN6hg
2024-05-02 07:57:13,296:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2024-05-02 07:57:13,297:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 33, in
sys.exit(load_entry_point('certbot==2.9.0', 'console_scripts', 'certbot')())
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/certbot/main.py", line 19, in main
return internal_main.main(cli_args)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1894, in main
return config.func(config, plugins)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1600, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 143, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 517, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 428, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2024-05-02 07:57:13,299:ERROR:certbot._internal.log:Some challenges have failed.

3

Hello @Tak2, welcome to the Let's Encrypt community. :slightly_smiling_face:

There is likely firewall problem.

Using the online tool Let's Debug yields these results:
https://letsdebug.net/dsclub.kr/1919247

ANotWorking
ERROR
dsclub.kr has an A (IPv4) record (114.200.192.149) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.
A timeout was experienced while communicating with dsclub.kr/114.200.192.149: Get "http://dsclub.kr/.well-known/acme-challenge/letsdebug-test": dial tcp 114.200.192.149:80: i/o timeout

Trace:
@0ms: Making a request to http://dsclub.kr/.well-known/acme-challenge/letsdebug-test (using initial IP 114.200.192.149)
@0ms: Dialing 114.200.192.149
@10000ms: Experienced error: dial tcp 114.200.192.149:80: i/o timeout

IssueFromLetsEncrypt
ERROR
A test authorization for dsclub.kr to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.
114.200.192.149: Fetching http://dsclub.kr/.well-known/acme-challenge/rN2XZHmOnWe0wl9W5vGVwfH8JFxIJCr1AnfS1lZAuvM: Timeout during connect (likely firewall problem)

Using nmap I see Ports 80 & 443 are filtered (i.e. blocked).

$ nmap -Pn -p80,443 dsclub.kr
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-01 17:02 PDT
Nmap scan report for dsclub.kr (114.200.192.149)
Host is up.

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 3.70 seconds

Best Practice - Keep Port 80 Open

2 Likes
4

If you have some geo blocking you may need to update or change it.
Let's Encrypt uses Multi-Perspective Validation Improves Domain Validation Security - Let's Encrypt

Since these are Domain Validation (DV) certificates the Domain Name System (DNS) is used extensively in the validation process as well a allowing us to assist here on Let's Encrypt community.
DNS Queries need to give consistent results from any location on the Internet, all your authoritative DNS Servers for the Domain need to also give consistent results as well.

2 Likes
5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.