Standalone certonly http-01 insufficient authorization

Maybe it has something to do with the IP using DHCP.

Is your server behind an AWS elastic load balancer? If so it might be marking your backend as unhealthy when you stop nginx, preventing the challenge from getting through to certbot’s temporary web server. If that’s the case I’d recommend using the webroot plugin instead of standalone.

Yep, I’d recently had exactly the same thought and found that while I had validated the server was up and reachable over port 80, after taking the nginx server down, the ELB took the instance out of service.

I’ve since started nginx again and verified that port 80 really is reachable at the address I’m trying to generate certs for. I’ve also set the health check interval and unhealthy threshold to max, giving me enough time to try and generate a certificate. Unfortunately this still hasn’t solved the problem.

The standalone plugin still fails to bind to IPv4 port 80 - and this time the connection just times out:

2017-11-27 16:53:00,406:DEBUG:certbot.main:certbot version: 0.19.0
2017-11-27 16:53:00,407:DEBUG:certbot.main:Arguments: ['-n', '-d', 'sub.domain.com', '-m', 'me@domain.com', '--standalone', '--agree-tos', '--staging', '--preferred-challenges', 'http']
2017-11-27 16:53:00,407:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2017-11-27 16:53:00,418:DEBUG:certbot.log:Root logging level set at 20
2017-11-27 16:53:00,418:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2017-11-27 16:53:00,419:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer None
2017-11-27 16:53:00,554:DEBUG:certbot.plugins.selection:Single candidate plugin: * standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator
Initialized: <certbot.plugins.standalone.Authenticator object at 0x7f6a6a3d5b50>
Prep: True
2017-11-27 16:53:00,555:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.standalone.Authenticator object at 0x7f6a6a3d5b50> and installer None
2017-11-27 16:53:00,555:INFO:certbot.plugins.selection:Plugins selected: Authenticator standalone, Installer None
2017-11-27 16:53:00,559:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(status=None, contact=(u'mailto:me@domain.com',), agreement=u'https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf', key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7f6a6a3d5b90>)>)), uri=u'https://acme-staging.api.letsencrypt.org/acme/reg/5140195', new_authzr_uri=u'https://acme-staging.api.letsencrypt.org/acme/new-authz', terms_of_service=u'https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'), f37586153e54421fde25624d2f9ce98e, Meta(creation_host=u'ip-22-0-4-61', creation_dt=datetime.datetime(2017, 11, 27, 13, 47, 14, tzinfo=<UTC>)))>
2017-11-27 16:53:00,559:DEBUG:acme.client:Sending GET request to https://acme-staging.api.letsencrypt.org/directory.
2017-11-27 16:53:00,561:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
2017-11-27 16:53:00,821:DEBUG:urllib3.connectionpool:https://acme-staging.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 582
2017-11-27 16:53:00,822:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 582
Replay-Nonce: VMzWO0vjYWoItoRqK5MgDz80OmIgSuK2TEDLjQWemnk
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 27 Nov 2017 16:53:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 27 Nov 2017 16:53:00 GMT
Connection: keep-alive

{
  "key-change": "https://acme-staging.api.letsencrypt.org/acme/key-change",
  "meta": {
    "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
  },
  "new-authz": "https://acme-staging.api.letsencrypt.org/acme/new-authz",
  "new-cert": "https://acme-staging.api.letsencrypt.org/acme/new-cert",
  "new-reg": "https://acme-staging.api.letsencrypt.org/acme/new-reg",
  "revoke-cert": "https://acme-staging.api.letsencrypt.org/acme/revoke-cert",
  "rowBVDqMlbc": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417"
}
2017-11-27 16:53:00,822:INFO:certbot.main:Obtaining a new certificate
2017-11-27 16:53:00,823:DEBUG:acme.client:Requesting fresh nonce
2017-11-27 16:53:00,823:DEBUG:acme.client:Sending HEAD request to https://acme-staging.api.letsencrypt.org/acme/new-authz.
2017-11-27 16:53:01,014:DEBUG:urllib3.connectionpool:https://acme-staging.api.letsencrypt.org:443 "HEAD /acme/new-authz HTTP/1.1" 405 0
2017-11-27 16:53:01,015:DEBUG:acme.client:Received response:
HTTP 405
Server: nginx
Content-Type: application/problem+json
Content-Length: 91
Allow: POST
Replay-Nonce: TOmXIRWYFKCz6vflZQ76zZiu6CdIyYh3wV2MoDlkipU
Expires: Mon, 27 Nov 2017 16:53:01 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 27 Nov 2017 16:53:01 GMT
Connection: keep-alive


2017-11-27 16:53:01,015:DEBUG:acme.client:Storing nonce: TOmXIRWYFKCz6vflZQ76zZiu6CdIyYh3wV2MoDlkipU
2017-11-27 16:53:01,015:DEBUG:acme.client:JWS payload:
{
  "identifier": {
    "type": "dns", 
    "value": "sub.domain.com"
  }, 
  "resource": "new-authz"
}
2017-11-27 16:53:01,018:DEBUG:acme.client:Sending POST request to https://acme-staging.api.letsencrypt.org/acme/new-authz:
{
  "protected": "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", 
  "payload": "ewogICJpZGVudGlmaWVyIjogewogICAgInR5cGUiOiAiZG5zIiwgCiAgICAidmFsdWUiOiAiZGV2LnBhcmFkaW5vLmlvIgogIH0sIAogICJyZXNvdXJjZSI6ICJuZXctYXV0aHoiCn0", 
  "signature": "QVG3fKl8Pk-Bk77eVl2oUwD3y_T1vPgXLUirEAsqvML4y7j7usUXmiFbeOGSqFKMObwPiVvS4QJJyhXnhq0NMAecC5ur5p2ru6za8kIY4yjswxwb8BQWf2jY7HCKKGxAkr9nTOCv0VpgzkTRpDbXwxfIVpIQOBSOx0Qm_nn1W9UUKgQ_CR3hzXxNgiTCZGLTPc0CCrGtpkV74ccHC33NdV9PR0Onb29MfX52djtcBHNWyMPN5qsO4gvMAq5fJVsUc-xVf9o34IIPrDuBZ6eknZ9wfKrNMn9hYBQS0A3LwTbRkywPlOn2aXEJh_NoMmDjkZnujYXYsMPZv6GxfWoJiQ"
}
2017-11-27 16:53:01,231:DEBUG:urllib3.connectionpool:https://acme-staging.api.letsencrypt.org:443 "POST /acme/new-authz HTTP/1.1" 201 1008
2017-11-27 16:53:01,231:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 1008
Boulder-Requester: 5140195
Link: <https://acme-staging.api.letsencrypt.org/acme/new-cert>;rel="next"
Location: https://acme-staging.api.letsencrypt.org/acme/authz/Y5Js4p8AwfzRyZKo34xzK2S1HFf9PnHymQPU8d-fu6w
Replay-Nonce: DJvJonbdSz4EnN8IxvJRHLHN8sDhNR-z3yVSQth3F3g
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 27 Nov 2017 16:53:01 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 27 Nov 2017 16:53:01 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "sub.domain.com"
  },
  "status": "pending",
  "expires": "2017-12-04T16:53:01.11377708Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/Y5Js4p8AwfzRyZKo34xzK2S1HFf9PnHymQPU8d-fu6w/79580690",
      "token": "9sNPycn_DhREukdOlYGetE-oJzoRoHSmeA2iJkG9GUw"
    },
    {
      "type": "http-01",
      "status": "pending",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/Y5Js4p8AwfzRyZKo34xzK2S1HFf9PnHymQPU8d-fu6w/79580691",
      "token": "bQi6-UqmyQoBrt0s4Svj-Q5b6vN-1HwCwo_toG3ad-M"
    },
    {
      "type": "tls-sni-01",
      "status": "pending",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/Y5Js4p8AwfzRyZKo34xzK2S1HFf9PnHymQPU8d-fu6w/79580692",
      "token": "_HR1MGvt4yngolSrbQQovL3HehfcpKi5aONHYNM3dRo"
    }
  ],
  "combinations": [
    [
      2
    ],
    [
      1
    ],
    [
      0
    ]
  ]
}
2017-11-27 16:53:01,232:DEBUG:acme.client:Storing nonce: DJvJonbdSz4EnN8IxvJRHLHN8sDhNR-z3yVSQth3F3g
2017-11-27 16:53:01,232:INFO:certbot.auth_handler:Performing the following challenges:
2017-11-27 16:53:01,232:INFO:certbot.auth_handler:http-01 challenge for sub.domain.com
2017-11-27 16:53:01,233:DEBUG:acme.standalone:Failed to bind to :80 using IPv4
2017-11-27 16:53:01,236:INFO:certbot.auth_handler:Waiting for verification...
2017-11-27 16:53:01,236:DEBUG:acme.client:JWS payload:
{
  "keyAuthorization": "bQi6-UqmyQoBrt0s4Svj-Q5b6vN-1HwCwo_toG3ad-M.ZP9pZIWOJFYfBSG7P8YJHdShf8fwGLJ-Y0S33CV7iiE", 
  "type": "http-01", 
  "resource": "challenge"
}
2017-11-27 16:53:01,239:DEBUG:acme.client:Sending POST request to https://acme-staging.api.letsencrypt.org/acme/challenge/Y5Js4p8AwfzRyZKo34xzK2S1HFf9PnHymQPU8d-fu6w/79580691:
{
  "protected": "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", 
  "payload": "ewogICJrZXlBdXRob3JpemF0aW9uIjogImJRaTYtVXFteVFvQnJ0MHM0U3ZqLVE1YjZ2Ti0xSHdDd29fdG9HM2FkLU0uWlA5cFpJV09KRllmQlNHN1A4WUpIZFNoZjhmd0dMSi1ZMFMzM0NWN2lpRSIsIAogICJ0eXBlIjogImh0dHAtMDEiLCAKICAicmVzb3VyY2UiOiAiY2hhbGxlbmdlIgp9", 
  "signature": "xzi-TKeWP6Am8uEkb08S94TfHq-WLD9BuFDP4HB_sBxIe5m5Jn3CzleO5zF21BQbbwR8GjrfYAcxyhaMEAWsVHWanCcO1fa9akzGNbVMZrYAHFTodDIrJPZGYNj6c5SE2s2hl9agF4QBHv8e63J6puWrzEWU9CqW083LjBCo3UbdXmVU5YAC7eMGOzvVUD5zMA8Gd99siXVhCqcYHBUWFFUrhgNO_4FQYp0oYSstMXBRkdNtNoUagMEXoW9B65pdDn7ZmKY63266b9iUa3i0jjvjuAJTu9EcG2nImQrKLKFf2iJh9W24MQZWrmh3CrRbmPVcP13iE5xY8xy9XpItvQ"
}
2017-11-27 16:53:01,455:DEBUG:urllib3.connectionpool:https://acme-staging.api.letsencrypt.org:443 "POST /acme/challenge/Y5Js4p8AwfzRyZKo34xzK2S1HFf9PnHymQPU8d-fu6w/79580691 HTTP/1.1" 202 338
2017-11-27 16:53:01,456:DEBUG:acme.client:Received response:
HTTP 202
Server: nginx
Content-Type: application/json
Content-Length: 338
Boulder-Requester: 5140195
Link: <https://acme-staging.api.letsencrypt.org/acme/authz/Y5Js4p8AwfzRyZKo34xzK2S1HFf9PnHymQPU8d-fu6w>;rel="up"
Location: https://acme-staging.api.letsencrypt.org/acme/challenge/Y5Js4p8AwfzRyZKo34xzK2S1HFf9PnHymQPU8d-fu6w/79580691
Replay-Nonce: H_ttGHrEkWoIw6jPY0wnpiAeyCWVhUwMZYEjqB0UEtM
Expires: Mon, 27 Nov 2017 16:53:01 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 27 Nov 2017 16:53:01 GMT
Connection: keep-alive

{
  "type": "http-01",
  "status": "pending",
  "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/Y5Js4p8AwfzRyZKo34xzK2S1HFf9PnHymQPU8d-fu6w/79580691",
  "token": "bQi6-UqmyQoBrt0s4Svj-Q5b6vN-1HwCwo_toG3ad-M",
  "keyAuthorization": "bQi6-UqmyQoBrt0s4Svj-Q5b6vN-1HwCwo_toG3ad-M.ZP9pZIWOJFYfBSG7P8YJHdShf8fwGLJ-Y0S33CV7iiE"
}
2017-11-27 16:53:01,456:DEBUG:acme.client:Storing nonce: H_ttGHrEkWoIw6jPY0wnpiAeyCWVhUwMZYEjqB0UEtM
2017-11-27 16:53:01,529:DEBUG:acme.standalone:::ffff:22.0.0.7 - - Incoming request
2017-11-27 16:53:01,755:DEBUG:acme.standalone:::ffff:22.0.0.7 - - Serving HTTP01 with token u'bQi6-UqmyQoBrt0s4Svj-Q5b6vN-1HwCwo_toG3ad-M'
2017-11-27 16:53:01,755:DEBUG:acme.standalone:::ffff:22.0.0.7 - - "GET /.well-known/acme-challenge/bQi6-UqmyQoBrt0s4Svj-Q5b6vN-1HwCwo_toG3ad-M HTTP/1.1" 200 -
2017-11-27 16:53:01,755:DEBUG:acme.standalone:::ffff:22.0.0.7 - - Incoming request
2017-11-27 16:53:04,460:DEBUG:acme.client:Sending GET request to https://acme-staging.api.letsencrypt.org/acme/authz/Y5Js4p8AwfzRyZKo34xzK2S1HFf9PnHymQPU8d-fu6w.
2017-11-27 16:53:04,652:DEBUG:urllib3.connectionpool:https://acme-staging.api.letsencrypt.org:443 "GET /acme/authz/Y5Js4p8AwfzRyZKo34xzK2S1HFf9PnHymQPU8d-fu6w HTTP/1.1" 200 1116
2017-11-27 16:53:04,653:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1116
Link: <https://acme-staging.api.letsencrypt.org/acme/new-cert>;rel="next"
Replay-Nonce: -RFk5dbz7mwfY5XqQL9XHItKOGT8p2N98yQjaTE3-jg
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 27 Nov 2017 16:53:04 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 27 Nov 2017 16:53:04 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "sub.domain.com"
  },
  "status": "pending",
  "expires": "2017-12-04T16:53:01Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/Y5Js4p8AwfzRyZKo34xzK2S1HFf9PnHymQPU8d-fu6w/79580690",
      "token": "9sNPycn_DhREukdOlYGetE-oJzoRoHSmeA2iJkG9GUw"
    },
    {
      "type": "http-01",
      "status": "pending",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/Y5Js4p8AwfzRyZKo34xzK2S1HFf9PnHymQPU8d-fu6w/79580691",
      "token": "bQi6-UqmyQoBrt0s4Svj-Q5b6vN-1HwCwo_toG3ad-M",
      "keyAuthorization": "bQi6-UqmyQoBrt0s4Svj-Q5b6vN-1HwCwo_toG3ad-M.ZP9pZIWOJFYfBSG7P8YJHdShf8fwGLJ-Y0S33CV7iiE"
    },
    {
      "type": "tls-sni-01",
      "status": "pending",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/Y5Js4p8AwfzRyZKo34xzK2S1HFf9PnHymQPU8d-fu6w/79580692",
      "token": "_HR1MGvt4yngolSrbQQovL3HehfcpKi5aONHYNM3dRo"
    }
  ],
  "combinations": [
    [
      2
    ],
    [
      1
    ],
    [
      0
    ]
  ]
}
2017-11-27 16:53:07,656:DEBUG:acme.client:Sending GET request to https://acme-staging.api.letsencrypt.org/acme/authz/Y5Js4p8AwfzRyZKo34xzK2S1HFf9PnHymQPU8d-fu6w.
2017-11-27 16:53:07,915:DEBUG:urllib3.connectionpool:https://acme-staging.api.letsencrypt.org:443 "GET /acme/authz/Y5Js4p8AwfzRyZKo34xzK2S1HFf9PnHymQPU8d-fu6w HTTP/1.1" 200 1874
2017-11-27 16:53:07,915:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1874
Link: <https://acme-staging.api.letsencrypt.org/acme/new-cert>;rel="next"
Replay-Nonce: uew4PSuJrNxqopKNhUDxpxp-rmQGd5gbpRwDse_t-6I
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 27 Nov 2017 16:53:07 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 27 Nov 2017 16:53:07 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "sub.domain.com"
  },
  "status": "invalid",
  "expires": "2017-12-04T16:53:01Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/Y5Js4p8AwfzRyZKo34xzK2S1HFf9PnHymQPU8d-fu6w/79580690",
      "token": "9sNPycn_DhREukdOlYGetE-oJzoRoHSmeA2iJkG9GUw"
    },
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:acme:error:connection",
        "detail": "Fetching http://sub.domain.com/.well-known/acme-challenge/bQi6-UqmyQoBrt0s4Svj-Q5b6vN-1HwCwo_toG3ad-M: Timeout",
        "status": 400
      },
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/Y5Js4p8AwfzRyZKo34xzK2S1HFf9PnHymQPU8d-fu6w/79580691",
      "token": "bQi6-UqmyQoBrt0s4Svj-Q5b6vN-1HwCwo_toG3ad-M",
      "keyAuthorization": "bQi6-UqmyQoBrt0s4Svj-Q5b6vN-1HwCwo_toG3ad-M.ZP9pZIWOJFYfBSG7P8YJHdShf8fwGLJ-Y0S33CV7iiE",
      "validationRecord": [
        {
          "url": "http://sub.domain.com/.well-known/acme-challenge/bQi6-UqmyQoBrt0s4Svj-Q5b6vN-1HwCwo_toG3ad-M",
          "hostname": "sub.domain.com",
          "port": "80",
          "addressesResolved": [
            "54.77.192.196",
            "34.240.74.18",
            "2a01:578:3::364d:c0c4",
            "2a01:578:3::22f0:4a12"
          ],
          "addressUsed": "54.77.192.196",
          "addressesTried": [
            "2a01:578:3::364d:c0c4"
          ]
        }
      ]
    },
    {
      "type": "tls-sni-01",
      "status": "pending",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/Y5Js4p8AwfzRyZKo34xzK2S1HFf9PnHymQPU8d-fu6w/79580692",
      "token": "_HR1MGvt4yngolSrbQQovL3HehfcpKi5aONHYNM3dRo"
    }
  ],
  "combinations": [
    [
      2
    ],
    [
      1
    ],
    [
      0
    ]
  ]
}
2017-11-27 16:53:07,916:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: sub.domain.com
Type:   connection
Detail: Fetching http://sub.domain.com/.well-known/acme-challenge/bQi6-UqmyQoBrt0s4Svj-Q5b6vN-1HwCwo_toG3ad-M: Timeout

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
2017-11-27 16:53:07,916:INFO:certbot.auth_handler:Cleaning up challenges
2017-11-27 16:53:07,917:DEBUG:certbot.plugins.standalone:Stopping server at :::80...
2017-11-27 16:54:00,947:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.19.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 861, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 786, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 85, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 357, in obtain_and_enroll_certificate
    certr, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 318, in obtain_certificate
    self.config.allow_subset_of_names)
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 81, in get_authorizations
    self._respond(resp, best_effort)
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 138, in _respond
    self._poll_challenges(chall_update, best_effort)
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 202, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. sub.domain.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://sub.domain.com/.well-known/acme-challenge/bQi6-UqmyQoBrt0s4Svj-Q5b6vN-1HwCwo_toG3ad-M: Timeout

Since nginx can successfully bind to port 80 and you’ve eliminated some of the more common reasons why certbot might not be able to bind to it, I suspect that a mandatory access control scheme such as SELinux or AppArmor is getting in the way. What operating system/Linux distribution and version are you using?

As a simpler solution to your problem I would suggest just using webroot authentication with your working nginx server rather than attempting standalone authentication and fighting the load balancer’s health check and whatever is blocking certbot’s standalone mode.

Just start nginx if it isn’t already, make sure the load balancer is properly forwarding requests to it, and run a command like this to get a certificate:

sudo certbot certonly --webroot -w /var/www/html -d example.com,www.example.com

Replace /var/www/html with the actual path nginx serves files out of if it is different, and make sure to pass the correct domains to -d and not these examples.

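An added pre-flight check for the webroot route suggested above (example code written for this page; it is not certbot's own code and not from anyone in this thread). It assumes the nginx docroot is passed as `webroot` and the public name as `domain`: it writes a throwaway probe file exactly where `certbot --webroot` would put the challenge file, fetches it through the public hostname so the request crosses the load balancer the same way Let's Encrypt's request will, compares the body, and removes the probe whatever happens. The `local_fetch` dry-run mode answers from disk so the check itself can be exercised without nginx, DNS or the load balancer.

```python
"""Webroot pre-flight for certbot --webroot (added example; not certbot code)."""
import os
import secrets
import sys
import tempfile
import urllib.error
import urllib.request

ACME_PATH = ".well-known/acme-challenge"


def http_fetch(url, timeout=10.0):
    """Plain HTTP GET, following redirects like the CA does; returns (status, body)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:      # 4xx/5xx still carry a status code
        return err.code, err.read()


def local_fetch(webroot):
    """Dry-run fetcher: answer the request from the webroot on disk, so the check
    can be exercised without nginx, DNS or the load balancer."""
    def fetch(url, timeout=None):
        rel = url.split("/", 3)[3]             # strip "http://host/"
        path = os.path.join(webroot, *rel.split("/"))
        if not os.path.isfile(path):
            return 404, b""
        with open(path, "rb") as fh:
            return 200, fh.read()
    return fetch


def webroot_preflight(webroot, domain, fetch=http_fetch):
    """Write a random probe where certbot would write the challenge file, fetch it
    via the public name and compare. Returns (ok, detail); the probe is always removed."""
    probe_dir = os.path.join(webroot, *ACME_PATH.split("/"))
    os.makedirs(probe_dir, mode=0o755, exist_ok=True)   # nginx workers must traverse it ...
    name = secrets.token_urlsafe(32)                     # same shape as a real ACME token
    expected = secrets.token_urlsafe(32).encode("ascii")
    probe = os.path.join(probe_dir, name)
    with open(probe, "wb") as fh:
        fh.write(expected)
    os.chmod(probe, 0o644)                               # ... and read the file
    url = f"http://{domain}/{ACME_PATH}/{name}"
    try:
        try:
            status, body = fetch(url)
        except Exception as exc:                         # refused, timeout, DNS failure
            return False, f"fetch of {url} failed: {exc!r}"
        if status != 200:
            return False, f"HTTP {status} for {url}: wrong webroot, or the path is routed elsewhere"
        if body.strip() != expected:
            return False, "HTTP 200 but body differs: another host or a cache answered for this name"
        return True, f"probe served correctly via {url}"
    finally:
        os.remove(probe)


def scratch_webroot():
    """Throwaway directory for exercising the check without touching the real docroot."""
    return tempfile.mkdtemp(prefix="webroot-preflight-")


if __name__ == "__main__":
    root, host = sys.argv[1], sys.argv[2]               # e.g. /var/www/html sub.domain.com
    ok, detail = webroot_preflight(root, host)
    print(("OK: " if ok else "FAIL: ") + detail)
    sys.exit(0 if ok else 1)
```

Run it as `python3 webroot_preflight.py /var/www/html sub.domain.com` from the instance itself; a 200 with a different body means some other host (a default vhost, a cache, a different backend behind the load balancer) answered for the name, and a 404 means the `root` nginx uses for that server block is not the path you passed to `-w`.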

Here’s what’s going on with the messages in Certbot’s logs about failing to bind to port 80 using IPv4. To automatically handle IPv4 and IPv6 traffic on most systems, Certbot’s standalone plugin first attempts to bind to the port for all interfaces using IPv6 and then bind to the port using IPv4. On most Linux systems, binding using IPv4 fails as IPv4 traffic is routed to the IPv6 port, but since this isn’t the case on all systems, such as the BSDs, Certbot tries with both protocols and continues execution if at most one fails.

In your most recent log, Certbot served a response for the challenge as seen by these lines:

2017-11-27 16:53:01,529:DEBUG:acme.standalone:::ffff:22.0.0.7 - - Incoming request
2017-11-27 16:53:01,755:DEBUG:acme.standalone:::ffff:22.0.0.7 - - Serving HTTP01 with token u'bQi6-UqmyQoBrt0s4Svj-Q5b6vN-1HwCwo_toG3ad-M'
2017-11-27 16:53:01,755:DEBUG:acme.standalone:::ffff:22.0.0.7 - - "GET /.well-known/acme-challenge/bQi6-UqmyQoBrt0s4Svj-Q5b6vN-1HwCwo_toG3ad-M HTTP/1.1" 200 -
2017-11-27 16:53:01,755:DEBUG:acme.standalone:::ffff:22.0.0.7 - - Incoming request

but Let’s Encrypt timed out before it got the response.

Using our webroot plugin may be a better option for you, but if you want to continue debugging this method, you can add --debug-challenges --verbose to the command line. After doing this, Certbot should stop after output like:

{
  "identifier": {
    "type": "dns",
    "value": "example.org"
  },  
  "status": "pending",
  "expires": "2017-12-04T21:18:03.015476576Z",
  "challenges": [
    {   
      "type": "tls-sni-01",
      "status": "pending",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/re0muu91OzyKZBSSrTyqXG7-NYeoRYK0jdQBPl1y63M/79617545",
      "token": "Sqpy9TK5O1tmkuHgo2rI11boXZg7fkMRp_b2FWFToBM"
    },  
    {   
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/re0muu91OzyKZBSSrTyqXG7-NYeoRYK0jdQBPl1y63M/79617546",
      "token": "dQeXxJiSeD60HSevSdkYVRHnAboPksEclEymGBV3QvU"
    },  
    {   
      "type": "http-01",
      "status": "pending",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/re0muu91OzyKZBSSrTyqXG7-NYeoRYK0jdQBPl1y63M/79617547",
      "token": "NpQjL8B6JmVDyz-fOAUP-yr-xKIX6U35qDPu_1MU0WA"
    }   
  ],  
  "combinations": [
    [   
      2   
    ],  
    [   
      0   
    ],  
    [   
      1   
    ]   
  ]
}
Storing nonce: vb9HxDgYlqCpBmwcpX0sNuTnTTy2u208mp9Kje2t8Os
Performing the following challenges:
http-01 challenge for example.org
Failed to bind to 0:80 using IPv6
Waiting for verification...

-------------------------------------------------------------------------------
Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about
challenges.
-------------------------------------------------------------------------------
Press Enter to Continue

At this point, Certbot has deployed the challenge but is waiting for further input from you to continue.

You can now check yourself that the challenge is being served. The URL to check is:

http://<your domain>/.well-known/acme-challenge/<token>

where <your domain> is the domain you gave to Certbot and <token> is the value of token for the http-01 challenge in Certbot’s output. In the output I provided above, this value is NpQjL8B6JmVDyz-fOAUP-yr-xKIX6U35qDPu_1MU0WA. If you request this URL, you should get a 200 response and a short base64 string.

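An added example (written for this page; not certbot's code and not from anyone in this thread) that mirrors the two points made above. It binds the port the way the standalone plugin does, IPv6 wildcard first and then IPv4, tolerating one of the two failing, which is why the "Failed to bind to :80 using IPv4" line is expected on Linux, and it serves the http-01 key authorization, which is the token, a dot, and the RFC 7638 thumbprint of the account key. `fetch_challenge` requests the challenge URL from one specific address with the Host header forced, so you can test every A and AAAA record the CA resolved (the `addressesResolved` list in the log's `validationRecord`) rather than whichever one your resolver happens to pick. The account key here is a constructed dummy JWK; with the real account key the part after the dot must equal the thumbprint that appears after the dot in the log's `keyAuthorization`.

```python
"""Dual-stack http-01 responder and key-authorization check (added example; not certbot code)."""
import base64
import hashlib
import http.client
import json
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed dummy account key (public members only); the modulus is filler,
# which is enough for a thumbprint but is not a usable RSA key.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": b64url(hashlib.sha256(b"demo").digest() * 8)}


def jwk_thumbprint(jwk):
    """RFC 7638: SHA-256 over the canonical JSON of the required public members only."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token, jwk):
    return f"{token}.{jwk_thumbprint(jwk)}"


def response_matches(body, token, thumbprint):
    """What the CA checks: the body, ignoring trailing whitespace, is token.thumbprint."""
    return body.strip() == f"{token}.{thumbprint}".encode("ascii")


def bind_dual_stack(port):
    """certbot's bind order: IPv6 wildcard, then IPv4. Returns (sockets, failures) and
    raises only if neither family could bind; one failure is normal on Linux."""
    sockets, failures = [], {}
    for family, host in ((socket.AF_INET6, "::"), (socket.AF_INET, "0.0.0.0")):
        try:
            sock = socket.socket(family, socket.SOCK_STREAM)
        except OSError as exc:                      # family not available at all
            failures[family.name] = str(exc)
            continue
        try:
            sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            if family == socket.AF_INET6 and hasattr(socket, "IPV6_V6ONLY"):
                sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)  # accept v4-mapped too
            sock.bind((host, port))
            port = sock.getsockname()[1]            # keep an ephemeral port for the second bind
            sock.listen(5)
            sockets.append(sock)
        except OSError as exc:                      # EADDRINUSE on Linux for the IPv4 bind
            sock.close()
            failures[family.name] = str(exc)
    if not sockets:
        raise OSError(f"could not bind port {port} on either family: {failures}")
    return sockets, failures


class ChallengeHandler(BaseHTTPRequestHandler):
    PREFIX = "/.well-known/acme-challenge/"

    def do_GET(self):
        token = self.path[len(self.PREFIX):] if self.path.startswith(self.PREFIX) else None
        keyauth = self.server.challenges.get(token)
        if keyauth is None:
            self.send_error(404)
            return
        body = keyauth.encode("ascii")
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):                   # keep stderr quiet
        pass


class ChallengeServer(HTTPServer):
    """HTTPServer wrapped around a socket that is already bound and listening."""

    def __init__(self, sock, challenges):
        super().__init__(sock.getsockname()[:2], ChallengeHandler, bind_and_activate=False)
        self.socket.close()
        self.socket = sock
        self.server_address = sock.getsockname()[:2]
        self.challenges = challenges


def start_responder(port, challenges):
    """Serve {token: key_authorization} on every family that bound; returns (servers, failures, port)."""
    sockets, failures = bind_dual_stack(port)
    servers = []
    for sock in sockets:
        srv = ChallengeServer(sock, challenges)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        servers.append(srv)
    return servers, failures, sockets[0].getsockname()[1]


def stop_responder(servers):
    for srv in servers:
        srv.shutdown()
        srv.server_close()


def fetch_challenge(address, port, domain, token, timeout=10.0):
    """GET the challenge from one specific address (IPv4 or IPv6 literal) with Host forced
    to the domain, the way the CA tries each resolved record. Returns (status, body)."""
    conn = http.client.HTTPConnection(address, port, timeout=timeout)
    try:
        conn.request("GET", ChallengeHandler.PREFIX + token, headers={"Host": domain})
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()
```

While certbot is paused on `--debug-challenges`, call `fetch_challenge` once per address in the log's `addressesResolved` list (port 80, the real domain, the http-01 token) and compare each body with `response_matches` against the thumbprint from the log's `keyAuthorization`; an address that times out or returns a different body is one the CA may pick and fail on.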

Thanks for your help on this - I’m keen to get this working without the use of webroot.

When running with the --debug-challenges --verbose flags, I get the “Challenges loaded” output, but the process isn’t waiting for any user interaction - after outputting “Press continue to submit to CA. Pass "-v" for more info about” the process just continues automatically. I tried this a few times and got the same result.

Is there a way to configure / debug the location of the .well-known directory that gets created as part of the challenge?

2017-11-28 10:31:05,188:DEBUG:certbot.main:certbot version: 0.19.0
2017-11-28 10:31:05,188:DEBUG:certbot.main:Arguments: ['-n', '-d', 'sub.domain.com', '-m', 'me@domain.com', '--standalone', '--agree-tos', '--staging', '--preferred-challenges', 'http', '--debug-challenges', '--verbose']
2017-11-28 10:31:05,188:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2017-11-28 10:31:05,199:DEBUG:certbot.log:Root logging level set at 10
2017-11-28 10:31:05,199:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2017-11-28 10:31:05,200:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer None
2017-11-28 10:31:05,524:DEBUG:certbot.plugins.selection:Single candidate plugin: * standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator
Initialized: <certbot.plugins.standalone.Authenticator object at 0x7f69e383cb50>
Prep: True
2017-11-28 10:31:05,525:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.standalone.Authenticator object at 0x7f69e383cb50> and installer None
2017-11-28 10:31:05,526:INFO:certbot.plugins.selection:Plugins selected: Authenticator standalone, Installer None
2017-11-28 10:31:05,529:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(status=None, contact=(u'mailto:me@domain.com',), agreement=u'https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf', key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7f69e383cb90>)>)), uri=u'https://acme-staging.api.letsencrypt.org/acme/reg/5140195', new_authzr_uri=u'https://acme-staging.api.letsencrypt.org/acme/new-authz', terms_of_service=u'https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'), f37586153e54421fde25624d2f9ce98e, Meta(creation_host=u'ip-22-0-4-61', creation_dt=datetime.datetime(2017, 11, 27, 13, 47, 14, tzinfo=<UTC>)))>
2017-11-28 10:31:05,530:DEBUG:acme.client:Sending GET request to https://acme-staging.api.letsencrypt.org/directory.
2017-11-28 10:31:05,531:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
2017-11-28 10:31:05,798:DEBUG:urllib3.connectionpool:https://acme-staging.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 582
2017-11-28 10:31:05,798:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 582
Replay-Nonce: 9rIC5iT4ZCKZoPdOg_vfmdIlQZ3xEwa6e-ghTDZd_bw
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Tue, 28 Nov 2017 10:31:05 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 28 Nov 2017 10:31:05 GMT
Connection: keep-alive

{
  "HyGxYNAPhNs": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "key-change": "https://acme-staging.api.letsencrypt.org/acme/key-change",
  "meta": {
    "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
  },
  "new-authz": "https://acme-staging.api.letsencrypt.org/acme/new-authz",
  "new-cert": "https://acme-staging.api.letsencrypt.org/acme/new-cert",
  "new-reg": "https://acme-staging.api.letsencrypt.org/acme/new-reg",
  "revoke-cert": "https://acme-staging.api.letsencrypt.org/acme/revoke-cert"
}
2017-11-28 10:31:05,800:INFO:certbot.main:Obtaining a new certificate
2017-11-28 10:31:05,800:DEBUG:acme.client:Requesting fresh nonce
2017-11-28 10:31:05,800:DEBUG:acme.client:Sending HEAD request to https://acme-staging.api.letsencrypt.org/acme/new-authz.
2017-11-28 10:31:05,996:DEBUG:urllib3.connectionpool:https://acme-staging.api.letsencrypt.org:443 "HEAD /acme/new-authz HTTP/1.1" 405 0
2017-11-28 10:31:05,996:DEBUG:acme.client:Received response:
HTTP 405
Server: nginx
Content-Type: application/problem+json
Content-Length: 91
Allow: POST
Replay-Nonce: 7WjCi9p8NTymSKGmaOXvrEJ4hbmJETX7TITuheJPtIg
Expires: Tue, 28 Nov 2017 10:31:05 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 28 Nov 2017 10:31:05 GMT
Connection: keep-alive


2017-11-28 10:31:05,997:DEBUG:acme.client:Storing nonce: 7WjCi9p8NTymSKGmaOXvrEJ4hbmJETX7TITuheJPtIg
2017-11-28 10:31:05,997:DEBUG:acme.client:JWS payload:
{
  "identifier": {
    "type": "dns", 
    "value": "sub.domain.com"
  }, 
  "resource": "new-authz"
}
2017-11-28 10:31:06,000:DEBUG:acme.client:Sending POST request to https://acme-staging.api.letsencrypt.org/acme/new-authz:
{
  "protected": "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", 
  "payload": "ewogICJpZGVudGlmaWVyIjogewogICAgInR5cGUiOiAiZG5zIiwgCiAgICAidmFsdWUiOiAiZGV2LnBhcmFkaW5vLmlvIgogIH0sIAogICJyZXNvdXJjZSI6ICJuZXctYXV0aHoiCn0", 
  "signature": "OXpfLnwda6H7DUnKGjlzKo-uYScR73Eex_JBPWEvCUGjRd3y6sVYhXD7mqW72rE4FjLJcRMMSEfcFaH5cbqjVOCi6toFAEDSytHAanp2BGoQkMNzx-XhGes_TwWL1c8S5gMFszrpir4fktvLzHS9Rw-4z6RCrEPMSXWp2nO9iTuVp0V0C2vM7aKxHgwSIbvj5IdWb-k1VPcmeI9ESYUQ6e2CiN3QYsT2l3Y4fIY3jNT_QEM1ZhI-hfmPkv4JrMthR5CHAWam8ZiJk3Glqa_nvb4E1l67jbAyw-oNkWAZwhCzlemEL28IAV0KtMSdaVJ7KFNY8pqwvFVicIZxeRekcA"
}
2017-11-28 10:31:06,213:DEBUG:urllib3.connectionpool:https://acme-staging.api.letsencrypt.org:443 "POST /acme/new-authz HTTP/1.1" 201 1009
2017-11-28 10:31:06,214:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 1009
Boulder-Requester: 5140195
Link: <https://acme-staging.api.letsencrypt.org/acme/new-cert>;rel="next"
Location: https://acme-staging.api.letsencrypt.org/acme/authz/5Nl7ldhD1poYNZBMmQnCqNWKXg2FDs8KRCXrJWIfRxg
Replay-Nonce: BstMATyc_QXjo_3CZw1HgCLZUtVpdJtKyVbiOm_xjPs
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Tue, 28 Nov 2017 10:31:06 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 28 Nov 2017 10:31:06 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "sub.domain.com"
  },
  "status": "pending",
  "expires": "2017-12-05T10:31:06.091127555Z",
  "challenges": [
    {
      "type": "tls-sni-01",
      "status": "pending",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/5Nl7ldhD1poYNZBMmQnCqNWKXg2FDs8KRCXrJWIfRxg/79724456",
      "token": "FOoH1TAh3at4yDSDfIUwFYrVag9Be8vsmU1r9w8tvJM"
    },
    {
      "type": "http-01",
      "status": "pending",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/5Nl7ldhD1poYNZBMmQnCqNWKXg2FDs8KRCXrJWIfRxg/79724457",
      "token": "ZKpgE5wcUPyklVQmDlU3glOedHK9_rX_tLmyiuq7FIM"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/5Nl7ldhD1poYNZBMmQnCqNWKXg2FDs8KRCXrJWIfRxg/79724458",
      "token": "xcyKPEZ8aHh8j7Ylz9Hy2oSuMKN0vkfYOswyRDYeX3Y"
    }
  ],
  "combinations": [
    [
      1
    ],
    [
      2
    ],
    [
      0
    ]
  ]
}
2017-11-28 10:31:06,215:DEBUG:acme.client:Storing nonce: BstMATyc_QXjo_3CZw1HgCLZUtVpdJtKyVbiOm_xjPs
2017-11-28 10:31:06,216:INFO:certbot.auth_handler:Performing the following challenges:
2017-11-28 10:31:06,216:INFO:certbot.auth_handler:http-01 challenge for sub.domain.com
2017-11-28 10:31:06,216:DEBUG:acme.standalone:Failed to bind to :80 using IPv4
2017-11-28 10:31:06,220:INFO:certbot.auth_handler:Waiting for verification...
2017-11-28 10:31:06,221:DEBUG:acme.client:JWS payload:
{
  "keyAuthorization": "ZKpgE5wcUPyklVQmDlU3glOedHK9_rX_tLmyiuq7FIM.ZP9pZIWOJFYfBSG7P8YJHdShf8fwGLJ-Y0S33CV7iiE", 
  "type": "http-01", 
  "resource": "challenge"
}
2017-11-28 10:31:06,223:DEBUG:acme.client:Sending POST request to https://acme-staging.api.letsencrypt.org/acme/challenge/5Nl7ldhD1poYNZBMmQnCqNWKXg2FDs8KRCXrJWIfRxg/79724457:
{
  "protected": "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", 
  "payload": "ewogICJrZXlBdXRob3JpemF0aW9uIjogIlpLcGdFNXdjVVB5a2xWUW1EbFUzZ2xPZWRISzlfclhfdExteWl1cTdGSU0uWlA5cFpJV09KRllmQlNHN1A4WUpIZFNoZjhmd0dMSi1ZMFMzM0NWN2lpRSIsIAogICJ0eXBlIjogImh0dHAtMDEiLCAKICAicmVzb3VyY2UiOiAiY2hhbGxlbmdlIgp9", 
  "signature": "TdhT59_SXrV_o9vc1fYYqscMQpjOA35mhabaM94bXqaFLLUfhvs5zpAHaNAl9xx82k38rcnxXuWxO9S-jic-WdTW7s4ERfOSAkZBvQ2nh-P6paA3zfa99xmwh037-QcT1prTGt0-F6ZA4KPZ9ugxxnJvVmjJt1_LUS8lRMP8JQCOL5e4y8-RtqFqOM5bAakA3ieoJyAtR8g6vcrSAfcttGUZGK8dRNQw9R3N4K2cbU8K2mj8uq-95Gcp_HJnyKIwJYG4xwxShxbZ8246eINPRSg7AQjZIP9Y3wrn0AXO9eResNynPzS6fnKd64mNh5AFOvotF-CgvFmq5yrmv_9U3A"
}
2017-11-28 10:31:06,300:DEBUG:acme.standalone:::ffff:22.0.0.43 - - Incoming request
2017-11-28 10:31:06,433:DEBUG:urllib3.connectionpool:https://acme-staging.api.letsencrypt.org:443 "POST /acme/challenge/5Nl7ldhD1poYNZBMmQnCqNWKXg2FDs8KRCXrJWIfRxg/79724457 HTTP/1.1" 202 338
2017-11-28 10:31:06,434:DEBUG:acme.client:Received response:
HTTP 202
Server: nginx
Content-Type: application/json
Content-Length: 338
Boulder-Requester: 5140195
Link: <https://acme-staging.api.letsencrypt.org/acme/authz/5Nl7ldhD1poYNZBMmQnCqNWKXg2FDs8KRCXrJWIfRxg>;rel="up"
Location: https://acme-staging.api.letsencrypt.org/acme/challenge/5Nl7ldhD1poYNZBMmQnCqNWKXg2FDs8KRCXrJWIfRxg/79724457
Replay-Nonce: t7YByzriQ2R8HAar8RQY7IBxifJ2Qxexqr8NOar-IGA
Expires: Tue, 28 Nov 2017 10:31:06 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 28 Nov 2017 10:31:06 GMT
Connection: keep-alive

{
  "type": "http-01",
  "status": "pending",
  "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/5Nl7ldhD1poYNZBMmQnCqNWKXg2FDs8KRCXrJWIfRxg/79724457",
  "token": "ZKpgE5wcUPyklVQmDlU3glOedHK9_rX_tLmyiuq7FIM",
  "keyAuthorization": "ZKpgE5wcUPyklVQmDlU3glOedHK9_rX_tLmyiuq7FIM.ZP9pZIWOJFYfBSG7P8YJHdShf8fwGLJ-Y0S33CV7iiE"
}
2017-11-28 10:31:06,434:DEBUG:acme.client:Storing nonce: t7YByzriQ2R8HAar8RQY7IBxifJ2Qxexqr8NOar-IGA
2017-11-28 10:31:06,530:DEBUG:acme.standalone:::ffff:22.0.0.43 - - Serving HTTP01 with token u'ZKpgE5wcUPyklVQmDlU3glOedHK9_rX_tLmyiuq7FIM'
2017-11-28 10:31:06,531:DEBUG:acme.standalone:::ffff:22.0.0.43 - - "GET /.well-known/acme-challenge/ZKpgE5wcUPyklVQmDlU3glOedHK9_rX_tLmyiuq7FIM HTTP/1.1" 200 -
2017-11-28 10:31:06,531:DEBUG:acme.standalone:::ffff:22.0.0.43 - - Incoming request
2017-11-28 10:31:09,438:DEBUG:acme.client:Sending GET request to https://acme-staging.api.letsencrypt.org/acme/authz/5Nl7ldhD1poYNZBMmQnCqNWKXg2FDs8KRCXrJWIfRxg.
2017-11-28 10:31:09,711:DEBUG:urllib3.connectionpool:https://acme-staging.api.letsencrypt.org:443 "GET /acme/authz/5Nl7ldhD1poYNZBMmQnCqNWKXg2FDs8KRCXrJWIfRxg HTTP/1.1" 200 1116
2017-11-28 10:31:09,712:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1116
Link: <https://acme-staging.api.letsencrypt.org/acme/new-cert>;rel="next"
Replay-Nonce: VjA0wHE-4RA2kdb6UasuTDl1vyqelaXJiR9kVBdSmmY
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Tue, 28 Nov 2017 10:31:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 28 Nov 2017 10:31:09 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "sub.domain.com"
  },
  "status": "pending",
  "expires": "2017-12-05T10:31:06Z",
  "challenges": [
    {
      "type": "tls-sni-01",
      "status": "pending",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/5Nl7ldhD1poYNZBMmQnCqNWKXg2FDs8KRCXrJWIfRxg/79724456",
      "token": "FOoH1TAh3at4yDSDfIUwFYrVag9Be8vsmU1r9w8tvJM"
    },
    {
      "type": "http-01",
      "status": "pending",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/5Nl7ldhD1poYNZBMmQnCqNWKXg2FDs8KRCXrJWIfRxg/79724457",
      "token": "ZKpgE5wcUPyklVQmDlU3glOedHK9_rX_tLmyiuq7FIM",
      "keyAuthorization": "ZKpgE5wcUPyklVQmDlU3glOedHK9_rX_tLmyiuq7FIM.ZP9pZIWOJFYfBSG7P8YJHdShf8fwGLJ-Y0S33CV7iiE"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/5Nl7ldhD1poYNZBMmQnCqNWKXg2FDs8KRCXrJWIfRxg/79724458",
      "token": "xcyKPEZ8aHh8j7Ylz9Hy2oSuMKN0vkfYOswyRDYeX3Y"
    }
  ],
  "combinations": [
    [
      1
    ],
    [
      2
    ],
    [
      0
    ]
  ]
}
2017-11-28 10:31:12,717:DEBUG:acme.client:Sending GET request to https://acme-staging.api.letsencrypt.org/acme/authz/5Nl7ldhD1poYNZBMmQnCqNWKXg2FDs8KRCXrJWIfRxg.
2017-11-28 10:31:12,982:DEBUG:urllib3.connectionpool:https://acme-staging.api.letsencrypt.org:443 "GET /acme/authz/5Nl7ldhD1poYNZBMmQnCqNWKXg2FDs8KRCXrJWIfRxg HTTP/1.1" 200 1873
2017-11-28 10:31:12,983:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1873
Link: <https://acme-staging.api.letsencrypt.org/acme/new-cert>;rel="next"
Replay-Nonce: NFoMoTsxsojzbqBrZWcs21bCpYHNXMhvzqEBTIVjESc
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Tue, 28 Nov 2017 10:31:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 28 Nov 2017 10:31:12 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "sub.domain.com"
  },
  "status": "invalid",
  "expires": "2017-12-05T10:31:06Z",
  "challenges": [
    {
      "type": "tls-sni-01",
      "status": "pending",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/5Nl7ldhD1poYNZBMmQnCqNWKXg2FDs8KRCXrJWIfRxg/79724456",
      "token": "FOoH1TAh3at4yDSDfIUwFYrVag9Be8vsmU1r9w8tvJM"
    },
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:acme:error:connection",
        "detail": "Fetching http://sub.domain.com/.well-known/acme-challenge/ZKpgE5wcUPyklVQmDlU3glOedHK9_rX_tLmyiuq7FIM: Timeout",
        "status": 400
      },
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/5Nl7ldhD1poYNZBMmQnCqNWKXg2FDs8KRCXrJWIfRxg/79724457",
      "token": "ZKpgE5wcUPyklVQmDlU3glOedHK9_rX_tLmyiuq7FIM",
      "keyAuthorization": "ZKpgE5wcUPyklVQmDlU3glOedHK9_rX_tLmyiuq7FIM.ZP9pZIWOJFYfBSG7P8YJHdShf8fwGLJ-Y0S33CV7iiE",
      "validationRecord": [
        {
          "url": "http://sub.domain.com/.well-known/acme-challenge/ZKpgE5wcUPyklVQmDlU3glOedHK9_rX_tLmyiuq7FIM",
          "hostname": "sub.domain.com",
          "port": "80",
          "addressesResolved": [
            "34.240.74.18",
            "54.77.192.196",
            "2a01:578:3::364d:c0c4",
            "2a01:578:3::22f0:4a12"
          ],
          "addressUsed": "34.240.74.18",
          "addressesTried": [
            "2a01:578:3::364d:c0c4"
          ]
        }
      ]
    },
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/5Nl7ldhD1poYNZBMmQnCqNWKXg2FDs8KRCXrJWIfRxg/79724458",
      "token": "xcyKPEZ8aHh8j7Ylz9Hy2oSuMKN0vkfYOswyRDYeX3Y"
    }
  ],
  "combinations": [
    [
      1
    ],
    [
      2
    ],
    [
      0
    ]
  ]
}
2017-11-28 10:31:12,985:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: sub.domain.com
Type:   connection
Detail: Fetching http://sub.domain.com/.well-known/acme-challenge/ZKpgE5wcUPyklVQmDlU3glOedHK9_rX_tLmyiuq7FIM: Timeout

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
2017-11-28 10:31:12,985:INFO:certbot.auth_handler:Cleaning up challenges
2017-11-28 10:31:12,986:DEBUG:certbot.plugins.standalone:Stopping server at :::80...
2017-11-28 10:32:05,727:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.19.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 861, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 786, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 85, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 357, in obtain_and_enroll_certificate
    certr, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 318, in obtain_certificate
    self.config.allow_subset_of_names)
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 81, in get_authorizations
    self._respond(resp, best_effort)
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 138, in _respond
    self._poll_challenges(chall_update, best_effort)
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 202, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. sub.domain.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://sub.domain.com/.well-known/acme-challenge/ZKpgE5wcUPyklVQmDlU3glOedHK9_rX_tLmyiuq7FIM: Timeout
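
A triage helper for a failed http-01 like the one above, added here as an example and not part of certbot or of this thread: it reads the final authorization object and the standalone plugin's log lines (constructed samples below, with the addresses and error text copied from the log above) and reports what the CA tried against what the temporary server actually answered. It assumes Boulder's validationRecord semantics, where addressesTried lists the earlier failed attempts and addressUsed the final one, and treats the "Failed to bind to :80 using IPv4" line as benign once the dual-stack :::80 socket is shown serving an IPv4-mapped client.

```python
import ipaddress
import re
from typing import Dict, List
# Constructed sample: the failed authorization object from the log above, trimmed
# to the fields the triage reads (addresses and error copied from that log).
SAMPLE_AUTHZ: Dict = {
    "challenges": [{
        "type": "http-01", "status": "invalid",
        "error": {"type": "urn:acme:error:connection",
                  "detail": "Fetching http://sub.domain.com/.well-known/acme-challenge/ZKpg...: Timeout"},
        "validationRecord": [{
            "hostname": "sub.domain.com", "port": "80",
            "addressesResolved": ["34.240.74.18", "54.77.192.196",
                                  "2a01:578:3::364d:c0c4", "2a01:578:3::22f0:4a12"],
            "addressUsed": "34.240.74.18",
            "addressesTried": ["2a01:578:3::364d:c0c4"]}]}],
}
# Constructed sample standalone-plugin lines, in the shape seen in the log above.
SAMPLE_LOG = """\
2017-11-28 10:31:06,216:DEBUG:acme.standalone:Failed to bind to :80 using IPv4
2017-11-28 10:31:06,530:DEBUG:acme.standalone:::ffff:22.0.0.43 - - Serving HTTP01 with token u'ZKpg'
2017-11-28 10:31:12,986:DEBUG:certbot.plugins.standalone:Stopping server at :::80...
"""
SERVED_RE = re.compile(r"acme\.standalone:(\S+) - - Serving HTTP01 with token")

def served_from(log_text: str) -> List[str]:
    """Client addresses the temporary server answered; ::ffff:a.b.c.d is unmapped to a.b.c.d."""
    addrs = [ipaddress.ip_address(m.group(1)) for m in SERVED_RE.finditer(log_text)]
    return [str(getattr(a, "ipv4_mapped", None) or a) for a in addrs]

def triage(authz: Dict, log_text: str) -> List[str]:
    """Findings for a failed http-01 authorization: what the CA tried vs. what we served."""
    findings = []
    for ch in authz.get("challenges", []):
        if ch.get("type") != "http-01" or ch.get("status") != "invalid":
            continue
        err = ch.get("error", {})
        findings.append(f"http-01 failed: {err.get('type')} ({err.get('detail', '').rsplit(': ', 1)[-1]})")
        for rec in ch.get("validationRecord", []):
            tried = set(rec.get("addressesTried", [])) | {a for a in [rec.get("addressUsed")] if a}
            findings.append(f"CA tried {sorted(tried)} on port {rec.get('port')}; none answered")
            if any(ipaddress.ip_address(a).version == 6 for a in tried):
                findings.append("AAAA record published and IPv6 tried first: serve port 80 on v6 too, or drop the AAAA record")
    if "Failed to bind to :80 using IPv4" in log_text and "Stopping server at :::80" in log_text:
        findings.append("IPv4 bind failed but the dual-stack :::80 socket still served IPv4; the bind message is not the fault")
    clients = served_from(log_text)
    if clients:
        findings.append(f"temporary server answered {clients}; if that is not the CA (e.g. a load-balancer health check), the CA's request never arrived")
    return findings
```

Run `triage(SAMPLE_AUTHZ, SAMPLE_LOG)` against your own `/var/log/letsencrypt/letsencrypt.log` data to see in one place that the CA timed out on both the IPv6 and IPv4 addresses while the only request the temporary server saw came from a different client.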

You seem to pass -n, which enables non-interactive mode.
Furthermore, if you want to place challenge files manually, you don't need to use --standalone.

After removing and re-installing nginx via apt, running the exact same certbot command is successful.

I’m not clear exactly what the issue is, but it seems something in my own configuration of nginx was causing issues with nginx when run by the standalone plugin.
