Our site is running Windows Server 2019 with Apache 2.4 and certbot 1.24.0, and we began to have issues with challenges timing out.
I checked the edge firewall and saw it pass the requests from ISRG to the web server.
On the Apache I saw ISRG requests getting 200.
Is this version 1.24.0 we are using still supported?
I went looking for the current one, and landed on Certbot Instructions | Certbot but when I click on the link to Github, it gives me first a 404 with a login page and next this:
Certbot quit supporting Windows a few years ago. You may want a different client.
Did that error have the prefix "During secondary validation:"? You might be blocking multi-perspective observation points (mostly AWS servers around the world currently).
Due to the organization's policy, I am only allowed to share the following, in the public forum:
Type: connection
Detail: During secondary validation: <Apache server IP>: Fetching http://www.ourdomain/.well-known/acme-challenge/<guid>: Timeout during connect (likely firewall problem)
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
Failed to renew certificate <ourdomain> with error: Some challenges have failed.
Certbot is still supported on Linux distros, just not on Windows. In addition to the announcement @Nekit linked, the EFF's website install instructions for Windows also describe that: Certbot Instructions
How many requests arrived and replied with 200? For a successful challenge you should see 5 but possibly 4. There is currently one primary Let's Encrypt validation center and 4 secondaries. The primary must always succeed and at least 3 of the 4 secondaries.
As requested earlier, the exact error message can be helpful.
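The post above suggests counting how many validation centers actually reached Apache with a 200. The following script is an added example, not code from the thread or from Let's Encrypt: it parses Apache access-log lines in the default combined format (an assumption about the server's LogFormat), groups successful fetches of /.well-known/acme-challenge/ by token, and counts distinct client IPs per token, treating each validation center as a distinct source IP (another assumption). The log lines embedded in it are constructed for the demonstration. A token seen from fewer than four distinct sources is reported as partial, which is what an upstream geo-block of the secondary validators would look like from the web server's side.

```python
import re
from collections import defaultdict

# Matches the Apache "combined" LogFormat (assumption: the server uses the default format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) '
)
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# Thread says a successful validation needs the primary plus at least 3 of 4 secondaries.
MIN_OBSERVERS = 4

# Constructed sample log (documentation IP ranges, hypothetical tokens).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jul/2023:14:02:01 -0400] "GET /.well-known/acme-challenge/tokenA HTTP/1.1" 200 87 "-" "ACME-validator (constructed)"
198.51.100.20 - - [10/Jul/2023:14:02:02 -0400] "GET /.well-known/acme-challenge/tokenA HTTP/1.1" 200 87 "-" "ACME-validator (constructed)"
198.51.100.21 - - [10/Jul/2023:14:02:02 -0400] "GET /.well-known/acme-challenge/tokenA HTTP/1.1" 200 87 "-" "ACME-validator (constructed)"
192.0.2.30 - - [10/Jul/2023:14:02:03 -0400] "GET /.well-known/acme-challenge/tokenA HTTP/1.1" 200 87 "-" "ACME-validator (constructed)"
192.0.2.31 - - [10/Jul/2023:14:02:03 -0400] "GET /.well-known/acme-challenge/tokenA HTTP/1.1" 200 87 "-" "ACME-validator (constructed)"
203.0.113.10 - - [10/Jul/2023:14:05:10 -0400] "GET /.well-known/acme-challenge/tokenB HTTP/1.1" 200 87 "-" "ACME-validator (constructed)"
203.0.113.10 - - [10/Jul/2023:14:05:12 -0400] "GET /.well-known/acme-challenge/tokenB HTTP/1.1" 200 87 "-" "ACME-validator (constructed)"
203.0.113.77 - - [10/Jul/2023:14:05:20 -0400] "GET /.well-known/acme-challenge/tokenC HTTP/1.1" 404 196 "-" "curl/8.0 (constructed)"
203.0.113.77 - - [10/Jul/2023:14:06:00 -0400] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (constructed)"
"""


def parse_challenge_hits(lines):
    """Return {token: set of client IPs} for challenge fetches that got HTTP 200."""
    hits = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format (or a malformed line); skip
        path = m.group("path")
        if not path.startswith(CHALLENGE_PREFIX) or m.group("status") != "200":
            continue
        token = path[len(CHALLENGE_PREFIX):]
        hits[token].add(m.group("ip"))  # a retry from the same IP counts once
    return dict(hits)


def assess(hits, min_observers=MIN_OBSERVERS):
    """Return {token: (distinct_sources, verdict)}.

    verdict is "ok" when enough distinct sources fetched the token, otherwise
    "partial": some validators never reached Apache, which matches the
    "Timeout during connect" seen during secondary validation in the thread.
    """
    result = {}
    for token, ips in hits.items():
        count = len(ips)
        result[token] = (count, "ok" if count >= min_observers else "partial")
    return result


def analyse_log_text(text):
    """Convenience wrapper: raw access-log text -> per-token assessment."""
    return assess(parse_challenge_hits(text.splitlines()))


if __name__ == "__main__":
    for token, (count, verdict) in sorted(analyse_log_text(SAMPLE_LOG).items()):
        print(f"{token}: {count} distinct source(s) got 200 -> {verdict}")
```

On the constructed sample this reports tokenA as ok (5 sources) and tokenB as partial (1 source); tokenC does not appear at all because its only request was a 404. Note that a geo-block at the edge firewall drops connections before Apache ever logs them, so the log can only show which validators got through, not which were rejected; the edge firewall's own deny log is the place to see the rest.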
We cross-posted. Please see my prior post about primary and secondaries.
Because of the "secondary" part in your error message you are likely blocking from a geographic region where one or more of the Let's Encrypt secondary centers checks from.
Yes, we block everything but North America.
I read about secondary confirmations, which makes zero sense from my perspective and sounds like a subtle way to erode Let's Encrypt subscribers' security, with malicious purposes in mind, or due to lack of thinking.
A US entity that Let's Encrypt is should not require North American subscribers to expose themselves to cyberattacks from the rest of the world. Our servers have been hit with millions of hacking and brute-forcing attempts, from all kinds of third-world dictatorships like Russia, North Korea, Myanmar, South Africa, or whatnot, until we silenced their deluge of hacking, with GeoIP-based rules. Finally, our logs are quiet, and only legitimate North-American users are allowed to pass. We will not forego this security for the convenience of Let's Encrypt certs.
From our perspective, it is totally inappropriate and unacceptable to require North American entities to allow connections from other countries. There is simply no legal or reasonable justification for that. Either inform your users of the IP networks that are legitimate and from which you are planning to connect, for them to be whitelisted, or drop this requirement.
If Let's Encrypt absolutely insists on exposing North-American entities to cyberattacks, as a pre-condition to the issuance of SSL certs, then FBI and NSA should look into its shady dealings, and I'll see to it.
Please read and study the link I provided about Multi Perspective Validation.
Checking from multiple locations is an industry requirement. It is not specific to Let's Encrypt.
Perhaps a DNS Challenge would work for you. Your authoritative DNS Servers will need to be reachable by these same centers. Again, this was an option explained in that Multi Perspective wiki.
A number of US government sites use Let's Encrypt certs (login.gov and www.usa.gov being just two). Please educate yourself on how multi perspective validation increases security across the ecosystem.
Geographic IP blocking makes a number of assumptions, none of which are necessarily true:
No connection from any country that you block is "legitimate"
Connections from countries that you don't block are "legitimate"
The information you have on the location of any given IP address is correct
The connection coming from that IP address is on behalf of somebody in that country
Geo IP blocking is not a magic bullet. Like anything, it's a tool in your toolbox.
Remember also that while Let's Encrypt may be run by a US-based organisation, it doesn't provide direct services or indirect benefits purely to US individuals and organisations.