The Certificate Authority failed to download the temporary challenge files created by Certbot, while port 80 is open

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: revizie.controlserver.sk

I ran this command: certbot certonly -v --webroot -w /var/www/letsencrypt -d revizie.controlserver.sk, certbot renew -v --webroot -w /var/www/letsencrypt

It produced this output: Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

In /var/log/letsencrypt/letsencrypt.log, I get these logs:

2025-02-15 13:50:22,288:DEBUG:acme.client:Storing nonce: KzKG6P_ECrTDDXStkVsskhmla7b7CZEMuGZSmDvkP7xmmNkDqqM
2025-02-15 13:50:22,288:INFO:certbot._internal.auth_handler:Challenge failed for domain revizie.controlserver.sk
2025-02-15 13:50:22,289:INFO:certbot._internal.auth_handler:http-01 challenge for revizie.controlserver.sk
2025-02-15 13:50:22,290:DEBUG:certbot._internal.display.obj:Notifying user: 
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: revizie.controlserver.sk
  Type:   connection
  Detail: 87.197.163.137: Fetching http://revizie.controlserver.sk/.well-known/acme-challenge/32-baDrzSm6yeQIUfTkg5uJxAy7dPw32SEEhOrtYn80: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

2025-02-15 13:50:22,292:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3.12/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/usr/lib/python3.12/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2025-02-15 13:50:22,293:DEBUG:certbot._internal.error_handler:Calling registered functions
2025-02-15 13:50:22,293:INFO:certbot._internal.auth_handler:Cleaning up challenges
2025-02-15 13:50:22,293:DEBUG:certbot._internal.plugins.webroot:Removing /var/www/letsencrypt/.well-known/acme-challenge/32-baDrzSm6yeQIUfTkg5uJxAy7dPw32SEEhOrtYn80
2025-02-15 13:50:22,293:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2025-02-15 13:50:22,293:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/usr/lib/python3.12/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/certbot/_internal/main.py", line 1871, in main
    return config.func(config, plugins)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/certbot/_internal/main.py", line 1577, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/certbot/_internal/main.py", line 142, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/certbot/_internal/client.py", line 519, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/certbot/_internal/client.py", line 429, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/certbot/_internal/client.py", line 498, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/usr/lib/python3.12/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2025-02-15 13:50:22,297:ERROR:certbot._internal.log:Some challenges have failed.

My web server is (include version): Nginx v1.27.4

The operating system my web server runs on is (include version): Alpine Linux v3.21.2

My hosting provider, if applicable, is: self-hosted

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): v3.2.0. It used to work with v2.11.0; however, it recently started failing to renew the certificates (with the same error), so I upgraded it to v3.2.0.


Ports 443 and 80 are accessible on the public IP address of the domains. Moreover, when I create the /var/www/letsencrypt/.well-known/acme-challenge folder in the nginx-certbot container and create a file there (e.g. echo test > /var/www/letsencrypt/.well-known/acme-challenge/test), I can access it via a web browser at http://$domain/.well-known/acme-challenge/$filename (I could even access the challenge file during renewal); therefore, Nginx seems to work as expected and Let's Encrypt should be able to access the challenges.

nmap -p80,443 revizie.controlserver.sk executed from outside of the LAN states the ports are open.

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

I also tried to access the /.well-known/acme-challenge/$filename on the public IP address instead of the domain, and that also worked as expected.

I also tried to re-create the certificates, but that failed too.

Thank you in advance for your help! :pray:

Related: Timeout during connect (likely firewall problem) | port 80 is opened, however, I don’t use Cloudflare.

Related Nginx config:

# Always redirect HTTP to HTTPS, except for the certificate renewals (HTTP-01 ACME challenges)
server {
	listen 80 default_server reuseport;
	server_name _;

	location /.well-known/acme-challenge {
		default_type text/plain;
		root /var/www/letsencrypt;
	}

	location / {
		return 301 https://$http_host$request_uri;
	}
}

It worked and still seems to work. :man_shrugging: I don’t use IPv6.

The Let’s Debug test result: Let's Debug

You can still access the test file (it returns the test string) over HTTP → http://revizie.controlserver.sk/.well-known/acme-challenge/test
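The CA's own report in the log above (Type: connection, "Timeout during connect") already points away from the generic webroot hint and towards reachability from the validators. As an added example that is not part of this thread, the following POSIX shell/awk function triages such failure blocks by those two fields. Only the "Timeout during connect" text comes from the thread; the example.org block is constructed, and the other Detail patterns are well-known Let's Encrypt error strings.

```shell
#!/bin/sh
# Added example (not from the thread): triage a Certbot failure block by the
# CA-reported "Type" and "Detail" lines rather than by the generic webroot hint.
# Reads Certbot output/log text on stdin and prints one line per failed domain:
#   <domain> <tab> <type> <tab> <likely cause>
classify_challenge_failures() {
    awk '
        /^ *Domain:/ { domain = $2 }
        /^ *Type:/   { type = $2 }
        /^ *Detail:/ {
            detail = $0
            cause = "check webroot path and server logs"
            if (detail ~ /Timeout during connect/)
                cause = "port 80 not reachable from the CA validators (firewall/geoblocking), not a webroot problem"
            else if (detail ~ /Connection refused/)
                cause = "nothing listening on port 80 at the public address"
            else if (detail ~ /Invalid response from/)
                cause = "reachable, but the token was not served from the --webroot-path"
            else if (type == "dns")
                cause = "DNS lookup of the name failed at the CA"
            print domain "\t" type "\t" cause
        }
    '
}

# Constructed sample: the block from the original post plus one constructed
# webroot-mismatch case for example.org (not from this thread).
SAMPLE_FAILURE='Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: revizie.controlserver.sk
  Type:   connection
  Detail: 87.197.163.137: Fetching http://revizie.controlserver.sk/.well-known/acme-challenge/32-baDrzSm6yeQIUfTkg5uJxAy7dPw32SEEhOrtYn80: Timeout during connect (likely firewall problem)

  Domain: example.org
  Type:   unauthorized
  Detail: 192.0.2.10: Invalid response from http://example.org/.well-known/acme-challenge/TOKEN: 404'

# Wrapper that runs the classifier over the constructed sample.
triage_sample() {
    printf '%s\n' "$SAMPLE_FAILURE" | classify_challenge_failures
}

triage_sample
```

In real use, pipe the relevant part of /var/log/letsencrypt/letsencrypt.log (or the command output) into classify_challenge_failures. A "connection" failure with a connect timeout, as here, cannot be fixed by changing --webroot-path; it means the validators never reached port 80 at all.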

Thanks for all that info @tukusejssirs And, you did many useful tests.

But, connections to your domain are failing (timing out) from many parts around the world. Do you have a firewall limiting access to just your geographic region?

The Let's Debug test showed the same error as you get from Let's Encrypt. And this test site shows access working from only one country: Check website performance and response : Check host - online website monitoring

You will need to open port 80 access to the entire world. Or, at least URLs with the format: http://(domain)/.well-known/acme-challenge/(token)


Thanks, @MikeMcQ, for the info.

Yes, indeed it works after allowing port 80 from the entire world; however, then we experience multiple connection requests from around the world. I know it is OT, however, what would you suggest to secure the LAN from unsolicited/dangerous connections from all over the world if all our customers (ATM) are only from Czechia and Slovakia? :thinking:

Here you can see a list of connection requests a few minutes after allowing port 80 from all over the world.

Does your firewall allow rules to block all except the /.well-known/acme-challenge path?

Or, consider the DNS Challenge. That uses a TXT record in your DNS rather than port 80 for HTTP Challenge (or port 443 for TLS-ALPN challenge).

EDIT: Or, use a Certbot pre-hook and post-hook to open/close port 80 at your firewall. Then it is only exposed during the cert request.

This wiki has more helpful info: Multi-Perspective Validation & Geoblocking FAQ
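A concrete form of the pre-hook/post-hook idea above, as an added example that is neither MikeMcQ's nor the Certbot project's code. It assumes (hypothetically, adjust to your ruleset) an nftables table named inet filter with an input chain whose policy drops unsolicited traffic, root privileges, and nft installed; a dedicated acme_http chain is created once by setup_once and is flushed by the post-hook. The NFT variable is an assumption for dry-running: set NFT=echo to print the nft commands instead of executing them.

```shell
#!/bin/sh
# Added example, not Certbot's or the thread's own code: open port 80 only while
# Certbot is validating, via a dedicated nftables chain that is flushed afterwards.
# Assumptions (hypothetical, adjust to your ruleset): table "inet filter" with an
# "input" chain whose policy drops unsolicited traffic; root privileges; nft installed.
# Set NFT=echo to dry-run and print the nft commands instead of executing them.
NFT="${NFT:-nft}"
TABLE="${TABLE:-inet filter}"
INPUT_CHAIN="${INPUT_CHAIN:-input}"
ACME_CHAIN="${ACME_CHAIN:-acme_http}"

# One-time setup: create the helper chain and jump to it from the head of input,
# so the temporary accept rule takes precedence over any geo-blocking drops below it.
setup_once() {
    $NFT add chain $TABLE $ACME_CHAIN
    $NFT insert rule $TABLE $INPUT_CHAIN jump $ACME_CHAIN
}

# Pre-hook: allow new TCP connections to port 80 from anywhere.
open_port80() {
    $NFT add rule $TABLE $ACME_CHAIN tcp dport 80 ct state new accept
}

# Post-hook: remove every rule from the helper chain (idempotent if already empty).
close_port80() {
    $NFT flush chain $TABLE $ACME_CHAIN
}

case "${1:-}" in
    setup) setup_once ;;
    open)  open_port80 ;;
    close) close_port80 ;;
    "")    : ;;    # no argument (e.g. sourced): only define the functions
    *)     echo "usage: $0 setup|open|close" >&2; exit 2 ;;
esac
```

Run it once as setup (as root), then wire it into Certbot, for example certbot renew --pre-hook "/usr/local/sbin/acme-port80 open" --post-hook "/usr/local/sbin/acme-port80 close" (the path is a placeholder). Certbot runs the post-hook after the attempt whether or not it succeeded, so the flush closes the window even on a failed renewal; outside that window the existing rules (including any geographic restriction) apply unchanged. The validation itself must still be reachable from the whole world during the window, which is exactly what the multi-perspective check in the linked FAQ requires.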

