The Certificate Authority failed to verify the manually created challenge files

fhhs · December 28, 2021, 2:00am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:www.fhhs.kh.edu.tw

I ran this command:certbot certonly --manual --csr C:\resin-4.0.44\keys\gryffindor.csr --preferred-challenges "http"

It produced this output:
2021-12-28 08:43:44,373:INFO:certbot._internal.auth_handler:Challenge failed for domain www.fhhs.kh.edu.tw
2021-12-28 08:43:44,373:INFO:certbot._internal.auth_handler:http-01 challenge for www.fhhs.kh.edu.tw
2021-12-28 08:43:44,373:DEBUG:certbot._internal.display.obj:Notifying user:
Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: www.fhhs.kh.edu.tw
Type: connection
Detail: Fetching https://www.fhhs.kh.edu.tw/.well-known/acme-challenge/96PmgxVANC9WmDwa_3mce_EQaqMk2wTccoG0cYs5L0M: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the manually created challenge files. Ensure that you created these in the correct location.

My web server is (include version):resin-4.0.44

The operating system my web server runs on is (include version):Windows Server 2012 R2 Standard

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):certbot version: 1.19.0

rg305 · December 28, 2021, 2:03am

Hi @fhhs and welcome to the LE community forum

You will need a working HTTP site before it can be secured (via HTTP authentication).

fhhs · December 28, 2021, 3:00am

I have confirmed that the http site is working properly.
like this:
https://www.fhhs.kh.edu.tw/.well-known/acme-challenge/u0HW8IpsJxJJdPp0xiJ3OEQc1qH9lZe2Kakao22aR2A

MikeMcQ · December 28, 2021, 4:06am

It looks like you got a new certificate today. See crt.sh | www.fhhs.kh.edu.tw

Do you still need help?

Update: @fhhs Earlier today when I quickly looked at your problem your server was sending an expired certificate but it was sending a complete chain. Now, you are sending just the server "leaf" certificate but not the chain. You should restore the setting that sent the whole chain but using your new certificate (from fullchain.pem). You can view your cert and chain with a site like this:
https://decoder.link/sslchecker/www.fhhs.kh.edu.tw/443

fhhs · December 28, 2021, 5:11am

Thank you very much, I have completed Certificate request.

rg305 · December 28, 2021, 1:38pm

But you still have one more issue:

IPv4 and IPv6 do not serve the same content:

curl -Ii4 http://www.fhhs.kh.edu.tw
HTTP/1.1 302 Found
Location: https://www.fhhs.kh.edu.tw/
Content-Length: 65

curl -Ii4 https://www.fhhs.kh.edu.tw
HTTP/1.1 200 OK
Content-Length: 416

curl -Ii6 http://www.fhhs.kh.edu.tw
curl: (56) Recv failure: Connection reset by peer

curl -Ii6 https://www.fhhs.kh.edu.tw
curl: (7) Failed to connect to www.fhhs.kh.edu.tw port 443: Connection timed out

Notice the different return codes, lengths, and error messages.

Name:      www.fhhs.kh.edu.tw
Addresses: 2001:288:8219:1::65
           163.32.63.65

fhhs · January 6, 2022, 8:30pm

IPv4 and IPv6 do not serve the same content

Related issues have been resolved.
Thank you very much.

system · February 5, 2022, 8:31pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.