TLS-SNI-01 well-knowns not being very well known


#1

My domain is:
ct2.smtcorp.com
I ran this command:

It produced this output:

My web server is (include version):
Apache 2.4 on Ubuntu 16.04

The operating system my web server runs on is (include version):
Distributor ID: Ubuntu
Description: Ubuntu 16.04.5 LTS
Release: 16.04
Codename: xenial

My hosting provider, if applicable, is:
Self Managed

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
Webmin when required

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.30.2

In an effort to head off issues with cert renewals I jumped in and followed the instructions in this post…


Right from the start certbot upgraded itself from 0.25.something to 0.30.2. I was a little astonished, but it had been a while since anyone had manually run certbot-auto.

I then ran the suggested sed command, tried a dry-run renewal, and things are broken. I originally had issues with redirection and webroots, but I believe I have worked that out; the URL
https://ct2.smtcorp.com/.well-known/acme-challenge/test should suffice in proving that the directory is available when creating the challenge.

Running /etc/certbot/certbot-auto renew -vvvvvv --apache --dry-run > cert.log doesn't show any files being created under /.well-known/acme-challenge/; it does, however, look like a web server is spun up and the required challenge information is served from there…? Maybe?

OUTPUT:
Root logging level set at -40
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requested authenticator apache and installer apache
Var dry_run=True (set by user).
Var server=set(['staging', 'dry_run']) (set by user).
Var dry_run=True (set by user).
Var server=set(['staging', 'dry_run']) (set by user).
Var account=set(['server']) (set by user).
Var authenticator=apache (set by user).
Var installer=apache (set by user).
Cert not due for renewal, but simulating renewal for dry run
Requested authenticator apache and installer apache
Apache version is 2.4.18
Single candidate plugin: * apache
Description: Apache Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_debian.DebianConfigurator object at 0x7f597f648210>
Prep: True
Single candidate plugin: * apache
Description: Apache Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_debian.DebianConfigurator object at 0x7f597f648210>
Prep: True
Selected authenticator <certbot_apache.override_debian.DebianConfigurator object at 0x7f597f648210> and installer <certbot_apache.override_debian.DebianConfigurator object at 0x7f597f648210>
Plugins selected: Authenticator apache, Installer apache
Picked account: <Account(RegistrationResource(body=Registration(status=None, terms_of_service_agreed=None, agreement=u'https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf', only_return_existing=None, contact=(), key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7f597f5ff710>)>), external_account_binding=None), uri=u'https://acme-staging.api.letsencrypt.org/acme/reg/1614418', new_authzr_uri=u'https://acme-staging.api.letsencrypt.org/acme/new-authz', terms_of_service=u'https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf'), e39c0d78214e2a4a34caa93b2025604f, Meta(creation_host=u'owncloud', creation_dt=datetime.datetime(2017, 3, 16, 14, 13, 25, tzinfo=<UTC>)))>
Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org:443
https://acme-staging-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 724
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 724
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 28 Jan 2019 21:36:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 28 Jan 2019 21:36:02 GMT
Connection: keep-alive

{
  "MFu1wqlwpWI": "Adding random entries to the directory",
  "keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org/docs/staging-environment/"
  },
  "newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert"
}
Renewing an existing certificate
Requesting fresh nonce
Sending HEAD request to https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce.
https://acme-staging-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
Received response:
HTTP 200
Server: nginx
Replay-Nonce: EpL4P13ekypgib07MnNrksNySuz5ot5LXpimB_1ShNM
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Content-Length: 0
Expires: Mon, 28 Jan 2019 21:36:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 28 Jan 2019 21:36:02 GMT
Connection: keep-alive

Storing nonce: EpL4P13ekypgib07MnNrksNySuz5ot5LXpimB_1ShNM
JWS payload:
{
  "identifiers": [
    {
      "type": "dns",
      "value": "ct2.smtcorp.com"
    }
  ]
}
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJub25jZSI6ICJFcEw0UDEzZWt5cGdpYjA3TW5OcmtzTnlTdXo1b3Q1TFhwaW1CXzFTaE5NIiwgInVybCI6ICJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL25ldy1vcmRlciIsICJraWQiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmcuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL3JlZy8xNjE0NDE4IiwgImFsZyI6ICJSUzI1NiJ9",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwgCiAgICAgICJ2YWx1ZSI6ICJjdDIuc210Y29ycC5jb20iCiAgICB9CiAgXQp9",
  "signature": "cFVCX86XBevRHAXHjlRuDrFpOh5ruN8qgrUsFk2U-3FzCJ_RzFzDfO-T5tzqGmQNoS7LfER8kBItQmMxLeK05yR9wrBj7zvMO7rHTUSibDdKR1uf7hFv9Q7F8Ep4oAR1HYYePIilzn_Z214UnDhfgWHWTEcR_IKB9osBQ49mxG4b0CcBPtxnRrndPRilkga3UGXT939WFknZLRAwb-E4_3dsYTzyZDqyxzvaAdQryYWe_G7BgQPhUoYC-vPnEq7eeEPhvBHjhoSbZ1LGrWeNipn6PvqC689rPdpdpAV0oyMDm4Ge5-je5m2XUD2gNh1HdTxEQ1gDFI0US51NwQxA"
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 388
Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 388
Boulder-Requester: 1614418
Location: https://acme-staging-v02.api.letsencrypt.org/acme/order/1614418/21654309
Replay-Nonce: cbWDd0oWZGztIuCa4GXA2zhfUjFy9i4Nu5PMIs2jCWA
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 28 Jan 2019 21:36:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 28 Jan 2019 21:36:02 GMT
Connection: keep-alive

{
  "status": "pending",
  "expires": "2019-02-04T21:36:02.517875008Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "ct2.smtcorp.com"
    }
  ],
  "authorizations": [
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz/jgQ3q5AOHNNkWvPgwOSccjTzAFXtf7BffbeF-RAVLOY"
  ],
  "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/1614418/21654309"
}
Storing nonce: cbWDd0oWZGztIuCa4GXA2zhfUjFy9i4Nu5PMIs2jCWA
JWS payload:

Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz/jgQ3q5AOHNNkWvPgwOSccjTzAFXtf7BffbeF-RAVLOY:
{
  "protected": "eyJub25jZSI6ICJjYldEZDBvV1pHenRJdUNhNEdYQTJ6aGZVakZ5OWk0TnU1UE1JczJqQ1dBIiwgInVybCI6ICJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6L2pnUTNxNUFPSE5Oa1d2UGd3T1NjY2pUekFGWHRmN0JmZmJlRi1SQVZMT1kiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9yZWcvMTYxNDQxOCIsICJhbGciOiAiUlMyNTYifQ",
  "payload": "",
  "signature": "dBwWVx1fllX8_MLatCfRhDl8BMm54DAyhkOLEWiW_U-NWPqIBjSmX0avIz7R0cmGKJaQtIvFQxMiqwIQvlMcSl38LRvfv-lBYSn8gbErmXS07ORLfKUie66VcyQvUysoNXZD7-fyXm31LyvPZUmElX-TiPFTShwCXoS-dvNEaolXkeTd7Oy0uTKr07lMd8FyRr5PHvsp79mWI9y2BErfVGDSFjHcbfryuFYkvRC62cKSBfS-WCU-LY03Pl5W21oKCagovwdjcn1k9fDkCXcfXbh26-sCGEToHjn739oSAxV6avLdq723NoExQp3hXHpD1r42KK0EHUWjAxbdnJY6Gw"
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz/jgQ3q5AOHNNkWvPgwOSccjTzAFXtf7BffbeF-RAVLOY HTTP/1.1" 200 928
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 928
Boulder-Requester: 1614418
Replay-Nonce: -MRXfE6i1ScaPrCdIowh4258ff3xLeLxnN_cQSfOSxI
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 28 Jan 2019 21:36:02 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 28 Jan 2019 21:36:02 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "ct2.smtcorp.com"
  },
  "status": "pending",
  "expires": "2019-02-04T21:36:02Z",
  "challenges": [
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/jgQ3q5AOHNNkWvPgwOSccjTzAFXtf7BffbeF-RAVLOY/232074553",
      "token": "r3upCHTGd9ShR-vUZA5fHlU5q0Vrq9k-R6cXTk54Hd8"
    },
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/jgQ3q5AOHNNkWvPgwOSccjTzAFXtf7BffbeF-RAVLOY/232074554",
      "token": "Bmg0CTXFb_fM7oFgYvKbjYRjCuWcRaZzeSNQz21vRA4"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/jgQ3q5AOHNNkWvPgwOSccjTzAFXtf7BffbeF-RAVLOY/232074555",
      "token": "1Ql1_ZxrhAa3IKHkSu3iIMo7SjwbcqTaOLIIl1p603o"
    }
  ]
}
Storing nonce: -MRXfE6i1ScaPrCdIowh4258ff3xLeLxnN_cQSfOSxI
Performing the following challenges:
http-01 challenge for ct2.smtcorp.com
Adding a temporary challenge validation Include for name: None in: /etc/apache2/sites-enabled/webmin.1548703757.conf
writing a pre config file with text:
        RewriteEngine on
       RewriteRule ^/.well-known/acme-challenge/([A-Za-z0-9-_=]+)$ /var/lib/letsencrypt/http_challenges/$1 [END]
    
writing a post config file with text:
        <Directory /var/lib/letsencrypt/http_challenges>
           Require all granted
       </Directory>
       <Location /.well-known/acme-challenge>
           Require all granted
       </Location>
    
Creating backup of /etc/apache2/sites-enabled/webmin.1548703757.conf
Waiting for verification…
JWS payload:
{
  "keyAuthorization": "Bmg0CTXFb_fM7oFgYvKbjYRjCuWcRaZzeSNQz21vRA4.b3I76EPd7-s5ASBh-l3WCUw4cFXXeUoXG9ZJpTuVS2Y",
  "type": "http-01",
  "resource": "challenge"
}
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/challenge/jgQ3q5AOHNNkWvPgwOSccjTzAFXtf7BffbeF-RAVLOY/232074554:
{
  "protected": "eyJub25jZSI6ICItTVJYZkU2aTFTY2FQckNkSW93aDQyNThmZjN4TGVMeG5OX2NRU2ZPU3hJIiwgInVybCI6ICJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2NoYWxsZW5nZS9qZ1EzcTVBT0hOTmtXdlBnd09TY2NqVHpBRlh0ZjdCZmZiZUYtUkFWTE9ZLzIzMjA3NDU1NCIsICJraWQiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmcuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL3JlZy8xNjE0NDE4IiwgImFsZyI6ICJSUzI1NiJ9",
  "payload": "ewogICJrZXlBdXRob3JpemF0aW9uIjogIkJtZzBDVFhGYl9mTTdvRmdZdktiallSakN1V2NSYVp6ZVNOUXoyMXZSQTQuYjNJNzZFUGQ3LXM1QVNCaC1sM1dDVXc0Y0ZYWGVVb1hHOVpKcFR1VlMyWSIsIAogICJ0eXBlIjogImh0dHAtMDEiLCAKICAicmVzb3VyY2UiOiAiY2hhbGxlbmdlIgp9",
  "signature": "s7OXlYj4LDQaK3FdDpxi7ozlMr2lnkSBry6bgKr4ASbBdDDgcwNiK0ycmfBHTIoSPnRb6h6bxSsOO5vpC7AbwjRTb9rs8sApS1ou-x-Tk32Av4p9_CHc7fphFr4xnichUe5sXPueK7yytm7CNXdnmXdrnPYdUBJrXaS5Pz3LHr9nfHia8PtrTjO37lskvmwlvc8Nm1p0AlbWHZxcIk7oKMMoHxRE6n1c092NRO0Diwokvq2x_D_zZDXzomWM1LXgoNyZ1Ib3NnNb4fZHHSuHIq0kgy1CHq5hfDMeJiG5V1ZJKSPrbdfg2fTKhPX__njA_jIFVJlA3tUCY5dK59ELGA"
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/challenge/jgQ3q5AOHNNkWvPgwOSccjTzAFXtf7BffbeF-RAVLOY/232074554 HTTP/1.1" 200 230
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 230
Boulder-Requester: 1614418
Link: <https://acme-staging-v02.api.letsencrypt.org/acme/authz/jgQ3q5AOHNNkWvPgwOSccjTzAFXtf7BffbeF-RAVLOY>;rel="up"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/challenge/jgQ3q5AOHNNkWvPgwOSccjTzAFXtf7BffbeF-RAVLOY/232074554
Replay-Nonce: Kf6KNsPHHSancnZZBNvqAiE3X_msAtmm8M9v_4Kh1BU
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 28 Jan 2019 21:36:08 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 28 Jan 2019 21:36:08 GMT
Connection: keep-alive

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/jgQ3q5AOHNNkWvPgwOSccjTzAFXtf7BffbeF-RAVLOY/232074554",
  "token": "Bmg0CTXFb_fM7oFgYvKbjYRjCuWcRaZzeSNQz21vRA4"
}
Storing nonce: Kf6KNsPHHSancnZZBNvqAiE3X_msAtmm8M9v_4Kh1BU
JWS payload:

Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz/jgQ3q5AOHNNkWvPgwOSccjTzAFXtf7BffbeF-RAVLOY:
{
  "protected": "eyJub25jZSI6ICJLZjZLTnNQSEhTYW5jblpaQk52cUFpRTNYX21zQXRtbThNOXZfNEtoMUJVIiwgInVybCI6ICJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6L2pnUTNxNUFPSE5Oa1d2UGd3T1NjY2pUekFGWHRmN0JmZmJlRi1SQVZMT1kiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9yZWcvMTYxNDQxOCIsICJhbGciOiAiUlMyNTYifQ",
  "payload": "",
  "signature": "gi-r8cQ6qJvssBtWGW5QyZUEi5ccvbgYBag-m-vL1PLH_-n3F_vVXdYCzkPPH6M5nniqmXpUJ0NIgueoKoJ0LQIctvWFQjXt6j-4CfebQkzC0kUMZOx3DGEbM5Le1bGMoSPcE5ixjf7fNKwc-wCeYU_r5QPtXxs9VLNeJMbOGQ0dUmLSOmr7BvUVEmzVWJo9z3UX5gBwJ-_yV8QvpZDeo6nWsqUJxrSkFNAllV-VbuVLBuc56m70r7tbth7VmES_fL6DanKb4-C1BjqFQDsjrQ62y0KODGDgsEEvDyiuen6l593lRyXDOLOxCliItGZl2wEJ8IzwC7e_r_sgDPbwJg"
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz/jgQ3q5AOHNNkWvPgwOSccjTzAFXtf7BffbeF-RAVLOY HTTP/1.1" 200 1532
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1532
Boulder-Requester: 1614418
Replay-Nonce: ao9FCHv_Y95OpegrNmlDpZRER5XUPNjjOY2a_VuBrns
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 28 Jan 2019 21:36:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 28 Jan 2019 21:36:12 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "ct2.smtcorp.com"
  },
  "status": "invalid",
  "expires": "2019-02-04T21:36:02Z",
  "challenges": [
    {
      "type": "tls-alpn-01",
      "status": "invalid",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/jgQ3q5AOHNNkWvPgwOSccjTzAFXtf7BffbeF-RAVLOY/232074553",
      "token": "r3upCHTGd9ShR-vUZA5fHlU5q0Vrq9k-R6cXTk54Hd8"
    },
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "Fetching http://ct2.smtcorp.com/.well-known/acme-challenge/Bmg0CTXFb_fM7oFgYvKbjYRjCuWcRaZzeSNQz21vRA4: Connection refused",
        "status": 400
      },
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/jgQ3q5AOHNNkWvPgwOSccjTzAFXtf7BffbeF-RAVLOY/232074554",
      "token": "Bmg0CTXFb_fM7oFgYvKbjYRjCuWcRaZzeSNQz21vRA4",
      "validationRecord": [
        {
          "url": "http://ct2.smtcorp.com/.well-known/acme-challenge/Bmg0CTXFb_fM7oFgYvKbjYRjCuWcRaZzeSNQz21vRA4",
          "hostname": "ct2.smtcorp.com",
          "port": "80",
          "addressesResolved": [
            "209.104.242.174"
          ],
          "addressUsed": "209.104.242.174"
        }
      ]
    },
    {
      "type": "dns-01",
      "status": "invalid",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/jgQ3q5AOHNNkWvPgwOSccjTzAFXtf7BffbeF-RAVLOY/232074555",
      "token": "1Ql1_ZxrhAa3IKHkSu3iIMo7SjwbcqTaOLIIl1p603o"
    }
  ]
}
Storing nonce: ao9FCHv_Y95OpegrNmlDpZRER5XUPNjjOY2a_VuBrns
Reporting to user: The following errors were reported by the server:

Domain: ct2.smtcorp.com
Type:   connection
Detail: Fetching http://ct2.smtcorp.com/.well-known/acme-challenge/Bmg0CTXFb_fM7oFgYvKbjYRjCuWcRaZzeSNQz21vRA4: Connection refused

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
Encountered exception:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 161, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 232, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. ct2.smtcorp.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://ct2.smtcorp.com/.well-known/acme-challenge/Bmg0CTXFb_fM7oFgYvKbjYRjCuWcRaZzeSNQz21vRA4: Connection refused

Calling registered functions
Cleaning up challenges
Attempting to renew cert (ct2.smtcorp.com) from /etc/letsencrypt/renewal/ct2.smtcorp.com.conf produced an unexpected error: Failed authorization procedure. ct2.smtcorp.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://ct2.smtcorp.com/.well-known/acme-challenge/Bmg0CTXFb_fM7oFgYvKbjYRjCuWcRaZzeSNQz21vRA4: Connection refused. Skipping.
Traceback was:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/renewal.py", line 452, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 1192, in renew_cert
    renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 116, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/renewal.py", line 310, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py", line 353, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py", line 389, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 161, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 232, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. ct2.smtcorp.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://ct2.smtcorp.com/.well-known/acme-challenge/Bmg0CTXFb_fM7oFgYvKbjYRjCuWcRaZzeSNQz21vRA4: Connection refused

All renewal attempts failed. The following certs could not be renewed:
 /etc/letsencrypt/live/ct2.smtcorp.com/fullchain.pem (failure)
Exiting abnormally:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 1364, in main
    return config.func(config, plugins)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 1271, in renew
    renewal.handle_renewal_request(config)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/renewal.py", line 477, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)
1 renew failure(s), 0 parse failure(s)

Thoughts?


#2

Hi @mcarpenterjr

if you want to use http-01 validation, you must have an open port 80. Your port 80 is closed or blocked ( https://check-your-website.server-daten.de/?q=ct2.smtcorp.com ):

Domainname Http-Status redirect Sec. G
http://ct2.smtcorp.com/
209.104.242.174 -2 1.337 V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 209.104.242.174:80
https://ct2.smtcorp.com/
209.104.242.174 200 6.823 B
http://ct2.smtcorp.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
209.104.242.174 -2 1.350 V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 209.104.242.174:80

You can add a redirect http -> https, but Letsencrypt tries to load the validation file via port 80.

Looks like there is a firewall that blocks.

Certbot can create its own webserver or use a redirect to another directory.

You can use webroot instead; then your running Apache and the webroot are used (there, where you have created the test file).


#3

The --apache plugin would conflict with/override spinning up a web server.

The log entries below show where the challenge files should have been placed.

You can include similar code to permanently direct it to a specific path/location of your choosing.


#4

That's a great tool; I can think back to so many instances where that would have been handy.

if you want to use http-01 validation, you must have an open port 80. Your port 80 is closed or blocked

We're in a tight spot with this particular instance and opening port 80 might be a hard sell. Anything I can do to minimize exposure in addition to redirecting/forcing https for anything outside /.well-known?

Also, in looking over our global Apache config, I noticed a previous admin specifically forced SSL on the /.well-known/acme-challenge directory in an effort to combat the POODLE vulnerability. Will/could this have an effect on the http-01 validation method? Also, is this even still relevant 4 years later?


#5

Seen that, but I noticed there were a lot of what looked like nginx configs getting output.


#6

You can redirect /.well-known/acme-challenge to https; this isn't a problem. Or/and the complete http traffic.

But redirect it correctly:

http://ct2.smtcorp.com/.well-known/acme-challenge/1234 
-->>
https://ct2.smtcorp.com/.well-known/acme-challenge/1234

Then Letsencrypt follows the redirect.
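
Posts #2 and #6 above describe what the CA actually does for http-01: connect to the name on port 80 over plain HTTP, fetch /.well-known/acme-challenge/<token>, follow a redirect only if it keeps that path, and compare the body with the key authorization (token, a dot, and the RFC 7638 thumbprint of the account key). What follows is an added example, not code from this thread, from Certbot or from Let's Encrypt: it simulates those steps offline against local stand-in servers so the three situations discussed here (port 80 refused as in the log, a redirect that drops the path, and a correct redirect) can be compared side by side. The account JWK, the hostnames and ports, and the validate_http01/start_server/run_scenarios helpers are all constructed for the demo; the token is the one from the log above, and the "https side" is stood in by a second plain-HTTP listener because the point being checked is the preserved path, not the TLS handshake.

```python
import hashlib
import http.client
import json
import socket
import threading
from base64 import urlsafe_b64encode
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-demo-modulus"}  # constructed, not a real key

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of an RSA JWK: SHA-256 over e/kty/n with sorted keys and no whitespace,
    base64url-encoded without padding as ACME (RFC 8555) requires."""
    canonical = json.dumps({k: jwk[k] for k in ("e", "kty", "n")}, sort_keys=True, separators=(",", ":"))
    return urlsafe_b64encode(hashlib.sha256(canonical.encode("ascii")).digest()).rstrip(b"=").decode("ascii")

def key_authorization(token: str, jwk: dict) -> str:
    """Exact body the CA expects at /.well-known/acme-challenge/<token>: token.thumbprint."""
    return f"{token}.{jwk_thumbprint(jwk)}"

def validate_http01(host, token, expected, port=80, max_redirects=10):
    """Return ("valid", final_url) or ("invalid", reason). The first request is plain HTTP on port 80;
    redirects are followed only while they keep the challenge path. (The real CA also limits redirect
    targets to ports 80/443; that is relaxed here so the demo can use ephemeral local ports.)"""
    url = f"http://{host}:{port}{CHALLENGE_PREFIX}{token}"
    for _ in range(max_redirects + 1):
        parts = urlsplit(url)
        conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
        conn = conn_cls(parts.hostname, parts.port, timeout=5)
        try:
            conn.request("GET", parts.path, headers={"Host": parts.netloc, "User-Agent": "acme-preflight"})
            resp = conn.getresponse()
            status, location, body = resp.status, resp.getheader("Location"), resp.read()
        except OSError as exc:  # ConnectionRefusedError is the case in the log above
            return ("invalid", f"Fetching {url}: {exc}")
        finally:
            conn.close()
        if status in (301, 302, 303, 307, 308):
            target = urlsplit(urljoin(url, location or ""))
            if target.scheme not in ("http", "https") or target.path != CHALLENGE_PREFIX + token:
                return ("invalid", f"Redirect to {target.geturl()} does not keep the challenge path")
            url = target.geturl()
            continue
        if status != 200:
            return ("invalid", f"Fetching {url}: HTTP {status}")
        if body.decode("ascii", "replace").rstrip() != expected:
            return ("invalid", f"Fetching {url}: key authorization mismatch")
        return ("valid", url)
    return ("invalid", "Too many redirects")

class _ChallengeHandler(BaseHTTPRequestHandler):
    """Stand-in web server; start_server() subclasses it with per-instance settings."""
    keyauths = {}        # token -> key authorization, i.e. the challenge directory contents
    redirect_to = None   # base URL of the "https" side to redirect to, or None to serve directly
    drop_path = False    # simulate the broken redirect that sends everything to "/"
    log_message = lambda self, *args: None  # silence per-request logging

    def do_GET(self):
        if self.redirect_to:
            self.send_response(301)
            self.send_header("Location", self.redirect_to + ("/" if self.drop_path else self.path))
            return self.end_headers()
        token = self.path[len(CHALLENGE_PREFIX):] if self.path.startswith(CHALLENGE_PREFIX) else None
        if token not in self.keyauths:
            return self.send_error(404)
        data = self.keyauths[token].encode("ascii")
        self.send_response(200)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

def start_server(keyauths=None, redirect_to=None, drop_path=False):
    """Local stand-in on an ephemeral 127.0.0.1 port; returns (server, port)."""
    handler = type("Handler", (_ChallengeHandler,),
                   dict(keyauths=keyauths or {}, redirect_to=redirect_to, drop_path=drop_path))
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]

def run_scenarios(token="Bmg0CTXFb_fM7oFgYvKbjYRjCuWcRaZzeSNQz21vRA4"):
    """The three situations from the thread (token taken from the log); returns {name: (status, detail)}."""
    keyauth = key_authorization(token, ACCOUNT_JWK)
    backend, backend_port = start_server(keyauths={token: keyauth})  # where the file really lives
    good, good_port = start_server(redirect_to=f"http://127.0.0.1:{backend_port}")
    bad, bad_port = start_server(redirect_to=f"http://127.0.0.1:{backend_port}", drop_path=True)
    with socket.socket() as s:  # bind-and-release gives a port nothing listens on: "Connection refused"
        s.bind(("127.0.0.1", 0))
        refused_port = s.getsockname()[1]
    try:
        return {
            "redirect keeps path": validate_http01("127.0.0.1", token, keyauth, port=good_port),
            "redirect to /": validate_http01("127.0.0.1", token, keyauth, port=bad_port),
            "port 80 refused": validate_http01("127.0.0.1", token, keyauth, port=refused_port),
        }
    finally:
        for srv in (backend, good, bad):
            srv.shutdown()
            srv.server_close()
```

Calling run_scenarios() returns "valid" only for the listener whose 301 preserves /.well-known/acme-challenge/<token>; the listener that sends everything to "/" fails on the path check before any body is compared, and the closed port reproduces the "Connection refused" detail from the log. To preflight a real host, call validate_http01 against it with the key authorization Certbot writes, but remember the CA resolves the name from the public internet, so a check from inside the network will not catch a firewall rule.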


#7

Awesome.

Is there a set of IPs that lets encrypt typically uses? We’re tossing the idea around of doing a white list for restricting access even further.


#8

Short answer: NO.
They can and do change and will be doing even more so in the future.


#9

That doesn’t make sense. POODLE was a vulnerability that affected SSL and buggy TLS implementations. (It was resolved by turning off SSL 3.0 and using better or fixed TLS implementations.) HTTP had nothing to do with it.

POODLE shouldn’t be an issue now because you should have fixed it in 2014, but also it never had anything to do with HTTP.

