Too many failed attempts

My domain is: dansmith.ca

I ran this command: certbot certonly, certbot certonly --apache, certbot certonly --standalone, certbot certonly --webroot, certbot certonly (all failed with acme challenge response)

It produced this output: "Invalid response from http://www.dansmith.ca/.well-known/acme-challenge/<random_string>: 404"

My web server is (include version): Ubuntu Linux 20.04.2 LTS (command line)

The operating system my web server runs on is (include version): Ubuntu Linux 20.04.2 LTS (Hyper-V virtual machine)

My hosting provider, if applicable, is: self-hosted

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.5.0

Ok, so I currently have a Hyper-V Windows 2019 virtual server running my sites, which are secured already with a valid cert, and have recently set up an Ubuntu Linux server so I can move everything over to it and retire the Windows web server. However, when I go to run certbot using any of the commands above, I get the "Some challenges have failed" message. Is this because, when Certbot goes out to Let's Encrypt, it sees that I already have a certificate and refuses to issue a new one?

Regarding the .well-known/acme-challenges, the folder is writable (777), so I know that writing to the folder is not an issue. Also I think that certbot is supposed to TELL me what the acme-challenge is BEFORE it tries to write to the folder and create the cert, isn't it? It does not tell me what the challenge is so when I go to the freedns to make a TXT entry with my challenge, I can put it there and then Certbot will go look at it and say it's OK and process the challenge normally.

UFW tells me that Apache Full, OpenSSH, 80, 443, and 22 are all open and allowed.

But still, it fails, and I have no idea why. How do I start from scratch without rebuilding Linux and doing all this over again?

I have no problems running my site LOCALLY on HTTP but I can't run it on the WEB with HTTPS.

Thanks to anyone who can help.

Welcome to the Let's Encrypt Community!

It is highly advisable to use the staging environment while testing and troubleshooting. This can help prevent hitting issuance limits.

No.

Please don't ever use mode 777. That is never the right solution to a permissions problem, real or otherwise.

Certbot is usually run in a non-interactive, automated fashion.

You would normally use a DNS plugin and an API for this. Manually handling challenges, while technically possible, is extremely inefficient and defeats the purpose of using an automated certificate authority.

We only care about HTTP for the purpose of ACME HTTP-01 validation, but this is good information to know.

If you haven't tested with the Let's Debug site, I encourage you to do so.

https://letsdebug.net/


Hi @dan40, and welcome to the LE community forum!

If you only have one external IP, you will need to use a proxy to share that IP amongst multiple internal systems that require the same port.

Right now, I see IIS 10 answering on port 80:

curl -Ii http://www.dansmith.ca/.well-known/acme-challenge/Test_File-1234
HTTP/1.1 404 Not Found
Cache-Control: no-cache, must-revalidate, max-age=0
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Server: Microsoft-IIS/10.0     <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
X-Powered-By: PHP/8.0.26
Link: <https://www.dansmith.ca/wp-json/>; rel="https://api.w.org/"
Date: Thu, 06 Apr 2023 13:02:47 GMT

Thank you, I want it to respond to my Linux server, which means a) the response you got above is from my Windows server and b) I need to turn off my Windows server to get it to respond on port 80 to my Linux server. If you want me to do that, I can, so you can run your query again and get a different response.


Here is the output that I get when running sudo certbot --standalone

I have a feeling this acme-challenge is causing the issue.

I get a fail when running the --test-cert args too.

Sharing the letsencrypt.log could help.


Are you running certbot on the server with IP address 24.80.233.126?

Because when you run Certbot, it is an ACME Client and makes a request to the Let's Encrypt ACME Server for a cert. The LE Server makes a request to the IP found in the public IP. This request must be satisfied but yours is failing.

You mention having two servers and yet are running certbot in standalone. Can you explain more how you set the DNS for this domain for these two servers?

I suspect the --standalone is not your best option, but without more info it is hard to say.

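The question above, which machine actually answers port 80 for the public name and whether the challenge path serves a token, can be checked before running certbot. The script below is an added example for this thread, not certbot code and not something any poster ran: it parses an HTTP reply, classifies the usual HTTP-01 failure modes (another product answering on port 80, a 404 from the wrong vhost or webroot, a redirect), and can perform the same fetch live over plain HTTP the way the Let's Encrypt validator does. The sample responses are constructed, and the Server-header prefix "Apache" and the host `example.com` in the usage note are assumptions for illustration.

```python
"""
Added example (not from the thread): a pre-flight check for ACME HTTP-01.
Answers two questions: which server answers port 80 for the public name,
and whether /.well-known/acme-challenge/<token> is actually served.
"""
import http.client
import secrets

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def parse_raw_response(raw):
    """Split a raw HTTP/1.x response into (status, headers, body).
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify(status, headers, body, token, expected_server=None):
    """Explain why HTTP-01 would fail for this reply.

    expected_server: prefix of the Server header the certbot host is known
    to send (assumed "Apache" here). If a different product answers, port 80
    on the public IP is being forwarded to another machine entirely."""
    server = headers.get("server", "")
    if expected_server and not server.lower().startswith(expected_server.lower()):
        return f"wrong-host (Server: {server or 'none'})"
    if 300 <= status < 400:
        # The validator follows redirects; the target must still serve the token.
        return f"redirect -> {headers.get('location', '?')}"
    if status == 404:
        return "not-found (path not served by this vhost/webroot)"
    if status == 200 and body.strip() == token:
        return "ok"
    return f"unexpected ({status})"


def live_check(host, token, expected_server=None, timeout=10):
    """Fetch the challenge URL over plain HTTP on port 80, as the CA does.
    Run it from outside your LAN (or against the public IP): the CA does not
    see your /etc/hosts or any hairpin-NAT shortcut."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    conn.request("GET", CHALLENGE_PREFIX + token, headers={"Host": host})
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", "replace")
    headers = {k.lower(): v for k, v in resp.getheaders()}
    conn.close()
    return classify(resp.status, headers, body, token, expected_server)


def new_probe_token():
    """Random token for a probe file; write it to
    <webroot>/.well-known/acme-challenge/<token> before calling live_check."""
    return secrets.token_urlsafe(32)


# Constructed sample reply, shaped like the IIS 404 quoted in the thread.
SAMPLE_IIS_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Cache-Control: no-cache, must-revalidate, max-age=0\r\n"
    "Content-Length: 0\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "X-Powered-By: PHP/8.0.26\r\n"
    "\r\n"
)

# Constructed sample reply from the intended Apache host serving the token.
SAMPLE_APACHE_OK = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "abc123\n"
)


def diagnose_sample(raw, token, expected_server=None):
    """Classify a captured raw response without touching the network."""
    return classify(*parse_raw_response(raw), token, expected_server)


if __name__ == "__main__":
    print(diagnose_sample(SAMPLE_IIS_404, "abc123", "Apache"))   # wrong-host ...
    print(diagnose_sample(SAMPLE_APACHE_OK, "abc123", "Apache"))  # ok
    # Live use (assumed host): token = new_probe_token(); place the file; then
    # print(live_check("example.com", token, "Apache"))
```

The point of separating `classify` from the network fetch is that the same logic can be run over a reply captured with `curl -i`, as was done above, or against the live host; a "wrong-host" verdict means port forwarding or DNS, not certbot, is the thing to fix.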

I'm sorry to have to put you all through this, I figured out what my problem was. Firstly, I did not have the correct port on my router to open 80 and 443, it was still pointing to my old server on another IP address.

Secondly, I stopped the IIS server, and pointed the router to the new Linux IP address, and re-ran certbot --apache and much to my surprise, it worked!!! I didn't have to worry about the acme-challenge!

Major hurdle solved!

How can I extend the life of the certs? Like, in some examples I've seen, I've seen it where people issue renewals at 35,000 days. If I don't have to keep renewing my cert every few months that would help me a lot.

Now the question is how do I get my old sites off my virtual IIS server and on to the Linux server? I installed Filezilla yesterday hoping that I can somehow FTP my files off that Windows server and onto the Linux server... and I can use phpmyadmin to export my databases and import them onto the Linux server. Needless to say I have some work cut out for me.

Thanks for your help, mates!


You cannot. Let's Encrypt issues certificates for 90 days, and then you would renew (typically at the 60 day mark).


That's a good question for a different forum!

You are very welcome.


Also from the CA/Browser Forum's Baseline Requirements (CA-Browser-Forum BR 1.8.7):

6.3 Other aspects of key pair management
6.3.1 Public key archival
6.3.2 Certificate operational periods and key pair usage periods

Subscriber Certificates issued on or after 1 September 2020 SHOULD NOT have a Validity Period greater than 397 days and MUST NOT have a Validity Period greater than 398 days. Subscriber Certificates issued after 1 March 2018, but prior to 1 September 2020, MUST NOT have a Validity Period greater than 825 days. Subscriber Certificates issued after 1 July 2016 but prior to 1 March 2018 MUST NOT have a Validity Period greater than 39 months.

For the purpose of calculations, a day is measured as 86,400 seconds. Any amount of time greater than this, including fractional seconds and/or leap seconds, shall represent an additional day. For this reason, Subscriber Certificates SHOULD NOT be issued for the maximum permissible time by default, in order to account for such adjustments.

What is the lifetime for Let’s Encrypt certificates? For how long are they valid?

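To make the Baseline Requirements day-counting rule quoted above and the 90-day / renew-at-60 schedule concrete, here is an added example that is not part of the thread and not from any poster: it parses the `notBefore`/`notAfter` lines that `openssl x509 -noout -dates` prints, computes the validity period the way BR 6.3.2 counts it (any fraction of a day is a further day), checks it against the 397/398-day limits, and reports when certbot's default renewal (fewer than 30 days remaining) would fire. The dates used are constructed.

```python
"""
Added example (not from the thread): certificate lifetime arithmetic per
CA/Browser Forum BR 1.8.7 section 6.3.2, applied to a Let's Encrypt cert.
"""
import math
from datetime import datetime, timedelta, timezone

SECONDS_PER_DAY = 86_400      # BR 6.3.2: a "day" is exactly 86,400 seconds
BR_SHOULD_NOT_EXCEED = 397    # SHOULD NOT (issued on/after 1 Sept 2020)
BR_MUST_NOT_EXCEED = 398      # MUST NOT
LE_LIFETIME_DAYS = 90         # what Let's Encrypt issues
RENEW_WHEN_REMAINING = 30     # certbot default: renew with <30 days left


def parse_openssl_date(line):
    """Parse 'notAfter=Jul  5 13:02:47 2023 GMT' (or the bare value) from
    `openssl x509 -noout -dates` into an aware UTC datetime."""
    value = line.split("=", 1)[1] if "=" in line else line
    return datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y %Z").replace(
        tzinfo=timezone.utc)


def validity_days(not_before, not_after):
    """BR counting: whole days, and any leftover seconds count as one more."""
    seconds = (not_after - not_before).total_seconds()
    return math.ceil(seconds / SECONDS_PER_DAY)


def br_verdict(not_before, not_after):
    """Compare the validity period with the BR 6.3.2 limits."""
    days = validity_days(not_before, not_after)
    if days > BR_MUST_NOT_EXCEED:
        return "violates MUST NOT"
    if days > BR_SHOULD_NOT_EXCEED:
        return "violates SHOULD NOT"
    return "ok"


def days_remaining(not_after, now):
    """Whole days left before expiry (negative once expired)."""
    return math.floor((not_after - now).total_seconds() / SECONDS_PER_DAY)


def renewal_due(not_after, now):
    """True once fewer than RENEW_WHEN_REMAINING days are left, which for a
    90-day certificate is day 60 of its life."""
    return now >= not_after - timedelta(days=RENEW_WHEN_REMAINING)


if __name__ == "__main__":
    # Constructed dates, not from any real certificate.
    nb = parse_openssl_date("notBefore=Apr  6 13:02:47 2023 GMT")
    na = parse_openssl_date("notAfter=Jul  5 13:02:47 2023 GMT")
    print("validity days:", validity_days(nb, na))        # 90
    print("BR verdict:", br_verdict(nb, na))              # ok
    day60 = nb + timedelta(days=60)
    print("renew on day 60?", renewal_due(na, day60))     # True
    print("35000-day cert:", br_verdict(nb, nb + timedelta(days=35000)))
```

The 35,000-day renewals mentioned earlier in the thread would fall under "violates MUST NOT" here, which is the same reason no publicly trusted CA can issue them; the practical answer is to let the renewal timer run rather than to stretch the lifetime.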
