Type http-01 status invalid

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: dev.sourcing.kwikbasket.com

I ran this command: sudo certbot --apache -d dev.sourcing.kwikbasket.com -d dev.sourcing.kwikbasket.com

It produced this output: Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for dev.sourcing.kwikbasket.com

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: dev.sourcing.kwikbasket.com
Type: connection
Detail: Fetching http://dev.sourcing.kwikbasket.com/.well-known/acme-challenge/MeeAyroURcGtZmUUl_HvK1RRQg3qS2NnyMB0hhKDkcI: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Apache

The operating system my web server runs on is (include version): Ubuntu 20.04.1 LTS

My hosting provider, if applicable, is: AWS EC2

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.22.0

1 Like

Welcome @ramakanthrapaka-tech

It looks like your AWS Security Group is not allowing HTTP traffic inbound to EC2. This is required to satisfy the Let's Encrypt http challenge.

And there is no need to list the same domain name twice on your certbot command

3 Likes

Thank you for the immediate response. I added HTTP and HTTPS inbound and outbound rules, but I am still unable to get SSL working; I am getting the log below in letsencrypt.log

{
  "identifier": {
    "type": "dns",
    "value": "dev.sourcing.kwikbasket.com"
  },
  "status": "pending",
  "expires": "2022-02-04T20:15:25Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/72862744820/ykQwmA",
      "token": "Iu0WMGML8ZsqwK5xmGhzxd8iwtHppiANZtLZeAuaN78"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/72862744820/SCsvdg",
      "token": "Iu0WMGML8ZsqwK5xmGhzxd8iwtHppiANZtLZeAuaN78"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/72862744820/YANQbw",
      "token": "Iu0WMGML8ZsqwK5xmGhzxd8iwtHppiANZtLZeAuaN78"
    }
  ]
}

2 Likes

I don't think you updated the right place. Or, there is another place to update because:

22/tcp   open     ssh
80/tcp   filtered http
443/tcp  open     https

Also see:

3 Likes

Please show the output of:
apachectl -t -D DUMP_VHOSTS

3 Likes

Yeah, and make sure your DNS is pointing to right IP.

DNS says IP is: 3.139.146.153

Do this command to see your public IP and that it matches DNS:

curl -4 ifconfig.co

3 Likes

I ran this command

sudo apachectl -t -D DUMP_VHOSTS

VirtualHost configuration:
*:8080 ip-172-31-35-10.us-east-2.compute.internal (/etc/apache2/sites-enabled/crontabui.conf:2)
*:443 is a NameVirtualHost
default server dev.apiadmin.kwikbasket.com (/etc/apache2/sites-enabled/apiadmin-le-ssl.conf:2)
port 443 namevhost dev.apiadmin.kwikbasket.com (/etc/apache2/sites-enabled/apiadmin-le-ssl.conf:2)
port 443 namevhost dev.apicustomerregistration.kwikbasket.com (/etc/apache2/sites-enabled/apicustomerregitration-le-ssl.conf:2)
port 443 namevhost dev.customerregistration.kwikbasket.com (/etc/apache2/sites-enabled/customerregitration-le-ssl.conf:2)
port 443 namevhost dev.delivery.kwikbasket.com (/etc/apache2/sites-enabled/deliverywebapp-le-ssl.conf:2)
port 443 namevhost dev.apifarmer.kwikbasket.com (/etc/apache2/sites-enabled/farmerapi-le-ssl.conf:2)
port 443 namevhost dev.farmer.kwikbasket.com (/etc/apache2/sites-enabled/farmers-le-ssl.conf:2)
port 443 namevhost dev.api.kwikbasket.com (/etc/apache2/sites-enabled/kwikbasketapi-le-ssl.conf:2)
port 443 namevhost ocr.kwikbasket.com (/etc/apache2/sites-enabled/ocr-le-ssl.conf:2)
port 443 namevhost dev.shop.kwikbasket.com (/etc/apache2/sites-enabled/shop-le-ssl.conf:2)
port 443 namevhost dev.store.kwikbasket.com (/etc/apache2/sites-enabled/store-le-ssl.conf:2)
port 443 namevhost dev.kwikbasket.com (/etc/apache2/sites-enabled/website-le-ssl.conf:2)
*:80 is a NameVirtualHost
default server dev.apiadmin.kwikbasket.com (/etc/apache2/sites-enabled/apiadmin.conf:1)
port 80 namevhost dev.apiadmin.kwikbasket.com (/etc/apache2/sites-enabled/apiadmin.conf:1)
port 80 namevhost dev.apicustomerregistration.kwikbasket.com (/etc/apache2/sites-enabled/apicustomerregitration.conf:1)
port 80 namevhost dev.apisourcing.kwikbasket.com (/etc/apache2/sites-enabled/apisourcing.conf:1)
port 80 namevhost dev.customerregistration.kwikbasket.com (/etc/apache2/sites-enabled/customerregitration.conf:1)
port 80 namevhost dev.delivery.kwikbasket.com (/etc/apache2/sites-enabled/deliverywebapp.conf:1)
port 80 namevhost dev.apifarmer.kwikbasket.com (/etc/apache2/sites-enabled/farmerapi.conf:1)
port 80 namevhost dev.farmer.kwikbasket.com (/etc/apache2/sites-enabled/farmers.conf:1)
port 80 namevhost dev.api.kwikbasket.com (/etc/apache2/sites-enabled/kwikbasketapi.conf:1)
port 80 namevhost ocr.kwikbasket.com (/etc/apache2/sites-enabled/ocr.conf:1)
port 80 namevhost dev.shop.kwikbasket.com (/etc/apache2/sites-enabled/shop.conf:1)
port 80 namevhost dev.sourcing.kwikbasket.com (/etc/apache2/sites-enabled/sourcing.conf:1)
port 80 namevhost dev.store.kwikbasket.com (/etc/apache2/sites-enabled/store.conf:1)
port 80 namevhost dev.kwikbasket.com (/etc/apache2/sites-enabled/website.conf:1)

1 Like
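The vhost dump above is what the helpers look at when deciding whether the http-01 challenge can be routed at all: Certbot's apache plugin needs a port-80 vhost for the requested name to put its temporary challenge configuration into. The following is an added example, not code from the thread or from Certbot; it parses `apachectl -t -D DUMP_VHOSTS` output and reports whether a given name has a port-80 vhost and which file defines it. The sample dump embedded below is a constructed excerpt in the same shape as the one posted.

```python
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample: an excerpt of `apachectl -t -D DUMP_VHOSTS` output
# in the same shape as the dump posted in this thread.
SAMPLE_DUMP = """\
VirtualHost configuration:
*:8080 ip-172-31-35-10.us-east-2.compute.internal (/etc/apache2/sites-enabled/crontabui.conf:2)
*:443 is a NameVirtualHost
default server dev.apiadmin.kwikbasket.com (/etc/apache2/sites-enabled/apiadmin-le-ssl.conf:2)
port 443 namevhost dev.apiadmin.kwikbasket.com (/etc/apache2/sites-enabled/apiadmin-le-ssl.conf:2)
port 443 namevhost dev.kwikbasket.com (/etc/apache2/sites-enabled/website-le-ssl.conf:2)
*:80 is a NameVirtualHost
default server dev.apiadmin.kwikbasket.com (/etc/apache2/sites-enabled/apiadmin.conf:1)
port 80 namevhost dev.apiadmin.kwikbasket.com (/etc/apache2/sites-enabled/apiadmin.conf:1)
port 80 namevhost dev.sourcing.kwikbasket.com (/etc/apache2/sites-enabled/sourcing.conf:1)
"""

# "port 80 namevhost name (/path/file.conf:LINE)" lines inside a NameVirtualHost block
NAMEVHOST_RE = re.compile(r"^\s*port (\d+) namevhost (\S+) \((\S+?):(\d+)\)$")
# "*:8080 name (/path/file.conf:LINE)" lines for a port with a single vhost
SINGLE_RE = re.compile(r"^\*:(\d+) (\S+) \((\S+?):(\d+)\)$")


def parse_dump_vhosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (port, server_name, config_file) for every vhost in the dump.

    'default server' lines are skipped: they repeat the first namevhost of the block.
    """
    vhosts = []
    for line in text.splitlines():
        m = NAMEVHOST_RE.match(line) or SINGLE_RE.match(line)
        if m:
            vhosts.append((int(m.group(1)), m.group(2), m.group(3)))
    return vhosts


def http01_readiness(vhosts: List[Tuple[int, str, str]], domain: str) -> Dict[str, object]:
    """Summarise what the apache authenticator needs for one name.

    The CA fetches http://<domain>/.well-known/acme-challenge/<token> over plain
    HTTP, so the name must be served by a port-80 vhost; a port-443 vhost is
    what Certbot creates afterwards and is not needed for the challenge.
    """
    port80 = [v for v in vhosts if v[0] == 80 and v[1] == domain]
    port443 = [v for v in vhosts if v[0] == 443 and v[1] == domain]
    return {
        "domain": domain,
        "has_port80_vhost": bool(port80),
        "port80_conf": port80[0][2] if port80 else None,
        "has_port443_vhost": bool(port443),
        "ports_in_use": sorted({v[0] for v in vhosts}),
    }


if __name__ == "__main__":
    # Usage: apachectl -t -D DUMP_VHOSTS | python3 vhost_check.py <domain>
    # With no stdin data the constructed sample is used instead.
    domain = sys.argv[1] if len(sys.argv) > 1 else "dev.sourcing.kwikbasket.com"
    dump = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    dump = dump or SAMPLE_DUMP
    report = http01_readiness(parse_dump_vhosts(dump), domain)
    for key, value in report.items():
        print(f"{key}: {value}")
```

For the posted dump the result is that dev.sourcing.kwikbasket.com does have a port-80 vhost (sourcing.conf), so Apache routing is not the blocker here; the question moves to whether port 80 is reachable from outside at all, which is what the rest of the thread chases.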

I ran this command

curl -4 ifconfig.co

3.139.146.153

1 Like

OK. Thanks. Your IP looks good and nothing in your VHost dump would prevent access. We can look in more detail at your Apache and Ubuntu config but I think the most likely cause is related to your AWS EC2 or VPC network config. On my AWS setup, I only see 'filtered' when those are wrong. When those are right but the server is wrong I see 'closed'.

There are possibly 2 places you could be blocking traffic. The most commonly wrong spot is the EC2 Security Group. Below is a partial of mine and you can ignore the IPv6 since you are not using it. Make sure you see something similar:

Another place you could be blocking port 80 is in your VPC ACL Rules. If you have one of those make sure it is not blocking port 80.

Here is a current list of your ports. I only showed a partial list earlier but maybe this will help you identify what you need to do. Let's Encrypt needs port 80 to show open. I can connect to your ports that show open - just not port 80.

PORT     STATE    SERVICE
22/tcp   open     ssh
25/tcp   filtered smtp
80/tcp   filtered http
443/tcp  open     https
2000/tcp open     cisco-sccp
3306/tcp open     mysql
7000/tcp open     afs3-fileserver
7200/tcp open     fodms
8000/tcp open     http-alt
8080/tcp open     http-proxy

If none of this helps let us know. We can look more at your Apache and Ubuntu config to see if anything there is blocking port 80.

1 Like
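The reasoning in the post above (port 80 'filtered' means packets are dropped before the host answers, so look at the security group or network ACL; 'closed' means the host answered with a reset, so the network is fine and the listener is the problem) can be turned into a small self-check. The block below is an added example and is not code from the thread or from Let's Encrypt; it classifies a port-scan listing of the shape shown above, performs the same open/filtered/closed classification with a live TCP connect, and builds the challenge URL the CA will fetch from the token in the authorization JSON. The scan excerpt is constructed; the loopback helpers exist only so the connect classifier can be exercised without network access.

```python
import re
import socket
import sys
from contextlib import contextmanager
from typing import Dict, Iterator

# Constructed sample in the shape of the port listing posted above.
SAMPLE_SCAN = """\
PORT     STATE    SERVICE
22/tcp   open     ssh
25/tcp   filtered smtp
80/tcp   filtered http
443/tcp  open     https
8080/tcp open     http-proxy
"""

SCAN_RE = re.compile(r"^(\d+)/tcp\s+(open|closed|filtered)\s+\S+")


def parse_port_states(text: str) -> Dict[int, str]:
    """Map TCP port -> state from an nmap-style 'PORT STATE SERVICE' table."""
    states: Dict[int, str] = {}
    for line in text.splitlines():
        m = SCAN_RE.match(line)
        if m:
            states[int(m.group(1))] = m.group(2)
    return states


def diagnose_port80(states: Dict[int, str]) -> str:
    """Point at the layer most likely responsible for the port-80 state."""
    state = states.get(80, "unknown")
    if state == "open":
        return "open: port 80 reachable; look at the Apache vhost and rewrite config next"
    if state == "filtered":
        return "filtered: packets dropped upstream; check EC2 security group, VPC network ACL, then ufw/iptables"
    if state == "closed":
        return "closed: network path fine but nothing listening; check Apache is bound to *:80"
    return "unknown: port 80 not present in scan output"


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify one TCP connect the same way a scanner would."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:          # no SYN/ACK and no RST: something dropped the packet
        return "filtered"
    except ConnectionRefusedError:  # RST came back: host reachable, no listener
        return "closed"
    except OSError as exc:          # e.g. no route to host, DNS failure
        return f"error: {exc}"


def challenge_url(domain: str, token: str) -> str:
    """The URL the CA fetches for http-01; the token comes from the authorization JSON."""
    return f"http://{domain}/.well-known/acme-challenge/{token}"


@contextmanager
def local_listener() -> Iterator[int]:
    """Loopback listener on an ephemeral port (offline stand-in for an 'open' port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    try:
        yield srv.getsockname()[1]
    finally:
        srv.close()


def closed_loopback_port() -> int:
    """Reserve then release an ephemeral port; connecting to it afterwards is refused."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Usage: python3 port80_check.py <hostname>   (no argument: classify the sample scan)
    if len(sys.argv) > 1:
        host = sys.argv[1]
        print(diagnose_port80({80: probe_tcp(host, 80)}))
    else:
        print(diagnose_port80(parse_port_states(SAMPLE_SCAN)))
```

Run it from a machine outside the VPC, not from the instance itself: a connect from the same host never crosses the security group or the network ACL, so it cannot reproduce the 'filtered' result the CA sees.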

These are my inbound rules, please check once

1 Like

That looks ok. You have an All Traffic rule so you don't even need the extra ones for HTTP and HTTPS.

Do you have a Network ACL in your VPC? To find any, click the VPC-ID associated with the running EC2 instance and scroll to the left menu item for Network ACL and click one, if it exists. If you have one there should be Inbound/Outbound Rules and a column for Rule Number. Network ACLs are optional so you might not have one.

2 Likes

Please Check Network ACLs

1 Like

Yeah, that looks good too. Do you have a firewall in Ubuntu? Maybe ufw? Show:

ufw status

2 Likes

I ran this command below:

sudo ufw status

I got this output:

Status: inactive

1 Like

Argh. Odd. What about this?

sudo netstat -pant | grep -Ei ':80|:443|httpd|apache' | grep -i listen

1 Like

1 Like

What are the contents of this file?

2 Likes

What server should respond to 127.0.0.1:2001? There wasn't any such definition in any display earlier.

Also, the rewrite statements look faulty. I believe those would result in a loop as it redirects to the same server it comes from. But, we are not connecting so they have not been sent yet.

Has this server ever worked?

2 Likes

I used the same .conf file on another EC2 instance, where the SSL installation worked perfectly, and there I also used port 2001. That site is working fine on port 2001 and the SSL installation also went smoothly.

Yes, this server is working fine. I am facing the issue with recent SSL installations. Previous SSL certificates are working fine, and the websites too.