Unable to Add Certificate

ntsluke · July 7, 2021, 12:05pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: * dan-orourke.com

I ran this command: Add certificate Include the "www" subdomain for the domain and each selected alias from Plesk Obsidian

It produced this output:

Could not issue a Let's Encrypt SSL/TLS certificate for dan-orourke.com . Authorization for the domain failed.
Details

Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/14611447268.
Details:
Type: urn:ietf:params:acme:error:connection
Status: 400
Detail: Fetching https://dan-orourke.com/.well-known/acme-challenge/Uo_uwJMKfUpVPOPklRJCEbYM2w7_5NrFtktCg6x2Las: Timeout during connect (likely firewall problem)

My web server is (include version): Plesk Obsidian
Version 18.0.36

The operating system my web server runs on is (include version): Ubuntu 20.04.2 LTS

My hosting provider, if applicable, is: Fasthost

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Plesk Obsidian

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Version 18.0.36

griffin · July 7, 2021, 6:31pm

Welcome to the Let's Encrypt Community, Luke

The problem I see is that port 443 (https) is unresponsive. This could be due to a firewall blocking incoming requests on that port. Since all port 80 (http) requests are being redirected to port 443 (https), this prevents satisfaction of http-01 challenges. You could try turning off the http to https redirect for now. Once the certificate is acquired and installed you can turn it back on (if that hasn't already happened in the process). At least then you would have your certificate and can debug the port 443 block independently.

Rip · July 7, 2021, 7:33pm

I concur with @griffin here.

PORT    STATE    SERVICE
22/tcp  open     ssh
80/tcp  open     http
443/tcp filtered https

443 should be open for business!

rg305 · July 7, 2021, 8:01pm

OR

You could always handle the authentication requests in HTTP (and redirect all other requests).

griffin · July 7, 2021, 8:29pm

He is using the Plesk Obsidian panel to acquire certificates, so he might not have control over how the authentication requests are handled.

rg305 · July 7, 2021, 8:32pm

I would think so.
But you may be right - this may still require some light hacking.

griffin · July 7, 2021, 8:35pm

Dah.

I missed the root part.

I've always found manually administering a server while using a control panel to be a bit hairy.

rg305 · July 7, 2021, 8:37pm

For NGINX, you could replace the current redirection mechanism with:

  location ^/(?!\.well-known) {            # skip challenge requests
    return 301 https://$host$request_uri;  # send all requests to HTTPS
  }# location

[note: This method implies the use of a root path (and location) for the challenge requests to then use]

ntsluke · July 8, 2021, 9:28am

Hey @Griffin and everyone else. Thanks for the warm welcome.

Using your advice I went ahead and turned off the Permanent SEO-safe 301 redirect from HTTP to HTTPS. This fixed the connectivity issue I was having; the site loads without any issues now, which is great, I'm still getting the same error message when it comes to securing a certificate. See below

Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/14635923917.
Details:
Type: urn:ietf:params:acme:error:connection
Status: 400
Detail: During secondary validation: Fetching http://dan-orourke.com/.well-known/acme-challenge/69AxJlsSZXc73atSGllqcE_atOc4nS1_y9k5pYFhkEU: Timeout during connect (likely firewall problem)

Any other ideas?

ntsluke · July 8, 2021, 9:35am

So I adjusted the firewall and opened up 443, checked it on pentest-tools.com to make sure it was open, and than ran Lets Encrypt, but I received they same error message.

rg305 · July 8, 2021, 1:06pm

Try handling the ACME challenge requests in HTTP instead of redirecting them to HTTPS; as seen in the failed request:

And in either case, check that there are no other devices in line, or services, that may be blocking IPs (i.e. other firewalls, control panel settings, IPS, Geo-Location blocking services, Fail2Ban, etc.)

griffin · July 8, 2021, 2:34pm

There's a huge difference between the secondary validation failure you now see and the primary validation failure you were seeing. Notice that for the primary failure (top) it was your https firewall blockage causing the issue while for the secondary failure (bottom) it was a failure to connect via http. Gigantic difference. The secondary failure could have been caused by many things, like some of those mentioned in the post directly above by @rg305 that are often outside of your control. Try it again.

ntsluke · July 8, 2021, 3:57pm

I tried again and still get this http error. I have 6 other websites on the server and none of them have had this issue. Really odd.

Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/14643095809.
Details:
Type: urn:ietf:params:acme:error:connection
Status: 400
Detail: During secondary validation: Fetching http://dan-orourke.com/.well-known/acme-challenge/2IHKD0glQTPmOkaWnfL0CEypT0_xW-yzUIxjmH8OPk0: Timeout during connect (likely firewall problem)

ntsluke · July 8, 2021, 4:01pm

Nothing apart from the standard firewall. I've even gone to the lengths of opening up ports 80 and 443. However, I've successfully given certificates to all the other sites on the same server without the need to open up any additional ports. It's just this single site causing issues.

griffin · July 8, 2021, 4:20pm

I can access the token just fine. This looks like some type of ISP/regional/dynamic block.

ntsluke · July 8, 2021, 4:51pm

I'm not sure about that as all my other sites were fine. It's just this single website.

ntsluke · July 8, 2021, 4:58pm

Hmm looks so I did a test at Lets Debug and it brought up this.

dan-orourke.com has an A (IPv4) record (213.171.212.37) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.

Not sure how to resolve this as everything seems to be in place as it should.

griffin · July 8, 2021, 5:20pm

That's because your http to https redirect is turned on again and your port 443 is non-responsive.

@ 0ms: Making a request to http://dan-orourke.com/.well-known/acme-challenge/letsdebug-test (using initial IP 213.171.212.37)
@ 0ms: Dialing 213.171.212.37
@ 304ms: Server response: HTTP 301 Moved Permanently
@ 304ms: Received redirect to https://dan-orourke.com/
@ 304ms: Dialing 213.171.212.37
@ 10002ms: Experienced error: context deadline exceeded

Additionally, your redirect is incorrectly structured, so it's stripping the URI of the request off the end when redirecting (the .well-known/acme-challenge/letsdebug-test is missing after the redirect).

griffin · July 8, 2021, 5:38pm

I keep getting intermittent performance for port 443. Sometimes it responds. Sometimes it doesn't. This smells like a responsive firewall issue (like Fail2Ban).

rg305 · July 8, 2021, 5:47pm

I have to agree; as I'm experiencing a similar situation: Where now I can't get any response (even from HTTP).