Unable to issue or renew some certificates

Everything worked perfectly until last week, when the renewal of old certificates stopped working.
After spending some time on this, I have discovered that creating and renewing new certificates works perfectly with my setup, but even when I revoke some of the older certificates and try to recreate them, it no longer works.

The setup is based on HAProxy redirecting to the certbot port 8000.

If anybody has a good idea … it’s becoming urgent as some certificates are coming near the expiration date.

Regards
Claude

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: dev.mediakit.moto-station.com

I ran this command: /usr/bin/certbot certonly --standalone --agree-tos --preferred-challenges http --debug-challenges -v --dry-run --http-01-port 8000 -d dev.mediakit.moto-station.com

It produced this output:

Root logging level set at 10
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requested authenticator standalone and installer None
Single candidate plugin: * standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator
Initialized: <certbot.plugins.standalone.Authenticator object at 0x7f52d18c52e8>
Prep: True
Selected authenticator <certbot.plugins.standalone.Authenticator object at 0x7f52d18c52e8> and installer None
Plugins selected: Authenticator standalone, Installer None
Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri=‘https://acme-staging-v02.api.letsencrypt.org/acme/acct/12798055’, new_authzr_uri=None, terms_of_service=None), 48e73279190ac39fcc6bf1485e76d519, Meta(creation_dt=datetime.datetime(2020, 3, 16, 16, 55, 54, tzinfo=), creation_host=‘varnish4.editions-lariviere.fr’))>
Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
https://acme-staging-v02.api.letsencrypt.org:443 “GET /directory HTTP/1.1” 200 724
Received response:
HTTP 200
Server: nginx
Date: Tue, 17 Mar 2020 08:19:29 GMT
Content-Type: application/json
Content-Length: 724
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
“ULKL4bsTo_w”: “Adding random entries to the directory”,
“keyChange”: “https://acme-staging-v02.api.letsencrypt.org/acme/key-change”,
“meta”: {
“caaIdentities”: [
letsencrypt.org
],
“termsOfService”: “https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf”,
“website”: “https://letsencrypt.org/docs/staging-environment/
},
“newAccount”: “https://acme-staging-v02.api.letsencrypt.org/acme/new-acct”,
“newNonce”: “https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce”,
“newOrder”: “https://acme-staging-v02.api.letsencrypt.org/acme/new-order”,
“revokeCert”: “https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert
}
Obtaining a new certificate
Requesting fresh nonce
Sending HEAD request to https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce.
https://acme-staging-v02.api.letsencrypt.org:443 “HEAD /acme/new-nonce HTTP/1.1” 200 0
Received response:
HTTP 200
Server: nginx
Date: Tue, 17 Mar 2020 08:19:29 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: https://acme-staging-v02.api.letsencrypt.org/directory;rel=“index”
Replay-Nonce: 0001T19YRmd4g76haV8vGcTMCHxc51KjlbdIhqhZEqvjJqM
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

Storing nonce: 0001T19YRmd4g76haV8vGcTMCHxc51KjlbdIhqhZEqvjJqM
JWS payload:
b’{\n “identifiers”: [\n {\n “type”: “dns”,\n “value”: “dev.mediakit.moto-station.com”\n }\n ]\n}’
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/new-order:
{
“protected”: “eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xMjc5ODA1NSIsICJub25jZSI6ICIwMDAxVDE5WVJtZDRnNzZoYVY4dkdjVE1DSHhjNTFLamxiZElocWhaRXF2akpxTSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9uZXctb3JkZXIifQ”,
“signature”: “K_PAUyZyAjwAVtNteokpVaDYThK_mS7ghqK07JwYoPiDzEopHGlAUKE8vzxID1T8tgHxpPu0hFYHI9m-37BupDnbgbt7G5BZzfY_owurJVVoTo62aMzr0bOazi0rbkFPb6MXuKd-7-cNWkFQdd8XeMbapao9K8yzBozpREj7nb7M1aIvJoEY_vU2BPdT6EL9SPH09vsPMK9LrM5LvTYba4tIc76Y-oAEPGTC_bUPrVj2eWPFsy0Mkmlwtyjk4MrPfLY3xsRCNFYzC3tL96EF68Ph_KU0piaa3R-n2vjN6-vTVVhYK05EZroOPbzCUzPD6KtQZD1UHKZXne5YeN4BtA”,
“payload”: “ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogImRldi5tZWRpYWtpdC5tb3RvLXN0YXRpb24uY29tIgogICAgfQogIF0KfQ”
}
https://acme-staging-v02.api.letsencrypt.org:443 “POST /acme/new-order HTTP/1.1” 201 371
Received response:
HTTP 201
Server: nginx
Date: Tue, 17 Mar 2020 08:19:29 GMT
Content-Type: application/json
Content-Length: 371
Connection: keep-alive
Boulder-Requester: 12798055
Cache-Control: public, max-age=0, no-cache
Link: https://acme-staging-v02.api.letsencrypt.org/directory;rel=“index”
Location: https://acme-staging-v02.api.letsencrypt.org/acme/order/12798055/79788692
Replay-Nonce: 00020VwxmtMIfGoRtBjYGh1gdXRaUoFEUPxP-tst-2HpJXg
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
“status”: “pending”,
“expires”: “2020-03-24T08:19:29.449882284Z”,
“identifiers”: [
{
“type”: “dns”,
“value”: “dev.mediakit.moto-station.com
}
],
“authorizations”: [
https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/44164380
],
“finalize”: “https://acme-staging-v02.api.letsencrypt.org/acme/finalize/12798055/79788692
}
Storing nonce: 00020VwxmtMIfGoRtBjYGh1gdXRaUoFEUPxP-tst-2HpJXg
JWS payload:
b’’
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/44164380:
{
“protected”: “eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xMjc5ODA1NSIsICJub25jZSI6ICIwMDAyMFZ3eG10TUlmR29SdEJqWUdoMWdkWFJhVW9GRVVQeFAtdHN0LTJIcEpYZyIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My80NDE2NDM4MCJ9”,
“signature”: “uO8n2AV83NljXrekfX0hBoE_ZWawcED8IQGrkDaQDBeK6m1lXMWPQ8WpEavQgC_2bmonQzY7lud_PUeIF0FFyU6-0mFvecCET73-rAvwbs5olXIhoTj96YnIkH0VosWSEMzOLI7unUttv-TKGdwwJw0wd3UuvY9u8_fsuKWNJXMm2yvaGz6jGstQ_t__58oQaFFWfwN2LKE1Zn24XadTGYTgP-j6cUneSjRYGeyatZAB_Yq_msxUJuByfyFFevu0L-pHSVNpmGwA0N4zCtPvp7pkx9UFjx1Sf-kruPJWSufdCAQQVzkypMFueVkpcmqs_ORlPX4qbPGWUf1_3VOszw”,
“payload”: “”
}
https://acme-staging-v02.api.letsencrypt.org:443 “POST /acme/authz-v3/44164380 HTTP/1.1” 200 825
Received response:
HTTP 200
Server: nginx
Date: Tue, 17 Mar 2020 08:19:29 GMT
Content-Type: application/json
Content-Length: 825
Connection: keep-alive
Boulder-Requester: 12798055
Cache-Control: public, max-age=0, no-cache
Link: https://acme-staging-v02.api.letsencrypt.org/directory;rel=“index”
Replay-Nonce: 0002WiiyTmeKoRiKor_YIpoG2qqHVF3uwpiTHtUbYoQDhmQ
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
“identifier”: {
“type”: “dns”,
“value”: “dev.mediakit.moto-station.com
},
“status”: “pending”,
“expires”: “2020-03-24T08:19:29Z”,
“challenges”: [
{
“type”: “http-01”,
“status”: “pending”,
“url”: “https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/44164380/ARMsGQ”,
“token”: “PFPT3SQ60Z92vGe_dy9Bk70pCM7-O6Lm_q4KNhbWSBo”
},
{
“type”: “dns-01”,
“status”: “pending”,
“url”: “https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/44164380/jtgBmw”,
“token”: “PFPT3SQ60Z92vGe_dy9Bk70pCM7-O6Lm_q4KNhbWSBo”
},
{
“type”: “tls-alpn-01”,
“status”: “pending”,
“url”: “https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/44164380/l9SsCQ”,
“token”: “PFPT3SQ60Z92vGe_dy9Bk70pCM7-O6Lm_q4KNhbWSBo”
}
]
}
Storing nonce: 0002WiiyTmeKoRiKor_YIpoG2qqHVF3uwpiTHtUbYoQDhmQ
Performing the following challenges:
http-01 challenge for dev.mediakit.moto-station.com
Successfully bound to :8000 using IPv6
Certbot wasn’t able to bind to :8000 using IPv4, this is often expected due to the dual stack nature of IPv6 socket implementations.
Waiting for verification…


Challenges loaded. Press continue to submit to CA. Pass “-v” for more info about
challenges.


Press Enter to Continue
JWS payload:
b’{\n “resource”: “challenge”,\n “type”: “http-01”\n}’
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/44164380/ARMsGQ:
{
“protected”: “eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xMjc5ODA1NSIsICJub25jZSI6ICIwMDAyV2lpeVRtZUtvUmlLb3JfWUlwb0cycXFIVkYzdXdwaVRIdFViWW9RRGhtUSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9jaGFsbC12My80NDE2NDM4MC9BUk1zR1EifQ”,
“signature”: “wuR8DVXJFfISSX-vanS7vaKUOB3bYcG6-NVqS9QyHlKWRS2DNE5rNZIxD_9dZfqjs8fTUqg2VqZHfyIKWY5w9gw1qyeo8kjpmrFXTNy_1ajlhAcs3_TlIfF-f-cZIl3biChPr9HBGt-qee1mwbszuUNUN0St6Vi_yl_L5jOqWKHl9FK4lb8dAv8Rqh2HPLElTCpUx875o-ec5-CUwdBjM-7ZxBkoD8dbASGeUWQ3KhJCYOu3x6DbAuojJZ80InDlc55JJJfdvy6RBEOxVQZhF3hIkafZVXpcrvDEBNiSWB8Iuj7ad_awaHQjzYPOIfI7Wo8p3vMG10l6mvNnVZYtSQ”,
“payload”: “ewogICJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiLAogICJ0eXBlIjogImh0dHAtMDEiCn0”
}
https://acme-staging-v02.api.letsencrypt.org:443 “POST /acme/chall-v3/44164380/ARMsGQ HTTP/1.1” 200 191
Received response:
HTTP 200
Server: nginx
Date: Tue, 17 Mar 2020 08:19:33 GMT
Content-Type: application/json
Content-Length: 191
Connection: keep-alive
Boulder-Requester: 12798055
Cache-Control: public, max-age=0, no-cache
Link: https://acme-staging-v02.api.letsencrypt.org/directory;rel=“index”, https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/44164380;rel=“up”
Location: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/44164380/ARMsGQ
Replay-Nonce: 0002Ek9N-353ysXb2GBGjyhqm64znhS-iey_wswhbseeyxE
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
“type”: “http-01”,
“status”: “pending”,
“url”: “https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/44164380/ARMsGQ”,
“token”: “PFPT3SQ60Z92vGe_dy9Bk70pCM7-O6Lm_q4KNhbWSBo”
}
Storing nonce: 0002Ek9N-353ysXb2GBGjyhqm64znhS-iey_wswhbseeyxE
::ffff:127.0.0.1 - - Incoming request
::ffff:127.0.0.1 - - Serving HTTP01 with token ‘PFPT3SQ60Z92vGe_dy9Bk70pCM7-O6Lm_q4KNhbWSBo’
::ffff:127.0.0.1 - - “GET /.well-known/acme-challenge/PFPT3SQ60Z92vGe_dy9Bk70pCM7-O6Lm_q4KNhbWSBo HTTP/1.1” 200 -
JWS payload:
b’’
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/44164380:
{
“protected”: “eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xMjc5ODA1NSIsICJub25jZSI6ICIwMDAyRWs5Ti0zNTN5c1hiMkdCR2p5aHFtNjR6bmhTLWlleV93c3doYnNlZXl4RSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My80NDE2NDM4MCJ9”,
“signature”: “vvi1kTJj90F4q-G0prtWV_53lusj4LMOCn5E_8TfmzXD4BejY4P_NBdDva4O3gXGsTd0Go5xgpxA4f7zjqFDhYlvH8YS6YFGlEHs4WgAsdJN15M8ovoxZ3sqMWDd5BurZq1eaO12bALBYs3vabFsxhQ1sQBkUmlMNxbvu1V8d_Rjvd-4IcDNPQJZsNpALIjPsKIzdJpkvsrvYWZ_KGLxIdhE64okQP9ninju-iT-76obm4xqwpiXK5R9kDM8mGj1wmQeRpGWGOoM_VTIvY2mHUFYJEQHTW1iTbOrc8yAYouFR2Ay0mIL2K_PiN_i-dvNwufFNHOGDiozFNtx3-FOKg”,
“payload”: “”
}
https://acme-staging-v02.api.letsencrypt.org:443 “POST /acme/authz-v3/44164380 HTTP/1.1” 200 1078
Received response:
HTTP 200
Server: nginx
Date: Tue, 17 Mar 2020 08:19:36 GMT
Content-Type: application/json
Content-Length: 1078
Connection: keep-alive
Boulder-Requester: 12798055
Cache-Control: public, max-age=0, no-cache
Link: https://acme-staging-v02.api.letsencrypt.org/directory;rel=“index”
Replay-Nonce: 0001QtsdG2xdx90SJTi3fdr1iUb02-gEdacRYUMO3iT33vw
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
“identifier”: {
“type”: “dns”,
“value”: “dev.mediakit.moto-station.com
},
“status”: “invalid”,
“expires”: “2020-03-24T08:19:29Z”,
“challenges”: [
{
“type”: “http-01”,
“status”: “invalid”,
“error”: {
“type”: “urn:ietf:params:acme:error:unauthorized”,
“detail”: “During secondary validation: Invalid response from http://dev.mediakit.moto-station.com/.well-known/acme-challenge/PFPT3SQ60Z92vGe_dy9Bk70pCM7-O6Lm_q4KNhbWSBo [195.154.143.35]: 401”,
“status”: 403
},
“url”: “https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/44164380/ARMsGQ”,
“token”: “PFPT3SQ60Z92vGe_dy9Bk70pCM7-O6Lm_q4KNhbWSBo”,
“validationRecord”: [
{
“url”: “http://dev.mediakit.moto-station.com/.well-known/acme-challenge/PFPT3SQ60Z92vGe_dy9Bk70pCM7-O6Lm_q4KNhbWSBo”,
“hostname”: “dev.mediakit.moto-station.com”,
“port”: “80”,
“addressesResolved”: [
“195.154.143.35”
],
“addressUsed”: “195.154.143.35”
}
]
}
]
}
Storing nonce: 0001QtsdG2xdx90SJTi3fdr1iUb02-gEdacRYUMO3iT33vw
Reporting to user: The following errors were reported by the server:

Domain: dev.mediakit.moto-station.com
Type: unauthorized
Detail: During secondary validation: Invalid response from http://dev.mediakit.moto-station.com/.well-known/acme-challenge/PFPT3SQ60Z92vGe_dy9Bk70pCM7-O6Lm_q4KNhbWSBo [195.154.143.35]: 401

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
Encountered exception:
Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 82, in handle_authorizations
self._respond(aauthzrs, resp, best_effort)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 168, in _respond
self._poll_challenges(aauthzrs, chall_update, best_effort)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 239, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. dev.mediakit.moto-station.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: During secondary validation: Invalid response from http://dev.mediakit.moto-station.com/.well-known/acme-challenge/PFPT3SQ60Z92vGe_dy9Bk70pCM7-O6Lm_q4KNhbWSBo [195.154.143.35]: 401

Calling registered functions
Cleaning up challenges
Stopping server at :::8000…
Exiting abnormally:
Traceback (most recent call last):
File “/usr/bin/certbot”, line 11, in
load_entry_point(‘certbot==0.31.0’, ‘console_scripts’, ‘certbot’)()
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 1365, in main
return config.func(config, plugins)
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 1250, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 121, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File “/usr/lib/python3/dist-packages/certbot/client.py”, line 410, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File “/usr/lib/python3/dist-packages/certbot/client.py”, line 353, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File “/usr/lib/python3/dist-packages/certbot/client.py”, line 389, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 82, in handle_authorizations
self._respond(aauthzrs, resp, best_effort)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 168, in _respond
self._poll_challenges(aauthzrs, chall_update, best_effort)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 239, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. dev.mediakit.moto-station.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: During secondary validation: Invalid response from http://dev.mediakit.moto-station.com/.well-known/acme-challenge/PFPT3SQ60Z92vGe_dy9Bk70pCM7-O6Lm_q4KNhbWSBo [195.154.143.35]: 401
Failed authorization procedure. dev.mediakit.moto-station.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: During secondary validation: Invalid response from http://dev.mediakit.moto-station.com/.well-known/acme-challenge/PFPT3SQ60Z92vGe_dy9Bk70pCM7-O6Lm_q4KNhbWSBo [195.154.143.35]: 401

IMPORTANT NOTES:

My web server is (include version):

haproxy

frontend
    acl is_certbot path_beg -i /.well-known/acme-challenge
backend certbot
    log global
    mode http
    server certbot 127.0.0.1:8000

The operating system my web server runs on is (include version):
Ubuntu 18.04
My hosting provider, if applicable, is:
myself
I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
N/A
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.30.0

1 Like

This URL asks for a user/password. The authenticator won't provide that.

1 Like

I forgot to mention …

After doing some debugging on the working and non-working domains, I found the following difference:

Working domain

Storing nonce: 00018HClqjyUkZUOp1kWaALR8JAiyt49jR9Nimy0G67qVnA

::ffff:127.0.0.1 - - Incoming request
::ffff:127.0.0.1 - - Serving HTTP01 with token ‘s-YqfMZW8vqXpLiQlgffFmTB0X8SVIR-fYcq3CGYZzU’
::ffff:127.0.0.1 - - “GET /.well-known/acme-challenge/s-YqfMZW8vqXpLiQlgffFmTB0X8SVIR-fYcq3CGYZzU HTTP/1.1” 200 -
::ffff:127.0.0.1 - - Incoming request
::ffff:127.0.0.1 - - Serving HTTP01 with token ‘s-YqfMZW8vqXpLiQlgffFmTB0X8SVIR-fYcq3CGYZzU’
::ffff:127.0.0.1 - - “GET /.well-known/acme-challenge/s-YqfMZW8vqXpLiQlgffFmTB0X8SVIR-fYcq3CGYZzU HTTP/1.1” 200 -
::ffff:127.0.0.1 - - Incoming request
::ffff:127.0.0.1 - - Serving HTTP01 with token ‘s-YqfMZW8vqXpLiQlgffFmTB0X8SVIR-fYcq3CGYZzU’
::ffff:127.0.0.1 - - “GET /.well-known/acme-challenge/s-YqfMZW8vqXpLiQlgffFmTB0X8SVIR-fYcq3CGYZzU HTTP/1.1” 200 -
::ffff:127.0.0.1 - - Incoming request
::ffff:127.0.0.1 - - Serving HTTP01 with token ‘s-YqfMZW8vqXpLiQlgffFmTB0X8SVIR-fYcq3CGYZzU’
::ffff:127.0.0.1 - - “GET /.well-known/acme-challenge/s-YqfMZW8vqXpLiQlgffFmTB0X8SVIR-fYcq3CGYZzU HTTP/1.1” 200 -
JWS payload:
b’’
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/44164841:

Non-working domain

Storing nonce: 0002Ek9N-353ysXb2GBGjyhqm64znhS-iey_wswhbseeyxE

::ffff:127.0.0.1 - - Incoming request
::ffff:127.0.0.1 - - Serving HTTP01 with token ‘PFPT3SQ60Z92vGe_dy9Bk70pCM7-O6Lm_q4KNhbWSBo’
::ffff:127.0.0.1 - - “GET /.well-known/acme-challenge/PFPT3SQ60Z92vGe_dy9Bk70pCM7-O6Lm_q4KNhbWSBo HTTP/1.1” 200 -
JWS payload:
b’’
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/44164380:

But I don't know why …

1 Like

This means that most probably your acl is blocking something it's not supposed to.

How is your acl configured?

1 Like

I have an ACL for certbot's IP:

acl certbot src 66.133.109.36/32

Has this changed?

1 Like

Yes.

You should not block any IP, they can change at any moment.

(currently, it’s random anonymous AWS IPs)

1 Like

Yes, just seen it …

I have changed the HAProxy access ACLs and now it's working!!

Thank you for pointing out the problem! It's been driving me crazy for a couple of days!

Regards
Claude

2 Likes
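
The comparison made in the thread (whether validation requests reached certbot's standalone server, against the HTTP status the CA reported) can be scripted over a certbot debug log. This is an added example, not code from the posters or from certbot; the function name `triage`, the verdict labels and the sample log (constructed, using example.com and a documentation IP address) are assumptions.

```python
import re
from collections import Counter

# Line logged by certbot's standalone server when a validation request reaches it.
SERVED = re.compile(r"Serving HTTP01 with token\s+\W?([A-Za-z0-9_-]+)")
# ACME error detail in the form shown in the thread.
FAILED = re.compile(
    r"(?P<secondary>During secondary validation: )?Invalid response from "
    r"http://(?P<host>[^/\s]+)/\.well-known/acme-challenge/(?P<token>[A-Za-z0-9_-]+)"
    r"\s+\[(?P<ip>[^\]]+)\]:\s*(?P<status>\d{3})"
)

def triage(log_text):
    """Compare what the CA reported with what actually reached certbot."""
    hits = Counter(SERVED.findall(log_text))
    findings, seen = [], set()
    for m in FAILED.finditer(log_text):
        token = m.group("token")
        if token in seen:          # certbot repeats the same error several times
            continue
        seen.add(token)
        status, local = int(m.group("status")), hits[token]
        if local and status in (401, 403):
            # One validator got through, another was answered with an auth/deny
            # response by something in front of certbot: a source-based rule.
            verdict = "filtered-before-certbot"
        elif local:
            verdict = "partial-reachability"
        else:
            verdict = "never-reached-certbot"
        findings.append({
            "host": m.group("host"), "token": token, "status": status,
            "resolved_ip": m.group("ip"), "local_hits": local,
            "secondary": bool(m.group("secondary")), "verdict": verdict,
        })
    return findings

# Constructed sample in the format of the log above (not real data).
SAMPLE_LOG = """\
::ffff:127.0.0.1 - - Incoming request
::ffff:127.0.0.1 - - Serving HTTP01 with token 'CONSTRUCTED-token_0001'
::ffff:127.0.0.1 - - "GET /.well-known/acme-challenge/CONSTRUCTED-token_0001 HTTP/1.1" 200 -
Detail: During secondary validation: Invalid response from http://dev.example.com/.well-known/acme-challenge/CONSTRUCTED-token_0001 [192.0.2.10]: 401
Failed authorization procedure. dev.example.com (http-01): During secondary validation: Invalid response from http://dev.example.com/.well-known/acme-challenge/CONSTRUCTED-token_0001 [192.0.2.10]: 401
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A `filtered-before-certbot` verdict points at the proxy's source-address rules rather than at DNS or at certbot itself.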
