Unable to reach Challenge URL. Max retries exceeded

Please fill out the fields below so we can help you better.

My domain is: www.expo.exchange

Using jrcs/letsencrypt-nginx-proxy-companion

It produced this output:

Creating/renewal www.expo.exchange certificates... (www.expo.exchange)
2017-02-21 03:03:17,442:INFO:simp_le:1211: Generating new account key
2017-02-21 03:03:18,443:INFO:requests.packages.urllib3.connectionpool:756: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2017-02-21 03:03:19,436:INFO:requests.packages.urllib3.connectionpool:756: Starting new HTTPS connection (1): letsencrypt.org
2017-02-21 03:03:20,460:INFO:requests.packages.urllib3.connectionpool:207: Starting new HTTP connection (1): www.expo.exchange
2017-02-21 03:05:27,857:ERROR:acme.challenges:256: Unable to reach http://www.expo.exchange/.well-known/acme-challenge/6qJfCUjX0RbwYjclZ5rQoa09R4WG2wFEDtIuSbBOQLI: HTTPConnectionPool(host='www.expo.exchange', port=80): Max retries exceeded with url: /.well-known/acme-challenge/6qJfCUjX0RbwYjclZ5rQoa09R4WG2wFEDtIuSbBOQLI (Caused by NewConnectionError('<requests.packages.urllib3.connection.HTTPConnection object at 0x7fd7ecfe7190>: Failed to establish a new connection: [Errno 110] Operation timed out',))
2017-02-21 03:05:27,858:WARNING:simp_le:1303: www.expo.exchange was not successfully self-verified. CA is likely to fail as well!
2017-02-21 03:05:28,073:INFO:simp_le:1313: Generating new certificate private key
2017-02-21 03:05:29,013:INFO:simp_le:391: Saving account_key.json
2017-02-21 03:05:29,014:INFO:simp_le:391: Saving key.pem
2017-02-21 03:05:29,014:INFO:simp_le:391: Saving chain.pem
2017-02-21 03:05:29,015:INFO:simp_le:391: Saving fullchain.pem
2017-02-21 03:05:29,015:INFO:simp_le:391: Saving cert.pem
Reloading nginx proxy...

My operating system is (include version):

My web server is (include version): Nginx-proxy

My hosting provider, if applicable, is: Docker on DigitalOcean, DNS via Route53

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

More Details:

When I hit the challenge URL directly, it force downloads a file. Not sure why the connection is timing out for LetsEncrypt.

Hi @danmandle, one possibility would be a firewall rule on the server that stops it from connecting directly to itself (thus making simp_le wrongly think that the challenge isn’t set up correctly). Could you try accessing the challenge URL with curl on your server, instead of from your browser on your desktop computer? Do you see the same contents that way as you do in the file that gets downloaded in the browser?

Thanks for the quick response! Good thinking on the curl command. You’re right:

<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.11.9</center>
</body>
</html>

So that’s interesting. I’ll have to take a closer look at why that’s happening.

You can add a -v to find out where it thinks it moved to… that might help for investigating this further.

$ curl -vI http://www.expo.exchange/.well-known/acme-challenge/6qJfCUjX0RbwYjclZ5rQoa09R4WG2wFEDtIuSbBOQLI
*   Trying 138.68.228.41...
* Connected to www.expo.exchange (138.68.228.41) port 80 (#0)
> HEAD /.well-known/acme-challenge/6qJfCUjX0RbwYjclZ5rQoa09R4WG2wFEDtIuSbBOQLI HTTP/1.1
> Host: www.expo.exchange
> User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
> Accept: */*
> Referer:
>
< HTTP/1.1 301 Moved Permanently
HTTP/1.1 301 Moved Permanently
< Server: nginx/1.11.9
Server: nginx/1.11.9
< Date: Tue, 21 Feb 2017 03:42:39 GMT
Date: Tue, 21 Feb 2017 03:42:39 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 185
Content-Length: 185
< Connection: keep-alive
Connection: keep-alive
< Location: https://www.expo.exchange/.well-known/acme-challenge/6qJfCUjX0RbwYjclZ5rQoa09R4WG2wFEDtIuSbBOQLI
Location: https://www.expo.exchange/.well-known/acme-challenge/6qJfCUjX0RbwYjclZ5rQoa09R4WG2wFEDtIuSbBOQLI

<
* Connection #0 to host www.expo.exchange left intact
dm-macbook:~ danmandle$ curl -vI
dm-macbook:~ danmandle$ curl -vLI http://www.expo.exchange/.well-known/acme-challenge/6qJfCUjX0RbwYjclZ5rQoa09R4WG2wFEDtIuSbBOQLI
*   Trying 138.68.228.41...
* Connected to www.expo.exchange (138.68.228.41) port 80 (#0)
> HEAD /.well-known/acme-challenge/6qJfCUjX0RbwYjclZ5rQoa09R4WG2wFEDtIuSbBOQLI HTTP/1.1
> Host: www.expo.exchange
> User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
> Accept: */*
> Referer:
>
< HTTP/1.1 301 Moved Permanently
HTTP/1.1 301 Moved Permanently
< Server: nginx/1.11.9
Server: nginx/1.11.9
< Date: Tue, 21 Feb 2017 03:42:54 GMT
Date: Tue, 21 Feb 2017 03:42:54 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 185
Content-Length: 185
< Connection: keep-alive
Connection: keep-alive
< Location: https://www.expo.exchange/.well-known/acme-challenge/6qJfCUjX0RbwYjclZ5rQoa09R4WG2wFEDtIuSbBOQLI
Location: https://www.expo.exchange/.well-known/acme-challenge/6qJfCUjX0RbwYjclZ5rQoa09R4WG2wFEDtIuSbBOQLI

<
* Connection #0 to host www.expo.exchange left intact
* Issue another request to this URL: 'https://www.expo.exchange/.well-known/acme-challenge/6qJfCUjX0RbwYjclZ5rQoa09R4WG2wFEDtIuSbBOQLI'
* Found bundle for host www.expo.exchange: 0x7fcfc150fee0
*   Trying 138.68.228.41...
* Connected to www.expo.exchange (138.68.228.41) port 443 (#1)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate: www.expo.exchange
* Server certificate: Let's Encrypt Authority X3
* Server certificate: DST Root CA X3
> HEAD /.well-known/acme-challenge/6qJfCUjX0RbwYjclZ5rQoa09R4WG2wFEDtIuSbBOQLI HTTP/1.1
> Host: www.expo.exchange
> User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
> Accept: */*
> Referer: http://www.expo.exchange/.well-known/acme-challenge/6qJfCUjX0RbwYjclZ5rQoa09R4WG2wFEDtIuSbBOQLI
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: nginx/1.11.9
Server: nginx/1.11.9
< Date: Tue, 21 Feb 2017 03:42:54 GMT
Date: Tue, 21 Feb 2017 03:42:54 GMT
< Content-Type: application/octet-stream
Content-Type: application/octet-stream
< Content-Length: 87
Content-Length: 87
< Last-Modified: Tue, 21 Feb 2017 03:03:20 GMT
Last-Modified: Tue, 21 Feb 2017 03:03:20 GMT
< Connection: keep-alive
Connection: keep-alive
< ETag: "58abadf8-57"
ETag: "58abadf8-57"
< Strict-Transport-Security: max-age=31536000
Strict-Transport-Security: max-age=31536000
< Accept-Ranges: bytes
Accept-Ranges: bytes

<
* Connection #1 to host www.expo.exchange left intact

Can you get the challenge response with curl -L, which should follow the redirect?
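The self-check this thread keeps running by hand with curl, as an added example (not part of the original posts and not simp_le's code). It requests the challenge URL from the server itself, records every redirect hop, and separates "cannot connect at all" from "redirected" and "wrong body". The function name, verdict strings and hop limit are assumptions made for illustration.

```python
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 5  # assumption: small cap so a redirect loop terminates


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface each 3xx as HTTPError so every hop can be recorded."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def check_challenge(url, timeout=5.0):
    """Fetch an HTTP-01 challenge URL; return (verdict, [(status, url), ...])."""
    # Direct connection, no environment proxies: the point is to test this path.
    opener = urllib.request.build_opener(NoRedirect, urllib.request.ProxyHandler({}))
    token = urlsplit(url).path.rsplit("/", 1)[-1]
    hops = []
    for _ in range(MAX_HOPS):
        try:
            with opener.open(url, timeout=timeout) as resp:
                status = resp.status
                body = resp.read(512).decode("ascii", "replace").strip()
        except urllib.error.HTTPError as err:
            hops.append((err.code, url))
            location = err.headers.get("Location")
            if err.code in (301, 302, 303, 307, 308) and location:
                url = urljoin(url, location)  # e.g. the http -> https 301 above
                continue
            return "http-error", hops
        except OSError:
            # Timeout, refused connection, DNS or TLS failure: the case simp_le
            # logged as "Unable to reach" (Errno 110) in the first post.
            hops.append((None, url))
            return "unreachable", hops
        hops.append((status, url))
        # The key authorization served for a token is "<token>.<account thumbprint>".
        return ("ok" if body.startswith(token + ".") else "wrong-body"), hops
    return "redirect-loop", hops


if __name__ == "__main__" and len(sys.argv) == 2:
    verdict, hops = check_challenge(sys.argv[1])
    for status, hop in hops:
        print(status, hop)
    print("verdict:", verdict)
```

Run it on the host that serves the site (and, for a containerised setup, from inside the container that performs the self-check), since a verdict of "unreachable" there while a desktop browser succeeds points at the local firewall or routing rather than at the web server configuration.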
