Urn:acme:error:connection - Challenge Failed

Hi All,

My Boulder instance is running fine in an Ubuntu VM box.

I have an ACME client and have connected to Boulder. While generating certificates, the challenge fails. Here is the error stack.

JSON TOKEN: {"type":"http-01","status":"invalid","error":{"type":"urn:acme:error:connection","detail":"Could not connect to www.provteam.in:5002","status":400},"uri":"http://192.168.1.143:4000/acme/challenge/0ba_zpYl6yl_41tmj3q-_GdZKqANyWx-y1Yrr2jTWtU/37","token":"ZLAMteETbUOWdoK82fxakDIoTo3daAy5qly7T0XytvQ","keyAuthorization":"ZLAMteETbUOWdoK82fxakDIoTo3daAy5qly7T0XytvQ.yzBaTGln-PILBEuo8dTkTtK59vmWsw4ypwcejxCJ7ts","validationRecord":[{"url":"http://www.provteam.in:5002/.well-known/acme-challenge/ZLAMteETbUOWdoK82fxakDIoTo3daAy5qly7T0XytvQ","hostname":"www.provteam.in","port":"5002","addressesResolved":["127.0.0.1"],"addressUsed":"127.0.0.1"}]}

I have opened port 5002 and no services are running on this port.

Is there any config I need to change?

Thanks in advance.

Can you provide a little more background detail? The http-01 challenge will be on port 80 (not 5002). You also have a link to an internal IP (192.168.1.143:400).

Sure serverco.

192.168.1.143:4000 is where I have installed the Boulder instance.

By default in Boulder, the VA is configured to connect to 5002 to validate the HTTP-01 challenge. As I'm facing an error, I have changed the VA port config to port 80 and 443. But I'm still facing the challenge failure.

The fake DNS for my Boulder is 172.17.0.1. I have modified this in the docker-compose file. Now I'm getting the below error.

JSON TOKEN: {"type":"http-01","status":"invalid","error":{"type":"urn:acme:error:connection","detail":"Could not connect to www.provteam.in","status":400},"uri":"http://192.168.1.143:4000/acme/challenge/Cuv6CmbM8-gNqkoOlEX6XAUiJaUP_hYMgX30iEtV2iE/59","token":"JGpnwSgJdztH9VTPNdtoZDdQTklvAlFYDw0ZJf6Jbok","keyAuthorization":"JGpnwSgJdztH9VTPNdtoZDdQTklvAlFYDw0ZJf6Jbok.nItNAASpmAdMIfl8PldWo6xQoVQ9QrB2aVRkiYny1go","validationRecord":[{"url":"http://www.provteam.in/.well-known/acme-challenge/JGpnwSgJdztH9VTPNdtoZDdQTklvAlFYDw0ZJf6Jbok","hostname":"www.provteam.in","port":"80","addressesResolved":["172.17.0.1"],"addressUsed":"172.17.0.1"}]}

Thanks - I’d completely missed that you were running your own docker :wink:

The error being - "Could not connect to www.provteam.in","status"

If you manually try going to http://www.provteam.in/.well-known/acme-challenge/JGpnwSgJdztH9VTPNdtoZDdQTklvAlFYDw0ZJf6Jbok can you reach that location and obtain a response?

Yes. I am able to reach it from my browser and can view the response.

Have you checked the address resolved and address used? It is 172.17.0.1, which is the fake DNS for Docker. But the address resolved and address used IP should be my domain's IP. Please correct me if I am wrong.

It depends what machine you are running the ACME client on

From Boulder

In order to talk to a letsencrypt client running on the host, the fake DNS client used in Boulder's start.py needs to know what the host's IP is from the perspective of the container. The default value is 127.0.0.1. If you'd like your Boulder instance to always talk to some other host, you can set FAKE_DNS to that host's IP address.

From another thread -


Hey gotttt itttt…:grin:

I have mapped the fake DNS to my host server IP and the challenge succeeded.

thanks a lottttt…

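The `validationRecord` in both failed challenges above already shows where the VA tried to connect. The following is an added example, not part of the original thread or of Boulder's code: a small Python check that reads a failed http-01 challenge object and flags a loopback or private `addressUsed` and a non-80 port. The function name `diagnose` and the finding codes are hypothetical, and it assumes a Boulder test instance where non-public answers come from `FAKE_DNS`.

```python
import ipaddress
import json

# The two challenge objects from the thread, trimmed to the fields read below.
FIRST = json.loads("""
{"type": "http-01", "status": "invalid",
 "error": {"type": "urn:acme:error:connection",
           "detail": "Could not connect to www.provteam.in:5002", "status": 400},
 "validationRecord": [{"hostname": "www.provteam.in", "port": "5002",
                       "addressesResolved": ["127.0.0.1"], "addressUsed": "127.0.0.1"}]}
""")
SECOND = json.loads("""
{"type": "http-01", "status": "invalid",
 "error": {"type": "urn:acme:error:connection",
           "detail": "Could not connect to www.provteam.in", "status": 400},
 "validationRecord": [{"hostname": "www.provteam.in", "port": "80",
                       "addressesResolved": ["172.17.0.1"], "addressUsed": "172.17.0.1"}]}
""")


def diagnose(challenge):
    """Return (code, message) findings for a failed http-01 challenge object."""
    findings = []
    if challenge.get("status") != "invalid":
        return findings
    for rec in challenge.get("validationRecord", []):
        host, addr = rec.get("hostname"), rec.get("addressUsed")
        if addr:
            ip = ipaddress.ip_address(addr)
            # Loopback is tested first: 127.0.0.1 also counts as private.
            scope = "loopback" if ip.is_loopback else "private" if ip.is_private else None
            if scope:
                findings.append((f"{scope}-address",
                    f"{host} resolved to {addr}: the answer came from the test "
                    "resolver (FAKE_DNS), so the challenge responder must be "
                    "reachable at that address from inside the Boulder container"))
        if rec.get("port") != "80":
            findings.append(("non-standard-port",
                f"validation connected to port {rec.get('port')}; "
                "http-01 is served on port 80 outside test configurations"))
    return findings


if __name__ == "__main__":
    for name, chall in (("first attempt", FIRST), ("second attempt", SECOND)):
        for code, message in diagnose(chall):
            print(f"{name}: [{code}] {message}")
```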