Urn:acme:error:connection :: The server could not connect to the client to verify the domain

I have set up a Let's Encrypt CA server and I am trying to generate a certificate from this server with the help of Certbot. All systems are running on the local network and Ubuntu.

When I run the command below;

certbot certonly --standalone --server http://localca:4000/directory -d localdomain.com

Output is;

Starting new HTTPS connection (1): supporters.eff.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for localdomain.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. localdomain.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://localdomain.com/.well-known/acme-challenge/rjjWqhInCrwk7UHx90Ij3DtAIyfFyyjtLQZYAuVSpK4: Connection refused

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: localdomain.com
   Type:   connection
   Detail: Fetching
   http://localdomain.com/.well-known/acme-challenge/rjjWqhInCrwk7UHx90Ij3DtAIyfFyyjtLQZYAuVSpK4:
   Connection refused

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

And the letsencrypt log is:

2019-06-27 15:38:40,374:DEBUG:certbot.main:certbot version: 0.31.0
2019-06-27 15:38:40,375:DEBUG:certbot.main:Arguments: ['--standalone', '--server', 'http://localca:4000/directory', '-d', 'localdomain']
2019-06-27 15:38:40,376:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-06-27 15:38:40,385:DEBUG:certbot.log:Root logging level set at 20
2019-06-27 15:38:40,385:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-06-27 15:38:40,386:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer None
2019-06-27 15:38:40,480:DEBUG:certbot.plugins.selection:Single candidate plugin: * standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator
Initialized: <certbot.plugins.standalone.Authenticator object at 0x7f83d868c6d8>
Prep: True
2019-06-27 15:38:40,481:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.standalone.Authenticator object at 0x7f83d868c6d8> and installer None
2019-06-27 15:38:40,481:INFO:certbot.plugins.selection:Plugins selected: Authenticator standalone, Installer None
2019-06-27 15:38:40,504:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(uri='http://localca:4000/acme/reg/3', terms_of_service=None, body=Registration(only_return_existing=None, extern$
2019-06-27 15:38:40,506:DEBUG:acme.client:Sending GET request to http://localca:4000/directory.
2019-06-27 15:38:40,510:INFO:requests.packages.urllib3.connectionpool:Starting new HTTP connection (1): localca
2019-06-27 15:38:40,512:DEBUG:requests.packages.urllib3.connectionpool:"GET /directory HTTP/1.1" 200 584
2019-06-27 15:38:40,513:DEBUG:acme.client:Received response:
HTTP 200
Date: Thu, 27 Jun 2019 12:38:40 GMT
Content-Type: application/json
Content-Length: 584
Cache-Control: public, max-age=0, no-cache
Replay-Nonce: S_HNTw71IYM8iWx_KipijVJgwkJxtwSs3EQGrhhJhCU

{
  "key-change": "http://localca:4000/acme/key-change",
  "meta": {
    "caaIdentities": [
      "happy-hacker-ca.invalid"
    ],
    "terms-of-service": "http://boulder:4000/terms/v1",
    "website": "https://github.com/letsencrypt/boulder"
  },
  "new-authz": "http://localca:4000/acme/new-authz",
  "new-cert": "http://localca:4000/acme/new-cert",
  "new-reg": "http://localca:4000/acme/new-reg",
  "revoke-cert": "http://localca:4000/acme/revoke-cert",
  "xsrsNtQOaJA": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417"
}
2019-06-27 15:38:40,514:INFO:certbot.main:Obtaining a new certificate
2019-06-27 15:38:40,663:DEBUG:certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0115_key-certbot.pem
2019-06-27 15:38:40,667:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0115_csr-certbot.pem
2019-06-27 15:38:40,668:DEBUG:acme.client:Requesting fresh nonce
2019-06-27 15:38:40,668:DEBUG:acme.client:Sending HEAD request to http://localca:4000/acme/new-authz.
2019-06-27 15:38:40,670:DEBUG:requests.packages.urllib3.connectionpool:"HEAD /acme/new-authz HTTP/1.1" 405 0
2019-06-27 15:38:40,671:DEBUG:acme.client:Received response:
HTTP 405
Allow: POST
Date: Thu, 27 Jun 2019 12:38:40 GMT
Content-Length: 91
Replay-Nonce: J137nXMD2y-Lg_Csa_wuyOYBbr1lLfHaKFOgqPBUCI8
Content-Type: application/problem+json
2019-06-27 15:38:40,671:DEBUG:acme.client:Storing nonce: J137nXMD2y-Lg_Csa_wuyOYBbr1lLfHaKFOgqPBUCI8
2019-06-27 15:38:40,671:DEBUG:acme.client:JWS payload:
b'{\n  "resource": "new-authz",\n  "identifier": {\n    "type": "dns",\n    "value": "localdomain"\n  }\n}'
2019-06-27 15:38:40,674:DEBUG:acme.client:Sending POST request to http://localca:4000/acme/new-authz:
{
  "payload": "ewogICJyZXNvdXJjZSI6ICJuZXctYXV0aHoiLAogICJpZGVudGlmaWVyIjogewogICAgInR5cGUiOiAiZG5zIiwKICAgICJ2YWx1ZSI6ICJyb2J1c3Q1Lm1xdHQuY29tIgogIH0KfQ",
  "protected": "eyJqd2siOiB7Imt0eSI6ICJSU0EiLCAiZSI6ICJBUUFCIiwgIm4iOiAidGJMQUNscFR4bjBUd2t0ZXI4cXpackVhREoxNXBzV1MtbDRkV3ZJYnRRVzNyQjIyRWJOLVQtOS1oanB6eXFQd0RkbW1QVUNZdzdTbkJOM3NkeDdMNUlVMXZSdjdOTWZTRDNaRm$
  "signature": "TqT0HF0eNHa_Gt4B8wcbPp5TReb4ZKGtvR0p6bcj1kU_E1_vNsApW96I1Q9IjGPNlTJu6t6YUbLW5JkDbFhKgbIVkAJAvTsk91CkzsCtzXmnc9-oiO4Yrdi_zCWGVo9N84WMPbMBQT_vhrWz4BAPFJqICJciIUasiIf24uh8nqaizi4AD0gqEhN9FEf2-p$
}
2019-06-27 15:38:40,688:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/new-authz HTTP/1.1" 201 935
2019-06-27 15:38:40,689:DEBUG:acme.client:Received response:
HTTP 201
Location: http://localca:4000/acme/authz/j_YMkgogruGpmsfFDmZCxWioxkDtm8ZBLTuXMp70Bcs
Link: <http://localca:4000/acme/new-cert>;rel="next"
Boulder-Requester: 3
Date: Thu, 27 Jun 2019 12:38:40 GMT
Content-Length: 935
Cache-Control: public, max-age=0, no-cache
Content-Type: application/json
Replay-Nonce: C9KVfnMQggI06S_PrVUylNV2pg-PDDxpn8RzzdYjHH0

{
  "identifier": {
    "type": "dns",
    "value": "localdomain"
 },
  "status": "pending",
  "expires": "2019-07-04T12:38:40Z",
  "challenges": [
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "uri": "http://localca:4000/acme/challenge/j_YMkgogruGpmsfFDmZCxWioxkDtm8ZBLTuXMp70Bcs/25",
      "token": "Y7ofVG_QBpHtDazmQWfxJlhw6DxFdeNYR3cRD4of2-g"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "http://localca:4000/acme/challenge/j_YMkgogruGpmsfFDmZCxWioxkDtm8ZBLTuXMp70Bcs/26",
      "token": "I14ZrQyc_p19Jo5tQmQ6TOmnfkrptT0NJ6BilDQoqX0"
    },
    {
      "type": "http-01",
      "status": "pending",
      "uri": "http://localca:4000/acme/challenge/j_YMkgogruGpmsfFDmZCxWioxkDtm8ZBLTuXMp70Bcs/27",
      "token": "vbcMUeLszxvNQhsCk8wShbtha6Np_g8HUK2G04n0y1A"
    }
  ],
  "combinations": [
    [
      0
    ],
    [
      1
    ],
    [
      2
    ]
  ]
}
2019-06-27 15:38:40,689:DEBUG:acme.client:Storing nonce: C9KVfnMQggI06S_PrVUylNV2pg-PDDxpn8RzzdYjHH0
2019-06-27 15:38:40,690:INFO:certbot.auth_handler:Performing the following challenges:
2019-06-27 15:38:40,690:INFO:certbot.auth_handler:http-01 challenge for localdomain
2019-06-27 15:38:40,690:DEBUG:acme.standalone:Successfully bound to :80 using IPv6
2019-06-27 15:38:40,692:DEBUG:acme.standalone:Certbot wasn't able to bind to :80 using IPv4, this is often expected due to the dual stack nature of IPv6 socket implementations.
2019-06-27 15:38:40,695:INFO:certbot.auth_handler:Waiting for verification...
2019-06-27 15:38:40,696:DEBUG:acme.client:JWS payload:
b'{\n  "type": "http-01",\n  "keyAuthorization": "vbcMUeLszxvNQhsCk8wShbtha6Np_g8HUK2G04n0y1A.u_bhnTNJsYuuAK1UB8hTHC_G7rDJhn-0pwslpRA1jzA",\n  "resource": "challenge"\n}'
2019-06-27 15:38:40,698:DEBUG:acme.client:Sending POST request to http://localca:4000/acme/challenge/j_YMkgogruGpmsfFDmZCxWioxkDtm8ZBLTuXMp70Bcs/27:
{
  "payload": "ewogICJ0eXBlIjogImh0dHAtMDEiLAogICJrZXlBdXRob3JpemF0aW9uIjogInZiY01VZUxzenh2TlFoc0NrOHdTaGJ0aGE2TnBfZzhIVUsyRzA0bjB5MUEudV9iaG5UTkpzWXV1QUsxVUI4aFRIQ19HN3JESmhuLTBwd3NscFJBMWp6QSIsCiAgInJlc291$
  "protected": "eyJqd2siOiB7Imt0eSI6ICJSU0EiLCAiZSI6ICJBUUFCIiwgIm4iOiAidGJMQUNscFR4bjBUd2t0ZXI4cXpackVhREoxNXBzV1MtbDRkV3ZJYnRRVzNyQjIyRWJOLVQtOS1oanB6eXFQd0RkbW1QVUNZdzdTbkJOM3NkeDdMNUlVMXZSdjdOTWZTRDNaRm$
  "signature": "FxJYLSt26LL51R0a290IYEMVVn5YmxmLA9I55i8A7oK1QBPeSU12iBHBOzsvsIzaJAy5SYn8esHXSF3AgpWnkCnhv4Kgw9B1NKhDNmESobHt7c_wZ6AV4VxO1gpKmt7VBM_ISDhKZDI1kilC3kJnzIo3yi3MmwfXaBWx5Q5ZTsXNI1OFMzteFKbknQ_M0c$
}
2019-06-27 15:38:40,705:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/challenge/j_YMkgogruGpmsfFDmZCxWioxkDtm8ZBLTuXMp70Bcs/27 HTTP/1.1" 202 316
2019-06-27 15:38:40,705:DEBUG:acme.client:Received response:
HTTP 202
Location: http://localca:4000/acme/challenge/j_YMkgogruGpmsfFDmZCxWioxkDtm8ZBLTuXMp70Bcs/27
Link: <http://localca:4000/acme/authz/j_YMkgogruGpmsfFDmZCxWioxkDtm8ZBLTuXMp70Bcs>;rel="up"
Boulder-Requester: 3
Date: Thu, 27 Jun 2019 12:38:40 GMT
Content-Length: 316
Cache-Control: public, max-age=0, no-cache
Content-Type: application/json
Replay-Nonce: iyqQDjNnUsMdIqJtb50P5L7Q4iHi5oQEzCzHO4NfseU

{
  "type": "http-01",
  "status": "pending",
  "uri": "http://localca:4000/acme/challenge/j_YMkgogruGpmsfFDmZCxWioxkDtm8ZBLTuXMp70Bcs/27",
  "token": "vbcMUeLszxvNQhsCk8wShbtha6Np_g8HUK2G04n0y1A",
  "keyAuthorization": "vbcMUeLszxvNQhsCk8wShbtha6Np_g8HUK2G04n0y1A.u_bhnTNJsYuuAK1UB8hTHC_G7rDJhn-0pwslpRA1jzA"
}
2019-06-27 15:38:40,705:DEBUG:acme.client:Storing nonce: iyqQDjNnUsMdIqJtb50P5L7Q4iHi5oQEzCzHO4NfseU
2019-06-27 15:38:43,709:DEBUG:acme.client:Sending GET request to http://localca:4000/acme/authz/j_YMkgogruGpmsfFDmZCxWioxkDtm8ZBLTuXMp70Bcs.
2019-06-27 15:38:43,716:DEBUG:requests.packages.urllib3.connectionpool:"GET /acme/authz/j_YMkgogruGpmsfFDmZCxWioxkDtm8ZBLTuXMp70Bcs HTTP/1.1" 200 1522
2019-06-27 15:38:43,717:DEBUG:acme.client:Received response:
HTTP 200
Link: <http://localca:4000/acme/new-cert>;rel="next"
Date: Thu, 27 Jun 2019 12:38:43 GMT
Content-Length: 1522
Replay-Nonce: 94zq7jjiPDGREC-BIztCxpUqrQSVmEcZMOYp2iRJLr8
Content-Type: application/json
Cache-Control: public, max-age=0, no-cache

{
  "identifier": {
    "type": "dns",
    "value": "localdomain"
 },
  "status": "invalid",
  "expires": "2019-07-04T12:38:40Z",
  "challenges": [
    {
      "type": "tls-alpn-01",
      "status": "invalid",
      "uri": "http://localca:4000/acme/challenge/j_YMkgogruGpmsfFDmZCxWioxkDtm8ZBLTuXMp70Bcs/25",
      "token": "Y7ofVG_QBpHtDazmQWfxJlhw6DxFdeNYR3cRD4of2-g"
    },
    {
      "type": "dns-01",
      "status": "invalid",
      "uri": "http://localca:4000/acme/challenge/j_YMkgogruGpmsfFDmZCxWioxkDtm8ZBLTuXMp70Bcs/26",
      "token": "I14ZrQyc_p19Jo5tQmQ6TOmnfkrptT0NJ6BilDQoqX0"
    },
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:acme:error:connection",
        "detail": "Fetching http://localdomain/.well-known/acme-challenge/vbcMUeLszxvNQhsCk8wShbtha6Np_g8HUK2G04n0y1A: Connection refused",
        "status": 400
      },
      "uri": "http://localca:4000/acme/challenge/j_YMkgogruGpmsfFDmZCxWioxkDtm8ZBLTuXMp70Bcs/27",
      "token": "vbcMUeLszxvNQhsCk8wShbtha6Np_g8HUK2G04n0y1A",
      "validationRecord": [
        {
     "url": "http://localdomain/.well-known/acme-challenge/vbcMUeLszxvNQhsCk8wShbtha6Np_g8HUK2G04n0y1A",
          "hostname": "localdomain",
          "port": "5002",
          "addressesResolved": [
            "172.17.0.1"
          ],
          "addressUsed": "172.17.0.1"
        }
      ]
    }
  ],
  "combinations": [
    [
      0
    ],
    [
      1
    ],
    [
      2
    ]
  ]
}
2019-06-27 15:38:43,718:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: localdomain
Type:   connection
Detail: Fetching http://localdomain/.well-known/acme-challenge/vbcMUeLszxvNQhsCk8wShbtha6Np_g8HUK2G04n0y1A: Connection refused
To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer $
2019-06-27 15:38:43,718:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 168, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 239, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. localdomain (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://r$

2019-06-27 15:38:43,718:DEBUG:certbot.error_handler:Calling registered functions
2019-06-27 15:38:43,719:INFO:certbot.auth_handler:Cleaning up challenges
2019-06-27 15:38:43,719:DEBUG:certbot.plugins.standalone:Stopping server at :::80...
2019-06-27 15:38:44,197:DEBUG:certbot.log:Exiting abnormally:

Hi @oemegil06

Your "localdomain" doesn't answer. So check your system, if your CA process can connect to your "localdomain".

If I change the FAKE_DNS value to “172.12.0.0” in docker-compose.yml, it’s an error. If I put “10.77.77.77”, the error is:
Detail: The key authorization file from the server did not match
this challenge
[FHB4B2ZcLMa1JV1K8-r_abU7MGc8lf31jJmH8XWxzbE.u_bhnTNJsYuuAK1UB8hTHC_G7rDJhn-0pwslpRA1jzA]
!=
My guess is I use the wrong FAKE_DNS…

:wave: hi @oemegil06,

Using 172.12.0.0 doesn't seem correct. If you are running Certbot on your host machine you probably need to use something like 172.12.0.1, but that entirely depends on your machine's configuration.

Using 10.77.77.77 is not correct - this value will direct Boulder to resolve all domains to the pebble-challtestsrv in the docker environment.

By default Boulder doesn't validate HTTP-01 over port 80, it uses the ports configured in the VA config. For test/config/va.json that will be 5002 for HTTP-01 and 5001 for TLS-ALPN-01.

Certbot --standalone without additional args will be binding port 80 and so your FAKE_DNS may correctly direct the VA to the host where your Certbot challenge response server is running but it will result in a connection refused error unless you change Certbot to bind 5002 or the VA to check port 80.

Can I ask what your end goal is? You might find it easier to use Pebble with Certbot instead of Boulder.
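As an added example (not from the thread, Boulder or Certbot), this Python check reads the `validationRecord` of a failed http-01 challenge, as in the authorization responses logged in this thread, and reports why the VA's request did not reach the client's challenge server. The function names, the cause labels and the assumption that Certbot's host is 172.17.0.1 are illustrative; the two sample objects are trimmed copies of the logged responses.

```python
import json
import re

# Boulder's mismatch detail has the form "[expected] != [received]".
MISMATCH_RE = re.compile(r"\[(?P<expected>[^\]]*)\] != \[(?P<got>[^\]]*)\]")


def make_authz(hostname, err_type, detail, address, port):
    """Build a trimmed authorization object shaped like the logged responses."""
    return json.dumps({
        "identifier": {"type": "dns", "value": hostname},
        "status": "invalid",
        "challenges": [
            {"type": "dns-01", "status": "invalid"},
            {
                "type": "http-01",
                "status": "invalid",
                "error": {"type": err_type, "detail": detail},
                "validationRecord": [{
                    "hostname": hostname,
                    "port": port,
                    "addressesResolved": [address],
                    "addressUsed": address,
                }],
            },
        ],
    })


# Trimmed copies of the two failed authorizations logged in the thread.
CONNECTION_REFUSED = make_authz(
    "localdomain", "urn:acme:error:connection",
    "Fetching http://localdomain/.well-known/acme-challenge/"
    "vbcMUeLszxvNQhsCk8wShbtha6Np_g8HUK2G04n0y1A: Connection refused",
    "172.17.0.1", "5002")
KEY_AUTH = ("UkO-HM73AQbppVOduz6Zo5e1DBvrEOzzY83ig-YB4CE."
            "ss4YGWuApXIi2eRFeAmBTZtBUeYN9BCT_j8039ur23Y")
EMPTY_BODY = make_authz(
    "localdomain.com", "urn:acme:error:unauthorized",
    "The key authorization file from the server did not match this "
    "challenge [" + KEY_AUTH + "] != []",
    "10.77.77.77", "5002")


def diagnose_http01(authz_json, client_port, client_addrs):
    """Explain failed http-01 validations from the CA's own validation record.

    client_port  -- port the ACME client's challenge server listens on
    client_addrs -- addresses of the host running that server (assumption
                    supplied by the operator; the CA cannot know it)
    """
    findings = []
    for chall in json.loads(authz_json).get("challenges", []):
        if chall.get("type") != "http-01" or chall.get("status") != "invalid":
            continue
        error = chall.get("error", {})
        err_type = error.get("type", "").rsplit(":", 1)[-1]
        mismatch = MISMATCH_RE.search(error.get("detail", ""))
        for rec in chall.get("validationRecord", []):
            causes = []
            port = int(rec["port"])
            if port != client_port:
                # The VA connected to a port the client is not listening on:
                # bind the client there (Certbot: --http-01-port) or change
                # the VA's configured HTTP-01 port.
                causes.append("port-mismatch")
            if rec.get("addressUsed") not in client_addrs:
                # The name resolved (for example via FAKE_DNS) to another host.
                causes.append("wrong-address")
            if err_type == "unauthorized" and mismatch and not mismatch.group("got"):
                # Something answered, but with an empty body: the VA reached
                # a server that does not hold this key authorization.
                causes.append("empty-response")
            findings.append({
                "hostname": rec.get("hostname"),
                "address": rec.get("addressUsed"),
                "port": port,
                "error": err_type,
                "causes": causes,
            })
    return findings


if __name__ == "__main__":
    for name, sample in (("connection", CONNECTION_REFUSED),
                         ("unauthorized", EMPTY_BODY)):
        for finding in diagnose_http01(sample, 80, {"172.17.0.1"}):
            print(name, finding)
```
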

I want to obtain a certificate from my CA server…

I tried Pebble.

sudo REQUESTS_CA_BUNDLE=pebble.minica.pem certbot certonly --standalone -d robust5.mqtt.com --server https://localpebble:14000/dir

I am getting an error…

The request message was malformed :: JWS body included JSON with a deprecated ACME v1 “resource” field (“new-reg”)

log file is:

Content-Type: application/problem+json; charset=utf-8
Link: <https://localhost:14000/dir>;rel="index"
Content-Length: 169
Date: Thu, 27 Jun 2019 16:00:36 GMT
Replay-Nonce: CfMp8a7txCrJC5mOZse9xg
Cache-Control: public, max-age=0, no-cache

{
   "type": "urn:ietf:params:acme:error:malformed",
   "detail": "JWS body included JSON with a deprecated ACME v1 \"resource\" field (\"new-reg\")",
   "status": 400
}

When I tried Boulder I am getting "The key authorization file from the server did not match
this challenge
[FHB4B2ZcLMa1JV1K8-r_abU7MGc8lf31jJmH8XWxzbE.u_bhnTNJsYuuAK1UB8hTHC_G7rDJhn-0pwslpRA1jzA]
!= . " error. Actually Boulder cannot create a key file.

I am getting OK for http://localdomain/.well-known/test but Boulder never creates a key file…

Run Pebble without -strict if you want to use this Certbot version without error (or pull the tip of Certbot master, I believe @adferrand fixed this bug)

Thank you for your answer @cpu
“The key authorization file from the server did not match
this challenge”
[FHB4B2ZcLMa1JV1K8-r_abU7MGc8lf31jJmH8XWxzbE.u_bhnTNJsYuuAK1UB8hTHC_G7rDJhn-0pwslpRA1jzA]
!= . "

What is the reason for this error?

Sorry, but I can't say without knowing more. Can you provide the Certbot command you ran, the full Certbot verbose log, and the Pebble-side output and configuration file?

My certbot command is = “certbot certonly --standalone --server http://localca:4000/directory -d localdomain”

Certbot Log is =
2019-07-01 14:05:08,231:DEBUG:certbot.main:certbot version: 0.31.0
2019-07-01 14:05:08,232:DEBUG:certbot.main:Arguments: ['--standalone', '--server', 'http://localca:4000/directory', '-d', 'localdomain.com']
2019-07-01 14:05:08,233:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-07-01 14:05:08,241:DEBUG:certbot.log:Root logging level set at 20
2019-07-01 14:05:08,242:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-07-01 14:05:08,243:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer None
2019-07-01 14:05:08,340:DEBUG:certbot.plugins.selection:Single candidate plugin: * standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator
Initialized: <certbot.plugins.standalone.Authenticator object at 0x7f801c626ef0>
Prep: True
2019-07-01 14:05:08,341:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.standalone.Authenticator object at 0x7f801c626ef0> and installer None
2019-07-01 14:05:08,341:INFO:certbot.plugins.selection:Plugins selected: Authenticator standalone, Installer None
2019-07-01 14:05:08,364:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(new_authzr_uri='http://localca:4000/acme/new-authz', body=Registration(agreement=None, key=None, only_return_exi$
2019-07-01 14:05:08,365:DEBUG:acme.client:Sending GET request to http://localca:4000/directory.
2019-07-01 14:05:08,369:INFO:requests.packages.urllib3.connectionpool:Starting new HTTP connection (1): 192.168.6.91
2019-07-01 14:05:08,371:DEBUG:requests.packages.urllib3.connectionpool:"GET /directory HTTP/1.1" 200 584
2019-07-01 14:05:08,372:DEBUG:acme.client:Received response:
HTTP 200
Cache-Control: public, max-age=0, no-cache
Content-Type: application/json
Content-Length: 584
Date: Mon, 01 Jul 2019 11:05:08 GMT
Replay-Nonce: TSNeUEHsPFwX7_zjlKI4WsyDHDr3jsl2-59s5kU8oo4

{
  "H5IFooHPYU0": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "key-change": "http://localca:4000/acme/key-change",
  "meta": {
    "caaIdentities": [
      "happy-hacker-ca.invalid"
    ],
    "terms-of-service": "http://boulder:4000/terms/v1",
    "website": "https://github.com/letsencrypt/boulder"
  },
  "new-authz": "http://localca:4000/acme/new-authz",
  "new-cert": "http://localca:4000/acme/new-cert",
  "new-reg": "http://localca:4000/acme/new-reg",
  "revoke-cert": "http://localca:4000/acme/revoke-cert"
}
2019-07-01 14:05:08,372:INFO:certbot.main:Obtaining a new certificate
2019-07-01 14:05:08,469:DEBUG:certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0001_key-certbot.pem
2019-07-01 14:05:08,473:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0154_csr-certbot.pem
2019-07-01 14:05:08,475:DEBUG:acme.client:Requesting fresh nonce
2019-07-01 14:05:08,475:DEBUG:acme.client:Sending HEAD request to http://localca:4000/acme/new-authz.
2019-07-01 14:05:08,476:DEBUG:requests.packages.urllib3.connectionpool:"HEAD /acme/new-authz HTTP/1.1" 405 0
2019-07-01 14:05:08,477:DEBUG:acme.client:Received response:
HTTP 405
Cache-Control: public, max-age=0, no-cache
Content-Type: application/problem+json
Content-Length: 91
Replay-Nonce: rX4LcE8jDiENK8ImIG33ZfCFZZutK6NGgpJgufTPEVo
Date: Mon, 01 Jul 2019 11:05:08 GMT
Allow: POST


2019-07-01 14:05:08,477:DEBUG:acme.client:Storing nonce: rX4LcE8jDiENK8ImIG33ZfCFZZutK6NGgpJgufTPEVo
2019-07-01 14:05:08,477:DEBUG:acme.client:JWS payload:
b'{\n  "identifier": {\n    "value": "localdomain.com",\n    "type": "dns"\n  },\n  "resource": "new-authz"\n}'
2019-07-01 14:05:08,481:DEBUG:acme.client:Sending POST request to http://localca:4000/acme/new-authz:
{
  "protected": "eyJub25jZSI6ICJyWDRMY0U4akRpRU5LOEltSUczM1pmQ0ZaWnV0SzZOR2dwSmd1ZlRQRVZvIiwgImp3ayI6IHsibiI6ICJ6VVQzUnFNajZySUdleHBISHo5SmhNSEUtazNKajhaaUY2NER3VDR1a3ZCVi1FTUJZQmFTaEJwUXVNcjlvTDE5bzdqVW5TdU$
  "signature": "XrfRdJrasoodIRZeTv4upBYkvPVytj7vQUwchPd7UW7Dm72F7alqJkBWL2nuAzl-0OheZAV0Nxe3IncrU-WctDy7n9r4RgGCQBxQwQIyjGqtW-S5SNPiKvwCV6F7psWFEiopdg3ELFONqSkI5LW5vn6BU1TzyPjHDbW93B1-EAQdew0y1hP5r3skOOIiLD$
  "payload": "ewogICJpZGVudGlmaWVyIjogewogICAgInZhbHVlIjogInJvYnVzdDUubXF0dC5jb20iLAogICAgInR5cGUiOiAiZG5zIgogIH0sCiAgInJlc291cmNlIjogIm5ldy1hdXRoeiIKfQ"
}
2019-07-01 14:05:08,493:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/new-authz HTTP/1.1" 201 932
2019-07-01 14:05:08,494:DEBUG:acme.client:Received response:
HTTP 201
Cache-Control: public, max-age=0, no-cache
Boulder-Requester: 1
Link: <http://localca:4000/acme/new-cert>;rel="next"
Location: http://localca:4000/acme/authz/01gJatRICrH7dAu-VUbaBOG0ALkeW1oXrdGM4cHopvc
Content-Type: application/json
Content-Length: 932
Date: Mon, 01 Jul 2019 11:05:08 GMT
Replay-Nonce: 6RtHTatn6xqOgvQxNDR1iE5Wyb3Be1RcCPBVd7rRwoE
{
  "identifier": {
      "type": "dns",
    "value": "localdomain.com"
  },
  "status": "pending",
  "expires": "2019-07-08T11:05:08Z",
  "challenges": [
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "uri": "http://localca:4000/acme/challenge/01gJatRICrH7dAu-VUbaBOG0ALkeW1oXrdGM4cHopvc/4",
      "token": "Fv961dVoCHNHSOlme4JfUgvSTpWZqDR3tYlW5QwQgh8"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "http://localca:4000/acme/challenge/01gJatRICrH7dAu-VUbaBOG0ALkeW1oXrdGM4cHopvc/5",
      "token": "AS2wmwQJk8GGiSnjFo9-8_GS8QhyMIonFVMN7GbFDcg"
    },
    {
      "type": "http-01",
      "status": "pending",
      "uri": "http://localca:4000/acme/challenge/01gJatRICrH7dAu-VUbaBOG0ALkeW1oXrdGM4cHopvc/6",
      "token": "UkO-HM73AQbppVOduz6Zo5e1DBvrEOzzY83ig-YB4CE"
    }
  ],
  "combinations": [
    [
  0
    ],
    [
      1
    ],
    [
      2
    ]
  ]
}
2019-07-01 14:05:08,494:DEBUG:acme.client:Storing nonce: 6RtHTatn6xqOgvQxNDR1iE5Wyb3Be1RcCPBVd7rRwoE
2019-07-01 14:05:08,494:INFO:certbot.auth_handler:Performing the following challenges:
2019-07-01 14:05:08,495:INFO:certbot.auth_handler:http-01 challenge for localdomain.com
2019-07-01 14:05:08,495:DEBUG:acme.standalone:Successfully bound to :80 using IPv6
2019-07-01 14:05:08,495:DEBUG:acme.standalone:Certbot wasn't able to bind to :80 using IPv4, this is often expected due to the dual stack nature of IPv6 socket implementations.
2019-07-01 14:05:08,500:INFO:certbot.auth_handler:Waiting for verification...
2019-07-01 14:05:08,501:DEBUG:acme.client:JWS payload:
b'{\n  "keyAuthorization": "UkO-HM73AQbppVOduz6Zo5e1DBvrEOzzY83ig-YB4CE.ss4YGWuApXIi2eRFeAmBTZtBUeYN9BCT_j8039ur23Y",\n  "resource": "challenge",\n  "type": "http-01"\n}'
2019-07-01 14:05:08,503:DEBUG:acme.client:Sending POST request to http://localca:4000/acme/challenge/01gJatRICrH7dAu-VUbaBOG0ALkeW1oXrdGM4cHopvc/6:
{
  "protected": "eyJub25jZSI6ICI2UnRIVGF0bjZ4cU9ndlF4TkRSMWlFNVd5YjNCZTFSY0NQQlZkN3JSd29FIiwgImp3ayI6IHsibiI6ICJ6VVQzUnFNajZySUdleHBISHo5SmhNSEUtazNKajhaaUY2NER3VDR1a3ZCVi1FTUJZQmFTaEJwUXVNcjlvTDE5bzdqVW5TdU$
  "signature": "tcdpiwx3MVlq3yJjFVlnpV8Cs8yUehgkilwv8ozsbMIoQ1Mdf-iU4pne6Ce8EhMNXdpsMwDgBgTPvTVd-h7CQkyb5AT9YDNsJ2impAD7ki45sQufpxFzR7qZJxiPjQKEpJMUghMwWoB36t_rRJMCXP7LR8_cA6u8no0_xFpNeI8nGxMXsfAJCgfpUFNAMh$
  "payload": "ewogICJrZXlBdXRob3JpemF0aW9uIjogIlVrTy1ITTczQVFicHBWT2R1ejZabzVlMURCdnJFT3p6WTgzaWctWUI0Q0Uuc3M0WUdXdUFwWElpMmVSRmVBbUJUWnRCVWVZTjlCQ1RfajgwMzl1cjIzWSIsCiAgInJlc291cmNlIjogImNoYWxsZW5nZSIsCiAg$
}
2019-07-01 14:05:08,509:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/challenge/01gJatRICrH7dAu-VUbaBOG0ALkeW1oXrdGM4cHopvc/6 HTTP/1.1" 202 315
2019-07-01 14:05:08,510:DEBUG:acme.client:Received response:
HTTP 202
Cache-Control: public, max-age=0, no-cache
Boulder-Requester: 1
Link: <http://localca:4000/acme/authz/01gJatRICrH7dAu-VUbaBOG0ALkeW1oXrdGM4cHopvc>;rel="up"
Location: http://localca:4000/acme/challenge/01gJatRICrH7dAu-VUbaBOG0ALkeW1oXrdGM4cHopvc/6
Content-Type: application/json
Content-Length: 315
Date: Mon, 01 Jul 2019 11:05:08 GMT
Replay-Nonce: 8jH_3lb2mbl9P6A-6UAUPag9_VVVwtDPAiZ77juBiQ4

{
  "type": "http-01",
  "status": "pending",
  "uri": "http://localca:4000/acme/challenge/01gJatRICrH7dAu-VUbaBOG0ALkeW1oXrdGM4cHopvc/6",
  "token": "UkO-HM73AQbppVOduz6Zo5e1DBvrEOzzY83ig-YB4CE",
  "keyAuthorization": "UkO-HM73AQbppVOduz6Zo5e1DBvrEOzzY83ig-YB4CE.ss4YGWuApXIi2eRFeAmBTZtBUeYN9BCT_j8039ur23Y"
}
2019-07-01 14:05:08,510:DEBUG:acme.client:Storing nonce: 8jH_3lb2mbl9P6A-6UAUPag9_VVVwtDPAiZ77juBiQ4
2019-07-01 14:05:11,514:DEBUG:acme.client:Sending GET request to http://localca:4000/acme/authz/01gJatRICrH7dAu-VUbaBOG0ALkeW1oXrdGM4cHopvc.
2019-07-01 14:05:11,519:DEBUG:requests.packages.urllib3.connectionpool:"GET /acme/authz/01gJatRICrH7dAu-VUbaBOG0ALkeW1oXrdGM4cHopvc HTTP/1.1" 200 1567
2019-07-01 14:05:11,520:DEBUG:acme.client:Received response:
HTTP 200
Cache-Control: public, max-age=0, no-cache
Link: <http://localca:4000/acme/new-cert>;rel="next"
Content-Type: application/json
Content-Length: 1567
Date: Mon, 01 Jul 2019 11:05:11 GMT
Replay-Nonce: jMsGdg1-zwdf9OSA1WGFa8MxpyJbX7Z5WsyCh6SJxAY

{
  "identifier": {
    "type": "dns",
    "value": "localdomain.com"
  },
  "status": "invalid",
  "expires": "2019-07-08T11:05:08Z",
  "challenges": [
    {
      "type": "tls-alpn-01",
      "status": "invalid",
      "uri": "http://localca:4000/acme/challenge/01gJatRICrH7dAu-VUbaBOG0ALkeW1oXrdGM4cHopvc/4",
      "token": "Fv961dVoCHNHSOlme4JfUgvSTpWZqDR3tYlW5QwQgh8"
    },
    {
      "type": "dns-01",
      "status": "invalid",
      "uri": "http://localca:4000/acme/challenge/01gJatRICrH7dAu-VUbaBOG0ALkeW1oXrdGM4cHopvc/5",
      "token": "AS2wmwQJk8GGiSnjFo9-8_GS8QhyMIonFVMN7GbFDcg"
    },
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:acme:error:unauthorized",
        "detail": "The key authorization file from the server did not match this challenge [UkO-HM73AQbppVOduz6Zo5e1DBvrEOzzY83ig-YB4CE.ss4YGWuApXIi2eRFeAmBTZtBUeYN9BCT_j8039ur23Y] != []",

   "status": 403
      },
      "uri": "http://localca:4000/acme/challenge/01gJatRICrH7dAu-VUbaBOG0ALkeW1oXrdGM4cHopvc/6",
      "token": "UkO-HM73AQbppVOduz6Zo5e1DBvrEOzzY83ig-YB4CE",
      "validationRecord": [
        {
          "url": "http://localdomain.com/.well-known/acme-challenge/UkO-HM73AQbppVOduz6Zo5e1DBvrEOzzY83ig-YB4CE",
          "hostname": "localdomain.com",
          "port": "5002",
          "addressesResolved": [
            "10.77.77.77"
          ],
          "addressUsed": "10.77.77.77"
        }
      ]
    }
  ],
  "combinations": [
    [
      0
    ],
    [
      1
    ],
    [
      2
    ]
2019-07-01 14:05:11,521:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: localdomain.com
Type:   unauthorized
Detail: The key authorization file from the server did not match this challenge [UkO-HM73AQbppVOduz6Zo5e1DBvrEOzzY83ig-YB4CE.ss4YGWuApXIi2eRFeAmBTZtBUeYN9BCT_j8039ur23Y] != []

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
2019-07-01 14:05:11,521:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 168, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 239, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. localdomain.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: The key authorization file from the s$

2019-07-01 14:05:11,521:DEBUG:certbot.error_handler:Calling registered functions
2019-07-01 14:05:11,521:INFO:certbot.auth_handler:Cleaning up challenges
2019-07-01 14:05:11,522:DEBUG:certbot.plugins.standalone:Stopping server at :::80...
2019-07-01 14:05:12,000:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
 return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1250, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 410, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 353, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 389, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 168, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 239, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. localdomain.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: The key authorization file from the s$

Boulder side output:

boulder_1    | I110508 boulder-va [AUDIT] Checked CAA records for localdomain.com, [Present: false, Account ID: 1, Challenge: http-01, Valid for issuance: true] Records=null
boulder_1    | I110508 boulder-va [AUDIT] Validation result JSON={"ID":"01gJatRICrH7dAu-VUbaBOG0ALkeW1oXrdGM4cHopvc","Requester":1,"Hostname":"localdomain.com","Challenge":{"id":6,"type":"http-01","status":"invalid","error":{"type":"unauthorized","detail":"The key authorization file from the server did not match this challenge [UkO-HM73AQbppVOduz6Zo5e1DBvrEOzzY83ig-YB4CE.ss4YGWuApXIi2eRFeAmBTZtBUeYN9BCT_j8039ur23Y] != []","status":403},"token":"UkO-HM73AQbppVOduz6Zo5e1DBvrEOzzY83ig-YB4CE","keyAuthorization":"UkO-HM73AQbppVOduz6Zo5e1DBvrEOzzY83ig-YB4CE.ss4YGWuApXIi2eRFeAmBTZtBUeYN9BCT_j8039ur23Y","validationRecord":[{"url":"http://localdomain.com/.well-known/acme-challenge/UkO-HM73AQbppVOduz6Zo5e1DBvrEOzzY83ig-YB4CE","hostname":"localdomain.com","port":"5002","addressesResolved":["10.77.77.77"],"addressUsed":"10.77.77.77"}]},"ValidationLatency":0.003,"Error":"unauthorized :: The key authorization file from the server did not match this challenge [UkO-HM73AQbppVOduz6Zo5e1DBvrEOzzY83ig-YB4CE.ss4YGWuApXIi2eRFeAmBTZtBUeYN9BCT_j8039ur23Y] != []"}
boulder_1    | I110508 boulder-va Validations: {ID:01gJatRICrH7dAu-VUbaBOG0ALkeW1oXrdGM4cHopvc Identifier:{Type: Value:} RegistrationID:1 Status: Expires:<nil> Challenges:[] Combinations:[] Wildcard:false V2:false}

docker-compose.yml is:

version: '3'
services:
    boulder:
        # To minimize fetching this should be the same version used below
        image: letsencrypt/boulder-tools-go${TRAVIS_GO_VERSION:-1.12}:2019-04-08
        environment:
            FAKE_DNS: 10.77.77.77
            PKCS11_PROXY_SOCKET: tcp://boulder-hsm:5657
            BOULDER_CONFIG_DIR: test/config
            GO111MODULE: "on"
            GOFLAGS: "-mod=vendor"
        volumes:
          - .:/go/src/github.com/letsencrypt/boulder
          - ./.gocache:/root/.cache/go-build
        networks:
          bluenet:
            ipv4_address: 10.77.77.77
            aliases:
              - sa1.boulder
              - ca1.boulder
              - ra1.boulder
              - va1.boulder
              - publisher1.boulder
              - ocsp-updater.boulder
              - admin-revoker.boulder
              - nonce1.boulder
          rednet:
            ipv4_address: 10.88.88.88
            aliases:
              - sa2.boulder
              - ca2.boulder
              - ra2.boulder
              - va2.boulder
              - publisher2.boulder
              - nonce2.boulder
        # Use sd-test-srv as a backup to Docker's embedded DNS server
        # (https://docs.docker.com/config/containers/container-networking/#dns-services).
        # If there's a name Docker's DNS server doesn't know about, it will
        # forward the query to this IP (running sd-test-srv). We have
        # special logic there that will return multiple IP addresses for
        # service names.
        dns: 10.77.77.77
        ports:
          - 4000:4000 # ACME
          - 4001:4001 # ACMEv2
          - 4002:4002 # OCSP
          - 4003:4003 # OCSP
          - 4430:4430 # ACME via HTTPS
          - 4431:4431 # ACMEv2 via HTTPS
          - 8055:8055 # dns-test-srv updates
        depends_on:
          - bhsm
          - bmysql
        entrypoint: test/entrypoint.sh
        working_dir: /go/src/github.com/letsencrypt/boulder
    bhsm:
        # To minimize fetching this should be the same version used above
        image: letsencrypt/boulder-tools-go${TRAVIS_GO_VERSION:-1.12}:2019-04-08
        environment:
            PKCS11_DAEMON_SOCKET: tcp://0.0.0.0:5657
        command: /usr/local/bin/pkcs11-daemon /usr/lib/softhsm/libsofthsm2.so
        expose:
          - 5657
        networks:
          bluenet:
            aliases:
              - boulder-hsm
    bmysql:
        image: mariadb:10.3
        networks:
          bluenet:
            aliases:
              - boulder-mysql
        environment:
            MYSQL_ALLOW_EMPTY_PASSWORD: "yes"
        command: mysqld --bind-address=0.0.0.0
        logging:
            driver: none
    netaccess:
        image: letsencrypt/boulder-tools-go${TRAVIS_GO_VERSION:-1.12}:2019-04-08
        environment:
            GO111MODULE: "on"
            GOFLAGS: "-mod=vendor"
        networks:
          - bluenet
        volumes:
          - .:/go/src/github.com/letsencrypt/boulder
        working_dir: /go/src/github.com/letsencrypt/boulder
        entrypoint: test/entrypoint-netaccess.sh
        depends_on:
          - bmysql

networks:
  bluenet:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 10.77.77.0/24
  rednet:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 10.88.88.0/24

Thank you for your answer…

You switched back to Boulder? Did you see my earlier answers?

Your docker compose is still using the pebble-challtestsrv address.

Yes, I switched and I saw, but I don’t understand what to do.

Now I changed FAKE_DNS to my local IP address, 192.168.6.91, and I changed va.json to:

"va": {
    "userAgent": "boulder",
    "debugAddr": ":8004",
    "portConfig": {
      "httpPort": 80,
      "httpsPort": 443,
      "tlsPort": 443
    },
    "maxConcurrentRPCServerRequests": 100000,
    "dnsTries": 3,
    "dnsResolvers": [
      "127.0.0.1:8053",
      "127.0.0.1:8054"
    ],
    "issuerDomain": "happy-hacker-ca.invalid",
    "tls": {
      "caCertfile": "test/grpc-creds/minica.pem",
      "certFile": "test/grpc-creds/va.boulder/cert.pem",
      "keyFile": "test/grpc-creds/va.boulder/key.pem"
    },
    "grpc": {
      "address": ":9092",
      "clientNames": [
        "ra.boulder"
      ]
    },
    "features": {
    }
  },

  "syslog": {
    "stdoutlevel": 6,
    "sysloglevel": 4
  },

  "common": {
    "dnsTimeout": "1s",
    "dnsAllowLoopbackAddresses": true
  }
}

And I ran the same command on certbot, and I am getting a connection refused error.
Certbot verbose log:

2019-07-01 17:10:09,933:DEBUG:certbot.main:certbot version: 0.31.0
2019-07-01 17:10:09,934:DEBUG:certbot.main:Arguments: ['--standalone', '--server', 'http://192.168.6.91:4000/directory', '-d', 'robust5.mqtt.com']
2019-07-01 17:10:09,934:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-07-01 17:10:09,943:DEBUG:certbot.log:Root logging level set at 20
2019-07-01 17:10:09,944:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-07-01 17:10:09,944:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer None
2019-07-01 17:10:10,074:DEBUG:certbot.plugins.selection:Single candidate plugin: * standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator
Initialized: <certbot.plugins.standalone.Authenticator object at 0x7ff59e962d30>
Prep: True
2019-07-01 17:10:10,075:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.standalone.Authenticator object at 0x7ff59e962d30> and installer None
2019-07-01 17:10:10,075:INFO:certbot.plugins.selection:Plugins selected: Authenticator standalone, Installer None
2019-07-01 17:10:10,097:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(only_return_existing=None, external_account_binding=None, contact=(), agreement=None, status=None, $
2019-07-01 17:10:10,099:DEBUG:acme.client:Sending GET request to http://192.168.6.91:4000/directory.
2019-07-01 17:10:10,103:INFO:requests.packages.urllib3.connectionpool:Starting new HTTP connection (1): 192.168.6.91
2019-07-01 17:10:10,105:DEBUG:requests.packages.urllib3.connectionpool:"GET /directory HTTP/1.1" 200 584
2019-07-01 17:10:10,105:DEBUG:acme.client:Received response:
HTTP 200
Cache-Control: public, max-age=0, no-cache
Replay-Nonce: w8XiZboxbo_sNOFKg2vlyx2l6Do9NBb6aIyYQ0lAuDs
Content-Length: 584
Content-Type: application/json
Date: Mon, 01 Jul 2019 14:10:10 GMT

{
  "V_UpKRwCzyk": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "key-change": "http://192.168.6.91:4000/acme/key-change",
  "meta": {
    "caaIdentities": [
      "happy-hacker-ca.invalid"
    ],
    "terms-of-service": "http://boulder:4000/terms/v1",
    "website": "https://github.com/letsencrypt/boulder"
  },
  "new-authz": "http://192.168.6.91:4000/acme/new-authz",
  "new-cert": "http://192.168.6.91:4000/acme/new-cert",
  "new-reg": "http://192.168.6.91:4000/acme/new-reg",
  "revoke-cert": "http://192.168.6.91:4000/acme/revoke-cert"
}
2019-07-01 17:10:10,106:INFO:certbot.main:Obtaining a new certificate
2019-07-01 17:10:10,185:DEBUG:certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0008_key-certbot.pem
2019-07-01 17:10:10,189:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0161_csr-certbot.pem
2019-07-01 17:10:10,190:DEBUG:acme.client:Requesting fresh nonce
2019-07-01 17:10:10,190:DEBUG:acme.client:Sending HEAD request to http://192.168.6.91:4000/acme/new-authz.
2019-07-01 17:10:10,192:DEBUG:requests.packages.urllib3.connectionpool:"HEAD /acme/new-authz HTTP/1.1" 405 0
2019-07-01 17:10:10,193:DEBUG:acme.client:Received response:
HTTP 405
Content-Length: 91
Cache-Control: public, max-age=0, no-cache
Allow: POST
Replay-Nonce: 0dMe1y1TzEAqPDvb1SWnkIiCr3FsGTHBkRVgnxjEDvk
Content-Type: application/problem+json
Date: Mon, 01 Jul 2019 14:10:10 GMT


2019-07-01 17:10:10,193:DEBUG:acme.client:Storing nonce: 0dMe1y1TzEAqPDvb1SWnkIiCr3FsGTHBkRVgnxjEDvk
2019-07-01 17:10:10,193:DEBUG:acme.client:JWS payload:
b'{\n  "identifier": {\n    "type": "dns",\n    "value": "robust5.mqtt.com"\n  },\n  "resource": "new-authz"\n}'
2019-07-01 17:10:10,196:DEBUG:acme.client:Sending POST request to http://192.168.6.91:4000/acme/new-authz:
{
  "payload": "ewogICJpZGVudGlmaWVyIjogewogICAgInR5cGUiOiAiZG5zIiwKICAgICJ2YWx1ZSI6ICJyb2J1c3Q1Lm1xdHQuY29tIgogIH0sCiAgInJlc291cmNlIjogIm5ldy1hdXRoeiIKfQ",
  "protected": "eyJhbGciOiAiUlMyNTYiLCAibm9uY2UiOiAiMGRNZTF5MVR6RUFxUER2YjFTV25rSWlDcjNGc0dUSEJrUlZnbnhqRUR2ayIsICJqd2siOiB7ImUiOiAiQVFBQiIsICJuIjogInpVVDNScU1qNnJJR2V4cEhIejlKaE1IRS1rM0pqOFppRjY0RHdUNHVrdk$
  "signature": "lGW9hP1ooQNBr1yb_CpBNqDqyf6aBUAcNTUHt0fDIQdr3ONo6qvGjFUdA2qvmAhim_DuftuaNkI42wNCuUrK8e7Q38Trm_FGbhVPacRqkwi6WKJMZZcgMGuJcNAJ76aLdnG0dHR4XrsxSX0f4BRRaf_bYOtLnHyH6hjzg7XDwOkP6fBul--LQucCSOjk0R$
}
2019-07-01 17:10:10,213:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/new-authz HTTP/1.1" 201 935
2019-07-01 17:10:10,213:DEBUG:acme.client:Received response:
HTTP 201
Location: http://192.168.6.91:4000/acme/authz/W18rrpGTp78rY39GDGY1AwohSksJfmeF9oWtWBYJdvI
Link: <http://192.168.6.91:4000/acme/new-cert>;rel="next"
Cache-Control: public, max-age=0, no-cache
Boulder-Requester: 1
Replay-Nonce: paWk_ZV40K9eCUhrNC3ChKrp4qGD-unztQlX4-vq1EM
Content-Length: 935
Content-Type: application/json
Date: Mon, 01 Jul 2019 14:10:10 GMT

{
  "identifier": {
    "type": "dns",
    "value": "robust5.mqtt.com"
  },
  "status": "pending",
  "expires": "2019-07-08T14:10:10Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "http://192.168.6.91:4000/acme/challenge/W18rrpGTp78rY39GDGY1AwohSksJfmeF9oWtWBYJdvI/25",
      "token": "rmQyrF2kRxJbuaQS1DyWNZcZ1gFEMt3-_wToYjnbO3o"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "uri": "http://192.168.6.91:4000/acme/challenge/W18rrpGTp78rY39GDGY1AwohSksJfmeF9oWtWBYJdvI/26",
      "token": "_iv6j0CYaTlfsfbvPIFRUi39jzkRMBEEH9RWf2kUd90"
    },
    {
      "type": "http-01",
      "status": "pending",
      "uri": "http://192.168.6.91:4000/acme/challenge/W18rrpGTp78rY39GDGY1AwohSksJfmeF9oWtWBYJdvI/27",
      "token": "LmKD1sm-sgI8xZQMR_eCT7gtT6o5bfKNnjF5KhspAnU"
    }
  ],
  "combinations": [
    [
      0
    ],
    [
      1
    ],
    [
      2
    ]
  ]
}
2019-07-01 17:10:10,214:DEBUG:acme.client:Storing nonce: paWk_ZV40K9eCUhrNC3ChKrp4qGD-unztQlX4-vq1EM
2019-07-01 17:10:10,214:INFO:certbot.auth_handler:Performing the following challenges:
2019-07-01 17:10:10,214:INFO:certbot.auth_handler:http-01 challenge for robust5.mqtt.com
2019-07-01 17:10:10,215:DEBUG:acme.standalone:Successfully bound to :80 using IPv6
2019-07-01 17:10:10,216:DEBUG:acme.standalone:Certbot wasn't able to bind to :80 using IPv4, this is often expected due to the dual stack nature of IPv6 socket implementations.
2019-07-01 17:10:10,222:INFO:certbot.auth_handler:Waiting for verification...
2019-07-01 17:10:10,223:DEBUG:acme.client:JWS payload:
b'{\n  "resource": "challenge",\n  "keyAuthorization": "LmKD1sm-sgI8xZQMR_eCT7gtT6o5bfKNnjF5KhspAnU.ss4YGWuApXIi2eRFeAmBTZtBUeYN9BCT_j8039ur23Y",\n  "type": "http-01"\n}'
2019-07-01 17:10:10,227:DEBUG:acme.client:Sending POST request to http://192.168.6.91:4000/acme/challenge/W18rrpGTp78rY39GDGY1AwohSksJfmeF9oWtWBYJdvI/27:
{
  "payload": "ewogICJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiLAogICJrZXlBdXRob3JpemF0aW9uIjogIkxtS0Qxc20tc2dJOHhaUU1SX2VDVDdndFQ2bzViZktObmpGNUtoc3BBblUuc3M0WUdXdUFwWElpMmVSRmVBbUJUWnRCVWVZTjlCQ1RfajgwMzl1cjIzWSIsCiAg$
  "protected": "eyJhbGciOiAiUlMyNTYiLCAibm9uY2UiOiAicGFXa19aVjQwSzllQ1Vock5DM0NoS3JwNHFHRC11bnp0UWxYNC12cTFFTSIsICJqd2siOiB7ImUiOiAiQVFBQiIsICJuIjogInpVVDNScU1qNnJJR2V4cEhIejlKaE1IRS1rM0pqOFppRjY0RHdUNHVrdk$
  "signature": "VP-ceFYqNjNB223Lraa7x5ulOi1exUgmX0fGLsnwSOY6ntbI1ELuESLat70u3Scz_sl8-vBJzonuDt2-dz_Hg9K33qwAR1iRVKKN7__NFQnYq544cdDl61aXhlfXG60mqWDqbdKZ8hi2rQsuWjResHnxsjpSmruBuN8txBUvcNyr95DkOeP1YNX7w5ewQY$
}
2019-07-01 17:10:10,237:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/challenge/W18rrpGTp78rY39GDGY1AwohSksJfmeF9oWtWBYJdvI/27 HTTP/1.1" 202 316
2019-07-01 17:10:10,238:DEBUG:acme.client:Received response:
HTTP 202
Location: http://192.168.6.91:4000/acme/challenge/W18rrpGTp78rY39GDGY1AwohSksJfmeF9oWtWBYJdvI/27
Link: <http://192.168.6.91:4000/acme/authz/W18rrpGTp78rY39GDGY1AwohSksJfmeF9oWtWBYJdvI>;rel="up"
Cache-Control: public, max-age=0, no-cache
Boulder-Requester: 1
Replay-Nonce: CaQ3WV5djIsOdM-bTxA7-9w6jEjScLBaQu170ENS6Aw
Content-Length: 316
Content-Type: application/json
Date: Mon, 01 Jul 2019 14:10:10 GMT

{
  "type": "http-01",
  "status": "pending",
  "uri": "http://192.168.6.91:4000/acme/challenge/W18rrpGTp78rY39GDGY1AwohSksJfmeF9oWtWBYJdvI/27",
  "token": "LmKD1sm-sgI8xZQMR_eCT7gtT6o5bfKNnjF5KhspAnU",
  "keyAuthorization": "LmKD1sm-sgI8xZQMR_eCT7gtT6o5bfKNnjF5KhspAnU.ss4YGWuApXIi2eRFeAmBTZtBUeYN9BCT_j8039ur23Y"
}
2019-07-01 17:10:10,238:DEBUG:acme.client:Storing nonce: CaQ3WV5djIsOdM-bTxA7-9w6jEjScLBaQu170ENS6Aw
2019-07-01 17:10:13,241:DEBUG:acme.client:Sending GET request to http://192.168.6.91:4000/acme/authz/W18rrpGTp78rY39GDGY1AwohSksJfmeF9oWtWBYJdvI.
2019-07-01 17:10:13,248:DEBUG:requests.packages.urllib3.connectionpool:"GET /acme/authz/W18rrpGTp78rY39GDGY1AwohSksJfmeF9oWtWBYJdvI HTTP/1.1" 200 1810
2019-07-01 17:10:13,249:DEBUG:acme.client:Received response:
HTTP 200
Link: <http://192.168.6.91:4000/acme/new-cert>;rel="next"
Cache-Control: public, max-age=0, no-cache
Content-Length: 1810
Replay-Nonce: I7i36RLeHlRCPNiD7tkcZUyLntgkwX85pIq-W-3NdhU
Content-Type: application/json
Date: Mon, 01 Jul 2019 14:10:13 GMT

{
  "identifier": {
    "type": "dns",
    "value": "robust5.mqtt.com"
  },
  "status": "invalid",
  "expires": "2019-07-08T14:10:10Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "invalid",
      "uri": "http://192.168.6.91:4000/acme/challenge/W18rrpGTp78rY39GDGY1AwohSksJfmeF9oWtWBYJdvI/25",
      "token": "rmQyrF2kRxJbuaQS1DyWNZcZ1gFEMt3-_wToYjnbO3o"
    },
    {
      "type": "tls-alpn-01",
      "status": "invalid",
      "uri": "http://192.168.6.91:4000/acme/challenge/W18rrpGTp78rY39GDGY1AwohSksJfmeF9oWtWBYJdvI/26",
      "token": "_iv6j0CYaTlfsfbvPIFRUi39jzkRMBEEH9RWf2kUd90"
    },
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:acme:error:unauthorized",
        "detail": "Invalid response from http://robust5.mqtt.com/.well-known/acme-challenge/LmKD1sm-sgI8xZQMR_eCT7gtT6o5bfKNnjF5KhspAnU [192.168.6.91]: \"\u003chtml\u003e\\r\\n\u003chead\u003e\u003ctitle\u0$
    "status": 403
      },
      "uri": "http://192.168.6.91:4000/acme/challenge/W18rrpGTp78rY39GDGY1AwohSksJfmeF9oWtWBYJdvI/27",
      "token": "LmKD1sm-sgI8xZQMR_eCT7gtT6o5bfKNnjF5KhspAnU",
      "validationRecord": [
        {
          "url": "http://robust5.mqtt.com/.well-known/acme-challenge/LmKD1sm-sgI8xZQMR_eCT7gtT6o5bfKNnjF5KhspAnU",
          "hostname": "robust5.mqtt.com",
          "port": "80",
          "addressesResolved": [
            "192.168.6.91"
          ],
          "addressUsed": "192.168.6.91"
        }
      ]
    }
  ],
  "combinations": [
    [
      0
    ],
    [
      1
    ],
    [
      2
    ]
  ]
}
2019-07-01 17:10:13,250:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: robust5.mqtt.com
Type:   unauthorized
Detail: Invalid response from http://robust5.mqtt.com/.well-known/acme-challenge/LmKD1sm-sgI8xZQMR_eCT7gtT6o5bfKNnjF5KhspAnU [192.168.6.91]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgc$

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
2019-07-01 17:10:13,250:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 168, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 239, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. robust5.mqtt.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://robust5.$

2019-07-01 17:10:13,250:DEBUG:certbot.error_handler:Calling registered functions
2019-07-01 17:10:13,250:INFO:certbot.auth_handler:Cleaning up challenges
2019-07-01 17:10:13,251:DEBUG:certbot.plugins.standalone:Stopping server at :::80...
2019-07-01 17:10:13,722:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1250, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 410, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 353, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 389, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 168, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 239, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. robust5.mqtt.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://robust5.$

I don't think that's the correct value to use for your FAKE_DNS. You probably want the IP address of the docker0 interface on your host machine. That looks like the IP of a more traditional network interface.

On my machine docker0 is configured like this:

$ ip address show docker0
8: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:df:27:d8:c3 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever

and so I use the FAKE_DNS value 172.17.0.1 when I want my Boulder container to resolve queries to my host machine.

A lightweight way to verify you have the correct IP address is to run a netcat listener on port 80 on your host:

sudo nc -l 80

and then, from within the Boulder container, try to connect to it:

 docker-compose run boulder curl <FAKE_DNS address you've configured here>

If everything is configured correctly you should see

curl: (52) Empty reply from server

and not any errors about connections being refused or problems routing to the host.
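
What the validating side of http-01 does with the address it resolves, as an added example (not code from this thread or from Boulder): it connects to the resolved IP on the configured HTTP port, requests the token path with the hostname as Host, and compares the body with the key authorization. The hostname, token, loopback address and ephemeral ports are constructed so that it runs offline; the failure outcomes mirror the `connection` and `unauthorized` errors quoted in this thread.

```python
import http.client
import http.server
import socket
import threading

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def validate_http01(hostname, token, key_authorization, resolved_ip,
                    http_port=80, timeout=3.0):
    """Fetch an http-01 challenge the way a validation authority would.

    resolved_ip is what the VA's resolver returned for hostname (with FAKE_DNS
    every name gets the same answer); http_port plays the role of va.json's
    portConfig.httpPort. Redirects are not followed in this sketch.
    """
    record = {"hostname": hostname, "port": str(http_port),
              "addressUsed": resolved_ip}
    result = {"status": "invalid", "error": None, "detail": "",
              "validationRecord": record}
    conn = http.client.HTTPConnection(resolved_ip, http_port, timeout=timeout)
    try:
        # Connect to the resolved address, but ask for the requested name.
        conn.request("GET", CHALLENGE_PREFIX + token, headers={"Host": hostname})
        resp = conn.getresponse()
        body = resp.read(4096).decode("utf-8", "replace")
    except (OSError, http.client.HTTPException) as exc:
        # Nothing listening on that address/port, or no route from the VA.
        result["error"] = "connection"
        result["detail"] = "could not connect to %s:%d: %s" % (
            resolved_ip, http_port, exc)
        return result
    finally:
        conn.close()
    if resp.status != 200:
        # A web server answered, but it is not the one holding the challenge.
        result["error"] = "unauthorized"
        result["detail"] = "invalid response (HTTP %d) from %s" % (
            resp.status, resolved_ip)
    elif body.rstrip() != key_authorization:
        # Trailing whitespace is ignored before comparing.
        result["error"] = "unauthorized"
        result["detail"] = "key authorization did not match [%s] != [%s]" % (
            key_authorization, body.rstrip())
    else:
        result["status"] = "valid"
    return result


def start_challenge_server(responses):
    """Serve {token: body} on 127.0.0.1 and answer 404 for everything else.

    Stands in for the temporary web server of `certbot --standalone`.
    """
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            token = None
            if self.path.startswith(CHALLENGE_PREFIX):
                token = self.path[len(CHALLENGE_PREFIX):]
            body = responses.get(token)
            if body is None:
                self.send_error(404)
                return
            data = body.encode()
            self.send_response(200)
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)

        def log_message(self, *args):  # keep the demo quiet
            pass

    server = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def unused_port():
    """Return a loopback port that nothing is listening on."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def run_demo():
    # Constructed sample values; different ports model different machines.
    token = "constructed-token"
    key_auth = token + ".constructed-account-thumbprint"
    servers = {
        "certbot client": start_challenge_server({token: key_auth}),
        "other web server": start_challenge_server({}),
        "empty body": start_challenge_server({token: ""}),
    }
    ports = {name: srv.server_address[1] for name, srv in servers.items()}
    ports["nothing listening"] = unused_port()
    try:
        return {name: validate_http01("client.example", token, key_auth,
                                      "127.0.0.1", port)
                for name, port in ports.items()}
    finally:
        for srv in servers.values():
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(name, "->", outcome["status"], outcome["error"], outcome["detail"])
```

Comparing `addressUsed` in a failed validation record with the address of the machine running certbot shows which of these cases applies.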

Thank you so much.

Now I created a certificate from the Boulder machine (the Boulder machine IP address is 192.168.6.91, and the certificate robust6.mqtt.com machine IP address is 192.168.6.91).

I ran "certbot certonly --standalone --server http://192.168.6.91:4000/directory -d robust6.mqtt.com" and created the certificate.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Starting new HTTP connection (1): 192.168.6.91
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for robust6.mqtt.com
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/robust6.mqtt.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/robust6.mqtt.com/privkey.pem
   Your cert will expire on 2019-09-30. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Now I want to create another machine from the Boulder server. (90machine.com is 192.168.6.90)

I ran the same command: "certbot certonly --standalone --server http://192.168.6.91:4000/directory -d 90machine.com"

I am getting this error:

2019-07-02 13:50:20,862:DEBUG:certbot.main:certbot version: 0.31.0
2019-07-02 13:50:20,863:DEBUG:certbot.main:Arguments: ['--standalone', '--server', 'http://192.168.6.91:4000/directory', '-d', '90machine.com']
2019-07-02 13:50:20,864:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-07-02 13:50:20,873:DEBUG:certbot.log:Root logging level set at 20
2019-07-02 13:50:20,873:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-07-02 13:50:20,874:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer None
2019-07-02 13:50:20,970:DEBUG:certbot.plugins.selection:Single candidate plugin: * standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator
Initialized: <certbot.plugins.standalone.Authenticator object at 0x7fc06dc41d30>
Prep: True
2019-07-02 13:50:20,970:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.standalone.Authenticator object at 0x7fc06dc41d30> and installer None
2019-07-02 13:50:20,971:INFO:certbot.plugins.selection:Plugins selected: Authenticator standalone, Installer None
2019-07-02 13:50:20,992:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(uri='http://192.168.6.91:4000/acme/reg/1', body=Registration(key=None, only_return_existing=None, agreement=None, con$
2019-07-02 13:50:20,994:DEBUG:acme.client:Sending GET request to http://192.168.6.91:4000/directory.
2019-07-02 13:50:20,998:INFO:requests.packages.urllib3.connectionpool:Starting new HTTP connection (1): 192.168.6.91
2019-07-02 13:50:21,000:DEBUG:requests.packages.urllib3.connectionpool:"GET /directory HTTP/1.1" 200 584
2019-07-02 13:50:21,000:DEBUG:acme.client:Received response:
HTTP 200
Replay-Nonce: c0XbNFDpe4xKUjBQssKwDt2Y7nPT9vhylO3AUVEJstk
Content-Length: 584
Date: Tue, 02 Jul 2019 10:50:21 GMT
Content-Type: application/json
Cache-Control: public, max-age=0, no-cache

{
  "0LCSy3shuuc": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "key-change": "http://192.168.6.91:4000/acme/key-change",
  "meta": {
    "caaIdentities": [
      "happy-hacker-ca.invalid"
    ],
    "terms-of-service": "http://boulder:4000/terms/v1",
    "website": "https://github.com/letsencrypt/boulder"
  },
  "new-authz": "http://192.168.6.91:4000/acme/new-authz",
  "new-cert": "http://192.168.6.91:4000/acme/new-cert",
  "new-reg": "http://192.168.6.91:4000/acme/new-reg",
  "revoke-cert": "http://192.168.6.91:4000/acme/revoke-cert"
}
2019-07-02 13:50:21,001:INFO:certbot.main:Obtaining a new certificate
2019-07-02 13:50:21,073:DEBUG:certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0022_key-certbot.pem
2019-07-02 13:50:21,076:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0175_csr-certbot.pem
2019-07-02 13:50:21,078:DEBUG:acme.client:Requesting fresh nonce
2019-07-02 13:50:21,078:DEBUG:acme.client:Sending HEAD request to http://192.168.6.91:4000/acme/new-authz.
2019-07-02 13:50:21,080:DEBUG:requests.packages.urllib3.connectionpool:"HEAD /acme/new-authz HTTP/1.1" 405 0
2019-07-02 13:50:21,080:DEBUG:acme.client:Received response:
HTTP 405
Allow: POST
Content-Type: application/problem+json
Cache-Control: public, max-age=0, no-cache
Replay-Nonce: 3drmU-5f1R__UbS1mm6RB7reAKMjKNVp85Lg72hvO20
Content-Length: 91
Date: Tue, 02 Jul 2019 10:50:21 GMT


2019-07-02 13:50:21,080:DEBUG:acme.client:Storing nonce: 3drmU-5f1R__UbS1mm6RB7reAKMjKNVp85Lg72hvO20
2019-07-02 13:50:21,081:DEBUG:acme.client:JWS payload:
b'{\n  "resource": "new-authz",\n  "identifier": {\n    "type": "dns",\n    "value": "90machine.com"\n  }\n}'
2019-07-02 13:50:21,084:DEBUG:acme.client:Sending POST request to http://192.168.6.91:4000/acme/new-authz:
{
  "payload": "ewogICJyZXNvdXJjZSI6ICJuZXctYXV0aHoiLAogICJpZGVudGlmaWVyIjogewogICAgInR5cGUiOiAiZG5zIiwKICAgICJ2YWx1ZSI6ICI5MG1hY2hpbmUuY29tIgogIH0KfQ",
  "signature": "IbNffHrHU-inoYKss3_SJyCoIn3O2lrnobinG_TvlUlaGjDo66TtcF8hVKcEfOl_JhWyR67_o3tBMAIpZdc18QVSgbEGpEdrzY5akte0syMCuvJIeNwPzH9srUbdnS-GwhK9hYNpjA3Eavw6Oh-Fhcs3tdYn98GMNaOMZQiDF_-nZM-xjigv2JjS6x3SQB$
  "protected": "eyJub25jZSI6ICIzZHJtVS01ZjFSX19VYlMxbW02UkI3cmVBS01qS05WcDg1TGc3Mmh2TzIwIiwgImp3ayI6IHsiZSI6ICJBUUFCIiwgImt0eSI6ICJSU0EiLCAibiI6ICJ6VVQzUnFNajZySUdleHBISHo5SmhNSEUtazNKajhaaUY2NER3VDR1a3ZCVi$
}
2019-07-02 13:50:21,097:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/new-authz HTTP/1.1" 201 932
2019-07-02 13:50:21,098:DEBUG:acme.client:Received response:
HTTP 201
Boulder-Requester: 1
Location: http://192.168.6.91:4000/acme/authz/BIkyMv7ipufPgVwhLZ4AdEqgOky12n7ztzsK4NQlHmw
Content-Type: application/json
Cache-Control: public, max-age=0, no-cache
Replay-Nonce: rb91cKmt3COnwWqpFN47d09V5oKzh_JNHvZ0sjmLePE
Content-Length: 932
Date: Tue, 02 Jul 2019 10:50:21 GMT
Link: <http://192.168.6.91:4000/acme/new-cert>;rel="next"

{
  "identifier": {
    "type": "dns",
    "value": "90machine.com"
  },
  "status": "pending",
  "expires": "2019-07-09T10:50:21Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "http://192.168.6.91:4000/acme/challenge/BIkyMv7ipufPgVwhLZ4AdEqgOky12n7ztzsK4NQlHmw/67",
      "token": "upsLBiUDediySFCKAsPKJp29bYL3FNsaw6Y6dRK6seo"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "uri": "http://192.168.6.91:4000/acme/challenge/BIkyMv7ipufPgVwhLZ4AdEqgOky12n7ztzsK4NQlHmw/68",
      "token": "1QdCP-oWB68dMwpECxQuQKEX2Pk0J1FYrWindv2C2E0"
    },
    {
      "type": "http-01",
      "status": "pending",
      "uri": "http://192.168.6.91:4000/acme/challenge/BIkyMv7ipufPgVwhLZ4AdEqgOky12n7ztzsK4NQlHmw/69",
      "token": "ZAWs2gnvWWH5X9FV6s_hkEM6dN3V7-_0Wn50ZD8hQec"
    }
  ],
  "combinations": [
    [
      0
    ],
    [
      1
    ],
    [
      2
    ]
  ]
}
2019-07-02 13:50:21,098:DEBUG:acme.client:Storing nonce: rb91cKmt3COnwWqpFN47d09V5oKzh_JNHvZ0sjmLePE
2019-07-02 13:50:21,098:INFO:certbot.auth_handler:Performing the following challenges:
2019-07-02 13:50:21,099:INFO:certbot.auth_handler:http-01 challenge for 90machine.com
2019-07-02 13:50:21,099:DEBUG:acme.standalone:Successfully bound to :80 using IPv6
2019-07-02 13:50:21,100:DEBUG:acme.standalone:Certbot wasn't able to bind to :80 using IPv4, this is often expected due to the dual stack nature of IPv6 socket implementations.
2019-07-02 13:50:21,104:INFO:certbot.auth_handler:Waiting for verification...
2019-07-02 13:50:21,104:DEBUG:acme.client:JWS payload:
b'{\n  "resource": "challenge",\n  "type": "http-01",\n  "keyAuthorization": "ZAWs2gnvWWH5X9FV6s_hkEM6dN3V7-_0Wn50ZD8hQec.ss4YGWuApXIi2eRFeAmBTZtBUeYN9BCT_j8039ur23Y"\n}'
2019-07-02 13:50:21,107:DEBUG:acme.client:Sending POST request to http://192.168.6.91:4000/acme/challenge/BIkyMv7ipufPgVwhLZ4AdEqgOky12n7ztzsK4NQlHmw/69:
{
  "payload": "ewogICJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiLAogICJ0eXBlIjogImh0dHAtMDEiLAogICJrZXlBdXRob3JpemF0aW9uIjogIlpBV3MyZ252V1dINVg5RlY2c19oa0VNNmROM1Y3LV8wV241MFpEOGhRZWMuc3M0WUdXdUFwWElpMmVSRmVBbUJUWnRCVWVZ$
  "signature": "aQDQd5f5rk9nOQK1bKZJwHMI7yynUWSa2N0Vf_ZWuvW8Z8rS5ncZJAIcozgyG4z_BO1Ipr01hMe7Rzx9DMJWlI3RtUhOmIkklumg3r2KwWwd4xhqnIT7e6FMZIiEsWOL6m1HbxDBCJNRmyqwKfH_-D_fJaTtFBsvo3jHcgaq18wFUGtLUh_e_01oPn27Ml$
  "protected": "eyJub25jZSI6ICJyYjkxY0ttdDNDT253V3FwRk40N2QwOVY1b0t6aF9KTkh2WjBzam1MZVBFIiwgImp3ayI6IHsiZSI6ICJBUUFCIiwgImt0eSI6ICJSU0EiLCAibiI6ICJ6VVQzUnFNajZySUdleHBISHo5SmhNSEUtazNKajhaaUY2NER3VDR1a3ZCVi$
}
2019-07-02 13:50:21,114:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/challenge/BIkyMv7ipufPgVwhLZ4AdEqgOky12n7ztzsK4NQlHmw/69 HTTP/1.1" 202 316
2019-07-02 13:50:21,115:DEBUG:acme.client:Received response:
HTTP 202
Boulder-Requester: 1
Location: http://192.168.6.91:4000/acme/challenge/BIkyMv7ipufPgVwhLZ4AdEqgOky12n7ztzsK4NQlHmw/69
Content-Type: application/json
Cache-Control: public, max-age=0, no-cache
Replay-Nonce: UFuiWDTfCpS0cjZeZZMjgas1HmR-LRujK_cmJ3ueRTw
Content-Length: 316
Date: Tue, 02 Jul 2019 10:50:21 GMT
Link: <http://192.168.6.91:4000/acme/authz/BIkyMv7ipufPgVwhLZ4AdEqgOky12n7ztzsK4NQlHmw>;rel="up"

{
  "type": "http-01",
  "status": "pending",
  "uri": "http://192.168.6.91:4000/acme/challenge/BIkyMv7ipufPgVwhLZ4AdEqgOky12n7ztzsK4NQlHmw/69",
  "token": "ZAWs2gnvWWH5X9FV6s_hkEM6dN3V7-_0Wn50ZD8hQec",
  "keyAuthorization": "ZAWs2gnvWWH5X9FV6s_hkEM6dN3V7-_0Wn50ZD8hQec.ss4YGWuApXIi2eRFeAmBTZtBUeYN9BCT_j8039ur23Y"
}
2019-07-02 13:50:21,115:DEBUG:acme.client:Storing nonce: UFuiWDTfCpS0cjZeZZMjgas1HmR-LRujK_cmJ3ueRTw
2019-07-02 13:50:24,118:DEBUG:acme.client:Sending GET request to http://192.168.6.91:4000/acme/authz/BIkyMv7ipufPgVwhLZ4AdEqgOky12n7ztzsK4NQlHmw.
2019-07-02 13:50:24,124:DEBUG:requests.packages.urllib3.connectionpool:"GET /acme/authz/BIkyMv7ipufPgVwhLZ4AdEqgOky12n7ztzsK4NQlHmw HTTP/1.1" 200 1792
2019-07-02 13:50:24,124:DEBUG:acme.client:Received response:
HTTP 200
Date: Tue, 02 Jul 2019 10:50:24 GMT
Content-Type: application/json
Link: <http://192.168.6.91:4000/acme/new-cert>;rel="next"
Replay-Nonce: 3B-E02JPV82BA-K1uY4PisZ9NDmHpMvVPLEQdbO4NyI
Content-Length: 1792
Cache-Control: public, max-age=0, no-cache

{
  "identifier": {
    "type": "dns",
    "value": "90machine.com"
  },
  "status": "invalid",
  "expires": "2019-07-09T10:50:21Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "invalid",
      "uri": "http://192.168.6.91:4000/acme/challenge/BIkyMv7ipufPgVwhLZ4AdEqgOky12n7ztzsK4NQlHmw/67",
      "token": "upsLBiUDediySFCKAsPKJp29bYL3FNsaw6Y6dRK6seo"
    },
    {
      "type": "tls-alpn-01",
      "status": "invalid",
      "uri": "http://192.168.6.91:4000/acme/challenge/BIkyMv7ipufPgVwhLZ4AdEqgOky12n7ztzsK4NQlHmw/68",
      "token": "1QdCP-oWB68dMwpECxQuQKEX2Pk0J1FYrWindv2C2E0"
    },
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:acme:error:unauthorized",
        "detail": "Invalid response from http://90machine.com/.well-known/acme-challenge/ZAWs2gnvWWH5X9FV6s_hkEM6dN3V7-_0Wn50ZD8hQec [172.17.0.1]: \"\u003chtml\u003e\\r\\n\u003chead\u003e\u003ctitle\u003e40$
    "status": 403
      },
      "uri": "http://192.168.6.91:4000/acme/challenge/BIkyMv7ipufPgVwhLZ4AdEqgOky12n7ztzsK4NQlHmw/69",
      "token": "ZAWs2gnvWWH5X9FV6s_hkEM6dN3V7-_0Wn50ZD8hQec",
      "validationRecord": [
        {
          "url": "http://90machine.com/.well-known/acme-challenge/ZAWs2gnvWWH5X9FV6s_hkEM6dN3V7-_0Wn50ZD8hQec",
          "hostname": "90machine.com",
          "port": "80",
          "addressesResolved": [
            "172.17.0.1"
          ],
          "addressUsed": "172.17.0.1"
        }
      ]
    }
  ],
  "combinations": [
    [
      0
    ],
    [
      1
    ],
    [
      2
    ]
]
}
2019-07-02 13:50:24,125:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: 90machine.com
Type:   unauthorized
Detail: Invalid response from http://90machine.com/.well-known/acme-challenge/ZAWs2gnvWWH5X9FV6s_hkEM6dN3V7-_0Wn50ZD8hQec [172.17.0.1]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=$

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
2019-07-02 13:50:24,125:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 168, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 239, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. 90machine.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://90machine.c$

2019-07-02 13:50:24,126:DEBUG:certbot.error_handler:Calling registered functions
2019-07-02 13:50:24,126:INFO:certbot.auth_handler:Cleaning up challenges
2019-07-02 13:50:24,126:DEBUG:certbot.plugins.standalone:Stopping server at :::80...
2019-07-02 13:50:24,605:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
   return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1250, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 410, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 353, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 389, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 168, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 239, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. 90machine.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://90machine.c$

Do you have any idea what the reason for this is?

@oemegil06 The reason is in the problem detail: the HTTP server that Boulder's VA connected to didn't return the expected HTTP-01 key authorization for the challenge being validated; it returned a 404 HTML document.

This doesn't appear to be a Boulder problem; likely the IP address is incorrect, or the Certbot standalone server you're running isn't what is responding to the validation request.

Good luck with the rest of your experimentation,
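
As an added example (not part of the original thread, and not Certbot or Boulder code): a small Python triage that reads an authorization object shaped like the one logged above and reports, for each failed http-01 challenge, which address the CA actually contacted and whether it is the machine expected to be answering. The sample JSON, its hostname and tokens, the function name `triage_http01` and the expected address `192.0.2.10` are constructed placeholders.

```python
import json

# Constructed sample in the shape of the authorization object logged above
# (Boulder / ACME v1 style). Hostname, tokens and addresses are placeholders.
SAMPLE_AUTHZ = json.dumps({
    "identifier": {"type": "dns", "value": "host.example"},
    "status": "invalid",
    "challenges": [
        {"type": "dns-01", "status": "invalid", "token": "CONSTRUCTED-TOKEN-A"},
        {"type": "http-01", "status": "invalid", "token": "CONSTRUCTED-TOKEN-B",
         "error": {"type": "urn:acme:error:unauthorized",
                   "detail": "Invalid response (constructed)", "status": 403},
         "validationRecord": [{
             "url": "http://host.example/.well-known/acme-challenge/CONSTRUCTED-TOKEN-B",
             "hostname": "host.example", "port": "80",
             "addressesResolved": ["172.17.0.1"],
             "addressUsed": "172.17.0.1"}]},
    ],
})

# What each error type seen in this thread says about the validation attempt.
HINTS = {
    "connection": "nothing accepted the TCP connection on the validated address and port",
    "unauthorized": "a web server answered, but not with the key authorization",
}

def triage_http01(authz_json, expected_addrs):
    """Return one finding per failed http-01 challenge in an authorization."""
    authz = json.loads(authz_json)
    findings = []
    for chall in authz.get("challenges", []):
        err = chall.get("error")
        if chall.get("type") != "http-01" or not err:
            continue
        kind = err.get("type", "").rsplit(":", 1)[-1]
        records = chall.get("validationRecord", [])
        used = [r["addressUsed"] for r in records if r.get("addressUsed")]
        findings.append({
            "domain": authz["identifier"]["value"],
            "error": kind,
            "hint": HINTS.get(kind, "see the error detail"),
            "address_used": used,
            # Addresses the CA contacted that are not the ACME client's host.
            "unexpected": sorted(set(used) - set(expected_addrs)),
        })
    return findings

if __name__ == "__main__":
    for finding in triage_http01(SAMPLE_AUTHZ, {"192.0.2.10"}):
        print(finding)
```

A non-empty `unexpected` list means the name resolved, from the CA's point of view, to a host other than the one running the standalone server.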
