Validation of the required challenges did not complete successfully

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

desbloqueo.ti.ec.pe

I ran this command:

[initial setup] in CertifyTheWeb

It produced this output:

Validation of the required challenges did not complete successfully

My web server is (include version): Windows Server 2016 IIS 8.0

The operating system my web server runs on is (include version): windows server 2016

My hosting provider, if applicable, is:

AWS

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Certify SSL Manager

+++++++++++++++++++

2024-07-12 16:22:58.914 -05:00 [INF] [Progress] All Tests Completed OK
2024-07-12 16:23:48.223 -05:00 [INF] ---- Beginning Request [PSS] ----
2024-07-12 16:23:48.223 -05:00 [INF] Certify/6.0.18.0 (Windows; Microsoft Windows NT 10.0.14393.0)
2024-07-12 16:23:48.223 -05:00 [INF] Beginning certificate request process: PSS using ACME provider Anvil
2024-07-12 16:23:48.223 -05:00 [INF] The selected Certificate Authority is: Let's Encrypt
2024-07-12 16:23:48.223 -05:00 [INF] Requested identifiers to include on certificate: desbloqueo.ti.ec.pe [dns]
2024-07-12 16:23:49.192 -05:00 [INF] Created ACME Order: https://acme-v02.api.letsencrypt.org/acme/order/1833579347/286724012167
2024-07-12 16:23:50.130 -05:00 [INF] Got http-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/376186226997/f4s0zQ
2024-07-12 16:23:50.375 -05:00 [INF] Got dns-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/376186226997/XP33cA
2024-07-12 16:23:54.645 -05:00 [INF] Http Challenge Server process available.
2024-07-12 16:23:54.645 -05:00 [INF] Preparing automated challenge responses for: desbloqueo.ti.ec.pe [dns]
2024-07-12 16:23:54.645 -05:00 [INF] Preparing challenge response for the issuing Certificate Authority to check at: http://desbloqueo.ti.ec.pe/.well-known/acme-challenge/N_CRZ6PQzq2VIjVrnHZDus5wOUM_f3z75BhMLEns-cU with content N_CRZ6PQzq2VIjVrnHZDus5wOUM_f3z75BhMLEns-cU.mA_9A-P5ah4Ps3igrFpfH05EiYOzBR4xPaR0suLUflc
2024-07-12 16:23:54.645 -05:00 [INF] If the challenge response file is not accessible at this exact URL the validation will fail and a certificate will not be issued.
2024-07-12 16:23:54.659 -05:00 [INF] Using website path D:\WebApp\PSS
2024-07-12 16:23:54.660 -05:00 [INF] Checking URL is accessible: http://desbloqueo.ti.ec.pe/.well-known/acme-challenge/N_CRZ6PQzq2VIjVrnHZDus5wOUM_f3z75BhMLEns-cU [proxyAPI: True, timeout: 5000ms]
2024-07-12 16:23:59.676 -05:00 [WRN] Problem checking URL is accessible : http://desbloqueo.ti.ec.pe/.well-known/acme-challenge/N_CRZ6PQzq2VIjVrnHZDus5wOUM_f3z75BhMLEns-cU A task was canceled.
2024-07-12 16:23:59.677 -05:00 [INF] Checking URL is accessible: http://desbloqueo.ti.ec.pe/.well-known/acme-challenge/N_CRZ6PQzq2VIjVrnHZDus5wOUM_f3z75BhMLEns-cU [proxyAPI: False, timeout: 5000ms]
2024-07-12 16:23:59.801 -05:00 [INF] (local check) URL is accessible. Check passed. HTTP OK
2024-07-12 16:23:59.802 -05:00 [INF] Resuming certificate request using CA: Let's Encrypt
2024-07-12 16:23:59.802 -05:00 [INF] Attempting challenge response validation for: desbloqueo.ti.ec.pe [dns]
2024-07-12 16:23:59.802 -05:00 [INF] [Progress] Checking automated challenge response for: desbloqueo.ti.ec.pe [dns]
2024-07-12 16:23:59.802 -05:00 [INF] Submitting challenge for validation: desbloqueo.ti.ec.pe [dns] http://desbloqueo.ti.ec.pe/.well-known/acme-challenge/N_CRZ6PQzq2VIjVrnHZDus5wOUM_f3z75BhMLEns-cU
2024-07-12 16:24:03.518 -05:00 [INF] Waiting for the CA to validate the http-01 challenge response for: desbloqueo.ti.ec.pe [https://acme-v02.api.letsencrypt.org/acme/chall-v3/376186226997/f4s0zQ]
2024-07-12 16:24:06.762 -05:00 [INF] Waiting for the CA to validate the http-01 challenge response for: desbloqueo.ti.ec.pe [https://acme-v02.api.letsencrypt.org/acme/chall-v3/376186226997/f4s0zQ]
2024-07-12 16:24:10.024 -05:00 [INF] Waiting for the CA to validate the http-01 challenge response for: desbloqueo.ti.ec.pe [https://acme-v02.api.letsencrypt.org/acme/chall-v3/376186226997/f4s0zQ]
2024-07-12 16:24:13.274 -05:00 [INF] Waiting for the CA to validate the http-01 challenge response for: desbloqueo.ti.ec.pe [https://acme-v02.api.letsencrypt.org/acme/chall-v3/376186226997/f4s0zQ]
2024-07-12 16:24:13.512 -05:00 [ERR] [Progress] Validation failed: desbloqueo.ti.ec.pe [dns]
Response from Certificate Authority: 200.4.199.39: Fetching http://desbloqueo.ti.ec.pe/.well-known/acme-challenge/N_CRZ6PQzq2VIjVrnHZDus5wOUM_f3z75BhMLEns-cU: Timeout during connect (likely firewall problem) [BadRequest :: urn:ietf:params:acme:error:connection]
2024-07-12 16:24:13.527 -05:00 [ERR] Validation of the required challenges did not complete successfully. Validation failed: desbloqueo.ti.ec.pe [dns]
Response from Certificate Authority: 200.4.199.39: Fetching http://desbloqueo.ti.ec.pe/.well-known/acme-challenge/N_CRZ6PQzq2VIjVrnHZDus5wOUM_f3z75BhMLEns-cU: Timeout during connect (likely firewall problem) [BadRequest :: urn:ietf:params:acme:error:connection]
2024-07-12 16:27:18.152 -05:00 [INF] ---- Beginning Request [PSS] ----
2024-07-12 16:27:18.152 -05:00 [INF] Renewal Reason: Renewal attempt is due, item has failed 3 times.
2024-07-12 16:27:18.152 -05:00 [INF] Certify/6.0.18.0 (Windows; Microsoft Windows NT 10.0.14393.0)
2024-07-12 16:27:18.152 -05:00 [INF] Beginning certificate request process: PSS using ACME provider Anvil
2024-07-12 16:27:18.152 -05:00 [INF] The selected Certificate Authority is: Let's Encrypt
2024-07-12 16:27:18.152 -05:00 [INF] Requested identifiers to include on certificate: desbloqueo.ti.ec.pe [dns]
2024-07-12 16:27:19.456 -05:00 [INF] Created ACME Order: https://acme-v02.api.letsencrypt.org/acme/order/1833579347/286724654537
2024-07-12 16:27:20.996 -05:00 [INF] Got http-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/376187177667/l9AATg
2024-07-12 16:27:21.377 -05:00 [INF] Got dns-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/376187177667/xa9Kfw
2024-07-12 16:27:24.795 -05:00 [INF] Http Challenge Server process available.
2024-07-12 16:27:24.795 -05:00 [INF] Preparing automated challenge responses for: desbloqueo.ti.ec.pe [dns]
2024-07-12 16:27:24.795 -05:00 [INF] Preparing challenge response for the issuing Certificate Authority to check at: http://desbloqueo.ti.ec.pe/.well-known/acme-challenge/JJmzYt2BW8bQIAr_5y9mV8nPWNq_tEzEutlXPAeMw3g with content JJmzYt2BW8bQIAr_5y9mV8nPWNq_tEzEutlXPAeMw3g.mA_9A-P5ah4Ps3igrFpfH05EiYOzBR4xPaR0suLUflc
2024-07-12 16:27:24.795 -05:00 [INF] If the challenge response file is not accessible at this exact URL the validation will fail and a certificate will not be issued.
2024-07-12 16:27:24.809 -05:00 [INF] Using website path D:\WebApp\PSS
2024-07-12 16:27:24.811 -05:00 [INF] Checking URL is accessible: http://desbloqueo.ti.ec.pe/.well-known/acme-challenge/JJmzYt2BW8bQIAr_5y9mV8nPWNq_tEzEutlXPAeMw3g [proxyAPI: True, timeout: 5000ms]
2024-07-12 16:27:29.822 -05:00 [WRN] Problem checking URL is accessible : http://desbloqueo.ti.ec.pe/.well-known/acme-challenge/JJmzYt2BW8bQIAr_5y9mV8nPWNq_tEzEutlXPAeMw3g A task was canceled.
2024-07-12 16:27:29.823 -05:00 [INF] Checking URL is accessible: http://desbloqueo.ti.ec.pe/.well-known/acme-challenge/JJmzYt2BW8bQIAr_5y9mV8nPWNq_tEzEutlXPAeMw3g [proxyAPI: False, timeout: 5000ms]
2024-07-12 16:27:29.946 -05:00 [INF] (local check) URL is accessible. Check passed. HTTP OK
2024-07-12 16:27:29.946 -05:00 [INF] Resuming certificate request using CA: Let's Encrypt
2024-07-12 16:27:29.946 -05:00 [INF] Attempting challenge response validation for: desbloqueo.ti.ec.pe [dns]
2024-07-12 16:27:29.946 -05:00 [INF] [Progress] Checking automated challenge response for: desbloqueo.ti.ec.pe [dns]
2024-07-12 16:27:29.946 -05:00 [INF] Submitting challenge for validation: desbloqueo.ti.ec.pe [dns] http://desbloqueo.ti.ec.pe/.well-known/acme-challenge/JJmzYt2BW8bQIAr_5y9mV8nPWNq_tEzEutlXPAeMw3g
2024-07-12 16:27:34.100 -05:00 [INF] Waiting for the CA to validate the http-01 challenge response for: desbloqueo.ti.ec.pe [https://acme-v02.api.letsencrypt.org/acme/chall-v3/376187177667/l9AATg]
2024-07-12 16:27:37.493 -05:00 [INF] Waiting for the CA to validate the http-01 challenge response for: desbloqueo.ti.ec.pe [https://acme-v02.api.letsencrypt.org/acme/chall-v3/376187177667/l9AATg]
2024-07-12 16:27:40.883 -05:00 [INF] Waiting for the CA to validate the http-01 challenge response for: desbloqueo.ti.ec.pe [https://acme-v02.api.letsencrypt.org/acme/chall-v3/376187177667/l9AATg]
2024-07-12 16:27:41.280 -05:00 [ERR] [Progress] Validation failed: desbloqueo.ti.ec.pe [dns]
Response from Certificate Authority: 200.4.199.39: Fetching http://desbloqueo.ti.ec.pe/.well-known/acme-challenge/JJmzYt2BW8bQIAr_5y9mV8nPWNq_tEzEutlXPAeMw3g: Timeout during connect (likely firewall problem) [BadRequest :: urn:ietf:params:acme:error:connection]
2024-07-12 16:27:41.295 -05:00 [ERR] Validation of the required challenges did not complete successfully. Validation failed: desbloqueo.ti.ec.pe [dns]
Response from Certificate Authority: 200.4.199.39: Fetching http://desbloqueo.ti.ec.pe/.well-known/acme-challenge/JJmzYt2BW8bQIAr_5y9mV8nPWNq_tEzEutlXPAeMw3g: Timeout during connect (likely firewall problem) [BadRequest :: urn:ietf:params:acme:error:connection]
2024-07-12 17:16:02.205 -05:00 [INF] ---- Beginning Request [PSS] ----
2024-07-12 17:16:02.205 -05:00 [INF] Certify/6.0.18.0 (Windows; Microsoft Windows NT 10.0.14393.0)
2024-07-12 17:16:02.205 -05:00 [INF] Beginning certificate request process: PSS using ACME provider Anvil
2024-07-12 17:16:02.205 -05:00 [INF] The selected Certificate Authority is: Let's Encrypt
2024-07-12 17:16:02.205 -05:00 [INF] Requested identifiers to include on certificate: desbloqueo.ti.ec.pe [dns]
2024-07-12 17:16:03.960 -05:00 [INF] Created ACME Order: https://acme-v02.api.letsencrypt.org/acme/order/1833579347/286734612987
2024-07-12 17:16:05.078 -05:00 [INF] Got http-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/376201921007/igq8Xg
2024-07-12 17:16:05.337 -05:00 [INF] Got dns-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/376201921007/0iLuoQ
2024-07-12 17:16:08.637 -05:00 [INF] Http Challenge Server process available.
2024-07-12 17:16:08.637 -05:00 [INF] Preparing automated challenge responses for: desbloqueo.ti.ec.pe [dns]
2024-07-12 17:16:08.637 -05:00 [INF] Preparing challenge response for the issuing Certificate Authority to check at: http://desbloqueo.ti.ec.pe/.well-known/acme-challenge/wh8iziNk9AFYaiZs-zO0vPW_yHjtXfXOaf72TUXTCO8 with content wh8iziNk9AFYaiZs-zO0vPW_yHjtXfXOaf72TUXTCO8.mA_9A-P5ah4Ps3igrFpfH05EiYOzBR4xPaR0suLUflc
2024-07-12 17:16:08.637 -05:00 [INF] If the challenge response file is not accessible at this exact URL the validation will fail and a certificate will not be issued.
2024-07-12 17:16:08.652 -05:00 [INF] Using website path D:\WebApp\PSS
2024-07-12 17:16:08.655 -05:00 [INF] Checking URL is accessible: http://desbloqueo.ti.ec.pe/.well-known/acme-challenge/wh8iziNk9AFYaiZs-zO0vPW_yHjtXfXOaf72TUXTCO8 [proxyAPI: True, timeout: 5000ms]
2024-07-12 17:16:13.666 -05:00 [WRN] Problem checking URL is accessible : http://desbloqueo.ti.ec.pe/.well-known/acme-challenge/wh8iziNk9AFYaiZs-zO0vPW_yHjtXfXOaf72TUXTCO8 A task was canceled.
2024-07-12 17:16:13.666 -05:00 [INF] Checking URL is accessible: http://desbloqueo.ti.ec.pe/.well-known/acme-challenge/wh8iziNk9AFYaiZs-zO0vPW_yHjtXfXOaf72TUXTCO8 [proxyAPI: False, timeout: 5000ms]
2024-07-12 17:16:13.789 -05:00 [INF] (local check) URL is accessible. Check passed. HTTP OK
2024-07-12 17:16:13.789 -05:00 [INF] Resuming certificate request using CA: Let's Encrypt
2024-07-12 17:16:13.789 -05:00 [INF] Attempting challenge response validation for: desbloqueo.ti.ec.pe [dns]
2024-07-12 17:16:13.789 -05:00 [INF] [Progress] Checking automated challenge response for: desbloqueo.ti.ec.pe [dns]
2024-07-12 17:16:13.789 -05:00 [INF] Submitting challenge for validation: desbloqueo.ti.ec.pe [dns] http://desbloqueo.ti.ec.pe/.well-known/acme-challenge/wh8iziNk9AFYaiZs-zO0vPW_yHjtXfXOaf72TUXTCO8
2024-07-12 17:16:17.568 -05:00 [INF] Waiting for the CA to validate the http-01 challenge response for: desbloqueo.ti.ec.pe [https://acme-v02.api.letsencrypt.org/acme/chall-v3/376201921007/igq8Xg]
2024-07-12 17:16:20.835 -05:00 [INF] Waiting for the CA to validate the http-01 challenge response for: desbloqueo.ti.ec.pe [https://acme-v02.api.letsencrypt.org/acme/chall-v3/376201921007/igq8Xg]
2024-07-12 17:16:24.108 -05:00 [INF] Waiting for the CA to validate the http-01 challenge response for: desbloqueo.ti.ec.pe [https://acme-v02.api.letsencrypt.org/acme/chall-v3/376201921007/igq8Xg]
2024-07-12 17:16:27.383 -05:00 [INF] Waiting for the CA to validate the http-01 challenge response for: desbloqueo.ti.ec.pe [https://acme-v02.api.letsencrypt.org/acme/chall-v3/376201921007/igq8Xg]
2024-07-12 17:16:27.647 -05:00 [ERR] [Progress] Validation failed: desbloqueo.ti.ec.pe [dns]
Response from Certificate Authority: 200.4.199.39: Fetching http://desbloqueo.ti.ec.pe/.well-known/acme-challenge/wh8iziNk9AFYaiZs-zO0vPW_yHjtXfXOaf72TUXTCO8: Timeout during connect (likely firewall problem) [BadRequest :: urn:ietf:params:acme:error:connection]
2024-07-12 17:16:27.660 -05:00 [ERR] Validation of the required challenges did not complete successfully. Validation failed: desbloqueo.ti.ec.pe [dns]
Response from Certificate Authority: 200.4.199.39: Fetching http://desbloqueo.ti.ec.pe/.well-known/acme-challenge/wh8iziNk9AFYaiZs-zO0vPW_yHjtXfXOaf72TUXTCO8: Timeout during connect (likely firewall problem) [BadRequest :: urn:ietf:params:acme:error:connection]

1 Like

Welcome to the Let's Encrypt Community! :slightly_smiling_face:

While I surmise that this error message correctly indicates the likely problem:

I will call upon @webprofusion (author of Certify The Web) to assist

4 Likes

And, while we wait, you could check your Fortinet firewall. Make sure it allows inbound requests of the form below. That is needed to use an HTTP Challenge.

http://(domain)/.well-known/acme-challenge/ChallengeTokenValue

I can reach your domain using HTTPS (port 443) and see a cert issued by Fortinet. But, it does not allow any requests with HTTP (port 80). Not even for your "home" page.

3 Likes

Hi;

According to the logs, I verified that the URL check passed:

2024-07-16 14:07:27.492 -05:00 [INF] Checking URL is accessible: http://desbloqueo.ti.ec.pe/.well-known/acme-challenge/2yginGlJU-R_1TanJXG3MaiM2i-62jlk1PmXYQKEfdg [proxyAPI: True, timeout: 5000ms]
2024-07-16 14:07:27.554 -05:00 [INF] URL is accessible. Check passed.

++++++++++++++++

I can see that the CA is not responding:

2024-07-16 14:06:59.450 -05:00 [INF] Waiting for the CA to validate the http-01 challenge response for: desbloqueo.ti.ec.pe [https://acme-v02.api.letsencrypt.org/acme/chall-v3/377877769647/p9a-Kg]
2024-07-16 14:07:02.851 -05:00 [INF] Waiting for the CA to validate the http-01 challenge response for: desbloqueo.ti.ec.pe [https://acme-v02.api.letsencrypt.org/acme/chall-v3/377877769647/p9a-Kg]
2024-07-16 14:07:06.255 -05:00 [INF] Waiting for the CA to validate the http-01 challenge response for: desbloqueo.ti.ec.pe [https://acme-v02.api.letsencrypt.org/acme/chall-v3/377877769647/p9a-Kg]
2024-07-16 14:07:09.648 -05:00 [INF] Waiting for the CA to validate the http-01 challenge response for: desbloqueo.ti.ec.pe [https://acme-v02.api.letsencrypt.org/acme/chall-v3/377877769647/p9a-Kg]
2024-07-16 14:07:10.038 -05:00 [ERR] [Progress] Validation failed: desbloqueo.ti.ec.pe [dns]

I am pretty sure that is just the pre-check from Certify the Web running in your own network. Requests from the public internet still fail. You could try a mobile phone with wifi disabled to test from the carrier network.

From my own test server HTTP still fails but HTTPS sees a Fortinet cert and failure screen. My own test server runs in an AWS EC2 in US East Coast region.

curl -i -m7 http://desbloqueo.ti.ec.pe
curl: (28) Connection timed out after 7001 milliseconds

curl -ik -m7 https://desbloqueo.ti.ec.pe
HTTP/1.1 403 Forbidden

5 Likes

  • Could you please tell me what your public IP is, since you're trying to connect at 200.4.199.39?
  • I've requested to open port 80 for verification.

Could you please test again?

You can test that yourself using: https://letsdebug.net

I just retried that for your domain and it fails in the same way. Although, the response to HTTPS is now different. That connection uses your expired ZeroSSL cert now rather than the one from Fortinet.

I see you have been using certs from ZeroSSL for over 3 years. Is there some specific reason you are now trying Let's Encrypt?

5 Likes

Hi @Frank_Penia

I can confirm that your server is currently accessible to the public on TCP port 80 (or it could be nothing is listening).

If enabled, the HTTP pre-validation check that Certify does tests from your local machine (ProxyAPI:false) then remotely via the certifytheweb.com API (which is a Cloudflare worker, ProxyAPI:true). Currently either counts as a pass but really we should only count the remote as a pass and that will change in the future.

If the remote test works, usually Let's Encrypt's HTTP validation will work as well, but a couple of things can still stop validation working:

  • Firewalls filtering on specific user agent, e.g. preventing the Let's Encrypt validation servers
  • Firewalls filtering geographically or only allowing specific IP ranges. Let's Encrypt conducts validation from multiple geographic perspectives and you need to either allow all or just allow all http requests to /.well-known/acme-challenge/

As others have noted you have perhaps switched from using ZeroSSL to using Let's Encrypt, so validation traffic will be coming from new IPs and these IPs may constantly change.

As you noted, the CA did take a long time to complete HTTP validation according to one of your logs (when you did also have your firewall open). Intermittent CA API issues are expected and the app will eventually recover from things like that automatically.

I think your domain DNS is hosted with AWS, in which case you can also consider using DNS domain validation instead of HTTP validation if firewalls are going to be a problem. DNS Validation (dns-01) | Certify The Web Docs

4 Likes
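
The local versus remote pre-check distinction described in the reply above can be read straight out of a Certify log. This is an added example, not code from Certify The Web or from any poster in this thread: the function names `triage` and `verdict` are hypothetical, the message strings it matches are the ones visible in the logs quoted here, and the sample log is constructed from those lines with the token shortened.

```python
import re

# Constructed sample, abridged from the log format shown in this thread
# (challenge token shortened to TOKEN; not a verbatim capture).
SAMPLE_LOG = """\
2024-07-12 16:23:54.660 -05:00 [INF] Checking URL is accessible: http://desbloqueo.ti.ec.pe/.well-known/acme-challenge/TOKEN [proxyAPI: True, timeout: 5000ms]
2024-07-12 16:23:59.676 -05:00 [WRN] Problem checking URL is accessible : http://desbloqueo.ti.ec.pe/.well-known/acme-challenge/TOKEN A task was canceled.
2024-07-12 16:23:59.677 -05:00 [INF] Checking URL is accessible: http://desbloqueo.ti.ec.pe/.well-known/acme-challenge/TOKEN [proxyAPI: False, timeout: 5000ms]
2024-07-12 16:23:59.801 -05:00 [INF] (local check) URL is accessible. Check passed. HTTP OK
2024-07-12 16:24:13.512 -05:00 [ERR] [Progress] Validation failed: desbloqueo.ti.ec.pe [dns]
Response from Certificate Authority: 200.4.199.39: Fetching http://desbloqueo.ti.ec.pe/.well-known/acme-challenge/TOKEN: Timeout during connect (likely firewall problem) [BadRequest :: urn:ietf:params:acme:error:connection]
"""

# proxyAPI: True is the remote check via the certifytheweb.com API,
# proxyAPI: False is the check made from the local machine.
CHECK_RE = re.compile(r"Checking URL is accessible: \S+ \[proxyAPI: (True|False),")
CA_ERR_RE = re.compile(
    r"Response from Certificate Authority: .*\[\w+ :: (urn:ietf:params:acme:error:\w+)\]")

def triage(log_text):
    """Return the pre-check result per vantage point and the ACME error type."""
    result = {"remote": None, "local": None, "acme_error": None}
    pending = None  # vantage of the most recent pre-check still awaiting a result
    for line in log_text.splitlines():
        m = CHECK_RE.search(line)
        if m:
            pending = "remote" if m.group(1) == "True" else "local"
            continue
        if pending and "Problem checking URL is accessible" in line:
            result[pending], pending = "fail", None
        elif pending and "URL is accessible. Check passed" in line:
            result[pending], pending = "pass", None
        m = CA_ERR_RE.search(line)
        if m:
            result["acme_error"] = m.group(1)
    return result

def verdict(r):
    """Map the triage result to the cases discussed in the thread."""
    if r["remote"] == "fail" and r["local"] == "pass":
        return "reachable only from inside the network: inbound port 80 is filtered upstream"
    if r["remote"] == "pass" and r["acme_error"]:
        return "remote pre-check passed but the CA failed: check geo/IP/user-agent filtering"
    if r["acme_error"]:
        return "CA could not validate: " + r["acme_error"]
    return "no failure found"

if __name__ == "__main__":
    print(verdict(triage(SAMPLE_LOG)))
```

Only the remote result says anything about what the CA will see; a local pass alone, as in the first three requests logged above, is consistent with a firewall dropping inbound port 80.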
