Let's Encrypt fails to validate domain

NethServer Version: 7.9.2009
Module: Let’s Encrypt Cert

The certificate got messed up through some hardware change. I applied for a new certificate; the result was denied, unable to validate the domain. Let's Debug shows that there is no
ANotWorking

ERROR

mddomain has an A (IPv4) record (135.180.185.75) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.

Get “http:/mydomain/.well-known/acme-challenge/letsdebug-test”: dial tcp 135.180.185.xxx:80: connect: no route to host

Trace:
@0ms: Making a request to http://remote.billeskov.us/.well-known/acme-challenge/letsdebug-test (using initial IP 135.180.185.xxx)
@0ms: Dialing 135.180.185.xxx
@3081ms: Experienced error: dial tcp 135.180.185.xxx:80: connect: no route to host

IssueFromLetsEncrypt

ERROR

A test authorization for remote.billeskov.us to the Let’s Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.

135.180.185.xxx: Fetching http://mydomain/.well-known/acme-challenge/e44rBAUF_UbNGXKy-KA0cG4PtVil6G9AAyBr6yZKb40: Error getting validation data

As far as I can tell, port 80 is open and the firewall so indicates. The DNS A and CNAME records are correct.

The logs at /var/log/letsencrypt show the following:

2023-03-18 12:51:31,501:DEBUG:certbot._internal.main:certbot version: 1.11.0
2023-03-18 12:51:31,501:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2023-03-18 12:51:31,502:DEBUG:certbot._internal.main:Arguments: ['--text', '--non-interactive', '--agree-tos', '--email', 'me@mydomain', '--preferred-challenges', 'http', '--webroot', '--webroot-path', '/var/www/html/', '-d', 'mydomain', '--test-cert', '--preferred-chain', 'ISRG Root X1', '--quiet']
2023-03-18 12:51:31,502:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2023-03-18 12:51:33,204:DEBUG:certbot._internal.log:Root logging level set at 30
2023-03-18 12:51:33,205:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2023-03-18 12:51:33,208:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
2023-03-18 12:51:33,218:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
Initialized: <certbot._internal.plugins.webroot.Authenticator object at 0x7f0c127f2f10>
Prep: True
2023-03-18 12:51:33,219:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.webroot.Authenticator object at 0x7f0c127f2f10> and installer None
2023-03-18 12:51:33,220:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2023-03-18 12:51:33,751:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
2023-03-18 12:51:33,805:INFO:urllib3.connectionpool:Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
2023-03-18 12:51:33,948:DEBUG:urllib3.connectionpool:"GET /directory HTTP/1.1" 200 830
2023-03-18 12:51:33,950:DEBUG:acme.client:Received response:
HTTP 200
content-length: 830
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
cache-control: public, max-age=0, no-cache
date: Sat, 18 Mar 2023 19:51:33 GMT
x-frame-options: DENY
content-type: application/json

{
"TttCUJTmeLk": "Adding random entries to the directory - API Announcements - Let's Encrypt Community Support",
"keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf",
"website": "Staging Environment - Let's Encrypt"
},
"newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
"renewalInfo": "https://acme-staging-v02.api.letsencrypt.org/get/draft-ietf-acme-ari-00/renewalInfo/",
"revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert"
}

I have no clue what is going on here. Can anyone tell what’s wrong here?
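An added example, not from this thread and not certbot's or NethServer's own code, that walks the two halves of the HTTP-01 webroot flow the certbot log above shows: the authenticator drops a token under `<webroot>/.well-known/acme-challenge/`, and the validator fetches it over plain HTTP on port 80, which is exactly the request Let's Debug could not complete. It assumes a temporary directory in place of `/var/www/html/` and a local `http.server` in place of the site's web server, so it runs offline and then reproduces the unreachable-port failure by retrying after the server is closed.

```python
# Offline self-check of the HTTP-01 webroot flow certbot's webroot plugin relies on. Example
# code, not certbot's or NethServer's: a temp dir stands in for /var/www/html/, http.server for the web server.
import http.server
import secrets
import socket
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from pathlib import Path

CHALLENGE_DIR = ".well-known/acme-challenge"

class QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo's stderr quiet
        pass

def place_token(webroot: str) -> tuple[str, str]:
    """Authenticator step: write <webroot>/.well-known/acme-challenge/<token>."""
    token = secrets.token_urlsafe(32)
    body = f"{token}.constructed-key-authorization"  # certbot appends the account key thumbprint
    path = Path(webroot) / CHALLENGE_DIR / token
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(body)
    return token, body

def fetch_challenge(host: str, port: int, token: str, timeout: float = 3.0) -> tuple[bool, str]:
    """Validator step: plain-HTTP GET of the token; an unanswered port gives (False, error)."""
    url = f"http://{host}:{port}/{CHALLENGE_DIR}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status == 200, resp.read().decode()
    except urllib.error.HTTPError as e:
        return False, f"HTTP {e.code}"
    except (urllib.error.URLError, OSError) as e:  # refused, no route to host, timeout
        return False, f"connect failed: {e}"

def self_test() -> dict:
    """Good path against a live local server, then the same GET once nothing listens (ANotWorking)."""
    webroot = tempfile.mkdtemp()
    token, expected = place_token(webroot)
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), partial(QuietHandler, directory=webroot))
    port = srv.server_address[1]
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    ok, body = fetch_challenge("127.0.0.1", port, token)
    srv.shutdown()
    srv.server_close()  # port released: the next GET must fail at connect, as in the thread
    bad_ok, detail = fetch_challenge("127.0.0.1", port, token, timeout=1.0)
    return {"served": ok and body == expected, "dead_port_detected": not bad_ok, "detail": detail}
```

Run `self_test()` on the server itself to confirm the webroot path is served at all; if that passes but Let's Debug still fails, the problem is between the internet and port 80 (routing, NAT or upstream filtering), not the webroot.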

I’m also having trouble; your server doesn’t seem to be responding on port 80:

 dan@Dan-MBP-2019  ~  curl http://remote.billeskov.us/.well-known/acme-challenge/letsdebug-test
curl: (7) Failed to connect to remote.billeskov.us port 80 after 7185 ms: Couldn't connect to server

Traceroute is having problems too:

 ✘ dan@Dan-MBP-2019  ~  traceroute remote.billeskov.us
traceroute to remote.billeskov.us (135.180.185.75), 64 hops max, 52 byte packets
[first few snipped]
 5  96.108.42.1 (96.108.42.1)  22.148 ms  18.882 ms  13.936 ms
 6  ae-25-ar02.westside.fl.jacksvil.comcast.net (68.86.168.49)  19.605 ms  16.797 ms  16.092 ms
 7  be-33612-cs01.56marietta.ga.ibone.comcast.net (96.110.43.113)  29.123 ms
    be-33622-cs02.56marietta.ga.ibone.comcast.net (96.110.43.117)  29.999 ms  33.944 ms
 8  be-2111-pe11.56marietta.ga.ibone.comcast.net (96.110.32.22)  30.222 ms
    be-2411-pe11.56marietta.ga.ibone.comcast.net (96.110.32.34)  29.834 ms
    be-2111-pe11.56marietta.ga.ibone.comcast.net (96.110.32.22)  33.141 ms
 9  * * be3039.ccr41.atl04.atlas.cogentco.com (154.54.10.117)  29.365 ms
10  be2848.ccr42.atl01.atlas.cogentco.com (154.54.6.117)  30.532 ms
    be2847.ccr41.atl01.atlas.cogentco.com (154.54.6.101)  32.029 ms
    be2848.ccr42.atl01.atlas.cogentco.com (154.54.6.117)  30.499 ms
11  be2690.ccr42.iah01.atlas.cogentco.com (154.54.28.130)  47.976 ms
    be2687.ccr41.iah01.atlas.cogentco.com (154.54.28.70)  44.543 ms
    be2690.ccr42.iah01.atlas.cogentco.com (154.54.28.130)  44.039 ms
12  be2927.ccr21.elp01.atlas.cogentco.com (154.54.29.222)  67.023 ms
    be2928.ccr21.elp01.atlas.cogentco.com (154.54.30.162)  118.522 ms
    be2927.ccr21.elp01.atlas.cogentco.com (154.54.29.222)  66.419 ms
13  be2929.ccr31.phx01.atlas.cogentco.com (154.54.42.65)  74.301 ms
    be2930.ccr32.phx01.atlas.cogentco.com (154.54.42.77)  74.781 ms  74.678 ms
14  be2931.ccr41.lax01.atlas.cogentco.com (154.54.44.86)  78.801 ms
    be2932.ccr42.lax01.atlas.cogentco.com (154.54.45.162)  77.404 ms
    be2931.ccr41.lax01.atlas.cogentco.com (154.54.44.86)  75.737 ms
15  be3176.ccr21.sjc01.atlas.cogentco.com (154.54.31.190)  84.687 ms  136.773 ms
    be3177.ccr22.sjc01.atlas.cogentco.com (154.54.40.146)  94.128 ms
16  be3142.ccr41.sjc03.atlas.cogentco.com (154.54.1.194)  86.617 ms
    be3144.ccr41.sjc03.atlas.cogentco.com (154.54.5.102)  86.098 ms  86.125 ms
17  be2431.ccr31.sjc04.atlas.cogentco.com (154.54.88.190)  108.522 ms  89.698 ms  85.308 ms
18  38.104.141.82 (38.104.141.82)  125.596 ms  84.321 ms  94.180 ms
19  102.ae1.cr1.pao1.sonic.net (70.36.205.5)  95.397 ms  89.894 ms  115.104 ms
20  * * *
21  0.ae4.cr3.colaca01.sonic.net (157.131.209.70)  164.620 ms  107.539 ms  165.546 ms
22  157-131-211-62.static.sonic.net (157.131.211.62)  292.622 ms  107.951 ms  108.870 ms
23  300.ae0.bras1.snmtca11.sonic.net (157.131.211.204)  98.143 ms  91.109 ms  87.929 ms
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
31  * * *
32  * * *
33  * * *
34  * * *
35  * * *
36  * * *
37  * * *

I have been working on another NethServer, with only one NIC, in order to have a router as the gateway. My life is in danger when internet connections go down, so I thought this might be an acceptable compromise since I am always messing with the server, and not always in a good way. Anyway, I have now switched to that server and have the same problem, except that I do not yet have mail set up.
But then again, I did not wait for the A and CNAME record changes to propagate. I will report back in a few hours.

Nothing has changed. Back to the original 2-NIC setup. At least I can still receive mail with this server.

I should mention that my one-NIC setup is a VM in Proxmox VE.