Let's Encrypt not working (not renewing, not creating)

I have a community installation with Nextcloud installed on top of it; 10 days ago it stopped updating the Let’s Encrypt certificates.
It worked for almost 2 years without problems and then it stopped working. The server was NS 7.6, so hoping to fix it I updated the system to 7.8. Now the server is updated, but my problem persists.

  • Ports 80 and 443 can be reached without problems
  • I checked and there is no .htaccess blocking the system
  • In the logs I found:

Detail: Fetching http://mio.dominio.it/.well-known/acme-challenge/RAq12brFToPO0eGiOK115Pyt1DpKsQgO4yLipLArDgE: Timeout during connect (likely firewall problem)

So I tried disabling Shorewall.

I tried the one suggested here:

I canceled the certificate as suggested here and retried creating the certificate:

httpd -S

VirtualHost configuration:
*:443 is a NameVirtualHost
default server mio.dominio.it (/etc/httpd/conf.d/nethserver.conf:44)
port 443 namevhost mio.dominio.it (/etc/httpd/conf.d/nethserver.conf:44)
port 443 namevhost mio.dominio.it (/etc/httpd/conf.d/ssl.conf:56)
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex default: dir="/run/httpd/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
PidFile: "/run/httpd/httpd.pid"
Define: _RH_HAS_HTTPPROTOCOLOPTIONS
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48
Group: name="apache" id=48

Let's Encrypt log:

server: nginx
connection: keep-alive
link: https://acme-staging-v02.api.letsencrypt.org/directory;rel="index"
boulder-requester: 13894753
date: Thu, 28 May 2020 00:06:43 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 0002sOLioQXugUARvvKFo0ZUmORm1TxRYpGxfl3wl8cGTmg

{
  "identifier": {
    "type": "dns",
    "value": "mio.dominio.it"
  },
  "status": "invalid",
  "expires": "2020-06-04T00:06:32Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "Fetching http://mio.dominio.it/.well-known/acme-challenge/qXCZtey2qB_B0lquVTkFfcX0THM1xL8Nh2GjV7qZiw8: Timeout during connect (likely firewall problem)",
        "status": 400
      },
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/59761228/21G0zw",
      "token": "qXCZtey2qB_B0lquVTkFfcX0THM1xL8Nh2GjV7qZiw8",
      "validationRecord": [
        {
          "url": "http://mio.dominio.it/.well-known/acme-challenge/qXCZtey2qB_B0lquVTkFfcX0THM1xL8Nh2GjV7qZiw8",
          "hostname": "mio.dominio.it",
          "port": "80",
          "addressesResolved": [
            "88.123.99.11"
          ],
          "addressUsed": "88.123.99.11"
        }
      ]
    }
  ]
}
2020-05-28 02:06:43,266:DEBUG:acme.client:Storing nonce: 0002sOLioQXugUARvvKFo0ZUmORm1TxRYpGxfl3wl8cGTmg
2020-05-28 02:06:43,267:WARNING:certbot._internal.auth_handler:Challenge failed for domain mio.dominio.it
2020-05-28 02:06:43,267:INFO:certbot._internal.auth_handler:http-01 challenge for mio.dominio.it
2020-05-28 02:06:43,268:DEBUG:certbot._internal.reporter:Reporting to user: The following errors were reported by the server:

Domain: mio.dominio.it
Type: connection
Detail: Fetching http://mio.dominio.it/.well-known/acme-challenge/qXCZtey2qB_B0lquVTkFfcX0THM1xL8Nh2GjV7qZiw8: Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you’re using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
2020-05-28 02:06:43,269:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
AuthorizationError: Some challenges have failed.

2020-05-28 02:06:43,269:DEBUG:certbot._internal.error_handler:Calling registered functions
2020-05-28 02:06:43,270:INFO:certbot._internal.auth_handler:Cleaning up challenges
2020-05-28 02:06:43,270:DEBUG:certbot._internal.plugins.webroot:Removing /var/www/html/.well-known/acme-challenge/qXCZtey2qB_B0lquVTkFfcX0THM1xL8Nh2GjV7qZiw8
2020-05-28 02:06:43,270:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2020-05-28 02:06:43,271:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 9, in <module>
    load_entry_point('certbot==1.3.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 1347, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 1233, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/client.py", line 410, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/client.py", line 344, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/client.py", line 391, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
AuthorizationError: Some challenges have failed.

Hi Giordano,

Not long ago I started to have a strange problem with Let’s Encrypt having a hard time with one of the domains; error on checking - cannot communicate.
I checked all logs and deleted domain name after domain name to no avail, until I deleted the complete Let’s Encrypt folder and installed it again. All went fine after that.

I don’t know if it is related, but you should check your installation of Let’s Encrypt. Maybe corruption in one of the files?

Just my 2 cents,

Michel-André


Thanks, I’ll try tonight.

You linked to my post, but did you actually check all the things I said to check? Because when I try to go to http://mio.domino.it, I get a domain parking page that probably isn’t hosted on your Neth server, and when I run dig mio.domino.it, I get an error. domino.it exists (with an IP address of 213.215.227.61), but not mio.domino.it.

If you own domino.it, you need to add a DNS record for mio.

@danb35 I think that mio.dominio.it is just an obfuscation of the actual hostname/DNS domain.

Yes, right, same thing also for the IP address.

That’s going to make it harder to troubleshoot.

In that case, the IP address that Let’s Encrypt found (88.123.99.11) does indeed fail to respond to queries on port 80. It doesn’t refuse or block connections, it just doesn’t answer. So it’s back to the same steps I gave in my linked post above:

  • Make sure that actually is the correct external IP address for your domain.
  • Make sure your ISP hasn’t started blocking port 80
  • Make sure any firewalls in play (on the Neth box or elsewhere) allow connections on port 80 from the whole Internet. It was common (though incorrect) practice for some time to whitelist just a handful of IP addresses for Let’s Encrypt; this will no longer work
  • If your Neth server is behind a separate firewall, make sure the port forwarding rules are set correctly
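The checks in that list can be run mechanically from a machine outside your own network, which is what matters because Let's Encrypt validates from several vantage points rather than one fixed IP. The following is an added example in Python, not NethServer, certbot or danb35's code: it resolves the host, fetches a self-placed token file over port 80 the way the validator does, and maps the outcome onto the checklist. `mio.dominio.it`, the token and `88.123.99.11` are placeholders from the thread, and `resolve`/`fetch` are injectable so the classification can also be exercised offline with fakes.

```python
# Added diagnostic example (not NethServer or certbot code). Hostname, token
# and IP are constructed placeholders; DNS and HTTP go through injectable
# `resolve`/`fetch` callables so the verdict logic can also run offline.
import socket
import urllib.error
import urllib.request


def default_resolve(host):
    """A records DNS currently publishes for `host` (empty list if none)."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(host, 80, socket.AF_INET)})
    except socket.gaierror:
        return []


def default_fetch(url, timeout):
    """Fetch `url` over plain HTTP like the validator; returns (kind, status, body)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return ("ok", resp.status, resp.read().decode("ascii", "replace"))
    except urllib.error.HTTPError as e:          # 404 etc.: port 80 does answer
        return ("ok", e.code, "")
    except (urllib.error.URLError, OSError) as e:
        reason = getattr(e, "reason", e)
        if isinstance(reason, socket.timeout) or "timed out" in str(reason):
            return ("timeout", None, str(reason))   # SYN dropped: the thread's symptom
        return ("refused", None, str(reason))       # RST/unreachable: no listener


def diagnose_http01(host, token, expected_ip=None, resolve=default_resolve,
                    fetch=default_fetch, timeout=10.0):
    """Return a verdict prefixed dns / firewall / listener / webroot / ok."""
    addrs = resolve(host)
    if not addrs:
        return "dns: no A record for %s" % host
    if expected_ip and expected_ip not in addrs:
        return "dns: %s resolves to %s, not the expected %s" % (host, addrs, expected_ip)
    url = "http://%s/.well-known/acme-challenge/%s" % (host, token)
    kind, status, body = fetch(url, timeout)
    if kind == "timeout":
        return "firewall: connect to port 80 timed out (ISP block, port forward or firewall rule)"
    if kind == "refused":
        return "listener: port 80 refused or unreachable (%s)" % body
    if status == 404:
        return "webroot: port 80 answers but the token file is not served from the webroot"
    if status == 200 and body.strip() == token:   # self-test file holds the bare token
        return "ok: challenge path served correctly"
    return "unexpected: HTTP %s with body %r" % (status, body[:40])
```

To use it for real, create `<webroot>/.well-known/acme-challenge/<token>` containing the token on the Neth box (the thread's webroot is /var/www/html), then call `diagnose_http01("mio.dominio.it", "<token>", expected_ip="<your external IP>")` from outside your network.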

Uninstalled everything containing letsencrypt,
searched for any file containing letsencrypt and deleted it, rebooted and re-installed letsencrypt.

It works, thanks a lot.

Thanks for your availability. I solved it as suggested by @michelandre.