LetsEncrypt fails to another hostname

I have NS7 working with the primary hostname (the one shown on SSH login) but cannot make it work with any other hostname.
I have tried to put the hostname in HOSTS via the DNS page, and in vHOSTS via the Virtual Hosts page.
None of them works.
I can ping the new hostname (mail.antinsect.com.br!) and even get a Jader.txt from outside using http://mail.antinsect.com.br/.well-known/acme-challenge/Jader.txt but cannot get it working from the LetsEncrypt page of SME.
It looks like it never wrote the challenge file to /var/www/html/.well-known/challenge but I can see it on logs:

Domain: mail.antinsect.com.br
Type: connection
Detail: 177.128.71.254: Fetching http://mail.antinsect.com.br/.well-known/acme-challenge/No1YyXMeiUuzCOkAC-VHXgAcPoQUF0EHaSitiP9feYM: Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you’re using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
2025-01-13 20:36:16,759:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
AuthorizationError: Some challenges have failed.

2025-01-13 20:36:16,759:DEBUG:certbot._internal.error_handler:Calling registered functions
2025-01-13 20:36:16,759:INFO:certbot._internal.auth_handler:Cleaning up challenges
2025-01-13 20:36:16,759:DEBUG:certbot._internal.plugins.webroot:Removing /var/www/html/.well-known/acme-challenge/No1YyXMeiUuzCOkAC-VHXgAcPoQUF0EHaSitiP9feYM

I should add another info: I have 2 internet links using LB.

I've just remembered that, so I created an exit rule to use one link as the main link to reach the IP of LE.
I also verified that the token file is created; it's created OK:

[root@agulhao ~]# ls -lart /var/www/html/.well-known/acme-challenge/
total 8
drwxr-xr-x. 4 root root 63 Jan 13 14:05 ..
-rw-r--r-- 1 root root 39 Jan 13 14:07 Jader.txt
-rw-r--r-- 1 root root 87 Jan 14 03:08 dmgrjRYM9xAJXtkRbLSPskcUUJ52Qe4z8ZRnt5HT1uI
drwxrwxrwx. 2 root root 74 Jan 14 03:08 .
[root@agulhao ~]# ls -lart /var/www/html/.well-known/acme-challenge/
total 4
drwxr-xr-x. 4 root root 63 Jan 13 14:05 ..
-rw-r--r-- 1 root root 39 Jan 13 14:07 Jader.txt
drwxrwxrwx. 2 root root 23 Jan 14 03:08 .
[root@agulhao ~]# grep "dmgrjRYM9xAJXtkRbLSPskcUUJ52Qe4z8ZRnt5HT1uI" /var/log/letsencrypt/letsencrypt.log
"token": "dmgrjRYM9xAJXtkRbLSPskcUUJ52Qe4z8ZRnt5HT1uI"
"token": "dmgrjRYM9xAJXtkRbLSPskcUUJ52Qe4z8ZRnt5HT1uI"
"token": "dmgrjRYM9xAJXtkRbLSPskcUUJ52Qe4z8ZRnt5HT1uI"
2025-01-14 03:08:06,276:DEBUG:certbot._internal.plugins.webroot:Attempting to save validation to /var/www/html/.well-known/acme-challenge/dmgrjRYM9xAJXtkRbLSPskcUUJ52Qe4z8ZRnt5HT1uI
"token": "dmgrjRYM9xAJXtkRbLSPskcUUJ52Qe4z8ZRnt5HT1uI"
"token": "dmgrjRYM9xAJXtkRbLSPskcUUJ52Qe4z8ZRnt5HT1uI"
"token": "dmgrjRYM9xAJXtkRbLSPskcUUJ52Qe4z8ZRnt5HT1uI"
"token": "dmgrjRYM9xAJXtkRbLSPskcUUJ52Qe4z8ZRnt5HT1uI"
"token": "dmgrjRYM9xAJXtkRbLSPskcUUJ52Qe4z8ZRnt5HT1uI"
"token": "dmgrjRYM9xAJXtkRbLSPskcUUJ52Qe4z8ZRnt5HT1uI"
"token": "dmgrjRYM9xAJXtkRbLSPskcUUJ52Qe4z8ZRnt5HT1uI"
"token": "dmgrjRYM9xAJXtkRbLSPskcUUJ52Qe4z8ZRnt5HT1uI"
"token": "dmgrjRYM9xAJXtkRbLSPskcUUJ52Qe4z8ZRnt5HT1uI"
"token": "dmgrjRYM9xAJXtkRbLSPskcUUJ52Qe4z8ZRnt5HT1uI"
"detail": "177.128.71.254: Fetching http://mail.antinsect.com.br/.well-known/acme-challenge/dmgrjRYM9xAJXtkRbLSPskcUUJ52Qe4z8ZRnt5HT1uI: Timeout during connect (likely firewall problem)",
"token": "dmgrjRYM9xAJXtkRbLSPskcUUJ52Qe4z8ZRnt5HT1uI",
"url": "http://mail.antinsect.com.br/.well-known/acme-challenge/dmgrjRYM9xAJXtkRbLSPskcUUJ52Qe4z8ZRnt5HT1uI",
Detail: 177.128.71.254: Fetching http://mail.antinsect.com.br/.well-known/acme-challenge/dmgrjRYM9xAJXtkRbLSPskcUUJ52Qe4z8ZRnt5HT1uI: Timeout during connect (likely firewall problem)
2025-01-14 03:08:17,265:DEBUG:certbot._internal.plugins.webroot:Removing /var/www/html/.well-known/acme-challenge/dmgrjRYM9xAJXtkRbLSPskcUUJ52Qe4z8ZRnt5HT1uI
[root@agulhao ~]#

OK… I’ve figured out! It’s a network problem.
I have 2 links (load balancing) so I have a round robin DNS for incoming connections:

ubuntu@www:~$ dig a agulhao.antinsect.com.br
agulhao.antinsect.com.br. 1175 IN A 45.238.65.82
agulhao.antinsect.com.br. 1175 IN A 177.128.71.254
ubuntu@www:~$ dig a mail.antinsect.com.br
mail.antinsect.com.br. 1065 IN A 45.238.65.82
mail.antinsect.com.br. 1065 IN A 177.128.71.254

and

ubuntu@www:~$ time curl link-pontual.antinsect.com.br/.well-known/acme-challenge/Jader.txt
dentro do acme-challenge
Jader Marasca

real 0m0.294s
user 0m0.004s
sys 0m0.003s
ubuntu@www:~$ time curl link-webmax.antinsect.com.br/.well-known/acme-challenge/Jader.txt
curl: (28) Failed to connect to link-webmax.antinsect.com.br port 80 after 133869 ms: Connection timed out

real 2m13.876s
user 0m0.005s
sys 0m0.006s

Not sure why this is happening just with one hostname, but that’s something my ISP will try to solve at 8AM (now it’s 3:30 AM here!)
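The per-link check this post ends up doing by hand (dig for every A record, then curl against each link separately) can be automated so that a round-robin hostname is tested from the validator's point of view: every address must serve the challenge, because Let's Encrypt connects to whichever one it picks. This is an added example, not code from the post, SME Server or certbot; it assumes Python 3, the /.well-known/acme-challenge/ path from the log, and, in the simulated run, constructed addresses (192.0.2.x) and a placeholder token.

```python
"""Per-address check of an ACME HTTP-01 challenge URL.

Added example, not code from the forum post, SME Server or certbot. A hostname
with several A records (round-robin DNS over two ISP links) can answer from
one address and time out on the other; the CA uses whichever address it gets,
so the challenge must be reachable via every one. This resolves all A records
and fetches the challenge path from each address separately, sending the real
hostname in the Host header so the right virtual host answers.
"""
import http.client
import socket
import sys
from typing import Callable, Dict, List, Optional

# Path used by the HTTP-01 challenge (matches the certbot log in the thread).
ACME_PATH = "/.well-known/acme-challenge/"

Fetcher = Callable[[str, str, str], str]


def resolve_a_records(hostname: str) -> List[str]:
    """Return every distinct IPv4 address for hostname (what `dig a` lists)."""
    infos = socket.getaddrinfo(hostname, 80, socket.AF_INET, socket.SOCK_STREAM)
    ips: List[str] = []
    for info in infos:
        ip = info[4][0]
        if ip not in ips:
            ips.append(ip)
    return ips


def fetch_via_ip(ip: str, hostname: str, path: str, timeout: float = 10.0) -> str:
    """GET http://<ip><path> with 'Host: <hostname>' and return the body.

    Raises OSError (socket.timeout included) when the address is unreachable,
    i.e. the 'Timeout during connect' case from the certbot log.
    """
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": hostname})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", errors="replace")
        if resp.status != 200:
            raise OSError(f"HTTP {resp.status}")
        return body
    finally:
        conn.close()


def check_challenge(hostname: str, token: str,
                    ips: Optional[List[str]] = None,
                    fetch: Fetcher = fetch_via_ip) -> Dict[str, str]:
    """Try the challenge URL on every address of hostname.

    Returns {ip: "ok" | "wrong content" | "fail: <reason>"}. A key
    authorization file starts with the token, so that prefix is what is checked.
    """
    results: Dict[str, str] = {}
    for ip in ips if ips is not None else resolve_a_records(hostname):
        try:
            body = fetch(ip, hostname, ACME_PATH + token)
        except OSError as exc:
            results[ip] = f"fail: {exc}"
            continue
        results[ip] = "ok" if body.strip().startswith(token) else "wrong content"
    return results


def all_reachable(results: Dict[str, str]) -> bool:
    """True only when every address served the challenge (what the CA needs)."""
    return bool(results) and all(v == "ok" for v in results.values())


def simulated_run() -> Dict[str, str]:
    """Offline reproduction of the thread's symptom with constructed data:
    two A records, one link answering and the other timing out on port 80."""
    token = "EXAMPLE_TOKEN"  # constructed placeholder, not a real ACME token
    # constructed addresses from the documentation range, not the poster's IPs
    answers = {"192.0.2.10": token + ".thumbprint", "192.0.2.20": None}

    def fake_fetch(ip: str, hostname: str, path: str) -> str:
        if answers[ip] is None:
            raise socket.timeout("timed out")
        return answers[ip]

    return check_challenge("mail.antinsect.com.br", token,
                           ips=list(answers), fetch=fake_fetch)


if __name__ == "__main__":
    # Live use: python3 check_acme.py mail.antinsect.com.br <token-or-test-file>
    if len(sys.argv) == 3:
        live = check_challenge(sys.argv[1], sys.argv[2])
    else:
        live = simulated_run()
    for ip, status in live.items():
        print(f"{ip}: {status}")
    sys.exit(0 if all_reachable(live) else 1)
```

Run it with the hostname and a file name placed in the challenge directory; a hand-made test file such as Jader.txt will report "wrong content" on a link that answers (reachable, but not a key authorization), while a link with port 80 blocked upstream reports "fail: timed out", which is the one-address failure the certbot log shows even though the file exists in the webroot.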

Hi Jader

I would bet it has to do with DNS caching, somewhere along the way.
While DNS round robin generally works, it does have issues for users connected when a failover occurs - the DNS is not always requeried - leading to whatever is using or connected to attempt the failed connection again…

→ Good Luck!

My 2 cents
Andy

Hi Andy

It was simpler: the ISP was blocking port 80 (HTTP) … it started a few weeks ago as standard procedure because of a DDOS attack and they forgot to open it again for our usage (we have a firewall).
After I proved it had to do with their link, it was a matter of 10 min to get it open!

Regards

Jáder