Missing proxy environment variables

Today while trying to request a Let’s Encrypt certificate, I got a message stating the following:

ConnectionError: ('Connection aborted.', error(101, 'Network is unreachable'))
ERROR:certbot.log:An unexpected error occurred:

Since this server is behind a proxy, I decided to check whether certbot was using the proxy. I ran this command (as root) to check for any access rejection on my firewall:

cat /var/log/firewall.log  | grep -v 'PROTO=ICMP' | grep '192.168.9.8' | egrep 'DPT|SRC|PROTO'
Jun 20 09:00:00 heimdall kernel: Shorewall:loc2net:REJECT:IN=eth0 OUT=eth1 MAC=56:76:ab:e3:56:cb:26:fd:e5:36:b5:f8:08:00 SRC=192.168.9.8 DST=52.33.253.223 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=34759 DF PROTO=TCP SPT=60744 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0 
Jun 20 09:00:00 heimdall kernel: Shorewall:loc2net:REJECT:IN=eth0 OUT=eth1 MAC=56:76:ab:e3:56:cb:26:fd:e5:36:b5:f8:08:00 SRC=192.168.9.8 DST=52.10.161.120 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=12088 DF PROTO=TCP SPT=33876 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0 
Jun 20 09:00:10 heimdall kernel: Shorewall:loc2net:REJECT:IN=eth0 OUT=eth1 MAC=56:76:ab:e3:56:cb:26:fd:e5:36:b5:f8:08:00 SRC=192.168.9.8 DST=52.10.161.120 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=23735 DF PROTO=TCP SPT=33884 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0 
Jun 20 09:00:10 heimdall kernel: Shorewall:loc2net:REJECT:IN=eth0 OUT=eth1 MAC=56:76:ab:e3:56:cb:26:fd:e5:36:b5:f8:08:00 SRC=192.168.9.8 DST=52.40.141.131 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10869 DF PROTO=TCP SPT=59200 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0 
Jun 20 09:00:10 heimdall kernel: Shorewall:loc2net:REJECT:IN=eth0 OUT=eth1 MAC=56:76:ab:e3:56:cb:26:fd:e5:36:b5:f8:08:00 SRC=192.168.9.8 DST=52.24.180.93 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=54219 DF PROTO=TCP SPT=41772 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0 
Jun 20 09:00:10 heimdall kernel: Shorewall:loc2net:REJECT:IN=eth0 OUT=eth1 MAC=56:76:ab:e3:56:cb:26:fd:e5:36:b5:f8:08:00 SRC=192.168.9.8 DST=52.33.69.177 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2665 DF PROTO=TCP SPT=53970 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0 
Jun 20 09:00:10 heimdall kernel: Shorewall:loc2net:REJECT:IN=eth0 OUT=eth1 MAC=56:76:ab:e3:56:cb:26:fd:e5:36:b5:f8:08:00 SRC=192.168.9.8 DST=35.166.101.60 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=33924 DF PROTO=TCP SPT=35694 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0 
Jun 20 09:00:10 heimdall kernel: Shorewall:loc2net:REJECT:IN=eth0 OUT=eth1 MAC=56:76:ab:e3:56:cb:26:fd:e5:36:b5:f8:08:00 SRC=192.168.9.8 DST=52.27.125.121 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=19929 DF PROTO=TCP SPT=45422 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0 

This server is trying to access the internet without using the proxy. I did some research and found this post, stating that certbot makes use of the HTTPS_PROXY environment variable to access the internet through a proxy.
I checked the environment variables with this:

env | grep -i proxy
http_proxy=http://ratatosk:dc6-R007@192.168.9.4:3128
https_proxy=http://ratatosk:dc6-R007@192.168.9.4:3128

As you can see, the HTTPS_PROXY environment variable is missing. I searched the proxy template on smith and found out that the template only creates http_proxy and https_proxy:

cat /etc/e-smith/templates/etc/profile.d/nethserver_proxy.sh/10base
{
    my $proxy_host = $proxy{host} || '';
    my $proxy_port = $proxy{port} || '3128';
    my $proxy_user = $proxy{user} || '';
    my $proxy_pass = $proxy{password} || '';

    $OUT = '';
    if (! $proxy_host eq ''){
        $OUT .= "http_proxy=\"http://";
        if (! $proxy_user eq '' && ! $proxy_pass eq ''){
            $OUT .= $proxy_user.':'.$proxy_pass.'@';
        }
        $OUT .= "$proxy_host:$proxy_port\"\n";
        $OUT .= "https_proxy=\$http_proxy\n";
        $OUT .= "export http_proxy\n";
        $OUT .= "export https_proxy\n";
    }
}

For a quick fix I decided to change this template directly (I know that we should create a custom template) with this code:

{
    my $proxy_host = $proxy{host} || '';
    my $proxy_port = $proxy{port} || '3128';
    my $proxy_user = $proxy{user} || '';
    my $proxy_pass = $proxy{password} || '';

    $OUT = '';
    if (! $proxy_host eq ''){
        $OUT .= "http_proxy=\"http://";
        if (! $proxy_user eq '' && ! $proxy_pass eq ''){
            $OUT .= $proxy_user.':'.$proxy_pass.'@';
        }
        $OUT .= "$proxy_host:$proxy_port\"\n";
        $OUT .= "https_proxy=\$http_proxy\n";
        $OUT .= "HTTP_PROXY=\$http_proxy\n";
        $OUT .= "HTTPS_PROXY=\$http_proxy\n";
        $OUT .= "export http_proxy\n";
        $OUT .= "export https_proxy\n";
        $OUT .= "export HTTP_PROXY\n";
        $OUT .= "export HTTPS_PROXY\n";
    }
}

This fix allows certbot to connect through the proxy. It would be nice to add this fix to NethServer.

4 Likes

Thanks for the well detailed bug report, providing also a solution. :+1:
Here’s some background info on env. vars type case:


1 Like

It would be wonderful to receive your PR :wink:

Public Relations ?
Personal Request ?
Permanent Residence ?

:rofl:

3 Likes

PR = Pull Request at Github.

1 Like

Done it

4 Likes

Just out of curiosity, if you are behind a proxy, how does LE check the challenge?

Do you need to configure a reverse proxy on the public IP?

Please tell me more about your solution I may have a similar issue :wink:

1 Like

As soon as my DNS provider sets my DNS zone I will tell you
I also only have 1 IP address so I have to ask my DNS provider to create several CNAMES and a zone for NS/SOA request in order to create a LE certificate for each of my internal servers

The PR code is good. However I cannot reproduce your failed expectation, at least by calling Python Requests directly.

For this reason I didn’t open a #bug and I just merged the PR.

As far as I can understand, Python Requests is the library used by Certbot to perform HTTP requests, and is responsible for proxy settings enforcement.

This is my experiment:

  1. configure a proxy in Network page
  2. open a shell and start in background:
    tcpdump 'port 80 or port 443 or port 3128' &
  3. send some HTTP/S requests
[root@vm5 ~]# python -c 'import requests; requests.get("https://community.nethserver.org")'
16:00:59.464189 IP vm5.dpnet.nethesis.it.38384 > nethsecurity.nethesis.it.squid: Flags [S], seq 3012915020, win 29200, options [mss 1460,sackOK,TS val 13588448 ecr 0,nop,wscale 7], length 0
...
[root@vm5 ~]# python -c 'import requests; requests.get("http://community.nethserver.org")'
16:01:46.492357 IP vm5.dpnet.nethesis.it.38386 > nethsecurity.nethesis.it.squid: Flags [S], seq 1814472289, win 29200, options [mss 1460,sackOK,TS val 13635476 ecr 0,nop,wscale 7], length 0
16:01:46.492870 IP nethsecurity.nethesis.it.squid > vm5.dpnet.nethesis.it.38386: Flags [S.], seq 3256028747, ack 1814472290, win 28960, options [mss 1460,sackOK,TS val 2944775490 ecr 13635476,nop,wscale 7], length 0

Proxy settings are honored by the Python library, even if HTTP_PROXY and HTTPS_PROXY are not set. I have the lowercase vars in the environment:

[root@vm5 ~]# env | grep -i http
http_proxy=http://nethsecurity.nethesis.it:3128
https_proxy=http://nethsecurity.nethesis.it:3128

Even if I didn’t run certbot, as the checked library is a certbot dependency I think certbot can work with lowercase variables too :thinking:

I’m pretty sure this code reference proves it:

/usr/lib/python2.7/site-packages/requests/utils.py:491:    get_proxy = lambda k: os.environ.get(k) or os.environ.get(k.upper())

@jfernandez would you mind running some tests with my commands above by your side too?

As you requested, I first disabled both uppercase environment variables, then ran both commands. This is the output:

[root@ratatosk ~]# unset HTTP_PROXY
[root@ratatosk ~]# unset HTTPS_PROXY
[root@ratatosk ~]# env | grep -i http
http_proxy=http://proxy_username:proxy_password@192.168.9.4:3128
https_proxy=http://proxy_username:proxy_password@192.168.9.4:3128
[root@ratatosk ~]# tcpdump 'port 80 or port 443 or port 3128' &
[1] 6142
[root@ratatosk ~]# tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes

[root@ratatosk ~]# python -c 'import requests; requests.get("https://community.nethserver.org")'
12:12:15.318944 IP ratatosk.local.durerocaribe.cu.58634 > heimdall.durerocaribe.cu.squid: Flags [S], seq 1256868346, win 29200, options [mss 1460,sackOK,TS val 356877674 ecr 0,nop,wscale 7], length 0
12:12:15.319330 IP heimdall.durerocaribe.cu.squid > ratatosk.local.durerocaribe.cu.58634: Flags [S.], seq 636750635, ack 1256868347, win 28960, options [mss 1460,sackOK,TS val 782348523 ecr 356877674,nop,wscale 7], length 0
12:12:15.319394 IP ratatosk.local.durerocaribe.cu.58634 > heimdall.durerocaribe.cu.squid: Flags [.], ack 1, win 229, options [nop,nop,TS val 356877674 ecr 782348523], length 0
12:12:15.319558 IP ratatosk.local.durerocaribe.cu.58634 > heimdall.durerocaribe.cu.squid: Flags [P.], seq 1:48, ack 1, win 229, options [nop,nop,TS val 356877674 ecr 782348523], length 47
12:12:15.319760 IP heimdall.durerocaribe.cu.squid > ratatosk.local.durerocaribe.cu.58634: Flags [.], ack 48, win 227, options [nop,nop,TS val 782348524 ecr 356877674], length 0
12:12:15.319785 IP ratatosk.local.durerocaribe.cu.58634 > heimdall.durerocaribe.cu.squid: Flags [P.], seq 48:103, ack 1, win 229, options [nop,nop,TS val 356877675 ecr 782348524], length 55
12:12:15.319905 IP heimdall.durerocaribe.cu.squid > ratatosk.local.durerocaribe.cu.58634: Flags [.], ack 103, win 227, options [nop,nop,TS val 782348524 ecr 356877675], length 0
12:12:16.089835 IP heimdall.durerocaribe.cu.squid > ratatosk.local.durerocaribe.cu.58634: Flags [P.], seq 1:40, ack 103, win 227, options [nop,nop,TS val 782349294 ecr 356877675], length 39
12:12:16.090015 IP ratatosk.local.durerocaribe.cu.58634 > heimdall.durerocaribe.cu.squid: Flags [.], ack 40, win 229, options [nop,nop,TS val 356878445 ecr 782349294], length 0
12:12:16.099621 IP ratatosk.local.durerocaribe.cu.58634 > heimdall.durerocaribe.cu.squid: Flags [P.], seq 103:620, ack 40, win 229, options [nop,nop,TS val 356878454 ecr 782349294], length 517
12:12:16.100020 IP heimdall.durerocaribe.cu.squid > ratatosk.local.durerocaribe.cu.58634: Flags [.], ack 620, win 235, options [nop,nop,TS val 782349304 ecr 356878454], length 0
12:12:16.772901 IP heimdall.durerocaribe.cu.squid > ratatosk.local.durerocaribe.cu.58634: Flags [P.], seq 40:1488, ack 620, win 235, options [nop,nop,TS val 782349977 ecr 356878454], length 1448
12:12:16.812937 IP ratatosk.local.durerocaribe.cu.58634 > heimdall.durerocaribe.cu.squid: Flags [.], ack 1488, win 251, options [nop,nop,TS val 356879168 ecr 782349977], length 0
12:12:19.474644 IP heimdall.durerocaribe.cu.squid > ratatosk.local.durerocaribe.cu.58634: Flags [P.], seq 1488:3549, ack 620, win 235, options [nop,nop,TS val 782352678 ecr 356879168], length 2061
12:12:19.474818 IP ratatosk.local.durerocaribe.cu.58634 > heimdall.durerocaribe.cu.squid: Flags [.], ack 3549, win 283, options [nop,nop,TS val 356881830 ecr 782352678], length 0
12:12:19.476867 IP ratatosk.local.durerocaribe.cu.58634 > heimdall.durerocaribe.cu.squid: Flags [P.], seq 620:746, ack 3549, win 283, options [nop,nop,TS val 356881832 ecr 782352678], length 126
12:12:19.477243 IP heimdall.durerocaribe.cu.squid > ratatosk.local.durerocaribe.cu.58634: Flags [.], ack 746, win 235, options [nop,nop,TS val 782352681 ecr 356881832], length 0
12:12:19.740816 IP heimdall.durerocaribe.cu.squid > ratatosk.local.durerocaribe.cu.58634: Flags [P.], seq 3549:3823, ack 746, win 235, options [nop,nop,TS val 782352945 ecr 356881832], length 274
12:12:19.741810 IP ratatosk.local.durerocaribe.cu.58634 > heimdall.durerocaribe.cu.squid: Flags [P.], seq 746:976, ack 3823, win 306, options [nop,nop,TS val 356882097 ecr 782352945], length 230
12:12:19.742074 IP heimdall.durerocaribe.cu.squid > ratatosk.local.durerocaribe.cu.58634: Flags [.], ack 976, win 243, options [nop,nop,TS val 782352946 ecr 356882097], length 0
12:12:20.199818 IP heimdall.durerocaribe.cu.squid > ratatosk.local.durerocaribe.cu.58634: Flags [P.], seq 3823:5271, ack 976, win 243, options [nop,nop,TS val 782353404 ecr 356882097], length 1448
12:12:20.207385 IP heimdall.durerocaribe.cu.squid > ratatosk.local.durerocaribe.cu.58634: Flags [P.], seq 5271:6719, ack 976, win 243, options [nop,nop,TS val 782353411 ecr 356882097], length 1448
12:12:20.207504 IP ratatosk.local.durerocaribe.cu.58634 > heimdall.durerocaribe.cu.squid: Flags [.], ack 6719, win 351, options [nop,nop,TS val 356882562 ecr 782353404], length 0
12:12:21.264600 IP heimdall.durerocaribe.cu.squid > ratatosk.local.durerocaribe.cu.58634: Flags [P.], seq 6719:9089, ack 976, win 243, options [nop,nop,TS val 782354468 ecr 356882562], length 2370
12:12:21.264735 IP ratatosk.local.durerocaribe.cu.58634 > heimdall.durerocaribe.cu.squid: Flags [.], ack 9089, win 388, options [nop,nop,TS val 356883619 ecr 782354468], length 0
12:12:21.266975 IP ratatosk.local.durerocaribe.cu.58634 > heimdall.durerocaribe.cu.squid: Flags [F.], seq 976, ack 9089, win 388, options [nop,nop,TS val 356883622 ecr 782354468], length 0
12:12:21.267380 IP heimdall.durerocaribe.cu.squid > ratatosk.local.durerocaribe.cu.58634: Flags [F.], seq 9089, ack 977, win 243, options [nop,nop,TS val 782354471 ecr 356883622], length 0
12:12:21.267410 IP ratatosk.local.durerocaribe.cu.58634 > heimdall.durerocaribe.cu.squid: Flags [.], ack 9090, win 388, options [nop,nop,TS val 356883622 ecr 782354471], length 0

However, if you go to [Server certificate] -> [Request a new Let’s Encrypt certificate] in the WebUI, you get the following error (with the uppercase environment variables disabled):

    Domains
        An unexpected error occurred: ConnectionError: ('Connection aborted.', error(101, 'Network is unreachable')) Please see the logfiles in /var/log/letsencrypt for more details. 

Only after setting the uppercase environment variables correctly do you get this other error:

Domains
    Challenge failed for domain ratatosk.local.durerocaribe.cu Some challenges have failed. 

I assume this other error is due to not having a NS/SOA, since this guide states that if you can create NS and CNAME records on your DNS provider, you can then use acme-dns to automate the DNS updates needed to get and renew your certificates (whether wildcard or not).

So I’m waiting for my DNS provider to define a zone for my domain in order to keep testing the [Let’s Encrypt] certificate for my internal servers.

1 Like

So there must be some “magic” in certbot code that overrides the underlying library behavior!

Just for the record, the requirements for LE are explained in the manual, and acme-dns is (still) not implemented in NethServer.

http://docs.nethserver.org/en/v7/base_system.html#server-certificate

Update: the environment settings are blocked by sudo

[root@vm5 ~]#  /usr/bin/sudo  env | grep http
[root@vm5 ~]#  /usr/bin/sudo -i env | grep http
http_proxy=http://nethsecurity.nethesis.it:3128
HTTPS_PROXY=http://nethsecurity.nethesis.it:3128
https_proxy=http://nethsecurity.nethesis.it:3128
HTTP_PROXY=http://nethsecurity.nethesis.it:3128

When certbot is invoked by Server Manager (Nethgui) it runs in an environment limited by sudo /cc @dev_team

The same happens with all signal-event invocations: why didn’t we notice it before?

3 Likes

Quick solution would be to add the following to /etc/sudoers

Defaults env_keep += "HTTP_PROXY HTTPS_PROXY http_proxy https_proxy"
1 Like
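
Both findings above, the lookup order quoted from `requests/utils.py` and sudo dropping the proxy variables unless `env_keep` lists them, can be reproduced without sudo. This is an added example, not code from the thread or from NethServer: `env -i` stands in for sudo's environment reset, and the function names and proxy URL are constructed for illustration.

```shell
#!/bin/sh
# Added example: emulate sudo's env_reset with an env_keep-style allowlist.
# Real sudo also sets variables of its own (HOME, PATH, SUDO_USER, ...);
# only the filtering of the caller's variables is modelled here.

# run_with_env_keep "VAR1 VAR2 ..." cmd [args...]
# Runs cmd in an emptied environment, passing on only the exported variables
# named in the allowlist. Values are copied from the caller unchanged.
run_with_env_keep() (
    keep_list=$1
    shift
    for name in $keep_list; do
        # printenv fails for names that are not exported, so they are skipped.
        if value=$(printenv "$name"); then
            set -- "$name=$value" "$@"
        fi
    done
    env -i PATH="$PATH" "$@"
)

# Prints the HTTPS proxy a child process would pick under a given allowlist,
# using the order quoted in the thread: lowercase name first, then uppercase.
resolve_https_proxy() {
    run_with_env_keep "$1" sh -c 'printf "%s" "${https_proxy:-${HTTPS_PROXY:-}}"'
}

# Strips "user:password@" from a proxy URL so the value can be logged or
# pasted into a report without exposing the proxy credentials.
redact_proxy_url() {
    printf '%s\n' "$1" | sed -E 's#^([a-zA-Z][a-zA-Z0-9+.-]*://)[^/@]*@#\1#'
}

demo() (
    # Constructed sample values, standing in for what the profile.d script exports.
    export http_proxy='http://proxy_username:proxy_password@proxy.example:3128'
    export https_proxy="$http_proxy"
    unset HTTP_PROXY HTTPS_PROXY

    # Empty allowlist: plain env_reset. Uppercase-only allowlist: nothing to
    # keep, because only the lowercase names are exported. Lowercase: kept.
    for keep in '' 'HTTP_PROXY HTTPS_PROXY' 'http_proxy https_proxy'; do
        seen=$(resolve_https_proxy "$keep")
        printf 'env_keep=[%s] -> https proxy seen by child: %s\n' \
            "$keep" "$(redact_proxy_url "${seen:-<none>}")"
    done
)

demo
```

In sudoers itself the allowlist can be scoped to a single command with a `Defaults!<command> env_keep += ...` entry instead of a global `Defaults`, and `visudo -c` checks the syntax before the file is relied on.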

I guess you already tested it but…

Is it safe?

My test consisted of …

sudo /usr/libexec/nethserver/letsencrypt-certs -e informatica@durerocaribe.cu -t -d ratatosk.local.durerocaribe.cu
Challenge failed for domain ratatosk.local.durerocaribe.cu
Some challenges have failed.

As usual this fails, and it writes a log file to /var/log/letsencrypt/letsencrypt.log:

2019-06-25 12:37:09,290:DEBUG:certbot.main:certbot version: 0.34.2
2019-06-25 12:37:09,290:DEBUG:certbot.main:Arguments: ['--webroot', '--webroot-path', '/var/www/html/', '--text', '--non-interactive', '--agree-tos', '--email', 'informatica@durerocaribe.cu', '-d', 'ratatosk.local.durerocaribe.cu', '--test-cert', '--quiet']
2019-06-25 12:37:09,290:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-06-25 12:37:09,329:DEBUG:certbot.log:Root logging level set at 30
2019-06-25 12:37:09,330:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-06-25 12:37:09,331:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2019-06-25 12:37:09,332:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7f5107416c10>
Prep: True
2019-06-25 12:37:09,333:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7f5107416c10> and installer None
2019-06-25 12:37:09,333:INFO:certbot.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2019-06-25 12:37:09,898:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
2019-06-25 12:37:09,906:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
2019-06-25 12:37:14,182:DEBUG:requests.packages.urllib3.connectionpool:"GET /directory HTTP/1.1" 200 724
2019-06-25 12:37:14,183:DEBUG:acme.client:Received response:
HTTP 200
content-length: 724
expires: Tue, 25 Jun 2019 16:37:14 GMT
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
pragma: no-cache
cache-control: max-age=0, no-cache, no-store
date: Tue, 25 Jun 2019 16:37:14 GMT
x-frame-options: DENY
content-type: application/json

{
  "keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org/docs/staging-environment/"
  },
  "newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert",
  "zstYh2Tlftw": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417"
}
2019-06-25 12:37:14,184:DEBUG:acme.client:Requesting fresh nonce
2019-06-25 12:37:14,184:DEBUG:acme.client:Sending HEAD request to https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce.
2019-06-25 12:37:14,520:DEBUG:requests.packages.urllib3.connectionpool:"HEAD /acme/new-nonce HTTP/1.1" 200 0
2019-06-25 12:37:14,520:DEBUG:acme.client:Received response:
HTTP 200
content-length: 0
expires: Tue, 25 Jun 2019 16:37:15 GMT
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
pragma: no-cache
cache-control: max-age=0, no-cache, no-store
date: Tue, 25 Jun 2019 16:37:15 GMT
x-frame-options: DENY
replay-nonce: ZjyNM2IEyw23ihfG3pdLs4UaRxCEK9-7CjDA0e73JJc


2019-06-25 12:37:14,521:DEBUG:acme.client:Storing nonce: ZjyNM2IEyw23ihfG3pdLs4UaRxCEK9-7CjDA0e73JJc
2019-06-25 12:37:14,521:DEBUG:acme.client:JWS payload:
{
  "termsOfServiceAgreed": true, 
  "resource": "new-reg", 
  "contact": [
    "mailto:informatica@durerocaribe.cu"
  ]
}
2019-06-25 12:37:14,527:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/new-acct:
2019-06-25 12:37:15,441:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/new-acct HTTP/1.1" 201 571
2019-06-25 12:37:15,442:DEBUG:acme.client:Received response:
HTTP 201
content-length: 571
expires: Tue, 25 Jun 2019 16:37:15 GMT
cache-control: max-age=0, no-cache, no-store
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index", <https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf>;rel="terms-of-service"
location: https://acme-staging-v02.api.letsencrypt.org/acme/acct/9728768
pragma: no-cache
boulder-requester: 9728768
date: Tue, 25 Jun 2019 16:37:15 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: A0Tz3D9IdvrLVzgdFqXUg7sY6cpDsZy2LibyZFV0RVs

{
  "key": {
    "kty": "RSA",
    "n": "zc9FXPmfQuyU2W2Ycrh1doe03Di3SpCPiK1Hjz-A7fyzb4kpykRm9M4U-zUq_oAFsXPwIIVcH4mXSkbFIcJMaJCGqDQXJcNLffn1TOHS2vtzpCuMgwS1Ska412OfriUZSZCFX7JHjvz7X7WOVQlTl3rIDIux8kJx8DGWyj5khlwOhoTRF3wWMWg1guRD_f8eWKTEIRHFGblEk5zUriDQaZjErIWOJgEsvxKlOmEZkcruLTuR4BNtWmW--JvY7NaTrsCziC64AWFavFmWQ9V9zkhjobuVsDXED5Pzd-Hif_qOEgciNAQBmwzHwG5TW-Wmi2W9zkty5w6nlLUKDtCfcQ",
    "e": "AQAB"
  },
  "contact": [
    "mailto:informatica@durerocaribe.cu"
  ],
  "initialIp": "190.92.117.211",
  "createdAt": "2019-06-25T16:37:15.919796442Z",
  "status": "valid"
}
2019-06-25 12:37:15,442:DEBUG:acme.client:Storing nonce: A0Tz3D9IdvrLVzgdFqXUg7sY6cpDsZy2LibyZFV0RVs
2019-06-25 12:37:15,445:DEBUG:certbot.reporter:Reporting to user: Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal.
2019-06-25 12:37:15,447:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(status=u'valid', terms_of_service_agreed=None, agreement=None, only_return_existing=None, contact=(u'mailto:informatica@durerocaribe.cu',), key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7f5106fe6790>)>), external_account_binding=None), uri='https://acme-staging-v02.api.letsencrypt.org/acme/acct/9728768', new_authzr_uri=None, terms_of_service='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'), 91ef8cd1ecf33e5c0723f39be27f4643, Meta(creation_host='ratatosk.local.durerocaribe.cu', creation_dt=datetime.datetime(2019, 6, 25, 16, 37, 15, tzinfo=<UTC>)))>
2019-06-25 12:37:15,448:INFO:certbot.main:Obtaining a new certificate
2019-06-25 12:37:15,668:DEBUG:certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
2019-06-25 12:37:15,672:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem
2019-06-25 12:37:15,673:DEBUG:acme.client:JWS payload:
{
  "identifiers": [
    {
      "type": "dns", 
      "value": "ratatosk.local.durerocaribe.cu"
    }
  ]
}
2019-06-25 12:37:15,677:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/new-order:
2019-06-25 12:37:16,094:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/new-order HTTP/1.1" 201 403
2019-06-25 12:37:16,095:DEBUG:acme.client:Received response:
HTTP 201
content-length: 403
expires: Tue, 25 Jun 2019 16:37:16 GMT
cache-control: max-age=0, no-cache, no-store
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
location: https://acme-staging-v02.api.letsencrypt.org/acme/order/9728768/38233503
pragma: no-cache
boulder-requester: 9728768
date: Tue, 25 Jun 2019 16:37:16 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: Lj1C-2OJjGlUG0TJD6wM3Xu73Ki3x8ceLsB4Tc5DCP4

{
  "status": "pending",
  "expires": "2019-07-02T16:37:16.569102965Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "ratatosk.local.durerocaribe.cu"
    }
  ],
  "authorizations": [
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz/gx_dCY2GzKv7e0Ec9HrAoUFL92YJ5NXddh70hQtkFh8"
  ],
  "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/9728768/38233503"
}
2019-06-25 12:37:16,096:DEBUG:acme.client:Storing nonce: Lj1C-2OJjGlUG0TJD6wM3Xu73Ki3x8ceLsB4Tc5DCP4
2019-06-25 12:37:16,098:DEBUG:acme.client:JWS payload:

2019-06-25 12:37:16,102:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz/gx_dCY2GzKv7e0Ec9HrAoUFL92YJ5NXddh70hQtkFh8:
2019-06-25 12:37:17,267:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/authz/gx_dCY2GzKv7e0Ec9HrAoUFL92YJ5NXddh70hQtkFh8 HTTP/1.1" 200 943
2019-06-25 12:37:17,268:DEBUG:acme.client:Received response:
HTTP 200
content-length: 943
expires: Tue, 25 Jun 2019 16:37:16 GMT
cache-control: max-age=0, no-cache, no-store
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
pragma: no-cache
boulder-requester: 9728768
date: Tue, 25 Jun 2019 16:37:16 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: iT3i7fuaFsRDu36Q7i6GxGgTotHQAbj6Ia19aANawBk

{
  "identifier": {
    "type": "dns",
    "value": "ratatosk.local.durerocaribe.cu"
  },
  "status": "pending",
  "expires": "2019-07-02T16:37:16Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/gx_dCY2GzKv7e0Ec9HrAoUFL92YJ5NXddh70hQtkFh8/324954847",
      "token": "LtkYsWbDIJWycW_hAi_fXnSub3wrm8C2YnZUXoN2jKA"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/gx_dCY2GzKv7e0Ec9HrAoUFL92YJ5NXddh70hQtkFh8/324954848",
      "token": "w67xJhB47toymmQYebnuD3cwUwpfztWa6vBaDJM5Kc4"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/gx_dCY2GzKv7e0Ec9HrAoUFL92YJ5NXddh70hQtkFh8/324954849",
      "token": "kadCYmPvIiOLEUIb56lLCN2t2Cbj68CyHr8zqHV2W10"
    }
  ]
}
2019-06-25 12:37:17,269:DEBUG:acme.client:Storing nonce: iT3i7fuaFsRDu36Q7i6GxGgTotHQAbj6Ia19aANawBk
2019-06-25 12:37:17,270:INFO:certbot.auth_handler:Performing the following challenges:
2019-06-25 12:37:17,270:INFO:certbot.auth_handler:http-01 challenge for ratatosk.local.durerocaribe.cu
2019-06-25 12:37:17,271:INFO:certbot.plugins.webroot:Using the webroot path /var/www/html for all unmatched domains.
2019-06-25 12:37:17,271:DEBUG:certbot.plugins.webroot:Creating root challenges validation dir at /var/www/html/.well-known/acme-challenge
2019-06-25 12:37:17,277:DEBUG:certbot.plugins.webroot:Attempting to save validation to /var/www/html/.well-known/acme-challenge/LtkYsWbDIJWycW_hAi_fXnSub3wrm8C2YnZUXoN2jKA
2019-06-25 12:37:17,278:INFO:certbot.auth_handler:Waiting for verification...
2019-06-25 12:37:17,278:DEBUG:acme.client:JWS payload:
{
  "type": "http-01", 
  "resource": "challenge"
}
2019-06-25 12:37:17,281:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/challenge/gx_dCY2GzKv7e0Ec9HrAoUFL92YJ5NXddh70hQtkFh8/324954847:
2019-06-25 12:37:19,501:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/challenge/gx_dCY2GzKv7e0Ec9HrAoUFL92YJ5NXddh70hQtkFh8/324954847 HTTP/1.1" 200 230
2019-06-25 12:37:19,502:DEBUG:acme.client:Received response:
HTTP 200
content-length: 230
expires: Tue, 25 Jun 2019 16:37:18 GMT
cache-control: max-age=0, no-cache, no-store
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-staging-v02.api.letsencrypt.org/acme/authz/gx_dCY2GzKv7e0Ec9HrAoUFL92YJ5NXddh70hQtkFh8>;rel="up"
location: https://acme-staging-v02.api.letsencrypt.org/acme/challenge/gx_dCY2GzKv7e0Ec9HrAoUFL92YJ5NXddh70hQtkFh8/324954847
pragma: no-cache
boulder-requester: 9728768
date: Tue, 25 Jun 2019 16:37:18 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: U6jrzMClZm2noxxw7Bg2yF3Idb6tNJx_eHHdUVpVo_s

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/gx_dCY2GzKv7e0Ec9HrAoUFL92YJ5NXddh70hQtkFh8/324954847",
  "token": "LtkYsWbDIJWycW_hAi_fXnSub3wrm8C2YnZUXoN2jKA"
}
2019-06-25 12:37:19,502:DEBUG:acme.client:Storing nonce: U6jrzMClZm2noxxw7Bg2yF3Idb6tNJx_eHHdUVpVo_s
2019-06-25 12:37:20,504:DEBUG:acme.client:JWS payload:

2019-06-25 12:37:20,507:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz/gx_dCY2GzKv7e0Ec9HrAoUFL92YJ5NXddh70hQtkFh8:
{
  "protected": "eyJub25jZSI6ICJVNmpyek1DbFptMm5veHh3N0JnMnlGM0lkYjZ0Tkp4X2VISGRVVnBWb19zIiwgInVybCI6ICJodHRwczovL2FjbWUtc3RhZ2luZy12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6L2d4X2RDWTJHekt2N2UwRWM5SHJBb1VGTDkyWUo1TlhkZGg3MGhRdGtGaDgiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC85NzI4NzY4IiwgImFsZyI6ICJSUzI1NiJ9", 
  "payload": "", 
  "signature": "JLfLtnL0tQL3PHHCTf3HBE4_mF_W5GngfcYiIEX5kPSuDHolYSMchtWNbMtut6Md125drwaujn3pZqNq983d7mFZcSsO6YGGVXaCYvOJ2gYc7ySKBCY2CQbhnPOXsnnpi3La84Vv-2p2y48d3J1smONbMhsVnP20TBxBc-Bv7WEK8tf8PLv6zMV2C0ZN_PTfwneIKrQW6o7sVDkQmfUlAm5jIod4SE6sLIDiurVnrtWBZpyQevTye3-yX_HynOYMnI3pYOLVQ3K0IT-9CHw5o8MvBYiQlftd7-DE4UEPe9oBL3kswBlf31ZyFE6B4G5t-dyel1USOOxswwXRcfNLmA"
}
2019-06-25 12:37:22,025:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/authz/gx_dCY2GzKv7e0Ec9HrAoUFL92YJ5NXddh70hQtkFh8 HTTP/1.1" 200 1146
2019-06-25 12:37:22,026:DEBUG:acme.client:Received response:
HTTP 200
content-length: 1146
expires: Tue, 25 Jun 2019 16:37:22 GMT
cache-control: max-age=0, no-cache, no-store
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
pragma: no-cache
boulder-requester: 9728768
date: Tue, 25 Jun 2019 16:37:22 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: U_QVimA964xDaVGCbvNYQdqNBCN4h_MZ7YpNOB3oWRA

{
  "identifier": {
    "type": "dns",
    "value": "ratatosk.local.durerocaribe.cu"
  },
  "status": "invalid",
  "expires": "2019-07-02T16:37:16Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "dns :: DNS problem: NXDOMAIN looking up A for ratatosk.local.durerocaribe.cu",
        "status": 400
      },
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/gx_dCY2GzKv7e0Ec9HrAoUFL92YJ5NXddh70hQtkFh8/324954847",
      "token": "LtkYsWbDIJWycW_hAi_fXnSub3wrm8C2YnZUXoN2jKA"
    },
    {
      "type": "tls-alpn-01",
      "status": "invalid",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/gx_dCY2GzKv7e0Ec9HrAoUFL92YJ5NXddh70hQtkFh8/324954848",
      "token": "w67xJhB47toymmQYebnuD3cwUwpfztWa6vBaDJM5Kc4"
    },
    {
      "type": "dns-01",
      "status": "invalid",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/gx_dCY2GzKv7e0Ec9HrAoUFL92YJ5NXddh70hQtkFh8/324954849",
      "token": "kadCYmPvIiOLEUIb56lLCN2t2Cbj68CyHr8zqHV2W10"
    }
  ]
}
2019-06-25 12:37:22,026:DEBUG:acme.client:Storing nonce: U_QVimA964xDaVGCbvNYQdqNBCN4h_MZ7YpNOB3oWRA
2019-06-25 12:37:22,027:WARNING:certbot.auth_handler:Challenge failed for domain ratatosk.local.durerocaribe.cu
2019-06-25 12:37:22,027:INFO:certbot.auth_handler:http-01 challenge for ratatosk.local.durerocaribe.cu
2019-06-25 12:37:22,028:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: ratatosk.local.durerocaribe.cu
Type:   connection
Detail: dns :: DNS problem: NXDOMAIN looking up A for ratatosk.local.durerocaribe.cu

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
2019-06-25 12:37:22,029:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 90, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 154, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
AuthorizationError: Some challenges have failed.

2019-06-25 12:37:22,029:DEBUG:certbot.error_handler:Calling registered functions
2019-06-25 12:37:22,029:INFO:certbot.auth_handler:Cleaning up challenges
2019-06-25 12:37:22,029:DEBUG:certbot.plugins.webroot:Removing /var/www/html/.well-known/acme-challenge/LtkYsWbDIJWycW_hAi_fXnSub3wrm8C2YnZUXoN2jKA
2019-06-25 12:37:22,030:DEBUG:certbot.plugins.webroot:All challenges cleaned up
2019-06-25 12:37:22,030:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 9, in <module>
    load_entry_point('certbot==0.34.2', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1379, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1262, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 120, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 406, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 349, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 385, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 90, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 154, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
AuthorizationError: Some challenges have failed.

Another widely used environment variable we’re missing is NO_PROXY/no_proxy.

It is not specifically related to your issue. At least it should be set to 127.0.0.1,localhost /cc @stephdl – and who’s working on Apache cockpit dashboard :wink:

2 posts were split to a new topic: Let’s Encrypt certs from private network
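The reply above asks for NO_PROXY/no_proxy to cover at least 127.0.0.1 and localhost. The following is an added example, not code from the thread or from certbot, that audits an environment mapping for that minimum and shows which requests would be sent to the proxy. The proxy URL `http://proxy.example:3128` is constructed, and the matching is a simplified assumption (wildcard, exact host, or domain suffix); real clients differ in details such as CIDR support.

```python
from urllib.parse import urlsplit

LOOPBACK = ("127.0.0.1", "localhost")  # the minimum the reply above suggests


def _lookup(env, name):
    """Return the lowercase or uppercase variant of a proxy variable, if set."""
    return env.get(name.lower()) or env.get(name.upper()) or ""


def bypasses_proxy(host, no_proxy):
    """Simplified NO_PROXY match (assumption): '*', exact host, or domain suffix."""
    host = host.lower()
    for entry in no_proxy.split(","):
        entry = entry.strip().lower().lstrip(".")
        if entry and (entry == "*" or host == entry or host.endswith("." + entry)):
            return True
    return False


def route(url, env):
    """Return 'direct' or the proxy URL a client would use for this URL."""
    parts = urlsplit(url)
    if bypasses_proxy(parts.hostname or "", _lookup(env, "no_proxy")):
        return "direct"
    return _lookup(env, parts.scheme + "_proxy") or "direct"


def audit(env):
    """List problems with the proxy variables in an environment mapping."""
    findings = [name + " is not set"
                for name in ("http_proxy", "https_proxy") if not _lookup(env, name)]
    no_proxy = _lookup(env, "no_proxy")
    findings += ["no_proxy does not cover " + host
                 for host in LOOPBACK if not bypasses_proxy(host, no_proxy)]
    return findings


# Constructed environments: proxy set but NO_PROXY missing, then with the suggested value.
ENV_BEFORE = {"http_proxy": "http://proxy.example:3128",
              "https_proxy": "http://proxy.example:3128"}
ENV_AFTER = dict(ENV_BEFORE, no_proxy="127.0.0.1,localhost")

if __name__ == "__main__":
    for label, env in (("before", ENV_BEFORE), ("after", ENV_AFTER)):
        print(label, audit(env))
        for url in ("https://acme-staging-v02.api.letsencrypt.org/directory",
                    "http://127.0.0.1/"):
            print("  ", url, "->", route(url, env))
```

To check a live shell, pass `dict(os.environ)` to `audit()` instead of the constructed mappings.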