No new LetsEncryptCerts

rowihei · August 27, 2022, 10:24am

NethServer Version: 7.9.2009 (final)
Module: Let’s Encrypt

Hello, again,
Let’s Encrypt worked fine for a long time … but:
Since 18.08.2022 every day I got this warning:

/etc/cron.daily/nethserver-letsencrypt-certs:

Challenge failed for domain bma.firma.de
Challenge failed for domain mail.firma.de
Some challenges have failed.

We changed nothing. What is the reason ? How to solved the problem ?

danb35 · August 27, 2022, 10:30am

What’s in the last log file in /var/log/letsencrypt?

rowihei · August 27, 2022, 11:57am

Some additional informations:

there is an A-record since last year (provider site all-inkl.com)
port 80 is reachabel
Firewall : iPFire
The last log file (I changed only the real domain name and public IP):

2022-08-27 08:17:40,575:DEBUG:acme.client:Storing nonce: 0001Ogu6zoyCiD0w_i_0Jg_Ln-lF7im9BMUsWddbalzGCj4
2022-08-27 08:17:40,576:WARNING:certbot._internal.auth_handler:Challenge failed for domain mail.firma.de
2022-08-27 08:17:40,577:INFO:certbot._internal.auth_handler:http-01 challenge for mail.firma.de
2022-08-27 08:17:40,577:DEBUG:certbot._internal.reporter:Reporting to user: The following errors were reported by the server:

Domain: mail.firma.de
Type: connection
Detail: xxx.xxx.xxx.xxx: Fetching http://mail.firma.de/.well-known/acme-challenge/FVvzGuo6RvMJKbE_U22kcFVBeJI_Quo0-BwLusGnBus: Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you’re using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
2022-08-27 08:17:40,578:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File “/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py”, line 91, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File “/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py”, line 180, in _poll_authorizations
raise errors.AuthorizationError(‘Some challenges have failed.’)
AuthorizationError: Some challenges have failed.

2022-08-27 08:17:40,578:DEBUG:certbot._internal.error_handler:Calling registered functions
2022-08-27 08:17:40,578:INFO:certbot._internal.auth_handler:Cleaning up challenges
2022-08-27 08:17:40,579:DEBUG:certbot._internal.plugins.webroot:Removing /var/www/html/.well-known/acme-challenge/FVvzGuo6RvMJKbE_U22kcFVBeJI_Quo0-BwLusGnBus
2022-08-27 08:17:40,579:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2022-08-27 08:17:40,580:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File “/usr/bin/certbot”, line 9, in
load_entry_point(‘certbot==1.11.0’, ‘console_scripts’, ‘certbot’)()
File “/usr/lib/python2.7/site-packages/certbot/main.py”, line 15, in main
return internal_main.main(cli_args)
File “/usr/lib/python2.7/site-packages/certbot/_internal/main.py”, line 1421, in main
return config.func(config, plugins)
File “/usr/lib/python2.7/site-packages/certbot/_internal/main.py”, line 1294, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File “/usr/lib/python2.7/site-packages/certbot/_internal/main.py”, line 135, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File “/usr/lib/python2.7/site-packages/certbot/_internal/client.py”, line 441, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File “/usr/lib/python2.7/site-packages/certbot/_internal/client.py”, line 374, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File “/usr/lib/python2.7/site-packages/certbot/_internal/client.py”, line 421, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File “/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py”, line 91, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File “/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py”, line 180, in _poll_authorizations
raise errors.AuthorizationError(‘Some challenges have failed.’)
AuthorizationError: Some challenges have failed.
2022-08-27 08:17:40,581:ERROR:certbot._internal.log:Some challenges have failed.

danb35 · August 27, 2022, 12:10pm

Apparently not:

Your mail. subdomain is not responding to HTTP requests. Whether that’s a problem with your firewall(s) or something else I couldn’t say, but that’s why it can’t renew your cert. Edit: You can test this yourself using letsdebug.net.

rowihei · August 27, 2022, 12:57pm

You are right … it is the location filter… OFF and all is OK
We opened only for

Germany
Austria
and US (last year we needed fot Let’s Encrypt )
Is Let’s Encrypt now in another state - not US ?
…
Oh, I think I found the reason:
https://letsencrypt.org/2020/02/19/multi-perspective-validation.html

Never ending story …

danb35 · August 27, 2022, 1:43pm

Let’s Encrypt validates from anywhere in the world. Location blocking is a good way to make validation fail.