Request a new Let's Encrypt certificate?

Ports 80 and 443 are open and a zapto.org domain is pointing to the IP address…

I get an error when I try to request a cert:

[screenshot]

How can I debug it?

Hi

You need to put ALL the Let's Encrypt names you need in one box…

Using the old interface:

You can always add or remove domains for Let's Encrypt.
DNS must be correct and point to NethServer.

Hope that helps…

Look at the most recent Let’s Encrypt log in /var/log/letsencrypt.

Not necessarily; you can use individual certs for each virtual host, for example.


@danb35

Thanks, good to know!

Andy

Maybe this is useful debug info:

Domain: xxx.zapto.org
Type:   connection
Detail: Fetching http://xxx.zapto.org/.well-known/acme-challenge/xxxxxxxxxxxxxxx.............: Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
2020-04-08 06:56:46,244:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
AuthorizationError: Some challenges have failed.

2020-04-08 06:56:46,245:DEBUG:certbot._internal.error_handler:Calling registered functions
2020-04-08 06:56:46,245:INFO:certbot._internal.auth_handler:Cleaning up challenges
2020-04-08 06:56:46,245:DEBUG:certbot._internal.plugins.webroot:Removing /var/www/html/.well-known/acme-challenge/xxxxxxxxxxxxxxxxxxx..........
2020-04-08 06:56:46,245:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2020-04-08 06:56:46,246:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 9, in <module>
    load_entry_point('certbot==1.3.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 1347, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 1233, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/client.py", line 410, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/client.py", line 344, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/client.py", line 391, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
AuthorizationError: Some challenges have failed.

I've found something about this error on the Let's Encrypt community forum. It was a problem with IPv6 and IPv4 addresses. The person with the problem stopped IPv6 address resolution at his DNS provider and it works.

Is it possible to use the CLI instead of the GUI with a force option for IPv4?

Hi

You could also set your Router/Firewall to NOT accept IPv6 from the Internet…
(Only if NethServer is NOT your Firewall).

My 2 cents
Andy


OK, here’s your problem: the Let’s Encrypt servers weren’t able to connect to your server. There are many possible reasons for this:

  • If your Neth box is behind a firewall, make sure port 80 is open to the Neth box from the whole Internet.
  • Make sure your ISP isn’t blocking port 80
  • Make sure your DNS records (A/CNAME) are actually pointing to the right IP address (somewhere in that log, it should indicate the IP address it tried to connect to)
  • Since Neth still doesn’t do IPv6, make sure you don’t have any AAAA records for this domain name

No, there is no force option for IPv4. If you have IPv6 DNS (i.e., AAAA) records, Let’s Encrypt will attempt to connect using IPv6. If your server doesn’t respond over IPv6 (which Neth doesn’t), the correct solution is to remove those DNS records. If you don’t have AAAA records for that FQDN, Let’s Encrypt won’t attempt to use IPv6.

This would cause exactly the problem that’s happening, if there are still published DNS records pointing to IPv6 addresses.


@danb35

Since I’m considered a DNS crack, I often forget that others aren’t…
Unless forced to, I don’t use IPv6 at all, even disabling it as far as possible.

My 2 cents
Andy

Thank you for your answers… The Let's Encrypt cert worked for about 3 months. A few days before the expiration date I tried to renew and got the problem. I did not change anything on the DynDNS record xxx.zapto.org, nor on the edge router/firewall…

Is there a way to check if an IPv6 DNS record exists for my DynDNS domain?

dig yourdomain.com aaaa

But once again, the log file should show the IP address to which Let’s Encrypt is trying to connect.
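As an added example that is not part of this thread and is not NethServer or certbot code: a small pre-flight script that does what the two answers above describe before you hit "request" again. It resolves the name, flags AAAA records on a host that only speaks IPv4 (the CA tries the IPv6 address first), checks that an A record matches the address you expect, probes port 80 on every published address with the Host header the CA would send, and pulls the "Domain / Type / Detail" block out of a failed certbot log. The hostname, the expected IPv4 address and the challenge token are placeholders you supply; the IPv4-only assumption is a parameter.

```python
"""Pre-flight check for a Let's Encrypt HTTP-01 challenge.

Added example; not code from the thread, NethServer or certbot. It assumes
an IPv4-only host unless told otherwise and checks what the replies above
turn on: whether the name publishes AAAA records (tried first by the CA),
and whether port 80 answers on every published address.
"""
import re
import socket
import sys
from typing import Callable, Dict, Iterable, List, Tuple

ACME_PATH = "/.well-known/acme-challenge/"


def system_lookup(fqdn: str) -> List[str]:
    """All A and AAAA addresses the local resolver returns for fqdn (needs network)."""
    infos = socket.getaddrinfo(fqdn, 80, 0, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def split_families(addresses: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Separate IPv4 literals from IPv6 literals (only an IPv6 literal contains ':')."""
    v4 = sorted(a for a in addresses if ":" not in a)
    v6 = sorted(a for a in addresses if ":" in a)
    return v4, v6


def assess(fqdn: str, addresses: Iterable[str], expected_v4: str,
           host_speaks_ipv6: bool = False) -> List[str]:
    """Explain, from the CA's point of view, why validation of fqdn may fail.
    Returns an empty list when DNS is consistent with what the host can serve."""
    v4, v6 = split_families(addresses)
    findings = []
    if not v4 and not v6:
        findings.append(f"{fqdn}: no A or AAAA record, nothing for the CA to connect to")
    if v4 and expected_v4 not in v4:
        findings.append(f"{fqdn}: A record(s) {v4} do not include the expected {expected_v4}")
    if len(v4) > 1:
        findings.append(f"{fqdn}: several A records {v4}; every one must serve the challenge")
    if v6 and not host_speaks_ipv6:
        findings.append(f"{fqdn}: AAAA record(s) {v6} published but the host is IPv4-only; "
                        "the CA tries IPv6 first, so remove the AAAA records or enable IPv6")
    return findings


def probe_http01(ip: str, fqdn: str, token: str, timeout: float = 5.0) -> Tuple[bool, str]:
    """Fetch the challenge URL over one specific address, with the Host header the CA
    would send. A 404 still proves reachability; a timeout is the thread's failure.
    Needs network access, so the offline test does not call it."""
    request = (f"GET {ACME_PATH}{token} HTTP/1.1\r\nHost: {fqdn}\r\n"
               "Connection: close\r\n\r\n").encode()
    try:
        with socket.create_connection((ip, 80), timeout=timeout) as sock:
            sock.sendall(request)
            status = sock.recv(4096).split(b"\r\n", 1)[0].decode(errors="replace")
            return True, status
    except OSError as exc:  # timeout, refused, unreachable: what the CA sees
        return False, f"{type(exc).__name__}: {exc}"


# The block certbot prints for each failed authorization, as in the log above.
_FAILURE = re.compile(
    r"Domain:\s+(?P<domain>\S+)\s+Type:\s+(?P<type>\S+)\s+Detail:\s+(?P<detail>[^\n]+)")


def parse_failed_challenges(log_text: str) -> List[Dict[str, str]]:
    """Extract every 'Domain / Type / Detail' block from certbot output or its log."""
    return [m.groupdict() for m in _FAILURE.finditer(log_text)]


def run(fqdn: str, expected_v4: str, token: str = "preflight",
        lookup: Callable[[str], List[str]] = system_lookup) -> List[str]:
    """Resolve, assess, then probe each published address; returns report lines."""
    addresses = lookup(fqdn)
    lines = [f"{fqdn} resolves to {addresses}"]
    lines += assess(fqdn, addresses, expected_v4)
    for ip in addresses:
        ok, status = probe_http01(ip, fqdn, token)
        lines.append(f"{ip}: {'reachable, ' + status if ok else 'FAILED, ' + status}")
    return lines


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: le_preflight.py <fqdn> <expected-ipv4>")
    print("\n".join(run(sys.argv[1], sys.argv[2])))
```

Run it from a machine outside your own network (the CA connects from the Internet, not from your LAN), e.g. `python3 le_preflight.py xxx.zapto.org 203.0.113.10`. The resolver is injectable so the checks can be exercised against constructed addresses without DNS; the probe deliberately connects to each literal address rather than the hostname, because that is the only way to see which of an A or AAAA record is the one timing out.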