Error while renewing let's encrypt certificate

Invader Zim
3 domains out of 12 running on 1 particular server are experiencing errors during certificate renewal.

Code:
/usr/local/directadmin/scripts/letsencrypt.sh request domain.tld
Requesting new certificate order...
Processing authorization for ftp.domain.tld...
Challenge is valid.
Processing authorization for mail.domain.tld...
Challenge is valid.
Processing authorization for pop.domain.tld...
Challenge is valid.
Processing authorization for smtp.domain.tld...
Challenge is valid.
Processing authorization for domain.tld...
Waiting for domain verification...
Trying again...
1..2..3..4..5..
Challenge status: invalid. Challenge error: "type": "http-01",  "status": "invalid",  "error": {    "type": "urn:ietf:params:acme:error:connection",    "detail": "Fetching https://domain.tld/.well-known/acme-challenge/8eztp5ZiPNMS3SVm9o9Sf1PmhDAxE1lhj65f4Ckk_c8: Timeout during connect (likely firewall problem)",    "status": 400  . Exiting...

There is no firewall blocking access to ports 25, 80, 110, 143, 587 or 443. DNS points to this server. The acme challenge is written. nginx is running as reverse proxy. Removing nginx reverse proxy does not help. Unsetting the option "Force SSL with https redirect" in domain administration makes no difference either.

Code:
# pwd
/var/www/html/.well-known/acme-challenge
# ls -lsa
total 4
0 drwxr-xr-x. 2 webapps webapps 57 May  7 13:03 .
0 drwxr-xr-x. 3 webapps webapps 45 Dec 17 12:38 ..
4 -rw-r--r--  1 webapps webapps 88 May  7 13:03 jAa7s7ihe4lYQVY5xvAoiLowN8nTNkDPzI_3mo-pCQs
[root@packparcel acme-challenge]# cat jAa7s7ihe4lYQVY5xvAoiLowN8nTNkDPzI_3mo-pCQs
jAa7s7ihe4lYQVY5xvAoiLowN8nTNkDPzI_3mo-pCQs.MwDgf5ju8-epkPrRfghpxVRxO_Z00uOCIY_2txtExR0

The request shows up as 301 in the log file:
Code:
domains/domain.tld.log:66.133.109.36 - - [07/May/2019:13:03:34 +0200] "GET /.well-known/acme-challenge/jAa7s7ihe4lYQVY5xvAoiLowN8nTNkDPzI_3mo-pCQs HTTP/1.1" 301 584 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
domains/domain.tld.log:66.133.109.36 - - [07/May/2019:13:03:55 +0200] "GET /.well-known/acme-challenge/jAa7s7ihe4lYQVY5xvAoiLowN8nTNkDPzI_3mo-pCQs HTTP/1.1" 301 584 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

Note: obviously domain.tld isn't the actual domain.
 
Hello,

Could it be that you use custom rewrite rules (to redirect requests) added to a custom httpd.conf for either Apache or NGINX?
 
This is not the case. No customization has been done to any config file.
 
Hiding domains is not helpful at all.

If for any reason you can not publish your real domain names, you should better either search the forums for similar threads, or open a ticket with directadmin support.
 
Your apache logs show return code 301... that's a redirect, not what LetsEncrypt is expecting.

Try debugging with this:
https://help.directadmin.com/item.php?id=646

Your site might have an .htaccess file that's stealing the /.well-known/acme-challenge path, and redirecting it somewhere.
We're not able to see where without knowing the real domain name, but that might help you track it down.

John
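John's suggestion is to find out what actually answers the validator's request. The script below is an added example, not part of this thread or of DirectAdmin's letsencrypt.sh: it repeats the validator's plain-HTTP fetch of the challenge URL without following redirects, so a 301 is reported instead of silently followed, and compares a 200 body with the key authorization the ACME client wrote to disk (the file the original post cats). The function names, the `acme-probe` user agent, the /var/www/html document root and the token in the usage line are the example's own assumptions.

```shell
#!/bin/sh
# Added example: reproduce the http-01 fetch by hand and say why it
# would pass or fail. Not part of DirectAdmin's letsencrypt.sh; all
# names below belong to this script.

# classify_acme_response STATUS BODY EXPECTED
# Only a 200 whose body is exactly the key authorization
# (token.thumbprint) satisfies the CA. Prints a verdict, returns 0 on
# pass and 1 on fail so it can be used in scripts.
classify_acme_response() {
  case "$1" in
    200)
      if [ "$2" = "$3" ]; then
        echo "ok: 200 and body matches the challenge file"
        return 0
      fi
      echo "fail: 200 but body differs from the challenge file"
      return 1
      ;;
    301|302|307|308)
      # What the poster's access log shows. Let's Encrypt does follow
      # redirects, but the redirected https:// fetch must then succeed;
      # in the thread it timed out on port 443.
      echo "fail: $1 redirect; the HTTPS redirect fires before the challenge path is served"
      return 1
      ;;
    *)
      echo "fail: unexpected status $1"
      return 1
      ;;
  esac
}

# expected_keyauth DOCROOT TOKEN
# Read the key authorization the ACME client wrote to disk, so the
# comparison uses the real file rather than a guess. The command
# substitution strips the trailing newline, as it does for the body.
expected_keyauth() {
  cat "$1/.well-known/acme-challenge/$2"
}

# probe_acme DOMAIN TOKEN DOCROOT
# Fetch over plain HTTP without -L, so a redirect is visible, then
# classify the status and body against the on-disk file.
probe_acme() {
  tmp=$(mktemp) || return 1
  status=$(curl -s --max-time 10 -o "$tmp" -w '%{http_code}' \
             -A 'acme-probe' \
             "http://$1/.well-known/acme-challenge/$2") || status=000
  body=$(cat "$tmp")
  rm -f "$tmp"
  classify_acme_response "$status" "$body" "$(expected_keyauth "$3" "$2")"
}

# Usage (hypothetical domain, token and document root):
#   probe_acme domain.tld jAa7s7ihe4lYQVY5xvAoiLowN8nTNkDPzI_3mo-pCQs /var/www/html
```

Run it from outside the server as well as on it: a 301 verdict means the redirect is applied before the challenge directory is served, which is exactly the ordering problem the later posts deal with.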
 
Thanks for the reply.

I did check for a redirect in an .htaccess. There wasn't one on any one of the sites. And unchecking "Force SSL with https redirect" also didn't have the desired effect. I will try the debugging tomorrow.
 
It seems I didn't deactivate "Force SSL with https redirect" after all. The problem has been resolved now.
 
I have the same problem.

A site with the "Force SSL with https redirect" option enabled in DA will error on letsencrypt renewal with this error:
Code:
Error: http://www.domains.com/.well-known/acme-challenge/letsencrypt_xxxxxx is not reachable. Aborting the script.
Because this option adds a redirect to httpd.conf, and it runs before the .well-known alias, the request to .well-known is redirected to https:
Code:
SetEnvIf X-Forwarded-Proto "https" HTTPS=on

You have to disable the "Force SSL with https redirect" option in DA and manually add the redirect code to the domain's .htaccess.
This will not affect the /.well-known alias in the httpd config:
Code:
RewriteEngine on
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
 
I experienced the same inability to reissue letsencrypt when "Force SSL with https redirect" is on. I added the below snippet (found on stackoverflow) to custombuild/custom/ap2/conf/extra/httpd-includes.conf:
Code:
<IfModule mod_rewrite.c>
# prevent vhost rewrites from killing the alias
RewriteEngine On
RewriteOptions InheritDownBefore
RewriteCond %{REQUEST_URI} ^/\.well\-known
RewriteRule . - [L,PT]
</IfModule>

This will cover all vhosts as I enable "Force SSL with https redirect" by default for all.
FYI I was getting "Unable to update challenge :: authorization must be pending" when trying to renew letsencrypt
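The two preceding posts make the same point: whatever rewrites port 80 to https must not run before the challenge path is handled. The shell below is an added example, not DirectAdmin's generated configuration or either poster's snippet. It embeds two constructed vhost fragments, one with the redirect ahead of any exemption and one with a pass-through rule for /.well-known/acme-challenge/ first, and an awk lint that flags the first ordering. The fragment text, the function name and the heuristic itself (a RewriteRule or RewriteCond mentioning well-known counts as the exemption only when it appears before the first RewriteRule whose target is https://) are this example's assumptions; it reads rewrite directives only and does not model Alias or LiteSpeed behaviour.

```shell
#!/bin/sh
# Added example: check that a vhost's HTTPS redirect does not shadow the
# ACME challenge path. Not a DirectAdmin template; names are this script's.

# Constructed fragment: the redirect matches every URI before anything
# handles /.well-known, so the validator's request gets a 301.
BROKEN_VHOST='RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
Alias /.well-known/acme-challenge /var/www/html/.well-known/acme-challenge'

# Constructed fragment: a pass-through rule with [L] for the challenge
# path sits before the redirect, so rewriting stops before the 301.
FIXED_VHOST='RewriteEngine On
# leave ACME challenges on plain HTTP
RewriteRule ^/\.well-known/acme-challenge/ - [L]
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
Alias /.well-known/acme-challenge /var/www/html/.well-known/acme-challenge'

# lint_acme_rewrite: reads a config fragment on stdin and prints "ok"
# when a RewriteRule/RewriteCond mentioning well-known precedes the first
# RewriteRule that redirects to https://, or when there is no such
# redirect at all; prints "bad" otherwise. A heuristic, not a parser.
lint_acme_rewrite() {
  awk '
    /^[ \t]*#/ { next }                                   # skip comments
    /Rewrite(Cond|Rule)/ && /well-known/ { exempt = 1 }   # exemption seen
    /RewriteRule/ && /https:\/\// { if (!exempt) bad = 1 } # redirect rule
    END { if (bad) print "bad"; else print "ok" }
  '
}

# Usage: pipe a vhost fragment or .htaccess into the lint.
#   printf '%s\n' "$BROKEN_VHOST" | lint_acme_rewrite   # -> bad
#   printf '%s\n' "$FIXED_VHOST"  | lint_acme_rewrite   # -> ok
#   lint_acme_rewrite < /path/to/httpd-vhosts.conf
```

The fixed fragment keeps the redirect; it only gives the challenge path a rule that ends processing first, which is the same idea as the InheritDownBefore snippet above but local to one vhost.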
 
Inherit instructions do not work with LiteSpeed and OpenLiteSpeed at all... as it seems to me.

At least they did not work for us yesterday with LiteSpeed.
 
I have the problem too.
For example:
Code:
Requesting new certificate order...
Processing https://acme-v02.api.letsencrypt.org/acme/authz-v3/4688424943...
Processing authorization for ftp.webblogger.ir...
Waiting for domain verification...
Nonce is empty. Exiting. dig output of acme-v02.api.letsencrypt.org:
prod.api.letsencrypt.org.
ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com.
172.65.32.248
Full nonce request output:
 
Gave you some info in your main post.
 
I experienced the same inability to reissue letsencrypt when "Force SSL with https redirect" is on. I added the snippet above to custombuild/custom/ap2/conf/extra/httpd-includes.conf.

We had the same problem, this fixed it for us.
(fpm / nginx setup).
 
If I understand correctly, the "Force SSL" option will break Let's Encrypt request/renewal? I have a customer who has problems requesting a new certificate but will this also fail with a renewal? That's a dangerous option.

I was wrong. My /.well-known Alias was missing and that caused the problem. Having "Force SSL" enabled is not a problem for requesting SSL certificates.
 