Error while renewing Let's Encrypt certificate

Invader Zim (Verified User; joined Sep 4, 2004; 155 messages)
3 domains out of 12 running on 1 particular server are experiencing errors during certificate renewal.

Code:
/usr/local/directadmin/scripts/letsencrypt.sh request domain.tld
Requesting new certificate order...
Processing authorization for ftp.domain.tld...
Challenge is valid.
Processing authorization for mail.domain.tld...
Challenge is valid.
Processing authorization for pop.domain.tld...
Challenge is valid.
Processing authorization for smtp.domain.tld...
Challenge is valid.
Processing authorization for domain.tld...
Waiting for domain verification...
Trying again...
1..2..3..4..5..
Challenge status: invalid. Challenge error: "type": "http-01",  "status": "invalid",  "error": {    "type": "urn:ietf:params:acme:error:connection",    "detail": "Fetching https://domain.tld/.well-known/acme-challenge/8eztp5ZiPNMS3SVm9o9Sf1PmhDAxE1lhj65f4Ckk_c8: Timeout during connect (likely firewall problem)",    "status": 400  . Exiting...
There is no firewall blocking access to ports 25, 80, 110, 143, 587 or 443. DNS points to this server. The ACME challenge is written. nginx is running as reverse proxy. Removing the nginx reverse proxy does not help. Unsetting the option "Force SSL with https redirect" in domain administration makes no difference either.

Code:
# pwd
/var/www/html/.well-known/acme-challenge
# ls -lsa
total 4
0 drwxr-xr-x. 2 webapps webapps 57 May  7 13:03 .
0 drwxr-xr-x. 3 webapps webapps 45 Dec 17 12:38 ..
4 -rw-r--r--  1 webapps webapps 88 May  7 13:03 jAa7s7ihe4lYQVY5xvAoiLowN8nTNkDPzI_3mo-pCQs
[root@packparcel acme-challenge]# cat jAa7s7ihe4lYQVY5xvAoiLowN8nTNkDPzI_3mo-pCQs
jAa7s7ihe4lYQVY5xvAoiLowN8nTNkDPzI_3mo-pCQs.MwDgf5ju8-epkPrRfghpxVRxO_Z00uOCIY_2txtExR0
The request shows up as 301 in the log file:
Code:
domains/domain.tld.log:66.133.109.36 - - [07/May/2019:13:03:34 +0200] "GET /.well-known/acme-challenge/jAa7s7ihe4lYQVY5xvAoiLowN8nTNkDPzI_3mo-pCQs HTTP/1.1" 301 584 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
domains/domain.tld.log:66.133.109.36 - - [07/May/2019:13:03:55 +0200] "GET /.well-known/acme-challenge/jAa7s7ihe4lYQVY5xvAoiLowN8nTNkDPzI_3mo-pCQs HTTP/1.1" 301 584 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
Note: obviously domain.tld isn't the actual domain.
 

zEitEr (Super Moderator; joined Apr 11, 2005; 14,173 messages; location GMT +7.00)
Hello,

Could it be that you use custom rewrite rules (to redirect requests) added to a custom httpd.conf for either Apache or NGINX?
 

Invader Zim (Verified User; joined Sep 4, 2004; 155 messages)
This is not the case. No customization has been done to any config file.
 

zEitEr (Super Moderator; joined Apr 11, 2005; 14,173 messages; location GMT +7.00)
Hiding domain names is not helpful at all.

If for any reason you cannot publish your real domain names, you had better either search the forums for similar threads or open a ticket with DirectAdmin support.
 

DirectAdmin Support (Administrator, Staff member; joined Feb 27, 2003; 8,991 messages)
Your apache logs show return code 301... that's a redirect, not what LetsEncrypt is expecting.

Try debugging with this:
https://help.directadmin.com/item.php?id=646

Your site might have an .htaccess file that's stealing the /.well-known/acme-challenge path, and redirecting it somewhere.
We're not able to see where without knowing the real domain name, but that might help you track it down.

John
 

Invader Zim (Verified User; joined Sep 4, 2004; 155 messages)
Thanks for the reply.

I did check for a redirect in an .htaccess. There wasn't one on any one of the sites. And unchecking "Force SSL with https redirect" also didn't have the desired effect. I will try the debugging tomorrow.
 

Invader Zim (Verified User; joined Sep 4, 2004; 155 messages)
It seems I didn't deactivate "Force SSL with https redirect" after all. The problem has been resolved now.
 

kke (Verified User; joined Apr 4, 2006; 202 messages; location Thailand)
I have the same problem.

A site with the "Force SSL with https redirect" option enabled in DA errors on Let's Encrypt renewal with:
Code:
Error: http://www.domains.com/.well-known/acme-challenge/letsencrypt_xxxxxx is not reachable. Aborting the script.
Because this option adds a redirect to httpd.conf that takes effect before the .well-known alias, the request to .well-known is redirected to https.
Code:
SetEnvIf X-Forwarded-Proto "https" HTTPS=on
You have to disable the "Force SSL with https redirect" option in DA and manually add the redirect code to the domain's .htaccess.
This will not affect the .well-known alias in the httpd config:
Code:
# Redirect plain-HTTP (port 80) requests to HTTPS. Placed in the domain's .htaccess,
# which is not applied to the /.well-known alias defined in httpd.conf, so the
# ACME challenge path is still served over plain HTTP.
RewriteEngine on
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
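An added example, not code from this thread, from DirectAdmin or from Let's Encrypt, that serves both the 301 seen in the first post's access log and kke's point about the redirect being applied before the challenge path. The validator's error above names an https:// URL, i.e. it followed the 301 and then timed out on the HTTPS hop, so the script (1) scans an access log for validator requests not answered with 200, (2) traces the challenge URL one hop at a time, the way the validator does, so the failing hop is printed explicitly, and (3) prints a force-HTTPS rewrite that exempts /.well-known/acme-challenge/ and stays correct behind a TLS-terminating nginx proxy. The sample log lines, the token and the field positions (combined log format as shown in the thread) are constructed assumptions; curl is assumed to be installed.

```shell
#!/bin/sh
# Added example, not code from the thread, DirectAdmin or Let's Encrypt.
# Assumptions: curl is installed; access logs use the combined format shown in the
# thread (status = field 9, request path = field 7); the sample data is constructed.

# Map an HTTP status to what it means for an http-01 fetch.
classify_hop() {
    case "$1" in
        200)             echo ok ;;        # token served; validator compares the body
        301|302|307|308) echo redirect ;;  # validator follows it (up to 10 hops)
        404)             echo missing ;;   # token file not found under the webroot
        *)               echo error ;;     # anything else, including 000 (no connection)
    esac
}

# Print "<status> <path>" for every request from the Let's Encrypt validator that
# was not answered with 200. Reads the file given as $1, or stdin when called bare.
acme_failures_in_log() {
    awk '/Let.s Encrypt validation server/ && $9 != 200 { print $9, $7 }' "$@"
}

# Follow the challenge URL one hop at a time without letting curl chase redirects,
# so the hop that fails (e.g. the https:// listener timing out) is printed by itself.
# Usage: trace_challenge http://domain.tld/.well-known/acme-challenge/<token>
trace_challenge() {
    url=$1
    hops=0
    while [ "$hops" -lt 10 ]; do
        # Without -L curl stops at the first response; -w prints status and Location.
        out=$(curl -s -o /dev/null --connect-timeout 10 \
                   -w '%{http_code} %{redirect_url}' "$url" 2>/dev/null)
        rc=$?
        if [ "$rc" -ne 0 ]; then
            echo "$url -> no response (curl exit $rc)"  # the validator's "Timeout during connect"
            return 1
        fi
        code=${out%% *}
        next=${out#* }
        kind=$(classify_hop "$code")
        echo "$url -> $code ($kind)"
        case "$kind" in
            ok)       return 0 ;;
            redirect) url=$next; hops=$((hops + 1)) ;;
            *)        return 1 ;;
        esac
    done
    echo "gave up after 10 redirects"
    return 1
}

# Force-HTTPS rules for .htaccess that leave the challenge path alone. The
# X-Forwarded-Proto condition avoids a redirect loop when nginx terminates TLS
# in front of Apache, as in the first post.
safe_force_ssl_rules() {
    cat <<'EOF'
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP:X-Forwarded-Proto} !=https
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
EOF
}

# Constructed sample log (not from a real server): the validator is answered 301
# once, an unrelated client is redirected, and the validator gets 200 after the fix.
SAMPLE_LOG=$(cat <<'EOF'
66.133.109.36 - - [07/May/2019:13:03:34 +0200] "GET /.well-known/acme-challenge/jAa7s7ihe4lYQVY5xvAoiLowN8nTNkDPzI_3mo-pCQs HTTP/1.1" 301 584 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
203.0.113.7 - - [07/May/2019:13:03:40 +0200] "GET /index.html HTTP/1.1" 301 584 "-" "Mozilla/5.0"
66.133.109.36 - - [07/May/2019:14:20:02 +0200] "GET /.well-known/acme-challenge/jAa7s7ihe4lYQVY5xvAoiLowN8nTNkDPzI_3mo-pCQs HTTP/1.1" 200 88 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
EOF
)

echo "Validator requests not answered with 200 in the sample log:"
printf '%s\n' "$SAMPLE_LOG" | acme_failures_in_log
echo
echo "Rewrite rules that keep the challenge path on plain HTTP:"
safe_force_ssl_rules
```

Run it as-is to see the log scan and the rules; on the affected server, run `trace_challenge http://domain.tld/.well-known/acme-challenge/<token>` after dropping a token file into the webroot, and `acme_failures_in_log /var/log/httpd/domains/domain.tld.log` to find which hosts redirected the validator.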