Error while renewing let's encrypt certificate

Invader Zim (Verified User; joined Sep 4, 2004; 157 messages)
3 domains out of 12 running on 1 particular server are experiencing errors during certificate renewal.

Code:
/usr/local/directadmin/scripts/letsencrypt.sh request domain.tld
Requesting new certificate order...
Processing authorization for ftp.domain.tld...
Challenge is valid.
Processing authorization for mail.domain.tld...
Challenge is valid.
Processing authorization for pop.domain.tld...
Challenge is valid.
Processing authorization for smtp.domain.tld...
Challenge is valid.
Processing authorization for domain.tld...
Waiting for domain verification...
Trying again...
1..2..3..4..5..
Challenge status: invalid. Challenge error: "type": "http-01",  "status": "invalid",  "error": {    "type": "urn:ietf:params:acme:error:connection",    "detail": "Fetching https://domain.tld/.well-known/acme-challenge/8eztp5ZiPNMS3SVm9o9Sf1PmhDAxE1lhj65f4Ckk_c8: Timeout during connect (likely firewall problem)",    "status": 400  . Exiting...
There is no firewall blocking access to ports 25, 80, 110, 143, 587 or 443. DNS points to this server. The acme challenge is written. nginx is running as reverse proxy. Removing nginx reverse proxy does not help. Unsetting the option "Force SSL with https redirect" in domain administration makes no difference either.

Code:
# pwd
/var/www/html/.well-known/acme-challenge
# ls -lsa
total 4
0 drwxr-xr-x. 2 webapps webapps 57 May  7 13:03 .
0 drwxr-xr-x. 3 webapps webapps 45 Dec 17 12:38 ..
4 -rw-r--r--  1 webapps webapps 88 May  7 13:03 jAa7s7ihe4lYQVY5xvAoiLowN8nTNkDPzI_3mo-pCQs
[root@packparcel acme-challenge]# cat jAa7s7ihe4lYQVY5xvAoiLowN8nTNkDPzI_3mo-pCQs
jAa7s7ihe4lYQVY5xvAoiLowN8nTNkDPzI_3mo-pCQs.MwDgf5ju8-epkPrRfghpxVRxO_Z00uOCIY_2txtExR0
The request shows up as 301 in the log file:
Code:
domains/domain.tld.log:66.133.109.36 - - [07/May/2019:13:03:34 +0200] "GET /.well-known/acme-challenge/jAa7s7ihe4lYQVY5xvAoiLowN8nTNkDPzI_3mo-pCQs HTTP/1.1" 301 584 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
domains/domain.tld.log:66.133.109.36 - - [07/May/2019:13:03:55 +0200] "GET /.well-known/acme-challenge/jAa7s7ihe4lYQVY5xvAoiLowN8nTNkDPzI_3mo-pCQs HTTP/1.1" 301 584 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
Note: obviously domain.tld isn't the actual domain.
 

zEitEr (Super Moderator; joined Apr 11, 2005; 14,255 messages; location GMT +7.00)
Hello,

Can it be so that you use custom rewrite rules (to redirect requests) added into custom HTTPd.conf either for Apache or NGINX?
 

Invader Zim (Verified User; joined Sep 4, 2004; 157 messages)
This is not the case. No customization has been done to any config file.
 

zEitEr (Super Moderator; joined Apr 11, 2005; 14,255 messages; location GMT +7.00)
Hiding domains is not helpful at all.

If for any reason you can not publish your real domain names, you had better either search the forums for similar threads, or open a ticket with directadmin support.
 

DirectAdmin Support (Administrator, Staff member; joined Feb 27, 2003; 9,049 messages)
Your apache logs show return code 301... that's a redirect, not what LetsEncrypt is expecting.

Try debugging with this:
https://help.directadmin.com/item.php?id=646

Your site might have an .htaccess file that's stealing the /.well-known/acme-challenge path, and redirecting it somewhere.
We're not able to see where without knowing the real domain name, but that might help you track it down.

John
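As an added example (not code from the thread or from DirectAdmin), a small Python check that does what John suggests by hand: scan Apache access log lines for Let's Encrypt validation requests and flag any answered with a redirect or 404 instead of 200, and confirm a challenge file holds "<token>.<thumbprint>" as the ls/cat in the first post shows. The log lines and tokens are constructed from the ones quoted above.

```python
import re

# Apache "combined" log line; a leading "file.log:" prefix from grep -r is stripped first.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Constructed sample lines modelled on the ones quoted in the first post (placeholder tokens).
SAMPLE_LOG = """\
domains/domain.tld.log:66.133.109.36 - - [07/May/2019:13:03:34 +0200] "GET /.well-known/acme-challenge/TOKEN_A HTTP/1.1" 301 584 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
domains/domain.tld.log:66.133.109.36 - - [07/May/2019:13:04:10 +0200] "GET /.well-known/acme-challenge/TOKEN_B HTTP/1.1" 200 88 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
domains/domain.tld.log:203.0.113.9 - - [07/May/2019:13:05:00 +0200] "GET / HTTP/1.1" 301 584 "-" "curl/7.64.0"
"""

def strip_grep_prefix(line):
    # "domains/domain.tld.log:<log line>" -> "<log line>"; plain lines are returned unchanged.
    head, sep, rest = line.partition(":")
    return rest if sep and head.endswith(".log") else line

def verdict(status):
    """Explain a non-200 answer to the validator in terms of the causes seen in this thread."""
    if status == 200:
        return "ok"
    if status in (301, 302, 307, 308):
        return "redirect: a rewrite (e.g. Force SSL) fires before the /.well-known alias"
    if status == 404:
        return "not found: /.well-known alias missing or challenge file not written"
    return "unexpected status"

def audit(log_text):
    """Return (ip, token, status, verdict) for every request to the ACME challenge path."""
    findings = []
    for raw in log_text.splitlines():
        m = LOG_RE.match(strip_grep_prefix(raw.strip()))
        if not m or not m.group("path").startswith(CHALLENGE_PREFIX):
            continue
        status = int(m.group("status"))
        token = m.group("path")[len(CHALLENGE_PREFIX):]
        findings.append((m.group("ip"), token, status, verdict(status)))
    return findings

def challenge_file_ok(filename, content):
    """The file named <token> must hold '<token>.<key thumbprint>', nothing else."""
    token, sep, thumbprint = content.strip().partition(".")
    return token == filename and bool(sep) and bool(thumbprint)
```

Run `audit` over `grep -r acme-challenge /var/log/httpd/domains/` output (or the SAMPLE_LOG above); any "redirect" verdict points at a rewrite rule that runs before the alias.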
 

Invader Zim (Verified User; joined Sep 4, 2004; 157 messages)
Thanks for the reply.

I did check for a redirect in an .htaccess. There wasn't one on any one of the sites. And unchecking "Force SSL with https redirect" also didn't have the desired effect. I will try the debugging tomorrow.
 

Invader Zim (Verified User; joined Sep 4, 2004; 157 messages)
It seems I didn't deactivate "Force SSL with https redirect" after all. The problem has been resolved now.
 

kke (Verified User; joined Apr 4, 2006; 205 messages; location Thailand)
I have the same problem.

A site with the "Force SSL with https redirect" option enabled in DA will fail on letsencrypt renewal with this error:
Code:
Error: http://www.domains.com/.well-known/acme-challenge/letsencrypt_xxxxxx is not reachable. Aborting the script.
Because this option adds a redirect to httpd.conf, and it runs before the .well-known alias, the request to .well-known is redirected to https:
Code:
SetEnvIf X-Forwarded-Proto "https" HTTPS=on
You have to disable the "Force SSL with https redirect" option in DA and manually add the redirect code to the .htaccess of the domain.
This will not affect the /.well-known alias in the httpd config:
Code:
RewriteEngine on
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
 

wesco (New member; joined Aug 10, 2019; 2 messages)
I experienced the same inability to reissue letsencrypt when "Force SSL with https redirect" is on. I added the below snippet (found on stackoverflow)
to custombuild/custom/ap2/conf/extra/httpd-includes.conf:
<IfModule mod_rewrite.c>
# prevent vhost rewrites from killing the alias
RewriteEngine On
RewriteOptions InheritDownBefore
RewriteCond %{REQUEST_URI} ^/\.well\-known
RewriteRule . - [L,PT]
</IfModule>

This will cover all vhosts as I enable "Force SSL with https redirect" by default for all.
FYI I was getting "Unable to update challenge :: authorization must be pending" when trying to renew letsencrypt
 

zEitEr (Super Moderator; joined Apr 11, 2005; 14,255 messages; location GMT +7.00)
Inherit instructions do not work with LiteSpeed and OpenLiteSpeed at all... as it seems to me.

At least they did not work for us yesterday with LiteSpeed.
 

bahman.neekooee (Verified User; joined Dec 14, 2019; 7 messages)
I have the problem too.
For example:
Requesting new certificate order...
Processing https://acme-v02.api.letsencrypt.org/acme/authz-v3/4688424943...
Processing authorization for ftp.webblogger.ir...
Waiting for domain verification...
Nonce is empty. Exiting. dig output of acme-v02.api.letsencrypt.org:
prod.api.letsencrypt.org.
ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com.
172.65.32.248
Full nonce request output:
 

bdacus01 (Verified User; joined Jul 22, 2017; 1,304 messages; location Murfreesboro)
I have the problem too.
For example:
Requesting new certificate order...
Processing https://acme-v02.api.letsencrypt.org/acme/authz-v3/4688424943...
Processing authorization for ftp.webblogger.ir...
Waiting for domain verification...
Nonce is empty. Exiting. dig output of acme-v02.api.letsencrypt.org:
prod.api.letsencrypt.org.
ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com.
172.65.32.248
Full nonce request output:
Gave you some info in your main post.
 

jeffer (Verified User; joined Jul 23, 2017; 10 messages)
I experienced the same inability to reissue letsencrypt when "Force SSL with https redirect" is on. I added the below snippet (found on stackoverflow)
to custombuild/custom/ap2/conf/extra/httpd-includes.conf:
<IfModule mod_rewrite.c>
# prevent vhost rewrites from killing the alias
RewriteEngine On
RewriteOptions InheritDownBefore
RewriteCond %{REQUEST_URI} ^/\.well\-known
RewriteRule . - [L,PT]
</IfModule>

This will cover all vhosts as I enable "Force SSL with https redirect" by default for all.
FYI I was getting "Unable to update challenge :: authorization must be pending" when trying to renew letsencrypt

We had the same problem, this fixed it for us.
(fpm / nginx setup).
 

Freddy (Verified User; joined Apr 14, 2016; 48 messages)
If I understand correctly, the "Force SSL" option will break Let's Encrypt request/renewal? I have a customer who has problems requesting a new certificate but will this also fail with a renewal? That's a dangerous option.

I was wrong. My /.well-known Alias was missing and that caused the problem. Having "Force SSL" enabled is not a problem for requesting SSL certificates.
 