Invader Zim
Verified User
- Joined
- Sep 4, 2004
- Messages
- 188
3 domains out of 12 running on 1 particular server are experiencing errors during certificate renewal.
Code:
/usr/local/directadmin/scripts/letsencrypt.sh request domain.tld
Requesting new certificate order...
Processing authorization for ftp.domain.tld...
Challenge is valid.
Processing authorization for mail.domain.tld...
Challenge is valid.
Processing authorization for pop.domain.tld...
Challenge is valid.
Processing authorization for smtp.domain.tld...
Challenge is valid.
Processing authorization for domain.tld...
Waiting for domain verification...
Trying again...
1..2..3..4..5..
Challenge status: invalid. Challenge error: "type": "http-01", "status": "invalid", "error": { "type": "urn:ietf:params:acme:error:connection", "detail": "Fetching https://domain.tld/.well-known/acme-challenge/8eztp5ZiPNMS3SVm9o9Sf1PmhDAxE1lhj65f4Ckk_c8: Timeout during connect (likely firewall problem)", "status": 400 . Exiting...
There is no firewall blocking access to ports 25, 80, 110, 143, 587 or 443. DNS points to this server. The ACME challenge is written. nginx is running as reverse proxy. Removing nginx reverse proxy does not help. Unsetting the option "Force SSL with https redirect" in domain administration makes no difference either.
Code:
# pwd
/var/www/html/.well-known/acme-challenge
# ls -lsa
total 4
0 drwxr-xr-x. 2 webapps webapps 57 May 7 13:03 .
0 drwxr-xr-x. 3 webapps webapps 45 Dec 17 12:38 ..
4 -rw-r--r-- 1 webapps webapps 88 May 7 13:03 jAa7s7ihe4lYQVY5xvAoiLowN8nTNkDPzI_3mo-pCQs
[root@packparcel acme-challenge]# cat jAa7s7ihe4lYQVY5xvAoiLowN8nTNkDPzI_3mo-pCQs
jAa7s7ihe4lYQVY5xvAoiLowN8nTNkDPzI_3mo-pCQs.MwDgf5ju8-epkPrRfghpxVRxO_Z00uOCIY_2txtExR0
The request shows up as 301 in the log file:
Code:
domains/domain.tld.log:66.133.109.36 - - [07/May/2019:13:03:34 +0200] "GET /.well-known/acme-challenge/jAa7s7ihe4lYQVY5xvAoiLowN8nTNkDPzI_3mo-pCQs HTTP/1.1" 301 584 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
domains/domain.tld.log:66.133.109.36 - - [07/May/2019:13:03:55 +0200] "GET /.well-known/acme-challenge/jAa7s7ihe4lYQVY5xvAoiLowN8nTNkDPzI_3mo-pCQs HTTP/1.1" 301 584 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
Note: obviously domain.tld isn't the actual domain.
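As an added example (not part of the original post and not DirectAdmin's or Let's Encrypt's own code), a small Python triage helper for exactly this situation: it parses combined-format access log lines like the ones above, flags requests from the Let's Encrypt validation server to a `/.well-known/acme-challenge/` path that were answered with anything other than 200 (a 301 means the vhost redirected the validator instead of serving the token), and checks that a challenge file's content has the `token.thumbprint` shape http-01 requires. The log lines, domain and tokens embedded in it are constructed placeholders.

```python
"""Triage helper for Let's Encrypt http-01 failures seen in a web server access log.

Added example, not from the original forum post. Parses combined-format access
log lines (the format shown in the post), reports validator requests that did
not get a 200, and checks a challenge file's key-authorization shape.
All sample data below is constructed; domain and tokens are placeholders.
"""
import re
from typing import Dict, List, Optional

# Combined log format as written by Apache/nginx (matches the lines in the post).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

ACME_PREFIX = "/.well-known/acme-challenge/"
ACME_UA_MARKER = "Let's Encrypt validation server"
# http-01 tokens and JWK thumbprints are unpadded base64url.
B64URL_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def failed_acme_validations(lines: List[str]) -> List[Dict[str, str]]:
    """Validator requests for a challenge path answered with anything but 200.

    A 301/302 here means the vhost redirected the validator (typically to https)
    instead of serving the token directly; the redirect target then has to answer
    within the CA's timeout, which is where "Timeout during connect" comes from.
    """
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or not rec["path"].startswith(ACME_PREFIX):
            continue
        if ACME_UA_MARKER not in rec["ua"]:
            continue  # ignore browsers, scanners and our own curl tests
        if rec["status"] != "200":
            hits.append({
                "token": rec["path"][len(ACME_PREFIX):],
                "status": rec["status"],
                "ip": rec["ip"],
                "time": rec["time"],
            })
    return hits


def check_key_authorization(filename: str, content: str) -> bool:
    """True if the challenge file content is '<token>.<thumbprint>' for its own filename."""
    parts = content.strip().split(".")
    if len(parts) != 2:
        return False
    token, thumbprint = parts
    return token == filename and bool(B64URL_RE.match(token)) and bool(B64URL_RE.match(thumbprint))


# Constructed sample: two redirected validator hits for one token, one successful
# validation for another token, one ordinary browser request, one curl probe.
SAMPLE_LOG = """
66.133.109.36 - - [07/May/2019:13:03:34 +0200] "GET /.well-known/acme-challenge/TOKEN_AAAA HTTP/1.1" 301 584 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
66.133.109.36 - - [07/May/2019:13:03:55 +0200] "GET /.well-known/acme-challenge/TOKEN_AAAA HTTP/1.1" 301 584 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
66.133.109.36 - - [07/May/2019:13:04:10 +0200] "GET /.well-known/acme-challenge/TOKEN_BBBB HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
192.0.2.10 - - [07/May/2019:13:05:00 +0200] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.11 - - [07/May/2019:13:05:30 +0200] "GET /.well-known/acme-challenge/TOKEN_AAAA HTTP/1.1" 404 153 "-" "curl/7.64.0"
""".strip().splitlines()


if __name__ == "__main__":
    for hit in failed_acme_validations(SAMPLE_LOG):
        print(f'{hit["time"]} validator from {hit["ip"]} got {hit["status"]} for token {hit["token"]}')
    # Constructed challenge file: the content must start with its own filename.
    print(check_key_authorization("TOKEN_AAAA", "TOKEN_AAAA.THUMBPRINT_placeholder-_"))
```

Run it against the real log with `failed_acme_validations(open("domains/domain.tld.log").readlines())`; every 301 it reports is a validator request that the vhost answered with a redirect rather than the token, which is the first thing to fix before looking for firewall problems.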