Having issues requesting a Let's Encrypt Certificate

#1 Sun, 06/09/2019 - 03:37
drguild

I am in the process of finishing setting up my physical server, and a message appeared on my temp VM that it cannot renew the encryption certificate.

Requesting a certificate for cajgo-support.com, community.cajgo-support.com, mail.cajgo-support.com from Let's Encrypt ..
.. request failed : Web-based validation failed : Failed to request certificate :
community.cajgo-support.com challenge did not pass: Invalid response from https://community.cajgo-support.com/.well-known/acme-challenge/J-yey4P3CPH9cJKxo4iVCdfxX1wcEKuFkPNvoeKvYgM [220.244.244.115]: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><!-- st"
DNS-based validation failed : Failed to request certificate :
community.cajgo-support.com challenge did not pass: No TXT record found at _acme-challenge.community.cajgo-support.com

My current certificate is this:

Current SSL certificate details
SSL certificate file /home/user/ssl.cert
SSL private key file /home/user/ssl.key
Web server hostname cajgo-support.com
Issuer name Let's Encrypt Authority X3
Issuer organization Let's Encrypt, CN = Let's Encrypt Authority X3
Expiry date Jul 9 04:19:01 2019 GMT
Certificate type Signed by CA
Other domain names cajgo-support.com, cajgo-support.sytes.net, community.cajgo-support.com, community.cajgo-support.sytes.net, mail.cajgo-support.com.
Time since last renewal 0.00 months
Last successful renewal 04/10/2019 1:19 PM
Last failed renewal 06/09/2019 1:23 PM
Renewal failed due to Web-based validation failed : Failed to request certificate :
community.cajgo-support.com challenge did not pass: Invalid response from https://community.cajgo-support.com/.well-known/acme-challenge/KVqqoQJRoAsn9ngXCljN4tASw-RdhBjXvpMN-Tcvtd4 [220.244.244.115]: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><!-- st"

Since the last renewal I backed up the server and imported it into a new Webmin install on a VM while I set up my physical server, to which I am just about to copy the virtual servers back.

As the certificate will expire July 9, a month from now, I need to work out how to request a new one for the server and not have it error out.

Sun, 06/09/2019 - 13:29
redrum2

If you delete your current certificate and request a new one manually, wouldn't that work out?

Mon, 06/10/2019 - 00:14 (Reply to #2)
drguild

I moved the servers back to the physical server and the certificate for my blog updated fine.

Though I used up my tries on my community forum for the week. Even so, it's still erroring.

How would I remove the old certificate from the system? Also, how do I do a .well-known folder for Let's Encrypt, as it appears to have gone missing or cannot be accessed with the backup and restore?

Requesting a certificate for cajgo-support.com, community.cajgo-support.com, mail.cajgo-support.com from Let's Encrypt ..
.. request failed : Web-based validation failed : Failed to request certificate :
community.cajgo-support.com challenge did not pass: Invalid response from https://community.cajgo-support.com/.well-known/acme-challenge/Kd_0rb91Y86YflzstEmVBriwqtjb9yRml_yY5CMY8iQ [220.244.244.115]: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><!-- st"
DNS-based validation failed : Failed to request certificate :
Error requesting challenges: Error creating new authz :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/

Mon, 06/10/2019 - 02:15
drguild

Checking the apache logs I am seeing these types of requests.

66.133.109.36 - - [09/Jun/2019:13:23:26 +0800] "GET /.well-known/acme-challenge/KVqqoQJRoAsn9ngXCljN4tASw-RdhBjXvpMN-Tcvtd4 HTTP/1.1" 301 611 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
66.133.109.36 - - [09/Jun/2019:13:23:27 +0800] "GET /.well-known/acme-challenge/KVqqoQJRoAsn9ngXCljN4tASw-RdhBjXvpMN-Tcvtd4 HTTP/1.1" 404 7946 "http://community.cajgo-support.com/.well-known/acme-challenge/KVqqoQJRoAsn9ngXCljN4tASw-RdhBjXvpMN-Tcvtd4" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

Checking Let's Debug I am getting this:

Test result for community.cajgo-support.com using http-01
HTTPCheck
DEBUG
Requests made to the domain
Request to: community.cajgo-support.com/220.244.244.115, Result: [Address Type=IPv4,Server=Apache/2.4.25,HTTP Status=301,Number of Redirects=1,Final HTTP Status=404], Issue:
Trace:
@0ms: Making a request to http://community.cajgo-support.com/.well-known/acme-challenge/letsdebug-test (using initial IP 220.244.244.115)
@0ms: Dialing 220.244.244.115
@589ms: Server response: HTTP 301 Moved Permanently
@589ms: Received redirect to https://community.cajgo-support.com/.well-known/acme-challenge/letsdebug-test
@589ms: Dialing 220.244.244.115
@1804ms: Server response: HTTP 404 Not Found

HTTPRecords
DEBUG
A and AAAA records found for this domain
community.cajgo-support.com. 0 IN A 220.244.244.115
LetsEncryptStaging
DEBUG
Challenge update failures for community.cajgo-support.com in order https://acme-staging-v02.api.letsencrypt.org/acme/order/5751349/36967531
acme: error code 403 "urn:ietf:params:acme:error:unauthorized": Invalid response from https://community.cajgo-support.com/.well-known/acme-challenge/sf2XK7VrpuPM8Ct2Ytdk7K0E7jzVycbsEfpYcadb_KU [220.244.244.115]: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><!-- st"
PublicSuffix
DEBUG
The IANA public suffix is the TLD of the Registered Domain
The TLD for community.cajgo-support.com is: com
StatusIO
DEBUG
The current status.io status for Let's Encrypt
Operational

No idea what the error is, whether it's .htaccess or something else. As mentioned, it was working fine until a month ago, and the config has been the same for ages and hasn't really changed apart from a server change and a backup and re-import of the sub-server which is erroring, and of the main server.
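
A way to reproduce what the access log and the Let's Debug trace above are showing, written here as an added example rather than anything posted in the thread or shipped with Virtualmin. Under HTTP-01 the CA follows redirects, so the 301 to HTTPS in the first log line is not the failure; the 404 that the HTTPS vhost returns afterwards is, and it means the document root that vhost serves does not contain the token. `acme_log_hits` and `acme_log_verdict` pull the validator's requests out of a combined-format Apache access log and classify the outcome (the two sample lines are constructed to match the shape of the entries quoted above). `acme_probe` writes a throwaway token into a webroot and fetches it the way the CA would, without contacting Let's Encrypt, so it costs nothing against the failed-authorization rate limit. The hostname and webroot handed to `acme_probe` are placeholders.

```sh
#!/bin/sh
# Added example (not from the thread or from Virtualmin): read the HTTP-01
# outcome out of an Apache access log, and probe a vhost the way the CA
# does without talking to Let's Encrypt at all.

# Two constructed combined-log lines shaped like the ones quoted in the post:
# the validator is 301-redirected to HTTPS, then the HTTPS vhost answers 404.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
66.133.109.36 - - [09/Jun/2019:13:23:26 +0800] "GET /.well-known/acme-challenge/KVqqoQJRoAsn9ngXCljN4tASw-RdhBjXvpMN-Tcvtd4 HTTP/1.1" 301 611 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
66.133.109.36 - - [09/Jun/2019:13:23:27 +0800] "GET /.well-known/acme-challenge/KVqqoQJRoAsn9ngXCljN4tASw-RdhBjXvpMN-Tcvtd4 HTTP/1.1" 404 7946 "http://community.cajgo-support.com/.well-known/acme-challenge/KVqqoQJRoAsn9ngXCljN4tASw-RdhBjXvpMN-Tcvtd4" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
EOF

# Print "<token> <status>" for every request the Let's Encrypt validator
# made to the challenge path ($7 = request path, $9 = status in combined format).
acme_log_hits() {
    grep -F "Let's Encrypt validation server" "$1" |
    awk 'index($7, "/.well-known/acme-challenge/") == 1 {
             n = split($7, p, "/"); print p[n], $9 }'
}

# Classify the validator's attempts.  The CA follows redirects, so a 30x
# followed by a 404 means the vhost the redirect lands on lacks the file.
acme_log_verdict() {
    acme_log_hits "$1" | awk '
        { seen = 1; last = $2; if ($2 ~ /^30[1278]$/) redirected = 1 }
        END {
            if (!seen)            print "no-hits"
            else if (last == 200) print "served"
            else if (redirected)  print "redirect-then-" last
            else                  print "status-" last
        }'
}

# Drop a throwaway token into WEBROOT and fetch it over plain HTTP the way
# the CA would (following redirects).  No CA is involved, so nothing counts
# against the "failed authorizations" limit.  Returns 0 only when the final
# response is HTTP 200 and its body is exactly the token.
acme_probe() {
    host=$1; webroot=$2
    dir="$webroot/.well-known/acme-challenge"
    token="probe-$(date +%s)-$$"
    mkdir -p "$dir" && printf '%s' "$token" > "$dir/$token" || return 2
    if ! out=$(curl -sS -L --max-redirs 10 \
                    -w '\n%{http_code} %{url_effective}' \
                    "http://$host/.well-known/acme-challenge/$token"); then
        rm -f "$dir/$token"
        return 2
    fi
    rm -f "$dir/$token"
    summary=$(printf '%s\n' "$out" | tail -n 1)   # "<code> <final url>"
    code=${summary%% *}; final=${summary#* }
    body=$(printf '%s\n' "$out" | sed '$d')        # everything before it
    if [ "$code" = 200 ] && [ "$body" = "$token" ]; then
        echo "OK: $final served the token"
        return 0
    fi
    echo "FAIL: $final answered HTTP $code and the body was not the token" >&2
    return 1
}

printf 'sample log verdict: %s\n' "$(acme_log_verdict "$SAMPLE_LOG")"
# Live check against a real vhost (hostname and webroot are placeholders;
# use the document root Apache actually serves for that name):
#   acme_probe community.cajgo-support.com /home/user/domains/community/public_html
```

Run `acme_probe` once per hostname in the certificate, not just the top one: in the situation above the top server passes and only the sub-server fails, and a FAIL whose final URL is the HTTPS vhost tells you to look at that vhost's document root (or at an .htaccess in it) rather than at the redirect.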

Tue, 06/11/2019 - 18:12
Hans

----> Error requesting challenges: Error creating new authz :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/

Could it be you tried a bit too often?! :)

Wed, 06/12/2019 - 02:45 (Reply to #5)
drguild

As you can see from my first post, it was doing it before it reached the 50-try limit.

I'll check again next week and see what's what. As it's back on the physical server and at the same internal 1.1 IP as it was, my other server worked again when putting it back to the physical config, so maybe this one might work in a week once the tries reset.

I'll keep the post updated but have a feeling I may need some help getting the certificate.

Wed, 06/19/2019 - 04:04
drguild

Still cannot get a certificate as I am seeing this:

Requesting a certificate for cajgo-support.com, community.cajgo-support.com from Let's Encrypt ..
.. request failed : Web-based validation failed : Failed to request certificate :
community.cajgo-support.com challenge did not pass: Invalid response from https://community.cajgo-support.com/.well-known/acme-challenge/DVF07sF9RzwdOxsWvuBnXwcu2Jy2gj11EqlMtw5FOII [220.244.244.115]: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><!-- st"
DNS-based validation failed : Failed to request certificate :
community.cajgo-support.com challenge did not pass: No TXT record found at _acme-challenge.community.cajgo-support.com

Thu, 06/20/2019 - 01:57
drguild

I have been doing some more looking.

So, to summarize, which will help explain this post better: I have a top server and a sub-server, cajgo-support.com and community.cajgo-support.com.

What I am seeing is the challenge files are correctly going into the top server as I can see them in WinSCP under the user root and permissions 777.

But the error is showing that it cannot read from the acme-challenge directory on the community sub-server. Certificate sharing is on. This appears to be a bug or a misconfiguration somewhere.

Thu, 06/20/2019 - 02:50
drguild

I was trying to share certificates, so I was erroring out about the acme directory in the sub-server. In the main certificate I had the sub-server domain.

So for now I have unhooked them and managed to update the main certificate, but I do want to share certificates for email etc. So how do I create a shared certificate without it complaining about the sub-server acme-challenge directory?

Update: I have the certificate for the main page renewed; now the sub shows an invalid certificate.

Thu, 06/20/2019 - 05:52
drguild

Got it working. I created a self-signed certificate, then I could get a certificate from Let's Encrypt. I have 2 separate certificates now, one for the top and one for the community. I will need to look into a shared certificate later, which was the issue; I believe I need to redirect the community well-known directory so it uses the main site's one.
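
For the shared-certificate setup the last post is aiming at, one way to make every vhost answer HTTP-01 from the top server's challenge directory is an Apache `Alias` placed in the global configuration rather than a redirect. This is an added example, not part of the thread or of Virtualmin's own configuration. It assumes Apache 2.4 (the Let's Debug output above reports Apache/2.4.25), a Debian-style `conf-available` layout, and that the Alias target is the directory the ACME client really writes tokens into (the post reports they land under the top server's document root); every path in it is a placeholder.

```sh
#!/bin/sh
# Added example (not from the thread or from Virtualmin): give every Apache
# vhost one shared ACME challenge directory via a global Alias, so the
# sub-server serves HTTP-01 tokens from the same files the top server does.
# Paths are placeholders; the Alias target must be the directory the ACME
# client actually writes tokens into.

# Emit the Apache 2.4 configuration fragment for a shared challenge directory.
acme_shared_alias_conf() {
    dir=$1
    case $dir in
        /*) ;;
        *)  echo "acme_shared_alias_conf: need an absolute path, got '$dir'" >&2
            return 1 ;;
    esac
    dir="${dir%/}/"   # normalise to exactly one trailing slash
    cat <<EOF
# Shared ACME HTTP-01 challenge directory for all virtual hosts.
# Aliased paths resolve outside each vhost's DocumentRoot, so a .htaccess
# there is not consulted, and the Alias applies to the :80 and :443 vhosts
# alike, so the HTTP to HTTPS 301 stays harmless.
Alias /.well-known/acme-challenge/ $dir
<Directory "$dir">
    Options None
    AllowOverride None
    Require all granted
</Directory>
EOF
}

# Return 0 when a config file already carries the Alias and grants access.
acme_shared_alias_check() {
    grep -q '^Alias /\.well-known/acme-challenge/ /' "$1" &&
    grep -q '^[[:space:]]*Require all granted' "$1"
}

# Write the fragment, enable it (Debian/Ubuntu layout; on RHEL-style systems
# drop the file into /etc/httpd/conf.d instead), and reload only if the
# configuration parses.  Run as root.
acme_install_shared_alias() {
    shared=$1
    conf=${2:-/etc/apache2/conf-available/acme-shared.conf}
    mkdir -p "$shared" || return 2
    acme_shared_alias_conf "$shared" > "$conf" || return 2
    acme_shared_alias_check "$conf" || return 2
    if command -v a2enconf >/dev/null 2>&1; then
        a2enconf "$(basename "$conf" .conf)" || return 2
    fi
    apachectl configtest && apachectl graceful
}

# Example: point every vhost at the top server's challenge directory
# (placeholder path, matching where the post saw the files being written).
#   acme_install_shared_alias /home/user/public_html/.well-known/acme-challenge
```

Two caveats. If a `<VirtualHost>` block carries its own `RewriteRule`s beyond the HTTP to HTTPS redirect, they run before the Alias is applied, so exempt `/.well-known/acme-challenge/` in them as well. And the 777 permissions mentioned earlier in the thread are not needed for this to work: Apache only has to read the tokens, so 755 on the directory and 644 on the files are enough and avoid a world-writable path under the web root.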
