Let's Encrypt Error: Gave up waiting for valiation

Has Let's Encrypt worked previously on this server? If so, this could be a transient outage of the Let's Encrypt service.

Make sure that there's no outgoing firewall blocking access from your system to Let's Encrypt, and that there's no firewall that could block incoming port 80 traffic from the rest of the internet.

Can the website you're trying to renew be reached from the rest of the internet?

I have the same issue. Let's Encrypt was working perfectly before the recently Webmin and Virtualmin updates.

this problem also happens on apache

can we please get this fixed or get the intergration changed to work directly with certbot instead, as that works fine... i have to manually start renewing domains, as they are beginning to expire cause of this error.

@Kintato you where partly correct... i was looking for errors in the vhost file, and didn't find any... but i though lets try something, cause it looked none standart. so i ran disable-feature --web --ssl --logrotate --domain delete the vhost file from /etc/apache2/site-avaliable and then ran enable-feature --web --ssl --logrotate --domain and then went to the interface and pressed renew.... that worked... i gotta test it on the other domains that also gave me the error.

I have the same problem! Worked before, after upgrade still fails.

I get still the error "ValueError: Gave up waiting for valiation" on only one of my vhosts despite curl is working - curl -i http://mydomain.com/.well-known/acme-challenge/test and also browser access to http://mydomain.com/.well-known/acme-challenge/test and to the challenge file is also working. This is weird.

Apache Accesslog points to the wrong challenge file which does not exist: 10.200.1.1 - - [06/Jul/2017:13:57:29 +0200] "GET /.well-known/acme-challenge/NbL8p17oJo1mT6UJ6aQYb-4W5-dFdq8UzytMXXezUOI HTTP/1.1" 200 87 "-" "Python-urllib/2.7" 10.200.1.1 - - [06/Jul/2017:13:57:30 +0200] "GET /.well-known/acme-challenge/6LYmmK9jiQOTmJ2aasd1FTO1uzDLfb5ixZfuabU7bkI HTTP/1.1" 200 87 "-" "Python-urllib/2.7"

On every request wrong files get created and will not delete afterwards. They pile up.

Thanks for help!

Do you see new entries in the Apache log for this domain each time you attempt a Let's Encrypt cert request?

If not, double-check your DNS and registrar settings - the issue may be that your domain can't be resolved.

Yes I get the entries in the access log. These are new ones from today from the auto renewal: 10.200.1.1 - - [07/Jul/2017:11:37:04 +0200] "GET /.well-known/acme-challenge/NbL8p17oJo1mT6UJ6aQYb-4W5-dFdq8UzytMXXezUOI HTTP/1.1" 200 87 "-" "Python-urllib/2.7" 10.200.1.1 - - [07/Jul/2017:11:37:06 +0200] "GET /.well-known/acme-challenge/6LYmmK9jiQOTmJ2aasd1FTO1uzDLfb5ixZfuabU7bkI HTTP/1.1" 200 87 "-" "Python-urllib/2.7"

However, the challenge file does not exist but there are 108 files now in the acme-challenge folder piling up since my last post. As I said, i can access them with curl and with the browser over http. Also the site is working (still with the old certs, but they are going to be invalid in some time)

curl -i http://mydomain.at/.well-known/acme-challenge/pFwTPanpIQR40NAzcckAe6Ug5l... HTTP/1.1 200 OK Date: Fri, 07 Jul 2017 09:44:40 GMT Server: Apache/2.4.6 Last-Modified: Fri, 07 Jul 2017 09:32:11 GMT ETag: "57-553b6e85e5aa6" Accept-Ranges: bytes Content-Length: 87

Normally those challenge files are created only for a very short time and then deleted once the Let's Encrypt service has fetched them. The old ones are useless, and can be safely removed.

You might want to check if the file referenced in the logs ever comes into existence (even for a short time) during the cert request process, by continually running ls on that directory.

Also can't issue new certificates after the 5.99 update, while it always used to work

And the apache access log:

Wanted to add that I CAN issue renewals for existing domains. I just can't seem to issue Certificates for new domains!

Try applying this patch, and see if it helps : https://github.com/webmin/webmin/commit/8ae8d9a436e93de4eea1e3d7648062f6...

Jamie, Thanks for replying.

I had just found the same solution for the problem and was coming back here to report on this, you beat me to it. The same problem was reported in the acme_tiny github: https://github.com/diafygi/acme-tiny/issues/167

I have edited acme_tiny.py and everything is working smoothly again. Basically the webmin update wasn't the problem, me updating openssl to version 1.1 caused an incompatibility with the acme_tiny script.

I hope this solution fixes it for everyone!

You can use the "find" command to find files. In this case, you can use "find /usr -name acme_tiny.py" -- and that should produce something like this:

The next Webmin version should correct this issue.

We are likely going to do a new Webmin release shortly to address this.

I've applied the acme_tiny.py code change and I'm still seeing the timeouts. Any suggestions?

KAtwitch - What's the specific domain (and hostnames) that you are trying to request a cert for?

domain is keith.photography hostname is zoe.thealangroup.net

That's an interesting domain name - it's possible that .photography isn't one of the TLDs that Let's Encrypt recogizes, since it's relatively new?

After reading JamieCameron's suggestion about the .photography domain possibly being a problem, I decided to try using letsencrypt with one of the other virtual servers. Unfortunately, that leads to a different (DNS) error. I've read that disabling https redirects works for most people. I did that days ago, but it doesn't seem to matter. The new error is: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.www.computertoystore.com

Is computertoystore.com a domain hosted on your Virtualmin system? When I check the NS records, it looks like the DNS hosting is by Google.

A month later I still have the exact same problem, opened a private ticket with the team. They have access to my live systems to investigate. Will post back if something useful emerges.

Cheers!

JamieCameron, I'm using Google to manage DNS (their DNS servers). The computertoystore.com domain is a virtual domain hosted on my virtualmin server. I prefer to use Google as the DNS servers. If that's not possible or I'm doing something wrong, I'd be willing to look at a change. I'm by no means a DNS expert, but I believe I have the records configured to correctly point to the virtualmin box.

In that case, I'd recommend turning off the DNS feature for this domain in Virtualmin - otherwise, Virtualmin will incorrectly think that the domain is local.

I have disabled DNS for the virtual server as recommended by unchecking "DNS Enabled" in the manage virtual server area. The lets encrypt is still failing. It's throwing an 'invalid response' error.

Following is the most recent error: ValueError: www.computertoystore.com challenge did not pass: {u'status': u'invalid', u'validationRecord': [{u'addressesResolved': [u'173.10.220.211'], u'url': u'http://www.computertoystore.com/.well-known/acme-challenge/0ogzWT1xDulOH...', u'hostname': u'www.computertoystore.com', u'addressesTried': [], u'addressUsed': u'173.10.220.211', u'port': u'80'}], u'keyAuthorization': u'0ogzWT1xDulOHcIKUIS74H6PNyxzB8LJM55GIpnvypc.usH11WrNVmfwD91d4EIdUoWBoYtxZ_10Pmb9f3sicwQ', u'uri': u'https://acme-v01.api.letsencrypt.org/acme/challenge/xlsYkE966sPP_5mBxLas...', u'token': u'0ogzWT1xDulOHcIKUIS74H6PNyxzB8LJM55GIpnvypc', u'error': {u'status': 403, u'type': u'urn:acme:error:unauthorized', u'detail': u'Invalid response from http://www.computertoystore.com/.well-known/acme-challenge/0ogzWT1xDulOH... "\n<ht"'}, u'type': u'http-01'}

Ok, now we are getting somewhere - the real issue is that the test URL http://www.computertoystore.com/.well-known/acme-challenge/0ogzWT1xDulOH... used by Let's Encrypt cannot be downloaded.

Do you have any redirects or .htaccess files setup thay would block it?

I don't have any redirects or edits to an .htaccess file outside of the virtualmin GUI. What's weird is that I was able to get the letsencrypt to work by disabling the site in virtualmin and then re-enabling it. What's even more weird is that when I enable DNS on the site (something we covered above) the letsencrypt validation fails UNLESS I remove the autoconfig.computertoystore.com entry. If I remove the autoconfig line, it works. Correct me if I'm wrong here, but I seem to remember reading that if you are running a mail server on the virtual domain, Virtualmin says you must enable DNS.