Let's Encrypt challenge did not pass

I’m trying to get a certificate from LE but the process fails: Challenge did not pass
I understood that the LE server tries to access the server on which I installed the LE app after the certificate has been issued (via port 80). This somehow fails, the system says:

ValueError: Challenge did not pass for xxx.yyy.de: {u'status': u'invalid', u'challenges': [{u'status': u'invalid', u'validationRecord': [{u'url': u'http://xxx.yyy.de/.well-known/acme-challenge/XFgStRJ74aMvBQAH14QtjA7forH-TTU1SkFhluJskWc', u'hostname': u'xxx.yyy.de', u'addressUsed': u'82.xxx.66.0', u'port': u'80', u'addressesResolved': [u'82.xxx.66.0']}], u'url': u'https://acme-v02.api.letsencrypt.org/acme/chall/zzz/447233388375/jFzLgA', u'token': u'XFgStRJ74aMvBQAH14QtjA7forH-TTU1SkFhluJskWc', u'error': {u'status': 400, u'type': u'urn:ietf:params:acme:error:connection', u'detail': u'During secondary validation: 82.xxx.66.0: Fetching http://xxx.yyy.de/.well-known/acme-challenge/XFgStRJ74aMvBQAH14QtjA7forH-TTU1SkFhluJskWc: Timeout during connect (likely firewall problem)'}, u'validated': u'2024-12-19T11:15:38Z', u'type': u'http-01'}], u'identifier': {u'type': u'dns', u'value': u'xxx.yyy.de'}, u'expires': u'2024-12-26T11:15:36Z'}

I then connected my laptop with my phone’s hotspot and tried to access http://xxx.yyy.de/.well-known/acme-challenge/XFgStRJ74aMvBQAH14QtjA7forH-TTU1SkFhluJskWc, which produced a one-line text file in my browser. This means to me that the necessary connection between the LE server and my UCS server should be available. So I don’t know why this error occurs.

Any ideas?

Ah yes: I tried this on two different servers at different locations …

Please check

curl -v http://xxx.yyy.de/.well-known/acme-challenge/XFgStRJ74aMvBQAH14QtjA7forH-TTU1SkFhluJskWc
and your apache2 Error Log

Which firewall do you use in front of your server?

Ben, the curl command seems to work - the Apache access log records a “GET” command. The error log doesn’t show anything (except foreign IPs trying to access the server over port 80 :grimacing:). The firewall/router is a Draytek 3910.

Ah yes, if I try to run the LE app again the access log records three “GET” commands from three different IPs (then pointing to a new ACME directory). No entries in the error log.

23.178.112.100 - - [22/Dec/2024:12:36:22 +0100] "GET /.well-known/acme-challenge/thW4li2Z0scGn_JqCjXhVYcotFcEmIPDNy4W5RgGN0A HTTP/1.1" 200 312 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
13.59.112.227 - - [22/Dec/2024:12:36:23 +0100] "GET /.well-known/acme-challenge/thW4li2Z0scGn_JqCjXhVYcotFcEmIPDNy4W5RgGN0A HTTP/1.1" 200 312 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
44.244.43.197 - - [22/Dec/2024:12:36:23 +0100] "GET /.well-known/acme-challenge/thW4li2Z0scGn_JqCjXhVYcotFcEmIPDNy4W5RgGN0A HTTP/1.1" 200 312 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
23.178.112.103 - - [22/Dec/2024:12:43:56 +0100] "GET /.well-known/acme-challenge/bvfMfvNEQIS0jTofs5-4i6FFkUz5iMi336-WlHHq8Lw HTTP/1.1" 200 312 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
3.17.23.68 - - [22/Dec/2024:12:43:56 +0100] "GET /.well-known/acme-challenge/bvfMfvNEQIS0jTofs5-4i6FFkUz5iMi336-WlHHq8Lw HTTP/1.1" 200 312 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
54.186.249.114 - - [22/Dec/2024:12:43:56 +0100] "GET /.well-known/acme-challenge/bvfMfvNEQIS0jTofs5-4i6FFkUz5iMi336-WlHHq8Lw HTTP/1.1" 200 312 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
Found the culprit. It was me: I blocked everything except certain countries to access the firewall. After I allowed the access for port 80 and the particular server I found 5 different “GET” commands in the access log and I received the certificates. Now I’m able to run LE certificates with Dovecot and Postfix and can use my iOS 18 devices again.
Thanks for your contribution.

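A defender-side check for the situation this thread ran into, added here as an example and not part of the forum posts or of the UCS Let's Encrypt app: it parses the Apache access log for challenge fetches by the Let's Encrypt validation user agent, counts the distinct validator IPs per token, and pulls the actionable fields out of a failed ACME authorization object like the one quoted above. The expected number of vantage points is an assumption you set from a known-good run (the poster saw five GETs once the geo-block was lifted); the sample log lines are constructed, reusing the validator IPs from the post with a placeholder token.

```python
import re
from collections import defaultdict

# Apache combined-log line for an http-01 fetch of /.well-known/acme-challenge/<token>.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /\.well-known/acme-challenge/(?P<token>[A-Za-z0-9_-]+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
LE_UA = "Let's Encrypt validation server"

# Constructed sample modelled on the failed run in the thread: three validators fetch
# one token, plus an unrelated curl hit on port 80 that must be ignored. "tokenA" is a
# placeholder, not a real challenge token.
SAMPLE_LOG = """\
23.178.112.100 - - [22/Dec/2024:12:36:22 +0100] "GET /.well-known/acme-challenge/tokenA HTTP/1.1" 200 312 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
13.59.112.227 - - [22/Dec/2024:12:36:23 +0100] "GET /.well-known/acme-challenge/tokenA HTTP/1.1" 200 312 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
44.244.43.197 - - [22/Dec/2024:12:36:23 +0100] "GET /.well-known/acme-challenge/tokenA HTTP/1.1" 200 312 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
198.51.100.7 - - [22/Dec/2024:12:40:01 +0100] "GET /.well-known/acme-challenge/tokenA HTTP/1.1" 200 312 "-" "curl/8.5.0"
"""


def acme_hits(log_text):
    """Map each token to the set of distinct validator IPs that fetched it with HTTP 200."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and LE_UA in m.group("ua") and m.group("status") == "200":
            hits[m.group("token")].add(m.group("ip"))
    return dict(hits)


def check_validation(log_text, expected_vantage_points):
    """Return {token: (distinct_validator_ips, complete)}. A token that falls short of
    the expected count means at least one vantage point never reached port 80, which
    is what the CA reports as a connect timeout 'during secondary validation'."""
    return {t: (len(ips), len(ips) >= expected_vantage_points)
            for t, ips in acme_hits(log_text).items()}


def explain_failure(authz):
    """Extract (challenge type, error type, detail) from a failed ACME authorization."""
    return [(ch.get("type"), ch["error"].get("type"), ch["error"].get("detail"))
            for ch in authz.get("challenges", [])
            if ch.get("status") == "invalid" and ch.get("error")]
```

Run it against your real access log right after a failed attempt: a token with fewer validator IPs than a known-good run is the firewall or geo-filter dropping some vantage points, not a problem with the challenge file itself.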

Nice, sometimes a little hint helps to fix a problem
:slight_smile:


Sometimes it even helps to explain the very problem. In this case your question about the firewall brought me on the right track - thanks again.
