Letsencrypt Error

Hello Everyone,

I have a big problem with the letsencrypt certificate.

I installed the letsencrypt app from the app center, and it actually worked very well: my website was totally secured and I could set up the e-mail account on the iPhone with no problems.
Now I get a certificate failure on the iPhone and the non-secure website failure again.
When I try to reinstall the account on the iPhone I get a failure that says the certificate expired on 30.11.

I executed the cron job manually to renew the certificate and I got the following error:

Mi 8. Dez 15:17:20 CET 2021
Refreshing certificate for following domains:
owa.dattel.de
Parsing account key…
Parsing CSR…
Found domains: owa.dattel.de
Getting directory…
Directory found!
Registering account…
Already registered!
Creating new order…
Order created!
Verifying owa.dattel.de
Traceback (most recent call last):
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 197, in <module>
    main(sys.argv[1:])
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 193, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 149, in get_crt
    raise ValueError("Challenge did not pass for {0}: {1}".format(domain, authorization))
ValueError: Challenge did not pass for owa.dattel.de: {u'status': u'invalid', u'challenges': [{u'status': u'invalid', u'validationRecord': [{u'url': u'http://owa.dattel.de/.well-known/acme-challenge/iACHuUtDYJFDBJk12KgDB1ShCKaSlSq6s6oYVMTOFLI', u'hostname': u'owa.dattel.de', u'addressUsed': u'81.27.115.44', u'port': u'80', u'addressesResolved': [u'81.27.115.44']}], u'url': u'https://acme-v02.api.letsencrypt.org/acme/chall-v3/56609409560/EOfKyA', u'token': u'iACHuUtDYJFDBJk12KgDB1ShCKaSlSq6s6oYVMTOFLI', u'error': {u'status': 400, u'type': u'urn:ietf:params:acme:error:connection', u'detail': u'Fetching http://owa.dattel.de/.well-known/acme-challenge/iACHuUtDYJFDBJk12KgDB1ShCKaSlSq6s6oYVMTOFLI: Timeout during connect (likely firewall problem)'}, u'validated': u'2021-12-08T14:17:26Z', u'type': u'http-01'}], u'identifier': {u'type': u'dns', u'value': u'owa.dattel.de'}, u'expires': u'2021-12-15T14:17:24Z'}
Setting letsencrypt/status
Module: kopano-cfg
run-parts: executing /etc/univention/letsencrypt/post-refresh.d//apache2
run-parts: executing /etc/univention/letsencrypt/post-refresh.d//dovecot
run-parts: executing /etc/univention/letsencrypt/post-refresh.d//postfix

Can anybody help?
Uninstalling the app doesn’t really work.
Regards
Michael

Did you check your public DNS? Maybe your IP changed and the change was not reflected in the DNS. Also, in case you have a firewall forwarding the traffic to your server, that might be a place where things go wrong.

I think your “text” record is missing.
You have it set to validate ownership via a text record check at:

http://owa.dattel.de/.well-known/acme-challenge/iACHuUtDYJFDBJk12KgDB1ShCKaSlSq6s6oYVMTOFLI

but that is not accessible… I think

Hi Riess,

I checked the public DNS and it’s working just fine:

root@owa:~# host -t A owa.dattel.de
owa.dattel.de has address 81.27..
root@owa:~#

The Firewall is working fine and everything was working till the 30th of Nov.

Hi Talleyrand,

Thank you for the answer.

Actually it should be https and not http. Any idea where I can correct that?

Here is what I get when I change it to https://

[image]

And here is what I get when I check the certificate.

[image]

The challenge from letsencrypt tries to find that file at http, see log: u'validationRecord': [{u'url': u'http://owa.dattel.de/.well-known/acme-challenge/iACHuUtDYJFDBJk12KgDB1ShCKaSlSq6s6oYVMTOFLI'

Yes, true. I don’t know how to correct that or see where it has been configured.
Any ideas?

Don’t try to change that. The challenge is done on http (port 80) so that it will always work, even if your certificates are not set up at all or are not working, like now. If the file is served as https, we at least already know that it is present and that DNS from the internet side is working. The thing to find out now is where in the path from letsencrypt to your server the traffic is stopped. As mentioned before, the firewall is still a place to check (again), especially the traffic on port 80. And of course the traffic on port 80 to the server itself inside your network.
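The two replies above (check public DNS and the firewall; the http-01 challenge is always fetched over plain HTTP on port 80) can be turned into a small pre-flight script. This is an added example, not code from the thread, from acme_tiny or from the Univention app: it parses the authorization dict that acme_tiny dumps in its ValueError, maps the CA's error type to the component to check next, and can fetch the challenge URL the same way the CA does. The domain, IP and token in the sample are constructed placeholders.

```python
"""Pre-flight triage for a failed ACME http-01 challenge (added example)."""
import socket
import sys
import urllib.error
import urllib.request

# Constructed sample with the same shape as the authorization dict in the
# acme_tiny traceback; domain, address and token are placeholders.
SAMPLE_AUTHZ = {
    "status": "invalid",
    "identifier": {"type": "dns", "value": "mail.example.invalid"},
    "challenges": [{
        "type": "http-01",
        "status": "invalid",
        "token": "TOKEN_PLACEHOLDER",
        "validationRecord": [{
            "url": "http://mail.example.invalid/.well-known/acme-challenge/TOKEN_PLACEHOLDER",
            "hostname": "mail.example.invalid",
            "addressUsed": "192.0.2.10",
            "port": "80",
            "addressesResolved": ["192.0.2.10"],
        }],
        "error": {
            "status": 400,
            "type": "urn:ietf:params:acme:error:connection",
            "detail": "Timeout during connect (likely firewall problem)",
        },
    }],
}

# What each RFC 8555 error type usually means for an http-01 failure.
HINTS = {
    "urn:ietf:params:acme:error:connection":
        "CA could not reach port 80 at the resolved address: check the firewall "
        "and port forwarding, and that the web server listens on :80",
    "urn:ietf:params:acme:error:dns":
        "name did not resolve from the CA's resolvers: check the public A/AAAA record",
    "urn:ietf:params:acme:error:unauthorized":
        "CA connected but got the wrong content: the challenge file is missing or stale",
}


def summarize_authz(authz):
    """Flatten each challenge into one dict: what was tried, where, and why it failed."""
    rows = []
    for ch in authz.get("challenges", []):
        record = (ch.get("validationRecord") or [{}])[0]  # CA's own connection attempt
        err = ch.get("error") or {}
        rows.append({
            "type": ch.get("type"),
            "status": ch.get("status"),
            "hostname": record.get("hostname"),
            "address": record.get("addressUsed"),   # IP the CA actually connected to
            "port": record.get("port"),             # always "80" for http-01
            "error_type": err.get("type"),
            "detail": err.get("detail"),
        })
    return rows


def hint_for(row):
    """Map the CA's error type to the component to check next."""
    if row.get("status") == "valid":
        return "challenge passed"
    return HINTS.get(row.get("error_type"), "unclassified error: read 'detail'")


def check_http01(domain, token, timeout=5):
    """Fetch the challenge URL like the CA does: plain HTTP on port 80.
    Redirects (for example to https) are followed, as Let's Encrypt also does."""
    url = "http://%s/.well-known/acme-challenge/%s" % (domain, token)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read(256).decode("ascii", errors="replace")
            return {"ok": resp.status == 200, "status": resp.status, "body": body}
    except urllib.error.HTTPError as exc:
        return {"ok": False, "status": exc.code, "body": ""}
    except (urllib.error.URLError, socket.timeout, OSError) as exc:
        return {"ok": False, "status": None, "body": str(exc)}


if __name__ == "__main__":
    for row in summarize_authz(SAMPLE_AUTHZ):
        print("%(type)s for %(hostname)s via %(address)s:%(port)s -> %(status)s" % row)
        print("  detail:", row["detail"])
        print("  check :", hint_for(row))
    # Optional live pre-flight: python3 acme_triage.py <domain> <token>
    if len(sys.argv) == 3:
        print(check_http01(sys.argv[1], sys.argv[2]))
```

Run the live check from a host outside your own network, since the point is to see what the CA sees: a timeout or connection refusal there points at the firewall or port forwarding, a 404 at the webroot, and a 200 with the right token body means the renewal can be retried.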

I used the following link to check my DNS

I opened port 80 on the firewall and it worked, but I still have the problem that the certificate is not valid.

Great. I have checked the URL as well and it shows up correctly. Now please try to renew the certificate again.

I did renew the certificate by running the cron job manually and it’s working.

Thank you.

Hurray for our side…
another win :wink: