[Solved] Problems with LetsEncrypt

installed app few month´s ago and but had already received errors back.
Wanted now the get them fixed and re-installed the app completely.

The errors remain :frowning:

No config dialog appeared where the domain names could fill in.
Tested if univention setup script could fix the problem but no luck.

root@ucs # /usr/share/univention-letsencrypt/setup-letsencrypt

WARNING: UCR variable letsencrypt/domains does not match domains in CSR.
Removing domain.csr…
Creating domain.csr…
Multi domain mode
run-parts: executing /etc/univention/letsencrypt/setup.d//apache2
run-parts: executing /etc/univention/letsencrypt/setup.d//dovecot
run-parts: executing /etc/univention/letsencrypt/setup.d//postfix
Setting mail/postfix/ssl/key
Setting mail/postfix/ssl/certificate
Setting mail/postfix/ssl/cafile
Multifile: /etc/postfix/main.cf
So 6. Okt 17:59:43 CEST 2019
Refreshing certificate for following domains:
cloud.mydomain.com mail.mydomain.com sensors.mydomain.com web.mydomain.com webmail.mydomain.com
Parsing account key…
Parsing CSR…
Found domains: cloud.mydomain.com, web.mydomain.com, webmail.mydomain.com, mail.mydomain.com, sensors.mydomain.com
Getting directory…
Directory found!
Registering account…
Already registered!
Creating new order…
Order created!
Verifying mail.mydomain.com
Traceback (most recent call last):
File “/usr/share/univention-letsencrypt/acme_tiny.py”, line 197, in
main(sys.argv[1:])
File “/usr/share/univention-letsencrypt/acme_tiny.py”, line 193, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
File “/usr/share/univention-letsencrypt/acme_tiny.py”, line 149, in get_crt
raise ValueError(“Challenge did not pass for {0}: {1}”.format(domain, authorization))
ValueError: Challenge did not pass for mail.mydomain.com: {u’status’: u’invalid’, u’challenges’: [{u’status’: u’invalid’, u’validationRecord’: [{u’url’: u’http://mail.mydomain.com/.well-known/acme-challenge/K829_B7UsOy4nPCmbEn4xaFzsryjkaw77IxxXeV6KXg’, u’hostname’: u’mail.mydomain.com’, u’addressUsed’: u’2a01:238:20a:202:1068::’, u’port’: u’80’, u’addressesResolved’: [u’81.169.145.68’, u’2a01:238:20a:202:1068::’]}], u’url’: u’https://acme-v02.api.letsencrypt.org/acme/chall-v3/660252305/v5FzXQ’, u’token’: u’K829_B7UsOy4nPCmbEn4xaFzsryjkaw77IxxXeV6KXg’, u’error’: {u’status’: 403, u’type’: u’urn:ietf:params:acme:error:unauthorized’, u’detail’: u’Invalid response from http://mail.mydomain.com/.well-known/acme-challenge/K829_B7UsOy4nPCmbEn4xaFzsryjkaw77IxxXeV6KXg [2a01:238:20a:202:1068::]: “\n\n404 Not Found\n\n

Not Found

\n<p”’}, u’type’: u’http-01’}, {u’status’: u’invalid’, u’url’: u’https://acme-v02.api.letsencrypt.org/acme/chall-v3/660252305/NQUnuw’, u’token’: u’K829_B7UsOy4nPCmbEn4xaFzsryjkaw77IxxXeV6KXg’, u’type’: u’dns-01’}, {u’status’: u’invalid’, u’url’: u’https://acme-v02.api.letsencrypt.org/acme/chall-v3/660252305/myUraQ’, u’token’: u’K829_B7UsOy4nPCmbEn4xaFzsryjkaw77IxxXeV6KXg’, u’type’: u’tls-alpn-01’}], u’identifier’: {u’type’: u’dns’, u’value’: u’mail.mydomain.com’}, u’expires’: u’2019-10-13T15:58:49Z’}
Setting letsencrypt/status

Isn´t it possible to reset the config of letsencrypt to start again ?

The issue seems to be that the tell-tale authorisation file in the web-server document root for mail.mydomain.com returns a 404 not found error. Is “mail.domain.com” correct? should it rather be “mydomain.com” ?

’http://mail.mydomain.com/.well-known/acme-challenge/K829_B7UsOy4nPCmbEn4xaFzsryjkaw77IxxXeV6KXg’

mail.domain.com is correct and is reachable from internal LAN and external i-net.
But it isn´t a website. It´s the mailserver (because of Port 80 in the above error message).

fixed !

LetsEncrypt check during this setup if the website is reachable.
In my case the NAT of the router point to a wrong internal IP/site.
After fixing that issue the procedure went through without errors.