Let's Encrypt: download of ACME challenge file failed

I'm getting the error "Wrote file to , but couldn't download", but the generated Let's Encrypt file is in the /srv/www/letsencrypt directory and is publicly accessible from a browser via the URL http://peregorodki-optom.ru/.well-known/acme-challenge/4F7-qeW9TfDkqEDqxzRiCrVhS7z_kXonEiGBx_lLhHA; I can also download it using wget, and I can ping a ping.txt file. Does anybody know what can cause the error?

As far as I can see, my DNS is OK.

Full error text:

TASK [letsencrypt : Generate the certificates] ****************************************************************************
System info:
  Ansible 2.10.3; Darwin
  Trellis version (per changelog): "Validate that `letsencrypt_contact_emails` is a list"
---------------------------------------------------
non-zero return code
Error while generating certificate for peregorodki-optom.ru
Traceback (most recent call last):
  File "/usr/local/letsencrypt/acme_tiny.py", line 198, in <module>
    main(sys.argv[1:])
  File "/usr/local/letsencrypt/acme_tiny.py", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/usr/local/letsencrypt/acme_tiny.py", line 143, in get_crt
    raise ValueError("Wrote file to {0}, but couldn't download {1}: {2}".format(wellknown_path, wellknown_url, e))
ValueError: Wrote file to /srv/www/letsencrypt/4F7-qeW9TfDkqEDqxzRiCrVhS7z_kXonEiGBx_lLhHA, but couldn't download http://peregorodki-optom.ru/.well-known/acme-challenge/4F7-qeW9TfDkqEDqxzRiCrVhS7z_kXonEiGBx_lLhHA:
fatal: [62.109.9.184]: FAILED! => {"changed": false, "cmd": ["./renew-certs.py"], "delta": "0:00:06.362793", "end": "2021-03-08 11:49:13.978633", "rc": 1, "start": "2021-03-08 11:49:07.615840", "stderr_lines": ["Error while generating certificate for peregorodki-optom.ru", "Traceback (most recent call last):", "  File \"/usr/local/letsencrypt/acme_tiny.py\", line 198, in <module>", "    main(sys.argv[1:])", "  File \"/usr/local/letsencrypt/acme_tiny.py\", line 194, in main", "    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)", "  File \"/usr/local/letsencrypt/acme_tiny.py\", line 143, in get_crt", "    raise ValueError(\"Wrote file to {0}, but couldn't download {1}: {2}\".format(wellknown_path, wellknown_url, e))", "ValueError: Wrote file to /srv/www/letsencrypt/4F7-qeW9TfDkqEDqxzRiCrVhS7z_kXonEiGBx_lLhHA, but couldn't download http://peregorodki-optom.ru/.well-known/acme-challenge/4F7-qeW9TfDkqEDqxzRiCrVhS7z_kXonEiGBx_lLhHA: "], "stdout": "Certificate file /etc/nginx/ssl/letsencrypt/mebel-50.ru-51b7bec-bundled.cert already exists and is younger than 60 days. Not creating a new certificate.\nCertificate file /etc/nginx/ssl/letsencrypt/sigma-peregorodki.ru-b781878-bundled.cert already exists and is younger than 60 days. Not creating a new certificate.\nCertificate file /etc/nginx/ssl/letsencrypt/prostoperegorodki.ru-a3a3068-bundled.cert already exists and is younger than 60 days. Not creating a new certificate.", "stdout_lines": ["Certificate file /etc/nginx/ssl/letsencrypt/mebel-50.ru-51b7bec-bundled.cert already exists and is younger than 60 days. Not creating a new certificate.", "Certificate file /etc/nginx/ssl/letsencrypt/sigma-peregorodki.ru-b781878-bundled.cert already exists and is younger than 60 days. Not creating a new certificate.", "Certificate file /etc/nginx/ssl/letsencrypt/prostoperegorodki.ru-a3a3068-bundled.cert already exists and is younger than 60 days. Not creating a new certificate."]}

wordpress_sites config:

peregorodki-optom.ru:
  site_hosts:
    - canonical: peregorodki-optom.ru
      redirects:
        - www.peregorodki-optom.ru
  local_path: ../projects/web/peregorodki-optom # path targeting local Bedrock site directory (relative to Ansible root)
  repo: <repo>
  admin_email: estov69@gmail.com
  multisite:
    enabled: false
  ssl:
    enabled: true
    provider: self-signed
  cache:
    enabled: false
  env:
    db_prefix: sp3w_
  cron_backup:
    hour: "21"
    weekday: "5"
  cron_interval: "*/1"
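The step that fails at acme_tiny.py line 143 is acme_tiny's own pre-flight check: it writes the token file into the ACME directory, fetches it back over plain HTTP from the domain, and gives up if the body does not match. acme_tiny raises the same message for a transport error and for a served body that differs from the file (the latter via a bare assert, which is why nothing follows the final colon in the traceback above). The script below is an added example, not acme_tiny's or Trellis's code: it repeats that check but separates the failure classes and reports which address actually answered, which is the question when a host has several IPs. The domain, token and key-authorization values are constructed placeholders.

```python
"""Added HTTP-01 self-check in the style of acme_tiny's pre-flight test."""
import http.client
import os
import tempfile
import urllib.parse

def default_fetch(url, timeout=10):
    """Single GET (no redirect following) that also reports the peer address.
    Returns (status, peer_ip, body)."""
    u = urllib.parse.urlsplit(url)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
    try:
        conn.request("GET", u.path, headers={"Host": u.hostname})
        resp = conn.getresponse()
        peer = conn.sock.getpeername()[0]
        return resp.status, peer, resp.read().decode("utf8", "replace")
    finally:
        conn.close()

def self_check(acme_dir, domain, token, keyauthorization, fetch=default_fetch):
    """Write <acme_dir>/<token> as acme_tiny does, then verify the web server
    returns it verbatim.  Returns (ok, reason) with the failure class named."""
    wellknown_path = os.path.join(acme_dir, token)
    with open(wellknown_path, "w") as f:
        f.write(keyauthorization)
    url = "http://{0}/.well-known/acme-challenge/{1}".format(domain, token)
    try:
        status, peer, body = fetch(url)
    except OSError as e:  # DNS failure, refused connection, timeout
        return False, "could not connect for {0}: {1}".format(url, e)
    if status != 200:
        return False, "{0} answered HTTP {1} for {2}".format(peer, status, url)
    if body != keyauthorization:
        # Something answered, but not with the file just written: another
        # vhost or another IP of the box is serving this name over port 80.
        return False, ("{0} served {1} byte(s) that are not the file written to {2}; "
                       "check which vhost/IP answers for {3}").format(
                           peer, len(body), wellknown_path, domain)
    return True, "{0} served the challenge for {1}".format(peer, domain)

def scratch_dir():
    """Throw-away ACME directory so the check can be exercised anywhere."""
    return tempfile.mkdtemp(prefix="acme-selfcheck-")

if __name__ == "__main__":
    # Constructed placeholders; a real run uses the site's token and thumbprint.
    print(self_check(scratch_dir(), "example.test", "token123", "token123.thumb"))
```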

Is this URL publicly pointed to your server? If not, you’ll need to point DNS before trying to provision an SSL certificate.

If you want to provision and deploy the site before issuing an SSL certificate, follow these steps:

  1. Change this line in group_vars/production/wordpress_sites.yml to false
  2. Provision your server with trellis provision production
  3. Deploy your site with trellis deploy production
  4. Re-point DNS to your server
  5. Change the line from step 1 back to true and reprovision again with trellis provision production once DNS has finished propagating.

Thank you! Yes, it was pointing to the server. But now I have changed it back to the old server, because I need a working site.
I've provisioned the server and deployed the site multiple times, with the SSL option enabled and disabled, with Let's Encrypt and with a self-signed certificate, but no luck.
My guess is that the A records point to a dedicated IP address that is different from the main IP of the server. Can that be the reason for the Let's Encrypt error? (The site works normally with the dedicated IP; everything is fine.)

Yes, DNS must point to the IP of the actual server in order for Let’s Encrypt to issue a certificate successfully.

The IP points to the actual server, but it's an additional IP of the server that I bought to make the site work from a different IP than the other sites on the server.

What kind of forward HTTP proxy are you using? Haproxy? Traefik?
