Let's Encrypt error generating certificates

mysite.nl is not the actual URL of the website. I replaced it.

The URL matches what is entered in wordpress_sites.yml

The error you received indicates that Let’s Encrypt can’t access your site at the domain you’ve told it your site is on.

Is mysite.nl (or its real URL) accessible? Has DNS recently changed and not yet propagated?

It’s definitely a DNS issue. When I run ping mysite.nl on the server where I’m trying to install the website it says: PING mysite.nl (127.0.1.1) 56(84) bytes of data. The 127.0.1.1 indicates that it’s localhost, right?

When I run PING www.mysite.nl it actually returns the correct IP: PING mysite.nl (188.166.74.85) 56(84) bytes of data.

If I ping mysite.nl on my local computer it does return 188.166.74.85.

Does this mean that the DNS changes still have to propagate on the server?

This is normal. Your server refers to itself using local terms. What matters is how your computer, and other computers on the internet (like Let’s Encrypt’s servers), refer to it.

When I run PING www.mysite.nl it actually returns the correct IP: PING mysite.nl (188.166.74.85) 56(84) bytes of data.

This is great, but I thought you said the www record was not usable on this site because it pointed somewhere else? If it points to your server’s correct IP then there’s no need to remove the redirect in wordpress_sites.yml as I suggested here.

If I ping mysite.nl on my local computer it does return 188.166.74.85.

How recently did you change the DNS record here? The TTL on that DNS record is 14290, or 238 minutes, or around 4 hours. If you updated your DNS less than 4 hours ago then it’s normal for the records not to be working yet.

DNS can take up to 2 days to propagate fully.

This is great, but I thought you said the www record was not usable on this site because it pointed somewhere else? If it points to your server’s correct IP then there’s no need to remove the redirect in wordpress_sites.yml as I suggested here.

Yeah, I noticed that. It points to the right spot actually. My mistake. I restored the www redirect in wordpress_sites.yml again.

All right, I’ll wait a bit then and hope for the best! Thanks for your quick response @MWDelaney

I had to turn off CloudFlare’s orange cloud to do my initial provision. Possibly because it masks the IP address which may be confusing LetsEncrypt?


Does any of you know if it’s possible to generate the ssl certificates later? So I can continue the installation of trellis now?

I think probably with

ssl:
  enabled: false

Did you try turning the orange cloud to grey and provisioning?

I’m not using cloudflare unfortunately.

So just disabling ssl for now and later on switch it on and re-provision the server? @ng3

Oh, sorry @bramvdpluijm1, I didn’t realise you weren’t the OP. You might not even use CloudFlare…

If your priority is to get the site up then that’s what I would do.

However it’s probably important to figure out what’s going on with your DNS as well… Do you have access to the DNS records?

I’ve been spending a lot of hours on trying to get SSL working, but I think I’m just gonna get the site up and running without it at first. The guy that’s in charge of the DNS says it’s all fine.
He sent me a few pictures because I was sceptical at first.

Maybe you can see something that looks off? Let me know. These are the domain name settings.

In my DigitalOcean droplet I have the following setup:

Any thoughts on this?

Well, your NS records are

Domain nameservers:
   ns1.hostnet.nl
   ns2.hostnetbv.com
   ns3.hostnetbv.nl

So adding records in digital ocean I don’t think will make any difference. I assume the top photo is taken from hostnet?

I found this comment in the Let’s Encrypt discourse saying that if certbot receives an IPv4 and IPv6 record it will use the IPv6 one. It may be worth trying removing the IPv6 record temporarily.


I waited a day to try it again, but I’m still getting this error:

non-zero return code
fatal: [188.166.74.85]: FAILED! => {"changed": false, "cmd": ["./renew-certs.py"], "delta": "0:00:03.924118", "end": "2018-10-18 15:41:34.969121", "rc": 1, "start": "2018-10-18 15:41:31.045003", "stderr": "", "stderr_lines": [], "stdout": "
Generating certificate for huisblusser.nl
Error while generating certificate for huisblusser.nl
Traceback (most recent call last):
  File "/usr/local/letsencrypt/acme_tiny.py", line 198, in <module>
    main(sys.argv[1:])
  File "/usr/local/letsencrypt/acme_tiny.py", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
  File "/usr/local/letsencrypt/acme_tiny.py", line 149, in get_crt
    domain, challenge_status))
ValueError: huisblusser.nl challenge did not pass: {u'status': u'invalid', u'validationRecord': [{u'url': u'http://huisblusser.nl/.well-known/acme-challenge/vbU-ncuUumk1a3Cx5g55xE8LjJTfduJxE9GkFzH7WQA', u'hostname': u'huisblusser.nl', u'addressUsed': u'2a02:2268:ffff:ffff::4', u'port': u'80', u'addressesResolved': [u'188.166.74.85', u'2a02:2268:ffff:ffff::4']}], u'uri': u'https://acme-v01.api.letsencrypt.org/acme/challenge/MzQd6T9cZjsxCOI-BWUFqmPP9KHKfcBUtPCcjSwn2Iw/8409504770', u'token': u'vbU-ncuUumk1a3Cx5g55xE8LjJTfduJxE9GkFzH7WQA', u'error': {u'status': 403, u'type': u'urn:acme:error:unauthorized', u'detail': u'Invalid response from http://huisblusser.nl/.well-known/acme-challenge/vbU-ncuUumk1a3Cx5g55xE8LjJTfduJxE9GkFzH7WQA: "\n\n404 Not Found\n\nNot Found\n<p"'}, u'type': u'http-01'}
", "stdout_lines": [(the same lines as stdout, one list entry each)]}

Still no clue what it can be.

@bramvdpluijm1

↑ I agree. Maybe remove the IPv6 from your DNS, or figure out why your hosting provider is intercepting IPv6 traffic (at least that’s what I assume based on the screenshots below). That would prevent Let’s Encrypt from validating.

huisblusser.nl from IPv6:

huisblusser.nl from IPv4:

# IPv6 acme challenge gives 404
$ curl -6 -s -o /dev/null -w "response %{http_code} from %{remote_ip}" http://huisblusser.nl/.well-known/acme-challenge/vbU-ncuUumk1a3Cx5g55xE8LjJTfduJxE9GkFzH7WQA
response 404 from 2a02:2268:ffff:ffff::4

# IPv4 acme challenge gives 200
$ curl -4 -s -o /dev/null -w "response %{http_code} from %{remote_ip}" http://huisblusser.nl/.well-known/acme-challenge/vbU-ncuUumk1a3Cx5g55xE8LjJTfduJxE9GkFzH7WQA
response 200 from 188.166.74.85

# IPv6 server: Apache
$ curl -6sI http://huisblusser.nl | grep Server
Server: Apache

# IPv4 server: nginx
$ curl -4sI http://huisblusser.nl | grep Server
Server: nginx

Note: I think Trellis should work fine with serving IPv6 traffic, but there isn’t yet as much security for IPv6

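The check above is worth scripting so it can be run before `ssl: enabled: true` is provisioned. The following is an added example, not code from Trellis or acme_tiny: `diagnose()` reads the `validationRecord` dict that acme_tiny raises in its ValueError (the sample is transcribed from the error posted above) and reports which address family the CA used and which resolved addresses it never tried; `live_check()` fetches the challenge path over every A and AAAA address separately with the Host header set, so an IPv4 nginx and an IPv6 Apache answering for the same name show up as disagreeing status codes. The assumption that the CA prefers the AAAA record when both exist is the one the thread relies on; the `fetch_fn`/`resolve_fn` parameters exist only so the logic can be exercised without network access.

```python
#!/usr/bin/env python3
"""Dual-stack pre-flight for a Let's Encrypt http-01 challenge (added example)."""
import http.client
import socket
import sys

# Transcribed from the acme_tiny ValueError quoted in the thread above.
SAMPLE_PROBLEM = {
    "status": "invalid",
    "validationRecord": [{
        "url": "http://huisblusser.nl/.well-known/acme-challenge/"
               "vbU-ncuUumk1a3Cx5g55xE8LjJTfduJxE9GkFzH7WQA",
        "hostname": "huisblusser.nl",
        "addressUsed": "2a02:2268:ffff:ffff::4",
        "port": "80",
        "addressesResolved": ["188.166.74.85", "2a02:2268:ffff:ffff::4"],
    }],
    "error": {"status": 403, "type": "urn:acme:error:unauthorized"},
    "type": "http-01",
}


def is_ipv6(addr):
    return ":" in addr


def diagnose(problem):
    """Summarise an ACME challenge failure record as a dict of findings."""
    rec = problem["validationRecord"][0]
    used = rec["addressUsed"]
    err = problem.get("error", {})
    # Resolved addresses of the other family that the CA did not report using.
    untried = [a for a in rec["addressesResolved"] if is_ipv6(a) != is_ipv6(used)]
    return {
        "url": rec["url"],
        "address_used": used,
        "family_used": "IPv6" if is_ipv6(used) else "IPv4",
        "untried_addresses": untried,
        "acme_error": err.get("type"),
        "acme_status": err.get("status"),
        # Assumption (from the thread): the CA prefers AAAA when both exist.
        # A failure over IPv6 with an untried A record means the two families
        # may not reach the same web root, so the challenge file is missing on one.
        "suspect_dual_stack_split": is_ipv6(used) and bool(untried),
    }


def resolve(domain):
    """Every A and AAAA address the local resolver returns for domain."""
    found = []
    for _fam, _t, _p, _c, sockaddr in socket.getaddrinfo(domain, 80, proto=socket.IPPROTO_TCP):
        if sockaddr[0] not in found:
            found.append(sockaddr[0])
    return found


def fetch(domain, ip, path, timeout=10):
    """GET http://<ip><path> with Host: domain; returns (status, Server header)."""
    host = f"[{ip}]" if is_ipv6(ip) else ip   # http.client wants IPv6 literals bracketed
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": domain})
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Server", "")
    finally:
        conn.close()


def live_check(domain, token, fetch_fn=fetch, resolve_fn=resolve):
    """Probe the challenge path over each address; one result dict per address."""
    path = f"/.well-known/acme-challenge/{token}"
    results = []
    for ip in resolve_fn(domain):
        try:
            status, server = fetch_fn(domain, ip, path)
        except OSError as exc:           # refused, unreachable, timeout
            status, server = None, f"connect failed: {exc}"
        results.append({"ip": ip, "family": "IPv6" if is_ipv6(ip) else "IPv4",
                        "status": status, "server": server})
    return results


def families_agree(results):
    """True only if every address answered, and all with the same HTTP status."""
    statuses = {r["status"] for r in results}
    return len(statuses) == 1 and None not in statuses


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: acme_check.py DOMAIN TOKEN")
    res = live_check(sys.argv[1], sys.argv[2])
    for r in res:
        print(f"{r['family']:4} {r['ip']:40} HTTP {r['status']}  Server: {r['server']}")
    sys.exit(0 if families_agree(res) else 1)
```

Run it as `acme_check.py huisblusser.nl <token>` with any file placed under `/.well-known/acme-challenge/` on the server; a non-zero exit with differing `Server` headers per family is the signature seen in the thread, and the fix is either to serve the same web root on the IPv6 address or to drop the AAAA record until it does.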

Thanks for your answers guys! I will contact the domain guy with the information you provided. Wouldn’t have found this myself! Thanks!

So, to be sure. The steps I have to take are removing the AAAA record from the dns settings in hostnet?

So, the second line in the picture under this?

Thanks for your help guys! The AAAA record was the problem.

I have a working site with ssl enabled!


This was my problem! Thanks for confirming I had to disable CloudFlare before provisioning.
