Let's Encrypt error generating certificates

ng3 · October 17, 2018, 3:46pm

Well your ns records are

Domain nameservers:
   ns1.hostnet.nl
   ns2.hostnetbv.com
   ns3.hostnetbv.nl

So adding records in digital ocean I don’t think will make any difference. I assume the top photo is taken from hostnet?

I found this comment in the Let’s Encrypt discourse saying that if certbot receives an IPV4 and IPV6 record it will use the IPV6 one. It may be worth trying removing the IPV6 record temporarily.

bramvdpluijm1 · October 18, 2018, 3:43pm

I waited a day to try it again, but I’m still getting this error:

non-zero return code
fatal: [188.166.74.85]: FAILED! => {“changed”: false, “cmd”: [“./renew-certs.py”], “delta”: “0:00:03.924118”, “end”: “2018-10-18 15:41:34.969121”, “rc”: 1, “start”: “2018-10-18 15:41:31.045003”, “stderr”: “”, “stderr_lines”: , “stdout”: “Generating certificate for huisblusser.nl\nError while generating certificate for huisblusser.nl\nTraceback (most recent call last):\n File "/usr/local/letsencrypt/acme_tiny.py", line 198, in \n main(sys.argv[1:])\n File "/usr/local/letsencrypt/acme_tiny.py", line 194, in main\n signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)\n File "/usr/local/letsencrypt/acme_tiny.py", line 149, in get_crt\n domain, challenge_status))\nValueError: huisblusser.nl challenge did not pass: {u’status’: u’invalid’, u’validationRecord’: [{u’url’: u’http://huisblusser.nl/.well-known/acme-challenge/vbU-ncuUumk1a3Cx5g55xE8LjJTfduJxE9GkFzH7WQA’, u’hostname’: u’huisblusser.nl’, u’addressUsed’: u’2a02:2268:ffff:ffff::4’, u’port’: u’80’, u’addressesResolved’: [u’188.166.74.85’, u’2a02:2268:ffff:ffff::4’]}], u’uri’: u’https://acme-v01.api.letsencrypt.org/acme/challenge/MzQd6T9cZjsxCOI-BWUFqmPP9KHKfcBUtPCcjSwn2Iw/8409504770’, u’token’: u’vbU-ncuUumk1a3Cx5g55xE8LjJTfduJxE9GkFzH7WQA’, u’error’: {u’status’: 403, u’type’: u’urn:acme:error:unauthorized’, u’detail’: u’Invalid response from http://huisblusser.nl/.well-known/acme-challenge/vbU-ncuUumk1a3Cx5g55xE8LjJTfduJxE9GkFzH7WQA: "\\n\\n404 Not Found\\n\\n
Not Found
\\n<p"‘}, u’type’: u’http-01’}”, “stdout_lines”: [“Generating certificate for huisblusser.nl”, “Error while generating certificate for huisblusser.nl”, “Traceback (most recent call last):”, " File "/usr/local/letsencrypt/acme_tiny.py", line 198, in “, " main(sys.argv[1:])”, " File "/usr/local/letsencrypt/acme_tiny.py", line 194, in main", " signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)“, " File "/usr/local/letsencrypt/acme_tiny.py", line 149, in get_crt”, " domain, challenge_status))", “ValueError: huisblusser.nl challenge did not pass: {u’status’: u’invalid’, u’validationRecord’: [{u’url’: u’http://huisblusser.nl/.well-known/acme-challenge/vbU-ncuUumk1a3Cx5g55xE8LjJTfduJxE9GkFzH7WQA’, u’hostname’: u’huisblusser.nl’, u’addressUsed’: u’2a02:2268:ffff:ffff::4’, u’port’: u’80’, u’addressesResolved’: [u’188.166.74.85’, u’2a02:2268:ffff:ffff::4’]}], u’uri’: u’https://acme-v01.api.letsencrypt.org/acme/challenge/MzQd6T9cZjsxCOI-BWUFqmPP9KHKfcBUtPCcjSwn2Iw/8409504770’, u’token’: u’vbU-ncuUumk1a3Cx5g55xE8LjJTfduJxE9GkFzH7WQA’, u’error’: {u’status’: 403, u’type’: u’urn:acme:error:unauthorized’, u’detail’: u’Invalid response from http://huisblusser.nl/.well-known/acme-challenge/vbU-ncuUumk1a3Cx5g55xE8LjJTfduJxE9GkFzH7WQA: "\\n\\n404 Not Found\\n\\n
Not Found
\\n<p"‘}, u’type’: u’http-01’}”]}

Still no clue what it can be.

ben · October 18, 2018, 5:12pm

fullyint · October 18, 2018, 8:01pm

@bramvdpluijm1

I agree. Maybe remove the IPV6 from your DNS, or figure out why your hosting provider is intercepting IPV6 traffic (at least that’s what I assume based on screenshots below). That would prevent Let’s Encrypt from validating.

huisblusser.nl from IPV6:

huisblusser.nl from IPV4:

# IPV6 acme challenge gives 404
curl -6 -s -o /dev/null -w "response %{http_code} from %{remote_ip}" http://huisblusser.nl/.well-known/acme-challenge/vbU-ncuUumk1a3Cx5g55xE8LjJTfduJxE9GkFzH7WQA
response 404 from 2a02:2268:ffff:ffff::4%   

# IPV4 acme challenge gives 200 
$ curl -4 -s -o /dev/null -w "response %{http_code} from %{remote_ip}" http://huisblusser.nl/.well-known/acme-challenge/vbU-ncuUumk1a3Cx5g55xE8LjJTfduJxE9GkFzH7WQA
response 200 from 188.166.74.85%

# IPV6 server: Apache
$ curl -6sI http://huisblusser.nl | grep Server
Server: Apache

# IPV4 server: nginx
curl -4sI http://huisblusser.nl | grep Server
Server: nginx

Note: I think Trellis should work fine with serving IPV6 traffic, but there isn’t yet as much security for IPV6

bramvdpluijm1 · October 19, 2018, 7:29am

Thanks for your answers guys! I will contact the domain guy with the information you provided. Wouldn’t have found this myself! Thanks!

bramvdpluijm1 · October 19, 2018, 7:32am

So, to be sure. The steps I have to take are removing the AAAA record from the dns settings in hostnet?

So, the second line in the picture under this?

bramvdpluijm1 · October 19, 2018, 9:09am

Thanks for your help guys! The AAAA record was the problem.

I have a working site with ssl enabled!

maylene · March 4, 2019, 10:26pm

This was my problem! Thanks for confirming I had to disable CloudFlare before provisioning.