Similar to Let’s Encrypt Error, I am getting a handful of Let’s Encrypt errors when configuring a remote server. In my case, however, I’m using a root domain (example.com) instead of a subdomain.
Where it began
Originally, I created a droplet at DigitalOcean using a floating IP (10.10.10.20 in the example below) pointing to my droplet (10.10.10.10). When I ran the production playbook, I got the following error:
“Could not access the challenge file for the hosts/domains: 10.10.10.20”
TASK [letsencrypt : Notify of challenge failures] ******************************
failed: [10.10.10.20] => (item={'_ansible_no_log': False, 'item': {'value': {u'repo_subtree_path': u'site', u'multisite': {u'enabled': False, u'subdomains': False}, u'env': {u'wp_home': u'https://example.com', u'db_name': u'example-com', u'wp_siteurl': u'https://example.com/wp', u'db_user': u'example_com'}, u'cache': {u'duration': u'1s', u'enabled': False}, u'repo': u'git@github.com:example/example.com.git', u'ssl': {u'enabled': True, u'provider': u'letsencrypt'}, u'local_path': u'../site', u'branch': u'master', u'site_hosts': [u'10.10.10.20']}, 'key': u'example.com'}, u'changed': False, 'failed': True, u'rc': 1, 'invocation': {'module_name': u'test_challenges', u'module_args': {u'path': u'.well-known/acme-challenge', u'hosts': [u'10.10.10.20'], u'file': u'ping.txt'}}, u'failed_hosts': [u'10.10.10.20']}) => {"failed": true, "item": {"_ansible_no_log": false, "changed": false, "failed": true, "failed_hosts": ["10.10.10.20"], "invocation": {"module_args": {"file": "ping.txt", "hosts": ["10.10.10.20"], "path": ".well-known/acme-challenge"}, "module_name": "test_challenges"}, "item": {"key": "example.com", "value": {"branch": "master", "cache": {"duration": "1s", "enabled": false}, "env": {"db_name": "example-com", "db_user": "example_com", "wp_home": "https://example.com", "wp_siteurl": "https://example.com/wp"}, "local_path": "../site", "multisite": {"enabled": false, "subdomains": false}, "repo": "git@github.com:example/example.com.git", "repo_subtree_path": "site", "site_hosts": ["10.10.10.20"], "ssl": {"enabled": true, "provider": "letsencrypt"}}}, "rc": 1}, "msg": "Could not access the challenge file for the hosts/domains: 10.10.10.20. Let's Encrypt requires every domain/host be publicly accessible. Make sure that a valid DNS record exists for 10.10.10.20 and that they point to this server's IP. If you don't want these domains in your SSL certificate, then remove them from `site_hosts`. See https://roots.io/trellis/docs/ssl for more details.\n"}
I thought it was likely due to having the floating IP in the site_hosts var. After that, I swapped out the floating ip for the host’s direct ip (10.10.10.10), and subsequently got an “Already registered!” error:
“Error creating new authz :: Issuance for IP addresses not supported”
TASK [letsencrypt : Generate the initial certificate] **************************
fatal: [10.10.10.10]: FAILED! => {"changed": false, "cmd": ["./renew-certs.py"], "delta": "0:00:01.185172", "end": "2016-03-28 01:45:07.012716", "failed": true, "rc": 1, "start": "2016-03-28 01:45:05.827544", "stderr": "", "stdout": "Generating certificate for grantnorwood.com\nError while generating certificate for grantnorwood.com\nParsing account key...\nParsing CSR...\nRegistering account...\nAlready registered!\nVerifying 10.10.10.20...\nTraceback (most recent call last):\n File \"/usr/local/letsencrypt/acme_tiny.py\", line 198, in <module>\n main(sys.argv[1:])\n File \"/usr/local/letsencrypt/acme_tiny.py\", line 194, in main\n signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)\n File \"/usr/local/letsencrypt/acme_tiny.py\", line 104, in get_crt\n raise ValueError(\"Error requesting challenges: {0} {1}\".format(code, result))\nValueError: Error requesting challenges: 400 {\"type\":\"urn:acme:error:malformed\",\"detail\":\"Error creating new authz :: Issuance for IP addresses not supported\",\"status\":400}", "stdout_lines": ["Generating certificate for grantnorwood.com", "Error while generating certificate for grantnorwood.com", "Parsing account key...", "Parsing CSR...", "Registering account...", "Already registered!", "Verifying 10.10.10.20...", "Traceback (most recent call last):", " File \"/usr/local/letsencrypt/acme_tiny.py\", line 198, in <module>", " main(sys.argv[1:])", " File \"/usr/local/letsencrypt/acme_tiny.py\", line 194, in main", " signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)", " File \"/usr/local/letsencrypt/acme_tiny.py\", line 104, in get_crt", " raise ValueError(\"Error requesting challenges: {0} {1}\".format(code, result))", "ValueError: Error requesting challenges: 400 {\"type\":\"urn:acme:error:malformed\",\"detail\":\"Error creating new authz :: Issuance for IP addresses not supported\",\"status\":400}"], "warnings": []}
After that, I used my root example.com
domain name in site_hosts (as opposed to using an ip address), which leades to my recent error:
“Could not access the challenge file for the hosts/domains: example.com”
TASK [letsencrypt : Notify of challenge failures] ******************************
failed: [example.com] => (item={'_ansible_no_log': False, 'item': {'value': {u'repo_subtree_path': u'site', u'multisite': {u'enabled': False, u'subdomains': False}, u'env': {u'wp_home': u'https://example.com', u'db_name': u'example-com', u'wp_siteurl': u'https://example.com/wp', u'db_user': u'example_com_user'}, u'cache': {u'duration': u'1s', u'enabled': False}, u'repo': u'git@github.com:example/example.com.git', u'ssl': {u'enabled': True, u'provider': u'letsencrypt'}, u'local_path': u'../site', u'branch': u'master', u'site_hosts': [u'example.com'], u'www_redirect': False}, 'key': u'example.com'}, u'changed': False, 'failed': True, u'rc': 1, 'invocation': {'module_name': u'test_challenges', u'module_args': {u'path': u'.well-known/acme-challenge', u'hosts': [u'example.com'], u'file': u'ping.txt'}}, u'failed_hosts': [u'example.com']}) => {"failed": true, "item": {"_ansible_no_log": false, "changed": false, "failed": true, "failed_hosts": ["example.com"], "invocation": {"module_args": {"file": "ping.txt", "hosts": ["example.com"], "path": ".well-known/acme-challenge"}, "module_name": "test_challenges"}, "item": {"key": "example.com", "value": {"branch": "master", "cache": {"duration": "1s", "enabled": false}, "env": {"db_name": "example-com", "db_user": "example_com_user", "wp_home": "https://example.com", "wp_siteurl": "https://example.com/wp"}, "local_path": "../site", "multisite": {"enabled": false, "subdomains": false}, "repo": "git@github.com:example/example.com.git", "repo_subtree_path": "site", "site_hosts": ["example.com"], "ssl": {"enabled": true, "provider": "letsencrypt"}, "www_redirect": false}}, "rc": 1}, "msg": "Could not access the challenge file for the hosts/domains: example.com. Let's Encrypt requires every domain/host be publicly accessible. Make sure that a valid DNS record exists for example.com and that they point to this server's IP. If you don't want these domains in your SSL certificate, then remove them from `site_hosts`. See https://roots.io/trellis/docs/ssl for more details.\n"}
I am able to re-configure using self-signed
with no errors, but trying to configure with letsencrypt
results in some sort of error each time I run the playbook, mostly including “Already registered!”
Also tried revoking the cert using letsencrypt revoke --cert-path example-cert.pem
, which asked me for my email address as the passphrase, but then rejected it.
Do you think my issue is that my certificate for my example.com domain is already registered (perhaps incorrectly), and I need to successfully revoke it? Or maybe my configuration is simply wrong? I’m not quite sure when to use IP addresses or domain names in site_hosts, as I have several environments that are single-server, but also several in a load-balanced & clustered environment.
Let me know if you’d like me to test anything in particular, happy to help in case I’m not the only one encountering this. I’ve only been using Trellis for about 6 months, but the entire roots.io stack is truly fantastic, Scott!
gkn