1

Topic: Unable to get a successful certbot SSL cert

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.8
- Linux/BSD distribution name and version: Debian 9.6
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): mariaDB
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro?: No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

When I run with host.my.domain replaced as appropriate ...
certbot certonly --webroot --agree-tos --email postmaster@my.domain -d host.my.domain -w /var/www/html/

I get ...
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for host.my.domain
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. host.my.domain (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://host.my.domain/.well-known/acme- … -DoZqdd-Q: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

IMPORTANT NOTES:
- The following errors were reported by the server:

   Domain: host.my.domain
   Type:   unauthorized
   Detail: Invalid response from
   http://host.my.domain/.well-known/acme- … -DoZqdd-Q:
   "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

I have checked and rechecked and validated that the firewall has port 80 open and is going to the right machine.

Here are the contents of the log file referred to.

2018-11-15 13:38:16,847:DEBUG:certbot.main:Root logging level set at 20
2018-11-15 13:38:16,848:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2018-11-15 13:38:16,849:DEBUG:certbot.main:certbot version: 0.10.2
2018-11-15 13:38:16,849:DEBUG:certbot.main:Arguments: ['--webroot', '--agree-tos', '--email', 'postmaster@my.domain', '-d', 'host.my.domain', '-w', '/var/www/html/']
2018-11-15 13:38:16,850:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2018-11-15 13:38:16,850:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2018-11-15 13:38:16,851:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7ff4b024bc90>
Prep: True
2018-11-15 13:38:16,851:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7ff4b024bc90> and installer None
2018-11-15 13:38:16,856:DEBUG:certbot.main:Picked account: <Account(7ad62847678bde2e194d52fd5e1d8931)>
2018-11-15 13:38:16,857:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
2018-11-15 13:38:16,862:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2018-11-15 13:38:17,162:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2018-11-15 13:38:17,163:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 658
Replay-Nonce: J0YZiA7tad3TPrKHvdEpi1KrkUPbioKOv0SjTduEcUA
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Thu, 15 Nov 2018 13:38:17 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 15 Nov 2018 13:38:17 GMT
Connection: keep-alive

{
  "8rhQ8v4_eRw": "https://community.letsencrypt.org/t/add … tory/33417",
  "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "terms-of-service": "https://letsencrypt.org/documents/LE-SA … 5-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",
  "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",
  "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",
  "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert"
}
2018-11-15 13:38:17,164:INFO:certbot.main:Obtaining a new certificate
2018-11-15 13:38:17,164:DEBUG:root:Requesting fresh nonce
2018-11-15 13:38:17,164:DEBUG:root:Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-authz.
2018-11-15 13:38:17,537:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "HEAD /acme/new-authz HTTP/1.1" 405 0
2018-11-15 13:38:17,538:DEBUG:acme.client:Received response:
HTTP 405
Server: nginx
Content-Type: application/problem+json
Content-Length: 91
Allow: POST
Replay-Nonce: 1hRSI394vXW3nn09BKNLn0_3y0usCNxp1b9O4CuQPm4
Expires: Thu, 15 Nov 2018 13:38:17 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 15 Nov 2018 13:38:17 GMT
Connection: keep-alive


2018-11-15 13:38:17,538:DEBUG:acme.client:Storing nonce: 1hRSI394vXW3nn09BKNLn0_3y0usCNxp1b9O4CuQPm4
2018-11-15 13:38:17,538:DEBUG:acme.client:JWS payload:
{
  "identifier": {
    "type": "dns",
    "value": "host.my.domain"
  },
  "resource": "new-authz"
}
2018-11-15 13:38:17,542:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz:
{
  "header": {
    "alg": "RS256",
    "jwk": {
      "e": "AQAB",
      "kty": "RSA",
      "n": "tbx9vBaosojBBybkaU7sTcdqgnEKfqwcvoCnaFqrOYFev9smgFfbe7dtIv_RsmbbZNTahVfFRsciV4VdZ5cC8vMyUKbJYcCLsStuh-RPM3AQctluFTuaHE7mOFVpnQn1AZzpzXUzVZnKYzut0xbe5xu9KvsqqGcJGvNIQbrYPywA9ikstCsrNDzWhKn-NY4FfPLt$
    }
  },
  "protected": "eyJub25jZSI6ICIxaFJTSTM5NHZYVzNubjA5QktOTG4wXzN5MHVzQ054cDFiOU80Q3VRUG00In0",
  "payload": "ewogICJpZGVudGlmaWVyIjogewogICAgInR5cGUiOiAiZG5zIiwgCiAgICAidmFsdWUiOiAibWFpbDQucGNobXQubmV0IgogIH0sIAogICJyZXNvdXJjZSI6ICJuZXctYXV0aHoiCn0",
  "signature": "lwrcg7Au_c7iyPRR60OojXb4XYZH50P-C6N09iypFME96apYS58frjrxBi0ojbnG_BSWE5fZfQ718R-2WbotAQaB3GTccxgJXCZHhFOYDExW5yRlyUmOxY5QpMnI_FfInlKJ-8Wxw_t6hdzB6dzRXS7oNxMJbZ9e4hDSySeguUNHNFK9m0oKuYAjCzIiAu95$
}
2018-11-15 13:38:17,796:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "POST /acme/new-authz HTTP/1.1" 201 994
2018-11-15 13:38:17,797:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 994
Boulder-Requester: 45775963
Link: <https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"
Location: https://acme-v01.api.letsencrypt.org/ac … wUd3yb6Pn0
Replay-Nonce: QfodM7kMESuliTSIABTNtNmxXtUpoInnYmS9EE1ZSDQ
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Thu, 15 Nov 2018 13:38:17 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 15 Nov 2018 13:38:17 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "host.my.domain"
  },
  "status": "pending",
  "expires": "2018-11-22T13:38:17Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/ac … 9316544547",
      "token": "FYUfDzhwar1YzHKyASwGDPsRtHnSLqE05Y2p32kCUR0"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/ac … 9316544548",
      "token": "Af7RVl6qgMhacHjgQ_v2psORRYxG3QulyUzPJPdJiv8"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/ac … 9316544549",
      "token": "8H4D1PoMeneJTPoa4Yh4itxffYsGHbmnbnHFy_LL8k4"
    }
  ],
  "combinations": [
    [
      0
    ],
    [
      1
    ],
    [
      2
    ]
  ]
}
2018-11-15 13:38:17,797:DEBUG:acme.client:Storing nonce: QfodM7kMESuliTSIABTNtNmxXtUpoInnYmS9EE1ZSDQ
2018-11-15 13:38:17,798:DEBUG:acme.challenges:tls-alpn-01 was not recognized, full message: {u'status': u'pending', u'token': u'8H4D1PoMeneJTPoa4Yh4itxffYsGHbmnbnHFy_LL8k4', u'type': u'tls-alpn-01', u'uri': u$
2018-11-15 13:38:17,798:INFO:certbot.auth_handler:Performing the following challenges:
2018-11-15 13:38:17,798:INFO:certbot.auth_handler:http-01 challenge for host.my.domain
2018-11-15 13:38:17,799:INFO:certbot.plugins.webroot:Using the webroot path /var/www/html for all unmatched domains.
2018-11-15 13:38:17,799:DEBUG:certbot.plugins.webroot:Creating root challenges validation dir at /var/www/html/.well-known/acme-challenge
2018-11-15 13:38:17,803:DEBUG:certbot.plugins.webroot:Attempting to save validation to /var/www/html/.well-known/acme-challenge/FYUfDzhwar1YzHKyASwGDPsRtHnSLqE05Y2p32kCUR0
2018-11-15 13:38:17,804:INFO:certbot.auth_handler:Waiting for verification...
2018-11-15 13:38:17,804:DEBUG:acme.client:JWS payload:
{
  "keyAuthorization": "FYUfDzhwar1YzHKyASwGDPsRtHnSLqE05Y2p32kCUR0.iZWJoB2e6S0BwOjektqnhox7oxpsVIh850IxkAdFzlw",
  "type": "http-01",
  "resource": "challenge"
}
2018-11-15 13:38:17,808:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/ac … 316544547:
{
  "header": {
    "alg": "RS256",
    "jwk": {
      "e": "AQAB",
      "kty": "RSA",
      "n": "tbx9vBaosojBBybkaU7sTcdqgnEKfqwcvoCnaFqrOYFev9smgFfbe7dtIv_RsmbbZNTahVfFRsciV4VdZ5cC8vMyUKbJYcCLsStuh-RPM3AQctluFTuaHE7mOFVpnQn1AZzpzXUzVZnKYzut0xbe5xu9KvsqqGcJGvNIQbrYPywA9ikstCsrNDzWhKn-NY4FfPLt$
    }
  },
  "protected": "eyJub25jZSI6ICJRZm9kTTdrTUVTdWxpVFNJQUJUTnRObXhYdFVwb0lublltUzlFRTFaU0RRIn0",
  "payload": "ewogICJrZXlBdXRob3JpemF0aW9uIjogIkZZVWZEemh3YXIxWXpIS3lBU3dHRFBzUnRIblNMcUUwNVkycDMya0NVUjAuaVpXSm9CMmU2UzBCd09qZWt0cW5ob3g3b3hwc1ZJaDg1MEl4a0FkRnpsdyIsIAogICJ0eXBlIjogImh0dHAtMDEiLCAKICAicmVzb3$
  "signature": "A2xgV7KvFFHdi2hjuKrOus0tvqizV3I2YkwgQ4PN3CVllJIYiaTdVC6c61Q6HWwm6WAI21ZKoJsl8xoBREnUep8RodLfv6L7F2DkGHIkKBgkK6911CzJtXUmsIGjsD2NFj9GFsUtvtGrg6KSObkvub3tS3hHty9-ttOVKZP15INRer2kbzQFsa2noPWpQtNS$
}
2018-11-15 13:38:18,016:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "POST /acme/challenge/3ttXuazGjDUlHYjBO1vTHxRv0PJaQQlHNwUd3yb6Pn0/9316544547 HTTP/1.1" 202 336
2018-11-15 13:38:18,017:DEBUG:acme.client:Received response:
HTTP 202
Server: nginx
Content-Type: application/json
Content-Length: 336
Boulder-Requester: 45775963
Link: <https://acme-v01.api.letsencrypt.org/ac … wUd3yb6Pn0>;rel="up"
Location: https://acme-v01.api.letsencrypt.org/ac … 9316544547
Replay-Nonce: MXLzs5IyIkjFg7MG2Z1wDlVsB5MeJ-j_TADCXbA0QQ4
Expires: Thu, 15 Nov 2018 13:38:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 15 Nov 2018 13:38:18 GMT
Connection: keep-alive

{
  "type": "http-01",
  "status": "pending",
  "uri": "https://acme-v01.api.letsencrypt.org/ac … 9316544547",
  "token": "FYUfDzhwar1YzHKyASwGDPsRtHnSLqE05Y2p32kCUR0",
  "keyAuthorization": "FYUfDzhwar1YzHKyASwGDPsRtHnSLqE05Y2p32kCUR0.iZWJoB2e6S0BwOjektqnhox7oxpsVIh850IxkAdFzlw"
}
2018-11-15 13:38:18,017:DEBUG:acme.client:Storing nonce: MXLzs5IyIkjFg7MG2Z1wDlVsB5MeJ-j_TADCXbA0QQ4
2018-11-15 13:38:21,019:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/ac … Ud3yb6Pn0.
2018-11-15 13:38:21,252:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "GET /acme/authz/3ttXuazGjDUlHYjBO1vTHxRv0PJaQQlHNwUd3yb6Pn0 HTTP/1.1" 200 2139
2018-11-15 13:38:21,253:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Link: <https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"
Replay-Nonce: gN42yetHuJ5EnuTWRMnFAXWrUbI4c_ymJzwV3XMZ14M
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Content-Length: 2139
Expires: Thu, 15 Nov 2018 13:38:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 15 Nov 2018 13:38:21 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "host.my.domain"
  },
  "status": "invalid",
  "expires": "2018-11-22T13:38:17Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:acme:error:unauthorized",
        "detail": "Invalid response from http://host.my.domain/.well-known/acme- … 2p32kCUR0: \"\u003c!DOCTYPE HTML PUBLIC \\\"-//IETF//DTD HTML 2.0//EN\\\"\u003e\\n\$
        "status": 403
      },
      "uri": "https://acme-v01.api.letsencrypt.org/ac … 9316544547",
      "token": "FYUfDzhwar1YzHKyASwGDPsRtHnSLqE05Y2p32kCUR0",
      "validationRecord": [
        {
          "url": "http://host.my.domain/.well-known/acme- … Y2p32kCUR0",
          "hostname": "host.my.domain",
          "port": "80",
          "addressesResolved": [
            "81.174.162.68"
          ],
          "addressUsed": "81.174.162.68"
        },
        {
          "url": "https://host.my.domain/.well-known/acme … Y2p32kCUR0",
          "hostname": "host.my.domain",
          "port": "443",
          "addressesResolved": [
            "81.174.162.68"
          ],
          "addressUsed": "81.174.162.68"
        }
      ]
    },
    {
      "type": "dns-01",
      "status": "invalid",
      "uri": "https://acme-v01.api.letsencrypt.org/ac … 9316544548",
      "token": "Af7RVl6qgMhacHjgQ_v2psORRYxG3QulyUzPJPdJiv8"
    },
    {
      "type": "tls-alpn-01",
      "status": "invalid",
      "uri": "https://acme-v01.api.letsencrypt.org/ac … 9316544549",
      "token": "8H4D1PoMeneJTPoa4Yh4itxffYsGHbmnbnHFy_LL8k4"
    }
  ],
  "combinations": [
    [
      0
    ],
    [
      1
    ],
    [
      2
    ]
  ]
}
2018-11-15 13:38:21,254:DEBUG:acme.challenges:tls-alpn-01 was not recognized, full message: {u'status': u'invalid', u'token': u'8H4D1PoMeneJTPoa4Yh4itxffYsGHbmnbnHFy_LL8k4', u'type': u'tls-alpn-01', u'uri': u$
2018-11-15 13:38:21,255:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: host.my.domain
Type:   unauthorized
Detail: Invalid response from http://host.my.domain/.well-known/acme- … 2p32kCUR0: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not$

To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address.
2018-11-15 13:38:21,255:INFO:certbot.auth_handler:Cleaning up challenges
2018-11-15 13:38:21,255:DEBUG:certbot.plugins.webroot:Removing /var/www/html/.well-known/acme-challenge/FYUfDzhwar1YzHKyASwGDPsRtHnSLqE05Y2p32kCUR0
2018-11-15 13:38:21,256:DEBUG:certbot.plugins.webroot:All challenges cleaned up, removing /var/www/html/.well-known/acme-challenge
2018-11-15 13:38:21,257:DEBUG:certbot.main:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.10.2', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 849, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 626, in obtain_cert
    action, _ = _auth_from_available(le_client, config, domains, certname, lineage)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 107, in _auth_from_available
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 291, in obtain_and_enroll_certificate
    certr, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 262, in obtain_certificate
    self.config.allow_subset_of_names)
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 77, in get_authorizations
    self._respond(resp, best_effort)
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 134, in _respond
    self._poll_challenges(chall_update, best_effort)
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 198, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. host.my.domain (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://host.my.domain/.well-know$


2

Re: Unable to get a successful certbot SSL cert

Try to create this file manually, then visit it with a web browser.
It's possible that your Nginx configuration has some improper configuration.
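
One way to do the manual check suggested in that reply, as an added example that is not code from the thread or the iRedMail project: it writes a throwaway file under the webroot, fetches it through the public hostname the way the CA does, and classifies the outcome (a 404 like the one in the log means whichever host answered port 80 is not serving this webroot). The webroot /var/www/html and hostname host.my.domain are taken from the post and are assumptions you can override with environment variables.

```shell
#!/bin/sh
# Manual http-01 reachability probe for a certbot --webroot setup. Added example,
# not code from the thread or the iRedMail project. Assumes the post's paths:
# webroot /var/www/html and hostname host.my.domain (both overridable by env).
WEBROOT="${WEBROOT:-/var/www/html}"
FQDN="${FQDN:-host.my.domain}"
# Random hex string for the probe file name and body (constructed values).
rand_hex() {
    od -An -N8 -tx1 /dev/urandom | tr -d ' \n'
}

# Create a probe file under DIR/.well-known/acme-challenge; print "name body".
probe_write() {
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir"
    name="probe-$(rand_hex)"
    body="probe-body-$(rand_hex)"
    printf '%s' "$body" > "$dir/$name"
    chmod 644 "$dir/$name"    # the nginx worker must be able to read it
    printf '%s %s\n' "$name" "$body"
}

# Classify a fetch: STATUS is the HTTP status (000 = no connection), GOT the
# body received, WANT the body written. Returns 0 only when they match.
probe_check() {
    status="$1"; got="$2"; want="$3"
    case "$status" in
        200) if [ "$got" = "$want" ]; then
                 echo "OK: the public URL serves files from $WEBROOT"; return 0
             fi
             echo "MISMATCH: HTTP 200 with a different body; another vhost or document root answered"
             return 1 ;;
        404) echo "404: the host answering port 80 does not serve this webroot (NAT/port-forward rule or nginx root)"
             return 1 ;;
        000) echo "NO CONNECTION: port 80 unreachable from outside (firewall or NAT rule not enabled)"
             return 1 ;;
        *)   echo "HTTP $status: unexpected response"; return 1 ;;
    esac
}

# Write the probe, fetch it through the public name as the CA does, clean up.
# Compare the resolved address with validationRecord.addressUsed in the log.
probe_run() {
    set -- $(probe_write "$WEBROOT")
    name="$1"; want="$2"
    out=$(curl -s --max-time 10 -w '\n%{http_code}' "http://$FQDN/.well-known/acme-challenge/$name")
    rm -f "$WEBROOT/.well-known/acme-challenge/$name"
    echo "$FQDN resolves to: $(getent hosts "$FQDN" | awk '{print $1}' | tr '\n' ' ')"
    probe_check "$(printf '%s' "$out" | tail -n 1)" "$(printf '%s' "$out" | sed '$d')" "$want"
}

# Run the live check only when invoked as: sh acme-probe.sh run
if [ "${1:-}" = "run" ]; then probe_run; fi
```

Run it from outside your own network if you can; from inside, NAT hairpinning can make a broken port-forward rule look fine.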

3 (edited by chc-pr 2018-11-16 19:42:46)

Re: Unable to get a successful certbot SSL cert

ZhangHuangbin wrote:

Try to create this file manually, then visit it with a web browser.
It's possible that your Nginx configuration has some improper configuration.

Sorry Zhang, it turned out to be a NAT problem after all. I set the NAT and the associated Port Rules, but failed to enable part of the rules. Your post made me go back and look at it again more carefully. Thanks. A simple case of the obvious being missed (again no doubt).