1

Topic: certbot challenge failed

When I execute # certbot certonly --webroot --dry-run -w /var/www/html -d mail.$MYDOMAIN.com, I get this error:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Simulating a certificate request for mail.$MYDOMAIN.com
Performing the following challenges:
http-01 challenge for mail.$MYDOMAIN.com
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Challenge failed for domain mail.$MYDOMAIN.com
http-01 challenge for mail.$MYDOMAIN.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: mail.$MYDOMAIN.com
   Type:   connection
   Detail: Fetching
   https://mail.$MYDOMAIN.com/.well-known/acme-challenge/OieODzucm_cj8KW2hYBYoOZaUvh1fDjpgrGarDvgtb4:
   Timeout during connect (likely firewall problem)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

This happens on a fresh installation of Debian 10 where all I have done other than installing iRedMail was adding a non-root user.

I installed iRedMail 1.3.2 from the downloaded installer, and during the installation process I selected Nginx as the web server, removed Roundcube, added SOGo, and chose PostgreSQL as the database.

/var/log/nginx/access.log looks like this:

52.58.118.98 - - [16/Mar/2021:18:47:09 +0100] "GET /.well-known/acme-challenge/OieODzucm_cj8KW2hYBYoOZaUvh1fDjpgrGarDvgtb4 HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
18.224.20.83 - - [16/Mar/2021:18:47:09 +0100] "GET /.well-known/acme-challenge/OieODzucm_cj8KW2hYBYoOZaUvh1fDjpgrGarDvgtb4 HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
66.133.109.36 - - [16/Mar/2021:18:47:09 +0100] "GET /.well-known/acme-challenge/OieODzucm_cj8KW2hYBYoOZaUvh1fDjpgrGarDvgtb4 HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
34.211.60.134 - - [16/Mar/2021:18:47:09 +0100] "GET /.well-known/acme-challenge/OieODzucm_cj8KW2hYBYoOZaUvh1fDjpgrGarDvgtb4 HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

I don't think I would be seeing that if the firewall were the problem or if the DNS records had not propagated.

Any ideas how to fix this?


2

Re: certbot challenge failed

iredmail1341 wrote:

   Timeout during connect (likely firewall problem)

It means the Let's Encrypt server cannot connect to your server. Please make sure ports 80/443 are open in the firewall.

3 (edited by iredmail1341 2021-03-21 08:37:37)

Re: certbot challenge failed

Thank you for your reply!

I do not understand how that can be the problem. As I wrote, I can see the Let's Encrypt server's requests in the nginx access log.

I can also access the SOGo page with my browser if I accept the default (untrusted) certificate.

And when I put a test file in /var/www/html/.well-known/acme-challenge and try to access it through my browser at http://mail.$MYDOMAIN.com/.well-known/acme-challenge/test.html, it is redirected to https and displayed without a hitch.

4

Re: certbot challenge failed

The problem is that the Let's Encrypt server cannot access it. Are there some firewall rules which block the request from the Let's Encrypt server?

5

Re: certbot challenge failed

I have not edited the firewall rules.

I also tried flushing the firewall and the problem persisted.
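
To make the evidence in this thread checkable, here is an added example (mine, not code from the thread, from certbot, nginx or iRedMail). It parses nginx "combined" access-log lines for validator hits on the challenge path, states what the status means (the 301 in post 1 is the detail that matters: the validator follows the redirect, so the challenge then depends on the https URL, i.e. inbound port 443, being reachable, which is exactly the URL the error in post 1 timed out on), and classifies a TCP connect the way the certbot error does, separating a timeout (packets dropped) from a refusal (port reachable, nothing listening). The sample log lines, addresses and token are constructed; the script assumes the default nginx combined log format and uses only the standard library.

```python
"""Triage a failed http-01 challenge from the nginx access log plus a connect probe.

Added example for this thread; it is not code from certbot, nginx or iRedMail.
It assumes the default nginx 'combined' log format and uses only the stdlib.
"""
import re
import socket
import sys
from urllib.parse import urlsplit

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
VALIDATOR_UA = "Let's Encrypt validation server"

# Constructed sample modelled on the log lines in post 1. The addresses are
# documentation ranges and the token is a placeholder, not real validator data.
SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [16/Mar/2021:18:47:09 +0100] "GET /.well-known/acme-challenge/TOKENEXAMPLE HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
192.0.2.11 - - [16/Mar/2021:18:47:09 +0100] "GET /.well-known/acme-challenge/TOKENEXAMPLE HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
198.51.100.7 - - [16/Mar/2021:18:47:12 +0100] "GET /index.html HTTP/1.1" 200 612 "-" "curl/7.64.0"
"""

# nginx 'combined' format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def acme_requests(log_text):
    """Return (client_ip, status, token) for each validator hit on the challenge path."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(CHALLENGE_PREFIX):
            continue
        if VALIDATOR_UA not in m["ua"]:
            continue  # a browser test, not the validator
        hits.append((m["ip"], int(m["status"]), m["path"][len(CHALLENGE_PREFIX):]))
    return hits


def diagnose(hits):
    """Map the statuses the validator received to the next thing to check."""
    if not hits:
        return "no validator request reached nginx: check DNS and inbound port 80"
    statuses = {status for _, status, _ in hits}
    if statuses == {200}:
        return "challenge answered over port 80; look elsewhere (token content, webroot)"
    if statuses & {301, 302, 307, 308}:
        return ("validator was redirected; it follows the redirect, so the target "
                "(an https URL, i.e. inbound port 443) must be reachable from the "
                "internet too, or the challenge path must be exempted from the redirect")
    return "challenge path returned %s; check the webroot path" % sorted(statuses)


def tcp_probe(host, port, timeout=5.0):
    """Classify a connect attempt the way the ACME error does: open, refused or timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"   # SYN dropped: the 'likely firewall problem' case
    except ConnectionRefusedError:
        return "refused"   # host reachable, nothing listening (or a REJECT rule)
    except OSError as exc:
        return "error: %s" % exc


def probe_url(url, timeout=5.0):
    """Probe the port a given challenge URL would need (80 for http, 443 for https)."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return tcp_probe(parts.hostname, port, timeout)


def probe_self_check():
    """Bind a throwaway listener on localhost and probe it; a sanity check for tcp_probe."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    try:
        return tcp_probe("127.0.0.1", srv.getsockname()[1], timeout=2.0)
    finally:
        srv.close()


if __name__ == "__main__":
    # Usage: python3 acme_triage.py [/var/log/nginx/access.log] [challenge URL]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ACCESS_LOG
    hits = acme_requests(text)
    for ip, status, token in hits:
        print("%-16s %d %s" % (ip, status, token))
    print(diagnose(hits))
    if len(sys.argv) > 2:
        print("%s -> %s" % (sys.argv[2], probe_url(sys.argv[2])))
```

Run it against /var/log/nginx/access.log, then probe the https URL from a host outside your own network (a probe from the mail server itself never crosses the perimeter firewall, so it proves nothing about what the validator sees); "timeout" on 443 while 80 is "open" is the pattern that matches the error in post 1. Exempting the challenge path from the redirect (an nginx `location ^~ /.well-known/acme-challenge/ { root /var/www/html; }` in the port-80 server block, ahead of the redirect) removes the dependency on 443 for http-01 altogether, whether or not the firewall is also fixed.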