
Unable to get Let's Encrypt cert: ERROR: Challenge is invalid! (returned: invalid)

I'm not able to get a valid Let's Encrypt certificate.
In the Logs I have the following:

2019:02:21-05:07:03 gate letsencrypt[25571]: I Check renewal: renew REF_CaCsrG*******n (domains: ga***********.ch): certificate valid until Jan  1 00:00:01 2038 GMT (temporary certificate)
2019:02:21-05:08:03 gate letsencrypt[25891]: I Renew certificate: handling CSR REF_CaCsrG*******n for domain set [ga***********.ch]
2019:02:21-05:08:04 gate letsencrypt[25891]: I Renew certificate: running command: /var/storage/chroot-reverseproxy/usr/dehydrated/bin/dehydrated -x -f /var/storage/chroot-reverseproxy/usr/dehydrated/conf/config -c --accept-terms --domain ga***********.ch
2019:02:21-05:08:38 gate letsencrypt[25891]: I Renew certificate: command completed with exit code 256
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED: ERROR: Challenge is invalid! (returned: invalid) (result: {
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED:   "type": "http-01",
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED:   "status": "invalid",
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED:   "error": {
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED:     "type": "urn:acme:error:connection",
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED:     "detail": "Fetching ga***********.ch/.../-6Wi_R9aEmcMIpOyAZ2-qCNDTRu6_eNiRdAkvLYiD0s: Timeout during connect (likely firewall problem)",
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED:     "status": 400
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED:   },
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED:   "uri": "acme-v01.api.letsencrypt.org/.../12820172239",
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED:   "token": "-6Wi_R9aEmcMIpOyAZ2-qCNDTRu6_eNiRdAkvLYiD0s",
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED:   "validationRecord": [
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED:     {
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED:       "url": "ga***********.ch/.../-6Wi_R9aEmcMIpOyAZ2-qCNDTRu6_eNiRdAkvLYiD0s",
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED:       "hostname": "ga***********.ch",
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED:       "port": "80",
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED:       "addressesResolved": [
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED:         "6*.***.***.**0"
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED:       ],
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED:       "addressUsed": "6*.***.***.**0"
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED:     }
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED:   ]
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED: })
2019:02:21-05:08:39 gate letsencrypt[25891]: I Renew certificate: sending notification WARN-603
2019:02:21-05:08:39 gate letsencrypt[25891]: [WARN-603] Let's Encrypt certificate renewal failed accessing Let's Encrypt service
2019:02:21-05:08:39 gate letsencrypt[25891]: I Renew certificate: execution completed (CSRs renewed: 0, failed: 1)

My Situation: ISP ---> Router (NAT) --> UTM

On the Router I configured a Port forwarding for Port 80 and 443.
On the UTM Interface I can see (with tcpdump) the incoming Packets from Let's encrypt (IP 66.133.109.36).
But there are retransmissions for these Packets.
It seems the UTM won't answer them.

In my opinion I have chosen the right interface to listen on (The Interface connected to the Router).
The Connection between Router and UTM resides on a VLAN and the Interface on the UTM is a Trunk.

Of course, the UTM Interface has a private IP but in my opinion, this should work because the UTM interface is reachable via FQDN.

I'm at a loss.

btw: I run some SSL-VPNs terminated on the UTM and this works without problem. So the connection from the outside should be ok...

Thanks for your help.
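The log above contains the ACME challenge result as JSON, split across the COMMAND_FAILED lines. The following script is an added example (not part of the thread and not Sophos or dehydrated code): it reassembles that JSON from UTM-style log lines, reports which address the Let's Encrypt validator connected from and on which port, classifies the error type, and checks whether that validator address falls inside a set of networks exempted from blocking. The sample log lines are constructed to mirror the shape of the ones posted (hostname and token replaced by placeholders; the validator address 66.133.109.36 is the one the poster saw in tcpdump), and the exception networks are a made-up documentation range standing in for whatever a DNS-host exception resolves to. The assumption behind the last check is that a hostname-based exception only exempts the addresses that name resolves to, which is why it is expressed here as resolved networks.

```python
import ipaddress
import json
import re

# Constructed sample in the shape of the Sophos UTM letsencrypt log from the
# thread. Only the E/COMMAND_FAILED continuation lines carry the JSON result.
SAMPLE_LOG = """\
2019:02:21-05:08:38 gate letsencrypt[25891]: I Renew certificate: command completed with exit code 256
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED: ERROR: Challenge is invalid! (returned: invalid) (result: {
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED:   "type": "http-01",
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED:   "status": "invalid",
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED:   "error": {
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED:     "type": "urn:acme:error:connection",
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED:     "detail": "Fetching http://example.invalid/.well-known/acme-challenge/TOKEN: Timeout during connect (likely firewall problem)",
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED:     "status": 400
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED:   },
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED:   "token": "TOKEN",
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED:   "validationRecord": [
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED:     {
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED:       "hostname": "example.invalid",
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED:       "port": "80",
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED:       "addressUsed": "66.133.109.36"
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED:     }
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED:   ]
2019:02:21-05:08:38 gate letsencrypt[25891]: E Renew certificate: COMMAND_FAILED: })
"""

# Constructed placeholder: networks exempted from the country block, i.e. what a
# DNS-host exception resolved to. Not real Let's Encrypt address space.
CONSTRUCTED_EXCEPTIONS = ["203.0.113.0/24"]

FAILED_LINE = re.compile(r"^\S+ \S+ letsencrypt\[\d+\]: E Renew certificate: COMMAND_FAILED:(.*)$")


def extract_result(log_text):
    """Rebuild the JSON object dehydrated printed after '(result: ' by joining the
    COMMAND_FAILED continuation lines and dropping the closing ')'."""
    chunks = []
    for line in log_text.splitlines():
        m = FAILED_LINE.match(line)
        if not m:
            continue
        payload = m.group(1)
        head = "(result: "
        if head in payload:
            payload = payload[payload.index(head) + len(head):]
        chunks.append(payload)
    text = "\n".join(chunks).rstrip()
    if text.endswith(")"):
        text = text[:-1]
    return json.loads(text)


def classify(result):
    """Map the ACME error type and detail to the most likely network-side cause."""
    err = result.get("error", {})
    etype = err.get("type", "")
    detail = err.get("detail", "")
    rec = (result.get("validationRecord") or [{}])[0]
    finding = {
        "challenge": result.get("type"),
        "hostname": rec.get("hostname"),
        "port": rec.get("port"),
        "validator_ip": rec.get("addressUsed"),
        "error_type": etype,
    }
    if etype.endswith(":connection") and "Timeout during connect" in detail:
        # SYN seen but never answered: the inbound path is dropped before the
        # web server replies (firewall rule, country blocking, missing DNAT).
        finding["likely_cause"] = "inbound path to port %s dropped before the UTM answers" % rec.get("port")
    elif etype.endswith(":connection"):
        finding["likely_cause"] = "connection refused or reset: nothing listening on the forwarded port"
    elif etype.endswith(":unauthorized"):
        finding["likely_cause"] = "validator reached a web server but got the wrong content"
    elif etype.endswith(":dns"):
        finding["likely_cause"] = "DNS lookup for the hostname failed"
    else:
        finding["likely_cause"] = "unclassified"
    return finding


def exception_covers(validator_ip, exception_networks):
    """True if the validator's source address is inside one of the exempted networks."""
    ip = ipaddress.ip_address(validator_ip)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in exception_networks)


def triage(log_text, exception_networks):
    """Full pass: parse the log, classify the failure, and check the exception list."""
    finding = classify(extract_result(log_text))
    finding["covered_by_exception"] = exception_covers(finding["validator_ip"], exception_networks)
    return finding


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, CONSTRUCTED_EXCEPTIONS).items():
        print("%-22s %s" % (key, value))
```

On the sample, the result is a `urn:acme:error:connection` timeout on port 80 from 66.133.109.36, and `covered_by_exception` comes back False: the validator's source address is not one of the addresses the exception resolves to, which is the situation the thread later describes when an exception for the API hostname alone does not let the validation through.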

  • Hello,
    did you activate country blocking?
    Is there a DNAT rule for the external IP?
    both could cause problems.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Hi

    Last night (and without even bothering to first read any guides) I spent a little while unsuccessfully trying to set it all up (I'm using the free no-ip service, with a ddns.net address) and I ran into similar problems, with UTM sending me the below e-mails of 'complaint':

    Renewing Let's Encrypt certificate 'LetsEncrypt' has failed.
    Reason for failure: An error occurred while communicating with the Let's Encrypt server.

    This afternoon, I popped onto here to see if others had commented on their experiences and I spotted this thread, with your comment about country blocking being a potential issue. I had completely forgotten that I'd set country blocking for everything other than the EU, so feeling rather foolish, I first tried enabling traffic from the USA and the certificate arrived a few tens of seconds later. :)

    Further experiments:

    I then tried re-blocking the USA and instead adding a USA exception for the DNS host acme-v01.api.letsencrypt.org and tried renewing the certificate, which also worked (picture now attached, just in case it helps anybody else).

    I am also using a double NAT scheme and the above experiments were performed with both ports 80 and 443 opened [in the router] towards the UTM, so as a further experiment, I closed port 80 (leaving only 443 open) and after hitting the renew certificate button, it was again successfully renewed. That said, whilst that worked for a renew process, I would expect that you'd need to have port 80 opened to get the initial certificate.

    Anyhow, just a quick note to say that it works, to note my above experiments and also to say a big 'thank you' for the country blocking tip.

    Kind regards,

    Briain

    PS A picture being worth more than 1K words, below shows my country blocking exception (I'd created the other exceptions when noting Cloudflare entries in my logs, so I just added acme-v01.api.letsencrypt.org to my existing list):

  • Thanks for the Hint. Country blocking was the Problem

  • For me acme-v01.api.letsencrypt.org does not work.

    I think Let's Encrypt uses different IPs, so there should be another solution for this problem.

  • acme-v01.api.letsencrypt.org doesn't work for me either.

    I asked the Sophos presales team today ... currently no solution.


    Dirk


  • Hi

    Perhaps worth a shot trying to instead just use letsencrypt.org as the DNS host entry (I just tried it - then renewing the cert - and it seems to also be working okay, for me)?

    See the below 'variation' on the 'inserted pop-up' part within the image attached to my first post:

    Looking at the two entries within the UTM's 'Network Definitions' section shows the above variant also resolving an IP address...

    Bri

  • Arr, after rolling back to a previous backup and trying - many times, yesterday morning - to freshly request a LE certificate (with absolutely no success), I looked at the LE log files and in there was the appropriate message, ending with a link to an LE page stating that you can only refresh a certificate 5 times over a (rolling) 5 day period, so basically, by doing all that testing, I'd simply been biffed off the server for abusing their system; oops, sorry LE folks!

    Anyhow, in a few (4) days time, I will try to obtain a fresh certificate (not a refresh, but starting from scratch), but this time with country blocking enabled, with it set to block traffic from the USA and with the two exceptions (discussed above) to let USA traffic from just these domains through, just to see if it works (it worked for a certificate refresh, but I haven't yet tested it for creating the initial certificate) and, of course, I will update this thread.

    All the best,

    Briain

  • Hi

    Just a quick note to confirm that when trying to create a new L.E. certificate, the acme-v01.api.letsencrypt.org USA exception did not work for me, either (I had to change the USA country block from 'from' to 'off'). As noted above, once I had received the new certificate (and with the acme-v01.api.letsencrypt.org exception in place) I could again change the USA setting back to block 'from' and successfully renew the certificate; it was only necessary to disable the USA country block for the initial certificate creation process.

    Kind regards,

    Briain

  • Hi,

    many thanks for this info.

    Dirk
