3

I have been trying to get an SSL certificate for a site using LetsEncrypt, "a free, automated, and open certificate authority (CA), run for the public’s benefit". There is an ACME shell script that is meant to make the process of using LetsEncrypts API easier to receive an SSL certificate. One of their methods requires you to enter in your domain name, and the webroot of your application. 

acme.sh --issue -d example.com -w /home/wwwroot/example.com

However, when I try to enter this command, it says that it was unable to verify the domain. I added a --debug flag to the script command, and received this, but am not sure where the problem lies.

[Mon Sep 11 05:05:01 UTC 2017] Using config home:/home/doc4design/.acme.sh
[Mon Sep 11 05:05:01 UTC 2017] DOMAIN_PATH='/home/doc4design/.acme.sh/doc4design.com'
[Mon Sep 11 05:05:01 UTC 2017] Using ACME_DIRECTORY: https://acme-v01.api.letsencrypt.org/directory
[Mon Sep 11 05:05:01 UTC 2017] _init api for server: https://acme-v01.api.letsencrypt.org/directory
[Mon Sep 11 05:05:01 UTC 2017] ACME_KEY_CHANGE='https://acme-v01.api.letsencrypt.org/acme/key-change'
[Mon Sep 11 05:05:01 UTC 2017] ACME_NEW_AUTHZ='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Mon Sep 11 05:05:01 UTC 2017] ACME_NEW_ORDER='https://acme-v01.api.letsencrypt.org/acme/new-cert'
[Mon Sep 11 05:05:01 UTC 2017] ACME_NEW_ACCOUNT='https://acme-v01.api.letsencrypt.org/acme/new-reg'
[Mon Sep 11 05:05:01 UTC 2017] ACME_REVOKE_CERT='https://acme-v01.api.letsencrypt.org/acme/revoke-cert'
[Mon Sep 11 05:05:01 UTC 2017] Le_NextRenewTime
[Mon Sep 11 05:05:01 UTC 2017] _on_before_issue
[Mon Sep 11 05:05:01 UTC 2017] Le_LocalAddress
[Mon Sep 11 05:05:01 UTC 2017] Check for domain='doc4design.com'
[Mon Sep 11 05:05:02 UTC 2017] _currentRoot='/home/doc4design/webapps/django_2016/doc4_2016'
[Mon Sep 11 05:05:02 UTC 2017] _saved_account_key_hash is not changed, skip register account.
[Mon Sep 11 05:05:02 UTC 2017] Read key length:
[Mon Sep 11 05:05:02 UTC 2017] _createcsr
[Mon Sep 11 05:05:02 UTC 2017] Single domain='doc4design.com'
[Mon Sep 11 05:05:02 UTC 2017] Getting domain auth token for each domain
[Mon Sep 11 05:05:02 UTC 2017] Getting webroot for domain='doc4design.com'
[Mon Sep 11 05:05:02 UTC 2017] _w='/home/doc4design/webapps/django_2016/doc4_2016'
[Mon Sep 11 05:05:02 UTC 2017] _currentRoot='/home/doc4design/webapps/django_2016/doc4_2016'
[Mon Sep 11 05:05:02 UTC 2017] Getting new-authz for domain='doc4design.com'
[Mon Sep 11 05:05:02 UTC 2017] _init api for server: https://acme-v01.api.letsencrypt.org/directory
[Mon Sep 11 05:05:02 UTC 2017] ACME_KEY_CHANGE='https://acme-v01.api.letsencrypt.org/acme/key-change'
[Mon Sep 11 05:05:02 UTC 2017] ACME_NEW_AUTHZ='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Mon Sep 11 05:05:02 UTC 2017] ACME_NEW_ORDER='https://acme-v01.api.letsencrypt.org/acme/new-cert'
[Mon Sep 11 05:05:02 UTC 2017] ACME_NEW_ACCOUNT='https://acme-v01.api.letsencrypt.org/acme/new-reg'
[Mon Sep 11 05:05:02 UTC 2017] ACME_REVOKE_CERT='https://acme-v01.api.letsencrypt.org/acme/revoke-cert'
[Mon Sep 11 05:05:02 UTC 2017] Try new-authz for the 0 time.
[Mon Sep 11 05:05:02 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Mon Sep 11 05:05:02 UTC 2017] payload='{"resource": "new-authz", "identifier": {"type": "dns", "value": "doc4design.com"}}'
[Mon Sep 11 05:05:02 UTC 2017] RSA key
[Mon Sep 11 05:05:02 UTC 2017] GET
[Mon Sep 11 05:05:02 UTC 2017] url='https://acme-v01.api.letsencrypt.org/directory'
[Mon Sep 11 05:05:02 UTC 2017] timeout
[Mon Sep 11 05:05:02 UTC 2017] _CURL='curl -L --silent --dump-header /home/doc4design/.acme.sh/http.header '
[Mon Sep 11 05:05:02 UTC 2017] ret='0'
[Mon Sep 11 05:05:02 UTC 2017] POST
[Mon Sep 11 05:05:02 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Mon Sep 11 05:05:02 UTC 2017] _CURL='curl -L --silent --dump-header /home/doc4design/.acme.sh/http.header '
[Mon Sep 11 05:05:03 UTC 2017] _ret='0'
[Mon Sep 11 05:05:03 UTC 2017] code='201'
[Mon Sep 11 05:05:03 UTC 2017] The new-authz request is ok.
[Mon Sep 11 05:05:03 UTC 2017] entry='"type":"http-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/7hHtQgJ6i3H5IplHkU8zq-2n6TVLuUuhN5K9M71nZ8I/1959333012","token":"jSwY3$
[Mon Sep 11 05:05:03 UTC 2017] token='jSwY3zdodjpOfh1m6iz1SWNZFFSKnfqdkzj8Cc6Dl2c'
[Mon Sep 11 05:05:03 UTC 2017] uri='https://acme-v01.api.letsencrypt.org/acme/challenge/7hHtQgJ6i3H5IplHkU8zq-2n6TVLuUuhN5K9M71nZ8I/1959333012'
[Mon Sep 11 05:05:03 UTC 2017] keyauthorization='jSwY3zdodjpOfh1m6iz1SWNZFFSKnfqdkzj8Cc6Dl2c.KZ04ehApOrSMwkeVbG2UT-klFpwOPf_pDEdqVcHf4XM'
[Mon Sep 11 05:05:03 UTC 2017] dvlist='doc4design.com#jSwY3zdodjpOfh1m6iz1SWNZFFSKnfqdkzj8Cc6Dl2c.KZ04ehApOrSMwkeVbG2UT-klFpwOPf_pDEdqVcHf4XM#https://acme-v01.api.letsencrypt.org/acme/challenge/7hHtQgJ6i$
[Mon Sep 11 05:05:03 UTC 2017] vlist='doc4design.com#jSwY3zdodjpOfh1m6iz1SWNZFFSKnfqdkzj8Cc6Dl2c.KZ04ehApOrSMwkeVbG2UT-klFpwOPf_pDEdqVcHf4XM#https://acme-v01.api.letsencrypt.org/acme/challenge/7hHtQgJ6i3$
[Mon Sep 11 05:05:03 UTC 2017] ok, let's start to verify
[Mon Sep 11 05:05:03 UTC 2017] Verifying:doc4design.com
[Mon Sep 11 05:05:03 UTC 2017] d='doc4design.com'
[Mon Sep 11 05:05:03 UTC 2017] keyauthorization='jSwY3zdodjpOfh1m6iz1SWNZFFSKnfqdkzj8Cc6Dl2c.KZ04ehApOrSMwkeVbG2UT-klFpwOPf_pDEdqVcHf4XM'
[Mon Sep 11 05:05:03 UTC 2017] uri='https://acme-v01.api.letsencrypt.org/acme/challenge/7hHtQgJ6i3H5IplHkU8zq-2n6TVLuUuhN5K9M71nZ8I/1959333012'
[Mon Sep 11 05:05:03 UTC 2017] _currentRoot='/home/doc4design/webapps/django_2016/doc4_2016'
[Mon Sep 11 05:05:02 UTC 2017] ACME_REVOKE_CERT='https://acme-v01.api.letsencrypt.org/acme/revoke-cert'
[Mon Sep 11 05:05:02 UTC 2017] Try new-authz for the 0 time.
[Mon Sep 11 05:05:02 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Mon Sep 11 05:05:02 UTC 2017] payload='{"resource": "new-authz", "identifier": {"type": "dns", "value": "doc4design.com"}}'
[Mon Sep 11 05:05:02 UTC 2017] RSA key
[Mon Sep 11 05:05:02 UTC 2017] GET
[Mon Sep 11 05:05:02 UTC 2017] url='https://acme-v01.api.letsencrypt.org/directory'
[Mon Sep 11 05:05:02 UTC 2017] timeout
[Mon Sep 11 05:05:02 UTC 2017] _CURL='curl -L --silent --dump-header /home/doc4design/.acme.sh/http.header '
[Mon Sep 11 05:05:02 UTC 2017] ret='0'
[Mon Sep 11 05:05:02 UTC 2017] POST
[Mon Sep 11 05:05:02 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Mon Sep 11 05:05:02 UTC 2017] _CURL='curl -L --silent --dump-header /home/doc4design/.acme.sh/http.header '
[Mon Sep 11 05:05:03 UTC 2017] _ret='0'
[Mon Sep 11 05:05:03 UTC 2017] code='201'
[Mon Sep 11 05:05:03 UTC 2017] The new-authz request is ok.
[Mon Sep 11 05:05:03 UTC 2017] entry='"type":"http-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/7hHtQgJ6i3H5IplHkU8zq-2n6TVLuUuhN5K9M71nZ8I/1959333012","token":"jSwY3$
[Mon Sep 11 05:05:03 UTC 2017] token='jSwY3zdodjpOfh1m6iz1SWNZFFSKnfqdkzj8Cc6Dl2c'
[Mon Sep 11 05:05:03 UTC 2017] uri='https://acme-v01.api.letsencrypt.org/acme/challenge/7hHtQgJ6i3H5IplHkU8zq-2n6TVLuUuhN5K9M71nZ8I/1959333012'
[Mon Sep 11 05:05:03 UTC 2017] keyauthorization='jSwY3zdodjpOfh1m6iz1SWNZFFSKnfqdkzj8Cc6Dl2c.KZ04ehApOrSMwkeVbG2UT-klFpwOPf_pDEdqVcHf4XM'
[Mon Sep 11 05:05:03 UTC 2017] dvlist='doc4design.com#jSwY3zdodjpOfh1m6iz1SWNZFFSKnfqdkzj8Cc6Dl2c.KZ04ehApOrSMwkeVbG2UT-klFpwOPf_pDEdqVcHf4XM#https://acme-v01.api.letsencrypt.org/acme/challenge/7hHtQgJ6i$
[Mon Sep 11 05:05:03 UTC 2017] vlist='doc4design.com#jSwY3zdodjpOfh1m6iz1SWNZFFSKnfqdkzj8Cc6Dl2c.KZ04ehApOrSMwkeVbG2UT-klFpwOPf_pDEdqVcHf4XM#https://acme-v01.api.letsencrypt.org/acme/challenge/7hHtQgJ6i3$
[Mon Sep 11 05:05:03 UTC 2017] ok, let's start to verify
[Mon Sep 11 05:05:03 UTC 2017] Verifying:doc4design.com
[Mon Sep 11 05:05:03 UTC 2017] d='doc4design.com'
[Mon Sep 11 05:05:03 UTC 2017] keyauthorization='jSwY3zdodjpOfh1m6iz1SWNZFFSKnfqdkzj8Cc6Dl2c.KZ04ehApOrSMwkeVbG2UT-klFpwOPf_pDEdqVcHf4XM'
[Mon Sep 11 05:05:03 UTC 2017] uri='https://acme-v01.api.letsencrypt.org/acme/challenge/7hHtQgJ6i3H5IplHkU8zq-2n6TVLuUuhN5K9M71nZ8I/1959333012'
[Mon Sep 11 05:05:03 UTC 2017] _currentRoot='/home/doc4design/webapps/django_2016/doc4_2016'
[Mon Sep 11 05:05:03 UTC 2017] wellknown_path='/home/doc4design/webapps/django_2016/doc4_2016/.well-known/acme-challenge'
[Mon Sep 11 05:05:03 UTC 2017] writing token:jSwY3zdodjpOfh1m6iz1SWNZFFSKnfqdkzj8Cc6Dl2c to /home/doc4design/webapps/django_2016/doc4_2016/.well-known/acme-challenge/jSwY3zdodjpOfh1m6iz1SWNZFFSKnfqdkzj8C$
[Mon Sep 11 05:05:03 UTC 2017] Changing owner/group of .well-known to doc4design:doc4design
[Mon Sep 11 05:05:03 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/7hHtQgJ6i3H5IplHkU8zq-2n6TVLuUuhN5K9M71nZ8I/1959333012'
[Mon Sep 11 05:05:03 UTC 2017] payload='{"resource": "challenge", "keyAuthorization": "jSwY3zdodjpOfh1m6iz1SWNZFFSKnfqdkzj8Cc6Dl2c.KZ04ehApOrSMwkeVbG2UT-klFpwOPf_pDEdqVcHf4XM"}'
[Mon Sep 11 05:05:03 UTC 2017] POST
[Mon Sep 11 05:05:03 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/7hHtQgJ6i3H5IplHkU8zq-2n6TVLuUuhN5K9M71nZ8I/1959333012'
[Mon Sep 11 05:05:03 UTC 2017] _CURL='curl -L --silent --dump-header /home/doc4design/.acme.sh/http.header '
[Mon Sep 11 05:05:03 UTC 2017] _ret='0'
[Mon Sep 11 05:05:03 UTC 2017] code='202'
[Mon Sep 11 05:05:03 UTC 2017] sleep 2 secs to verify
[Mon Sep 11 05:05:05 UTC 2017] checking
[Mon Sep 11 05:05:05 UTC 2017] GET
[Mon Sep 11 05:05:05 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/7hHtQgJ6i3H5IplHkU8zq-2n6TVLuUuhN5K9M71nZ8I/1959333012'
[Mon Sep 11 05:05:05 UTC 2017] timeout
[Mon Sep 11 05:05:05 UTC 2017] _CURL='curl -L --silent --dump-header /home/doc4design/.acme.sh/http.header '
[Mon Sep 11 05:05:06 UTC 2017] ret='0'
[Mon Sep 11 05:05:06 UTC 2017] doc4design.com:Verify error:Invalid response from http://doc4design.com/.well-known/acme-challenge/jSwY3zdodjpOfh1m6iz1SWNZFFSKnfqdkzj8Cc6Dl2c:
[Mon Sep 11 05:05:06 UTC 2017] pid
[Mon Sep 11 05:05:06 UTC 2017] No need to restore nginx, skip.
[Mon Sep 11 05:05:06 UTC 2017] _clearupdns
[Mon Sep 11 05:05:06 UTC 2017] skip dns.
[Mon Sep 11 05:05:06 UTC 2017] _on_issue_err
[Mon Sep 11 05:05:06 UTC 2017] Please check log file for more details: /home/doc4design/.acme.sh/acme.sh.log
[Mon Sep 11 05:05:06 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/7hHtQgJ6i3H5IplHkU8zq-2n6TVLuUuhN5K9M71nZ8I/1959333012'
[Mon Sep 11 05:05:06 UTC 2017] payload='{"resource": "challenge", "keyAuthorization": "jSwY3zdodjpOfh1m6iz1SWNZFFSKnfqdkzj8Cc6Dl2c.KZ04ehApOrSMwkeVbG2UT-klFpwOPf_pDEdqVcHf4XM"}'
[Mon Sep 11 05:05:06 UTC 2017] POST
[Mon Sep 11 05:05:06 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/7hHtQgJ6i3H5IplHkU8zq-2n6TVLuUuhN5K9M71nZ8I/1959333012'
[Mon Sep 11 05:05:06 UTC 2017] _CURL='curl -L --silent --dump-header /home/doc4design/.acme.sh/http.header '
[Mon Sep 11 05:05:06 UTC 2017] _ret='0'
[Mon Sep 11 05:05:03 UTC 2017] Changing owner/group of .well-known to doc4design:doc4design
[Mon Sep 11 05:05:03 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/7hHtQgJ6i3H5IplHkU8zq-2n6TVLuUuhN5K9M71nZ8I/1959333012'
[Mon Sep 11 05:05:03 UTC 2017] payload='{"resource": "challenge", "keyAuthorization": "jSwY3zdodjpOfh1m6iz1SWNZFFSKnfqdkzj8Cc6Dl2c.KZ04ehApOrSMwkeVbG2UT-klFpwOPf_pDEdqVcHf4XM"}'
[Mon Sep 11 05:05:03 UTC 2017] POST
[Mon Sep 11 05:05:03 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/7hHtQgJ6i3H5IplHkU8zq-2n6TVLuUuhN5K9M71nZ8I/1959333012'
[Mon Sep 11 05:05:03 UTC 2017] _CURL='curl -L --silent --dump-header /home/doc4design/.acme.sh/http.header '
[Mon Sep 11 05:05:03 UTC 2017] _ret='0'
[Mon Sep 11 05:05:03 UTC 2017] code='202'
[Mon Sep 11 05:05:03 UTC 2017] sleep 2 secs to verify
[Mon Sep 11 05:05:05 UTC 2017] checking
[Mon Sep 11 05:05:05 UTC 2017] GET
[Mon Sep 11 05:05:05 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/7hHtQgJ6i3H5IplHkU8zq-2n6TVLuUuhN5K9M71nZ8I/1959333012'
[Mon Sep 11 05:05:05 UTC 2017] timeout
[Mon Sep 11 05:05:05 UTC 2017] _CURL='curl -L --silent --dump-header /home/doc4design/.acme.sh/http.header '
[Mon Sep 11 05:05:06 UTC 2017] ret='0'
[Mon Sep 11 05:05:06 UTC 2017] doc4design.com:Verify error:Invalid response from http://doc4design.com/.well-known/acme-challenge/jSwY3zdodjpOfh1m6iz1SWNZFFSKnfqdkzj8Cc6Dl2c:
[Mon Sep 11 05:05:06 UTC 2017] pid
[Mon Sep 11 05:05:06 UTC 2017] No need to restore nginx, skip.
[Mon Sep 11 05:05:06 UTC 2017] _clearupdns
[Mon Sep 11 05:05:06 UTC 2017] skip dns.
[Mon Sep 11 05:05:06 UTC 2017] _on_issue_err
[Mon Sep 11 05:05:06 UTC 2017] Please check log file for more details: /home/doc4design/.acme.sh/acme.sh.log
[Mon Sep 11 05:05:06 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/7hHtQgJ6i3H5IplHkU8zq-2n6TVLuUuhN5K9M71nZ8I/1959333012'
[Mon Sep 11 05:05:06 UTC 2017] payload='{"resource": "challenge", "keyAuthorization": "jSwY3zdodjpOfh1m6iz1SWNZFFSKnfqdkzj8Cc6Dl2c.KZ04ehApOrSMwkeVbG2UT-klFpwOPf_pDEdqVcHf4XM"}'
[Mon Sep 11 05:05:06 UTC 2017] POST
[Mon Sep 11 05:05:06 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/7hHtQgJ6i3H5IplHkU8zq-2n6TVLuUuhN5K9M71nZ8I/1959333012'
[Mon Sep 11 05:05:06 UTC 2017] _CURL='curl -L --silent --dump-header /home/doc4design/.acme.sh/http.header '
[Mon Sep 11 05:05:06 UTC 2017] _ret='0'
[Mon Sep 11 05:05:06 UTC 2017] code='400'

Could someone who is familiar with LetsEncrypt shed some light on why LetsEncrypt can't verify my site, and issue me an SSL certificate ?

TJB
  • 3,706
  • 9
  • 51
  • 102

3 Answers3

3

The problem is stated on this line:

[Mon Sep 11 05:05:06 UTC 2017] doc4design.com:Verify error:Invalid response from http://doc4design.com/.well-known/acme-challenge/jSwY3zdodjpOfh1m6iz1SWNZFFSKnfqdkzj8Cc6Dl2c:

The issue is that for whatever reason, external traffic cannot access the file at http://doc4design.com/.well-known/acme-challenge/jSwY3zdodjpOfh1m6iz1SWNZFFSKnfqdkzj8Cc6Dl2c, which was presumably placed on the filesystem in /home/wwwroot/example.com/.well-known/acme-challenge/jSwY3zdodjpOfh1m6iz1SWNZFFSKnfqdkzj8Cc6Dl2c.

That file needs to be externally accessible at the given URL.

will_in_wi
  • 2,623
  • 1
  • 16
  • 21
1

I had this on webfaction.

I see you also have a Django install.

In my case, I had to place the LetyEncrypt generated file in the same directory where the STATIC assets are located.

LetsEncrypt utility client for WebFaction hosts

https://github.com/will-in-wi/letsencrypt-webfaction

I have it configured for 2 domains, and last time I checked the LetsEncrypt certificates were renewed automatically.

ionescu77
  • 1,150
  • 10
  • 14
  • Also this is the original [letsencrypt thread at webfaction support](https://community.webfaction.com/questions/20940/lets-encrypt-automatic-renewal): – ionescu77 Sep 12 '17 at 08:38
  • I noticed that it requires you to install, and run Ruby. My application is in Django/Python. Will this affect my project at all ? – TJB Sep 13 '17 at 01:35
  • Hi, in the github README for letsencrypt-webfaction there are 2 options: - system ruby (I used this one) - RBEnv (in case you want to install ruby yourself) Just type `ruby -v` in a terminal window, it needs to be version 2.3.x – ionescu77 Sep 13 '17 at 09:17
  • It should have no impact on your project, but follow the instructions in the README (I also contributed some updates). I use python not ruby, but did not have the time to write my own implementation in python, yet. :) Just curious: How did you deploy django? Using the webfaction control panel? I have 2 different django installations (different python versions), plus some static sites and they don't mix. – ionescu77 Sep 13 '17 at 09:20
  • I am European time, so could not catch your question earlier. – ionescu77 Sep 13 '17 at 12:15
1

you can add --debug 2 to get a more detail debug info: acme.sh --issue -d example.com -w /home/wwwroot/example.com --debug 2

from the log above, I guess it's related to ipv6. your domain has ipv6 AAAA record resolved. Is your website listening at ipv6 ?

neilpang
  • 46
  • 2