M. Hakim's picture

Hi all, 

I have a problem when generating SSL for my virtual machine (VM) behind Proxmox.

 

Proxmox server (public ip) - vm (local ip)

 

On the VM I run a Nextcloud server using the default ports (80 & 443), but I use a different port on the Proxmox server to transfer traffic to my Nextcloud VM. I use port 8989 to forward port 80.

 

I got this error when generating SSL on the Nextcloud server:

2021-12-02 12:33:58,515:DEBUG:certbot.error_handler:Calling registered functions
2021-12-02 12:33:58,515:INFO:certbot.auth_handler:Cleaning up challenges
2021-12-02 12:33:58,516:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/plugins/standalone.py", line 76, in run
    address, self.http_01_resources)
  File "/usr/lib/python3/dist-packages/acme/standalone.py", line 189, in __init__
    BaseDualNetworkedServers.__init__(self, HTTP01Server, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/acme/standalone.py", line 108, in __init__
    raise socket.error("Could not bind to IPv4 or IPv6.")
OSError: Could not bind to IPv4 or IPv6.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1119, in run
    certname, lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 410, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 353, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 389, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 75, in handle_authorizations
    resp = self._solve_challenges(aauthzrs)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 139, in _solve_challenges
    resp = self.auth.perform(all_achalls)
  File "/usr/lib/python3/dist-packages/certbot/plugins/standalone.py", line 234, in perform
    return [self._try_perform_single(achall) for achall in achalls]
  File "/usr/lib/python3/dist-packages/certbot/plugins/standalone.py", line 234, in <listcomp>
    return [self._try_perform_single(achall) for achall in achalls]
  File "/usr/lib/python3/dist-packages/certbot/plugins/standalone.py", line 241, in _try_perform_single
    _handle_perform_error(error)
  File "/usr/lib/python3/dist-packages/certbot/plugins/standalone.py", line 239, in _try_perform_single
    return self._perform_single(achall)
  File "/usr/lib/python3/dist-packages/certbot/plugins/standalone.py", line 245, in _perform_single
    servers, response = self._perform_http_01(achall)
  File "/usr/lib/python3/dist-packages/certbot/plugins/standalone.py", line 254, in _perform_http_01
    servers = self.servers.run(port, challenges.HTTP01, listenaddr=addr)
  File "/usr/lib/python3/dist-packages/certbot/plugins/standalone.py", line 78, in run
    raise errors.StandaloneBindError(error, port)
certbot.errors.StandaloneBindError: Problem binding to port 80: Could not bind to IPv4 or IPv6.
root@san ~#
 

Jeremy Davis's picture

Unfortunately, it appears that the forums might have eaten your post?! :(

Regardless, the subject notes that you are having issues with certbot.

Assuming that this is you, then it seems like you previously tried to use our built-in tool but that failed. I'm guessing that you then tried switching to certbot.

Personally, I have never used certbot, so I can't really help with that at all. Although judging from your error message, something is listening on port 80, so certbot can't bind to it. Perhaps that was also an issue with your usage of our built-in tool too?!

So to help me help you, it would be useful to know which appliance and version you are using. You can get the Turnkey info like this:

turnkey-version

It might also be useful to check the Debian info. Do that like this:

lsb_release -a

It might also be useful to know where/how you are running your appliance (e.g. self hosted VM, self hosted LXC container, AWS server, etc).

Regardless, our built-in Let's Encrypt tool should "just work"! Perhaps it's worth just clearing everything up and re-installing it from scratch and crossing your fingers?!

apt purge -y dehydrated
rm -rf /etc/dehydrated
apt install --reinstall -y dehydrated confconsole

Then reboot your server and double check that your web server is working as it should (i.e. browse to the IP of your server in your web browser). Assuming that's all good, then in your terminal, run confconsole:

confconsole

And re-configure the domain etc.

If that still fails, please post the output you posted in your previous post.

M. Hakim's picture

Hi Jeremy Davis,

Thanks for finding me in this thread. I'm so happy with this forum, especially for your help.

 

These are the results from my system:

root@san ~# turnkey-version
turnkey-nextcloud-16.1-buster-amd64
 

root@san ~# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 10 (buster)
Release:        10
Codename:       buster

After re-installing dehydrated, I still got this error when trying to get a certificate:

 File "/usr/lib/python3/dist-packages/certbot/main.py", line 1119, in run
    certname, lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 410, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 353, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 389, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 168, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 239, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. san.jaklingkoindonesia.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://san.jaklingkoindonesia.com/.well-known/acme-challenge/SuAcKwd2psdk5XiOQghRBGGJJ0t5qMZwosgb4jAr6-E: Connection refused
2021-12-02 22:50:04,108:DEBUG:certbot.main:certbot version: 0.31.0
2021-12-02 22:50:04,109:DEBUG:certbot.main:Arguments: ['-q']
2021-12-02 22:50:04,109:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-12-02 22:50:04,114:DEBUG:certbot.log:Root logging level set at 30
2021-12-02 22:50:04,114:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2021-12-02 22:50:04,115:DEBUG:certbot.renewal:no renewal failures
2021-12-03 04:17:17,848:DEBUG:certbot.main:certbot version: 0.31.0
2021-12-03 04:17:17,848:DEBUG:certbot.main:Arguments: ['-q']
2021-12-03 04:17:17,848:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-12-03 04:17:17,853:DEBUG:certbot.log:Root logging level set at 30
2021-12-03 04:17:17,853:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2021-12-03 04:17:17,854:DEBUG:certbot.renewal:no renewal failures
2021-12-03 21:48:06,082:DEBUG:certbot.main:certbot version: 0.31.0
2021-12-03 21:48:06,082:DEBUG:certbot.main:Arguments: ['-q']
2021-12-03 21:48:06,083:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-12-03 21:48:06,091:DEBUG:certbot.log:Root logging level set at 30
2021-12-03 21:48:06,091:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2021-12-03 21:48:06,092:DEBUG:certbot.renewal:no renewal failures
2021-12-04 07:26:30,843:DEBUG:certbot.main:certbot version: 0.31.0
2021-12-04 07:26:30,844:DEBUG:certbot.main:Arguments: ['-q']
2021-12-04 07:26:30,844:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-12-04 07:26:30,854:DEBUG:certbot.log:Root logging level set at 30
2021-12-04 07:26:30,854:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2021-12-04 07:26:30,855:DEBUG:certbot.renewal:no renewal failures
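
Added example (not part of any poster's message, and not TurnKey, certbot or dehydrated code): a triage script for the failure reported above. It reads a certbot `FailedChallenges` line and, going beyond that post, the JSON challenge result that dehydrated writes to its log. It then compares the port the CA connected to with the public ports actually forwarded to the VM. The sample logs, host name, address, tokens, function names and the `forwarded_ports` parameter are all constructed for illustration.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed samples in the two formats quoted in this thread. The host name,
# 203.0.113.10 and the TOKEN-* values are placeholders, not values from the posts.
CERTBOT_LINE = (
    "certbot.errors.FailedChallenges: Failed authorization procedure. "
    "cloud.example.com (http-01): urn:ietf:params:acme:error:connection :: "
    "The server could not connect to the client to verify the domain :: "
    "Fetching http://cloud.example.com/.well-known/acme-challenge/TOKEN-A: "
    "Connection refused"
)
DEHYDRATED_LOG = '''ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:connection",
    "detail": "Fetching http://cloud.example.com/.well-known/acme-challenge/TOKEN-B: Connection refused",
    "status": 400
  },
  "validationRecord": [
    {"hostname": "cloud.example.com", "port": "80", "addressUsed": "203.0.113.10"}
  ]
})
ERROR: Challenge is invalid! (returned: invalid) (result: { "type": "http-01", "validationRecord": [ { "url": "http://cloud.example.com/TOKEN-C..., "port": "80" } ] })
{
  "type": "urn:ietf:params:acme:error:rateLimited",
  "status": 429
}
'''

RATE_LIMIT_URN = "urn:ietf:params:acme:error:rateLimited"
CERTBOT_RE = re.compile(
    r"(?P<host>\S+) \((?P<type>[a-z0-9-]+)\): "
    r"(?P<error>urn:ietf:params:acme:error:\w+) :: .*? :: "
    r"Fetching (?P<url>\S+?): (?P<detail>.+)"
)


def parse_certbot(text):
    """Extract failed challenges from certbot's one-line FailedChallenges message."""
    findings = []
    for m in CERTBOT_RE.finditer(text):
        url = urlsplit(m["url"])
        # No explicit port in the URL means the scheme default was used.
        port = url.port or (443 if url.scheme == "https" else 80)
        findings.append({"host": m["host"], "type": m["type"],
                         "error": m["error"], "port": port, "address": None})
    return findings


def parse_dehydrated(text):
    """Extract challenge results from a dehydrated log; returns (findings, skipped)."""
    findings, skipped, pos = [], 0, 0
    decoder, marker = json.JSONDecoder(), "(result: "
    while (start := text.find(marker, pos)) != -1:
        try:
            # raw_decode parses one JSON value and ignores the log text after it.
            obj, pos = decoder.raw_decode(text, start + len(marker))
        except json.JSONDecodeError:
            # Truncated or flattened paste: count it instead of guessing.
            skipped, pos = skipped + 1, start + len(marker)
            continue
        error = obj.get("error", {}).get("type", "")
        for rec in obj.get("validationRecord", [{}]):
            findings.append({"host": rec.get("hostname"), "type": obj.get("type"),
                             "error": error, "port": int(rec.get("port", 80)),
                             "address": rec.get("addressUsed")})
    return findings, skipped


def diagnose(finding, forwarded_ports):
    """Classify one failure given the public ports forwarded to the VM."""
    if finding["type"] != "http-01" or not finding["error"].endswith(":connection"):
        return "other"
    # RFC 8555 section 8.3: the CA's HTTP-01 request goes to TCP port 80 of the
    # address the name resolves to; a forward on another public port is not used.
    if finding["port"] not in forwarded_ports:
        return "port-not-forwarded"
    return "listener-or-firewall"


def triage(text, forwarded_ports):
    """Summarise every challenge failure found in a pasted log."""
    dehydrated, skipped = parse_dehydrated(text)
    findings = parse_certbot(text) + dehydrated
    return {
        "failures": len(findings),
        "skipped": skipped,
        "verdicts": sorted({diagnose(f, forwarded_ports) for f in findings}),
        "rate_limited": RATE_LIMIT_URN in text,
    }


if __name__ == "__main__":
    # Hypothetical setup matching the thread: only public port 8989 is forwarded.
    print(triage(CERTBOT_LINE + "\n" + DEHYDRATED_LOG, forwarded_ports={8989}))
```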

 

M. Hakim's picture

Hi Jeremy Davis,

I still can't get the SSL; the log says this:


M. Hakim's picture

I'm afraid there's a firewall issue, so I rechecked the apache config, 000-def, nextclod-con, port.conf

 

This is the newest error log:

 

root@san ~# cat /var/log/confconsole/letsencrypt.log
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:connection",
    "detail": "Fetching http://san.jaklingkoindonesia.com/.well-known/acme-challenge/qi_EriIaNKcMq6jvjCw9cqqVN2EkOaOojmfkq-oqmow: Connection refused",
    "status": 400
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/54356939220/xCdKcQ",
  "token": "qi_EriIaNKcMq6jvjCw9cqqVN2EkOaOojmfkq-oqmow",
  "validationRecord": [
    {
      "url": "http://san.jaklingkoindonesia.com/.well-known/acme-challenge/qi_EriIaNKcMq6jvjCw9cqqVN2EkOaOojmfkq-oqmow",
      "hostname": "san.jaklingkoindonesia.com",
      "port": "80",
      "addressesResolved": [
        "202.56.163.123"
      ],
      "addressUsed": "202.56.163.123"
    }
  ],
  "validated": "2021-12-01T06:37:31Z"
})
[2021-12-01 13:37:34] dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.
[2021-12-01 13:37:34] dehydrated-wrapper: WARNING: Python is still listening on port 80
[2021-12-01 13:37:34] dehydrated-wrapper: WARNING: Something went wrong, restoring original cert, key and combined files.
[2021-12-01 13:37:34] dehydrated-wrapper: WARNING: Check today's previous log entries for details of error.
ERROR: BASEDIR does not exist: /var/lib/dehydrated
[2021-12-01 13:43:50] dehydrated-wrapper: FATAL: dehydrated failed to register account.
[2021-12-01 13:43:50] dehydrated-wrapper: WARNING: Something went wrong, restoring original cert, key and combined files.
[2021-12-01 13:43:50] dehydrated-wrapper: WARNING: Check today's previous log entries for details of error.
ERROR: BASEDIR does not exist: /var/lib/dehydrated
[2021-12-01 13:44:24] dehydrated-wrapper: FATAL: dehydrated failed to register account.
[2021-12-01 13:44:24] dehydrated-wrapper: WARNING: Something went wrong, restoring original cert, key and combined files.
[2021-12-01 13:44:24] dehydrated-wrapper: WARNING: Check today's previous log entries for details of error.
ERROR: BASEDIR does not exist: /var/lib/dehydrated
[2021-12-01 14:09:58] dehydrated-wrapper: FATAL: dehydrated failed to register account.
[2021-12-01 14:09:58] dehydrated-wrapper: WARNING: Something went wrong, restoring original cert, key and combined files.
[2021-12-01 14:09:58] dehydrated-wrapper: WARNING: Check today's previous log entries for details of error.
ERROR: BASEDIR does not exist: /var/lib/dehydrated
[2021-12-01 14:10:44] dehydrated-wrapper: FATAL: dehydrated failed to register account.
[2021-12-01 14:10:44] dehydrated-wrapper: WARNING: Something went wrong, restoring original cert, key and combined files.
[2021-12-01 14:10:44] dehydrated-wrapper: WARNING: Check today's previous log entries for details of error.
ERROR: WELLKNOWN directory doesn't exist, please create /var/lib/dehydrated/acme-challenges and set appropriate permissions.
[2021-12-01 14:14:00] dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.
[2021-12-01 14:14:00] dehydrated-wrapper: WARNING: Python is still listening on port 80
[2021-12-01 14:14:00] dehydrated-wrapper: WARNING: Something went wrong, restoring original cert, key and combined files.
[2021-12-01 14:14:00] dehydrated-wrapper: WARNING: Check today's previous log entries for details of error.
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:connection",
    "detail": "Fetching http://san.jaklingkoindonesia.com/.well-known/acme-challenge/dEejXVGeU6XL8eseMEVV-K7JuC134UjcPZYrIphMWaw: Connection refused",
    "status": 400
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/54618405410/sBq82Q",
  "token": "dEejXVGeU6XL8eseMEVV-K7JuC134UjcPZYrIphMWaw",
  "validationRecord": [
    {
      "url": "http://san.jaklingkoindonesia.com/.well-known/acme-challenge/dEejXVGeU6XL8eseMEVV-K7JuC134UjcPZYrIphMWaw",
      "hostname": "san.jaklingkoindonesia.com",
      "port": "80",
      "addressesResolved": [
        "202.56.163.123"
      ],
      "addressUsed": "202.56.163.123"
    }
  ],
  "validated": "2021-12-02T02:02:24Z"
})
[2021-12-02 09:02:27] dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.
[2021-12-02 09:02:27] dehydrated-wrapper: WARNING: Python is still listening on port 80
[2021-12-02 09:02:27] dehydrated-wrapper: WARNING: Something went wrong, restoring original cert, key and combined files.
[2021-12-02 09:02:27] dehydrated-wrapper: WARNING: Check today's previous log entries for details of error.
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:connection",
    "detail": "Fetching http://san.jaklingkoindonesia.com/.well-known/acme-challenge/SHiYB0gdrqLNPBA4ZW6UnfxIVNk7vgDl07Q_2KWR5IU: Connection refused",
    "status": 400
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/54672217660/fyQXWA",
  "token": "SHiYB0gdrqLNPBA4ZW6UnfxIVNk7vgDl07Q_2KWR5IU",
  "validationRecord": [
    {
      "url": "http://san.jaklingkoindonesia.com/.well-known/acme-challenge/SHiYB0gdrqLNPBA4ZW6UnfxIVNk7vgDl07Q_2KWR5IU",
      "hostname": "san.jaklingkoindonesia.com",
      "port": "80",
      "addressesResolved": [
        "202.56.163.123"
      ],
      "addressUsed": "202.56.163.123"
    }
  ],
  "validated": "2021-12-02T05:34:19Z"
})
[2021-12-02 12:34:21] dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.
[2021-12-02 12:34:21] dehydrated-wrapper: WARNING: Python is still listening on port 80
[2021-12-02 12:34:21] dehydrated-wrapper: WARNING: Something went wrong, restoring original cert, key and combined files.
[2021-12-02 12:34:21] dehydrated-wrapper: WARNING: Check today's previous log entries for details of error.
[2021-12-04 07:30:50] dehydrated-wrapper: WARNING: /etc/dehydrated/confconsole.config not found; copying default from /usr/share/confconsole/letsencrypt/dehydrated-confconsole.config
[2021-12-04 07:30:50] dehydrated-wrapper: WARNING: /etc/dehydrated/confconsole.hook.sh not found; copying default from /usr/share/confconsole/letsencrypt/dehydrated-confconsole.hook.sh
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:connection",
    "detail": "Fetching http://san.jaklingkoindonesia.com/.well-known/acme-challenge/yRJSZWpwYJ_baXNEhx6owFuO920cnox2VMP8BgE-Gtw: Connection refused",
    "status": 400
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/55211518650/WyAUTw",
  "token": "yRJSZWpwYJ_baXNEhx6owFuO920cnox2VMP8BgE-Gtw",
  "validationRecord": [
    {
      "url": "http://san.jaklingkoindonesia.com/.well-known/acme-challenge/yRJSZWpwYJ_baXNEhx6owFuO920cnox2VMP8BgE-Gtw",
      "hostname": "san.jaklingkoindonesia.com",
      "port": "80",
      "addressesResolved": [
        "202.56.163.123"
      ],
      "addressUsed": "202.56.163.123"
    }
  ],
  "validated": "2021-12-04T00:30:57Z"
})
[2021-12-04 07:31:00] dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.
[2021-12-04 07:31:00] dehydrated-wrapper: WARNING: Python is still listening on port 80
[2021-12-04 07:31:00] dehydrated-wrapper: WARNING: Something went wrong, restoring original cert, key and combined files.
[2021-12-04 07:31:00] dehydrated-wrapper: WARNING: Check today's previous log entries for details of error.
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:connection",
    "detail": "Fetching http://san.jaklingkoindonesia.com/.well-known/acme-challenge/hPHFEJExFK26frHC77EFfp84-QnzSuWUTZODasC7Brw: Connection refused",
    "status": 400
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/55827752060/AWGkjw",
  "token": "hPHFEJExFK26frHC77EFfp84-QnzSuWUTZODasC7Brw",
  "validationRecord": [
    {
      "url": "http://san.jaklingkoindonesia.com/.well-known/acme-challenge/hPHFEJExFK26frHC77EFfp84-QnzSuWUTZODasC7Brw",
      "hostname": "san.jaklingkoindonesia.com",
      "port": "80",
      "addressesResolved": [
        "202.56.163.123"
      ],
      "addressUsed": "202.56.163.123"
    }
  ],
  "validated": "2021-12-06T01:34:42Z"
})
[2021-12-06 08:34:45] dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.
[2021-12-06 08:34:45] dehydrated-wrapper: WARNING: Python is still listening on port 80
[2021-12-06 08:34:45] dehydrated-wrapper: WARNING: Something went wrong, restoring original cert, key and combined files.
[2021-12-06 08:34:46] dehydrated-wrapper: WARNING: Check today's previous log entries for details of error.
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:connection",
    "detail": "Fetching http://san.jaklingkoindonesia.com/.well-known/acme-challenge/Dh55G3BMvGgsA6HGz8GI3k3Jd_nUft1i6JIUCcvDa3I: Connection refused",
    "status": 400
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/55829744060/JuB7bg",
  "token": "Dh55G3BMvGgsA6HGz8GI3k3Jd_nUft1i6JIUCcvDa3I",
  "validationRecord": [
    {
      "url": "http://san.jaklingkoindonesia.com/.well-known/acme-challenge/Dh55G3BMvGgsA6HGz8GI3k3Jd_nUft1i6JIUCcvDa3I",
      "hostname": "san.jaklingkoindonesia.com",
      "port": "80",
      "addressesResolved": [
        "202.56.163.123"
      ],
      "addressUsed": "202.56.163.123"
    }
  ],
  "validated": "2021-12-06T01:43:26Z"
})
[2021-12-06 08:43:29] dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.
[2021-12-06 08:43:29] dehydrated-wrapper: WARNING: Python is still listening on port 80
[2021-12-06 08:43:29] dehydrated-wrapper: WARNING: Something went wrong, restoring original cert, key and combined files.
[2021-12-06 08:43:29] dehydrated-wrapper: WARNING: Check today's previous log entries for details of error.
[2021-12-06 08:49:59] dehydrated-wrapper: WARNING: /etc/dehydrated/confconsole.config not found; copying default from /usr/share/confconsole/letsencrypt/dehydrated-confconsole.config
[2021-12-06 08:49:59] dehydrated-wrapper: WARNING: /etc/dehydrated/confconsole.hook.sh not found; copying default from /usr/share/confconsole/letsencrypt/dehydrated-confconsole.hook.sh
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:connection",
    "detail": "Fetching http://san.jaklingkoindonesia.com/.well-known/acme-challenge/9MpRgAjnT0q8AesdA09aGg8h6-DoupUhq-NyQmmKtZk: Connection refused",
    "status": 400
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/55831091930/USrUhA",
  "token": "9MpRgAjnT0q8AesdA09aGg8h6-DoupUhq-NyQmmKtZk",
  "validationRecord": [
    {
      "url": "http://san.jaklingkoindonesia.com/.well-known/acme-challenge/9MpRgAjnT0q8AesdA09aGg8h6-DoupUhq-NyQmmKtZk",
      "hostname": "san.jaklingkoindonesia.com",
      "port": "80",
      "addressesResolved": [
        "202.56.163.123"
      ],
      "addressUsed": "202.56.163.123"
    }
  ],
  "validated": "2021-12-06T01:50:07Z"
})
[2021-12-06 08:50:10] dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.
[2021-12-06 08:50:10] dehydrated-wrapper: WARNING: Python is still listening on port 80
[2021-12-06 08:50:10] dehydrated-wrapper: WARNING: Something went wrong, restoring original cert, key and combined files.
[2021-12-06 08:50:10] dehydrated-wrapper: WARNING: Check today's previous log entries for details of error.
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:connection",
    "detail": "Fetching http://san.jaklingkoindonesia.com/.well-known/acme-challenge/QfstVgtsaqnU-PuoAu3XibHGM_zumToDVo2FpUna23s: Connection refused",
    "status": 400
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/55837473960/xLWfHQ",
  "token": "QfstVgtsaqnU-PuoAu3XibHGM_zumToDVo2FpUna23s",
  "validationRecord": [
    {
      "url": "http://san.jaklingkoindonesia.com/.well-known/acme-challenge/QfstVgtsaqnU-PuoAu3XibHGM_zumToDVo2FpUna23s",
      "hostname": "san.jaklingkoindonesia.com",
      "port": "80",
      "addressesResolved": [
        "202.56.163.123"
      ],
      "addressUsed": "202.56.163.123"
    }
  ],
  "validated": "2021-12-06T02:15:26Z"
})
[2021-12-06 09:15:29] dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.
[2021-12-06 09:15:29] dehydrated-wrapper: WARNING: Python is still listening on port 80
[2021-12-06 09:15:29] dehydrated-wrapper: WARNING: Something went wrong, restoring original cert, key and combined files.
[2021-12-06 09:15:29] dehydrated-wrapper: WARNING: Check today's previous log entries for details of error.
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:connection",
    "detail": "Fetching http://san.jaklingkoindonesia.com/.well-known/acme-challenge/pM3TgoSv4N9GBLFtL52pwqBegzdV81lmEYVFNMt40oA: Connection refused",
    "status": 400
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/55838109830/ujasrg",
  "token": "pM3TgoSv4N9GBLFtL52pwqBegzdV81lmEYVFNMt40oA",
  "validationRecord": [
    {
      "url": "http://san.jaklingkoindonesia.com/.well-known/acme-challenge/pM3TgoSv4N9GBLFtL52pwqBegzdV81lmEYVFNMt40oA",
      "hostname": "san.jaklingkoindonesia.com",
      "port": "80",
      "addressesResolved": [
        "202.56.163.123"
      ],
      "addressUsed": "202.56.163.123"
    }
  ],
  "validated": "2021-12-06T02:18:11Z"
})
[2021-12-06 09:18:13] dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.
[2021-12-06 09:18:13] dehydrated-wrapper: WARNING: Python is still listening on port 80
[2021-12-06 09:18:13] dehydrated-wrapper: WARNING: Something went wrong, restoring original cert, key and combined files.
[2021-12-06 09:18:13] dehydrated-wrapper: WARNING: Check today's previous log entries for details of error.
[2021-12-06 09:19:59] dehydrated-wrapper: WARNING: /etc/dehydrated/confconsole.config not found; copying default from /usr/share/confconsole/letsencrypt/dehydrated-confconsole.config
[2021-12-06 09:19:59] dehydrated-wrapper: WARNING: /etc/dehydrated/confconsole.hook.sh not found; copying default from /usr/share/confconsole/letsencrypt/dehydrated-confconsole.hook.sh
  + ERROR: An error occurred while sending post-request to https://acme-v02.api.letsencrypt.org/acme/new-order (Status 429)

Details:
HTTP/2 429
server: nginx
date: Mon, 06 Dec 2021 02:20:05 GMT
content-type: application/problem+json
content-length: 201
boulder-requester: 302886460
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: 01023MpF4U9bhGG5bJYFUWLCeP3ZEAmJO31ucsg58hZqXoI

{
  "type": "urn:ietf:params:acme:error:rateLimited",
  "detail": "Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/",
  "status": 429
}

[2021-12-06 09:20:05] dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.
[2021-12-06 09:20:05] dehydrated-wrapper: WARNING: Python is still listening on port 80
[2021-12-06 09:20:05] dehydrated-wrapper: WARNING: Something went wrong, restoring original cert, key and combined files.
[2021-12-06 09:20:05] dehydrated-wrapper: WARNING: Check today's previous log entries for details of error.
  + ERROR: An error occurred while sending post-request to https://acme-v02.api.letsencrypt.org/acme/new-order (Status 429)

Details:
HTTP/2 429
server: nginx
date: Mon, 06 Dec 2021 02:31:02 GMT
content-type: application/problem+json
content-length: 201
boulder-requester: 302886460
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: 0001Mcte5rQWY-KfdNodU5yqr5wgPaB-dH_Cw4wFWav9voQ

{
  "type": "urn:ietf:params:acme:error:rateLimited",
  "detail": "Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/",
  "status": 429
}

[2021-12-06 09:31:03] dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.
[2021-12-06 09:31:03] dehydrated-wrapper: WARNING: Python is still listening on port 80
[2021-12-06 09:31:03] dehydrated-wrapper: WARNING: Something went wrong, restoring original cert, key and combined files.
[2021-12-06 09:31:03] dehydrated-wrapper: WARNING: Check today's previous log entries for details of error.
root@san ~#

Jeremy Davis's picture

It looks like you've hit the rate limit. Note this line in your logs:

{
  "type": "urn:ietf:params:acme:error:rateLimited",
  "detail": "Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/",
  "status": 429
}

If you want to find out more, look at the page noted in the error message (i.e. https://letsencrypt.org/docs/rate-limits/).

AFAIK, you'll need to wait until that expires. How long that is will depend on how long/how many times you kept trying while it was failing. TBH, I haven't read that full doc, so I'm not exactly clear how long it will take to be removed from the blacklist.

In the meantime, first double check your DNS settings. You can check your A record with the Google Dig tool. Put your FQDN in the text space and click the 'A' and it should return an IP address.

Then on your server, check the public IP via curl (there are a number of different services that return public IP addresses; these are just two):

curl icanhazip.com

Or

curl ifconfig.me

If the IP you get from the curl command matches the IP in Google's Dig tool, you're good.

Then be sure to fix your firewall issues.

To double check that everything is working as it should, try contacting your server via the public IP on http. Assuming you have a smart phone with a data connection, the easiest way to ensure that it's working as it should is to disable wifi on your phone and try to access your domain via the web browser (on your phone). You should be able to view your website. If you can't, then something still isn't right.

Once you have that set up ok, then try to get a certificate using the Let's Encrypt staging server. To do that with the confconsole environment, move your "proper" config file and (temporarily) copy in the staging config. Do that like this:

mv /etc/dehydrated/confconsole.config /etc/dehydrated/confconsole.config.orig
cp /usr/share/confconsole/letsencrypt/dehydrated-staging-confconsole.config /etc/dehydrated/confconsole.config

Then use confconsole to try to get a cert. Or you can take a shortcut and directly launch the dehydrated wrapper script that we provide like this:

/usr/lib/confconsole/plugins.d/Lets_Encrypt/dehydrated-wrapper

To get really verbose info, run it in debug mode like this:

DEBUG=y /usr/lib/confconsole/plugins.d/Lets_Encrypt/dehydrated-wrapper

If it doesn't work, don't just keep retrying; check the other things that I've noted again and try to see what you've missed.

Once that works (and you can get a cert from the staging server), then double check that the cert has been applied to your site. Try browsing to it via https. It will still give a security warning, but you can check the certificate itself (within your browser) to be sure that it is a Let's Encrypt cert (and not just the self signed one that your server shipped with).

Once you've confirmed that all works, then you can move your "proper" config back in and try to get a proper cert. Do that like this:

mv /etc/dehydrated/confconsole.config.orig /etc/dehydrated/confconsole.config

Then re-run the dehydrated wrapper script (either via confconsole or directly as noted above). Again, if it doesn't work, don't keep retrying it. Check the error message and that should guide you on what went wrong. If you use the dehydrated wrapper script directly and the error says that you need to register, then you can retry running it with the '--register' switch (confconsole automatically does that).

I hope that this helps...
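A triage pass over the dehydrated-wrapper output, in line with the advice above not to keep retrying blindly: this is an added example, not part of the reply or of confconsole. It counts the ACME error types in a log and lists the address and port the CA validated against; the function names and the sample log are constructed for illustration.

```shell
# Added example: triage a dehydrated-wrapper log before retrying.
# Constructed sample in the shape of the log above; host, token and address are placeholders.
sample_log() {
cat <<'EOF'
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "error": {
    "type": "urn:ietf:params:acme:error:connection",
    "detail": "Fetching http://host.example.com/.well-known/acme-challenge/TOKEN: Connection refused"
  },
      "port": "80",
      "addressUsed": "192.0.2.10"
})
  + ERROR: An error occurred while sending post-request to https://acme-v02.api.letsencrypt.org/acme/new-order (Status 429)
{
  "type": "urn:ietf:params:acme:error:rateLimited",
  "detail": "Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/"
}
EOF
}

# Read a log on stdin; print "error <kind> <count>" per ACME problem type and
# "validated <address> port <port>" for each address the CA tried to reach.
summarize() {
  awk '
    /"type": "urn:ietf:params:acme:error:/ {
      k = $0; sub(/.*error:/, "", k); sub(/".*/, "", k); n[k]++ }
    /"port":/ { port = $0; sub(/.*"port": "/, "", port); sub(/".*/, "", port) }
    /"addressUsed":/ {
      a = $0; sub(/.*"addressUsed": "/, "", a); sub(/".*/, "", a); seen[a] = port }
    END {
      for (k in n) printf "error %s %d\n", k, n[k]
      for (a in seen) printf "validated %s port %s\n", a, seen[a]
    }' | sort
}

# Read a log on stdin; print the next step. A rate limit outranks everything:
# retrying cannot succeed until it expires.
next_step() {
  s=$(summarize)
  case "$s" in
    *"error rateLimited"*) echo wait ;;
    *"error connection"*)  echo fix-port-80 ;;
    *"error "*)            echo review ;;
    *)                     echo ok ;;
  esac
}

sample_log | summarize; echo "next step: $(sample_log | next_step)"
```

Pipe the wrapper's real output into `next_step`, and compare each `validated` address with what `curl icanhazip.com` returns on the server before trying again.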

M. Hakim's picture

Now I'm a little bit desperate...

I've reinstalled Nextcloud using a different subdomain name; the result is just the same...

 

M. Hakim's picture

picture not showing, repost :

 

https://ibb.co/F0HPcbc


Jeremy Davis's picture

The problem is that the Let's Encrypt servers can't connect to your server!

I just tested it and I can't connect either! You need to work out why that isn't working BEFORE trying to get a certificate. Until your server is remotely accessible it will never work!

I'm sure that it's frustrating and it seems like you're feeling a bit stressed by this. But you need to get your firewall and/or routing or whatever it is that is blocking access to your server fixed first.

FWIW, assuming that your public IP is 202.56.163.123, then your A record seems to be ok.

When I try to connect I get "connection refused". That's also what the Let's Encrypt server is reporting in your log!

"detail": "Fetching http://cloud.jaklingkoindonesia.com/.well-know/[...]: Connection refused",

So slow down and stop worrying about the certificate for a moment. Focus on getting your server publicly accessible, then I anticipate getting a certificate will "just work"!

M. Hakim's picture

Yes, because I put it on a different port.

The Nextcloud server is a VM of a Proxmox server, and it can be browsed using this address:

https://cloud.jaklingkoindonesia.com:8989/


 

Any suggestions?

Jeremy Davis's picture

We do have plans to implement a way to use DNS (ACME DNS-01) at some point in the future, but there is no ETA on that. Currently we only support the HTTP-01 ACME/Let's Encrypt challenge type. HTTP-01 requires vanilla HTTP access via port 80 only (i.e. neither HTTPS nor alternate ports are supported). Although it cannot use a port other than 80 to connect, it will follow redirects. So if you can make http://cloud.jaklingkoindonesia.com redirect to your server, that will work. Please note though, that AFAIK on your server it still needs to be vanilla http. I.e. http://cloud.jaklingkoindonesia.com (plain http on port 80) redirecting to plain http (any port) on your server, should work fine.

FWIW, there is also an HTTPS ACME/Let's Encrypt challenge type (called TLS-ALPN-01), but I know nothing about it and have never used it. I assume that wouldn't be a fix for you anyway as it still requires a default port (https on default port 443).

If you can use DNS, then you could try that. It will need access to the nameservers that provide your domain's DNS though. Dehydrated supports it but I have no experience with it, and you would need to use a hook script that interfaces with whoever provides the nameservers for your domain. Certbot might be easier (probably just because it's used more often)? Although as I've noted before, I have no knowledge of that (DNS or certbot) so I won't be any help to you.

I can help you disable our integration though if you want? Disable the add-water server (the ACME challenge mini-server) like this:

systemctl disable --now add-water
# then to ensure it can't even be started accidentally
systemctl mask add-water

Also be sure to remove the cron job:

find /etc/cron.* -type f -name confconsole-dehydrated -exec rm {} +

M. Hakim's picture

Thank you very much for your great support. I'll wait for the implementation of the DNS ACME method.

Happy to be part of this community..

Jeremy Davis's picture

You're most welcome for the support. Sorry that we couldn't get it working for your current scenario.
