Certificate provision

Strange certificate provision error: it points to DNS, but the DNS records are all there. Done maybe 2-3 fresh installations. Is the web root correct? Can it be due to the MAC address? Running on a VM under unraid. Can ping all subdomains from outside. Letsencrypt shows it is not able to get a response.

Log:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Performing the following challenges:
http-01 challenge for autoconfig.oaze.lt
http-01 challenge for autodiscover.oaze.lt
http-01 challenge for mta-sts.oaze.lt
http-01 challenge for oaze.lt
http-01 challenge for www.oaze.lt
Using the webroot path /home/user-data/ssl/lets_encrypt/webroot for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. mta-sts.oaze.lt (http-01): urn:ietf:params:acme:error:dns :: DNS problem: query timed out looking up A for mta-sts.oaze.lt; no valid AAAA records found for mta-sts.oaze.lt, autodiscover.oaze.lt (http-01): urn:ietf:params:acme:error:dns :: DNS problem: query timed out looking up A for autodiscover.oaze.lt; DNS problem: query timed out looking up AAAA for autodiscover.oaze.lt, autoconfig.oaze.lt (http-01): urn:ietf:params:acme:error:dns :: DNS problem: query timed out looking up A for autoconfig.oaze.lt; DNS problem: query timed out looking up AAAA for autoconfig.oaze.lt

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: mta-sts.oaze.lt
   Type: None
   Detail: DNS problem: query timed out looking up A for mta-sts.oaze.lt; no valid AAAA records found for mta-sts.oaze.lt

   Domain: autodiscover.oaze.lt
   Type: None
   Detail: DNS problem: query timed out looking up A for autodiscover.oaze.lt; DNS problem: query timed out looking up AAAA for autodiscover.oaze.lt

   Domain: autoconfig.oaze.lt
   Type: None
   Detail: DNS problem: query timed out looking up A for autoconfig.oaze.lt; DNS problem: query timed out looking up AAAA for autoconfig.oaze.lt

Mind boggled, but I can access https://mta-sts.oaze.lt/.well-known/mta-sts.txt. Can it be because it redirects to HTTPS, as it's an HTTP challenge, and in case it gets a self-signed certificate, in a way it will make a mess?
How can I tell Mail-in-a-Box to use HTTP without breaking anything?
root@box:~/mailinabox/management# certbot certonly --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?


1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)


Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Plugins selected: Authenticator webroot, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter ‘c’
to cancel): box.oaze.lt mta-sts.box.oaze.lt oaze.lt autoconfig.oaze.lt autodiscover.oaze.lt mta-sts.oaze.lt
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for autoconfig.oaze.lt
http-01 challenge for autodiscover.oaze.lt
http-01 challenge for box.oaze.lt
http-01 challenge for mta-sts.box.oaze.lt
http-01 challenge for mta-sts.oaze.lt
http-01 challenge for oaze.lt
Input the webroot for autoconfig.oaze.lt: (Enter ‘c’ to cancel): /home/user-data/www/autoconfig.oaze.lt

Select the webroot for autodiscover.oaze.lt:


1: Enter a new webroot
2: /home/user-data/www/autoconfig.oaze.lt


Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 1
Input the webroot for autodiscover.oaze.lt: (Enter ‘c’ to cancel): /home/user-data/www/autodiscover.oaze.lt

Select the webroot for box.oaze.lt:


1: Enter a new webroot
2: /home/user-data/www/autodiscover.oaze.lt
3: /home/user-data/www/autoconfig.oaze.lt


Select the appropriate number [1-3] then [enter] (press ‘c’ to cancel): 1
Input the webroot for box.oaze.lt: (Enter ‘c’ to cancel): /home/user-data/www/box.oaze.lt

Select the webroot for mta-sts.box.oaze.lt:


1: Enter a new webroot
2: /home/user-data/www/box.oaze.lt
3: /home/user-data/www/autodiscover.oaze.lt
4: /home/user-data/www/autoconfig.oaze.lt


Select the appropriate number [1-4] then [enter] (press ‘c’ to cancel): 1
Input the webroot for mta-sts.box.oaze.lt: (Enter ‘c’ to cancel): /home/user-data/www/mta-sts.box.oaze.lt

Select the webroot for mta-sts.oaze.lt:


1: Enter a new webroot
2: /home/user-data/www/mta-sts.box.oaze.lt
3: /home/user-data/www/box.oaze.lt
4: /home/user-data/www/autodiscover.oaze.lt
5: /home/user-data/www/autoconfig.oaze.lt


Select the appropriate number [1-5] then [enter] (press ‘c’ to cancel): 1
Input the webroot for mta-sts.oaze.lt: (Enter ‘c’ to cancel): /home/user-data/www/mta-sts.oaze.lt

Select the webroot for oaze.lt:


1: Enter a new webroot
2: /home/user-data/www/mta-sts.oaze.lt
3: /home/user-data/www/mta-sts.box.oaze.lt
4: /home/user-data/www/box.oaze.lt
5: /home/user-data/www/autodiscover.oaze.lt
6: /home/user-data/www/autoconfig.oaze.lt


Select the appropriate number [1-6] then [enter] (press ‘c’ to cancel): 1
Input the webroot for oaze.lt: (Enter ‘c’ to cancel): /home/user-data/www/oaze.lt
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. mta-sts.oaze.lt (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://mta-sts.oaze.lt/.well-known/acme-challenge/WqiTmfFfSEdTpaSaTvmJnP9rpI5yIC3YLlqTCkm0z9Y: Timeout during connect (likely firewall problem)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: mta-sts.oaze.lt
    Type: connection
    Detail: Fetching
    http://mta-sts.oaze.lt/.well-known/acme-challenge/WqiTmfFfSEdTpaSaTvmJnP9rpI5yIC3YLlqTCkm0z9Y:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.

Right, thought I'll post the solution in my case.
All this was a firewall issue on an Asus router. Had HTTP port forwarded as a service; believe the reason was behind it. After putting the server in the DMZ for a short time, all worked like it should. Now port 80 is forwarded manually and all works like a charm.
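The two certbot runs in this thread fail for different reasons even though both look like "the challenge did not work": the first reports `urn:ietf:params:acme:error:dns` (Let's Encrypt's resolver got no answer for the A/AAAA lookup), the second `urn:ietf:params:acme:error:connection` (TCP 80 never reached the host). The script below is an added example, not Mail-in-a-Box or certbot code: it parses the `Domain:` / `Type:` / `Detail:` blocks certbot prints under IMPORTANT NOTES, classifies each failed name by ACME error class, and pairs each class with the check to run next. The sample log, the `NEXT_STEP` hints and the `TOKEN` placeholder in the challenge URL are constructed for this example from the output shown above.

```python
"""Triage certbot 'Failed authorization procedure' output by ACME error class.

Added example, not code from Mail-in-a-Box, certbot or this forum thread.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# Constructed sample based on the two certbot runs in the thread: two names
# failed with a DNS timeout, one with a connection timeout on port 80.
SAMPLE_LOG = """\
IMPORTANT NOTES:
  - The following errors were reported by the server:

    Domain: autodiscover.oaze.lt
    Type: None
    Detail: DNS problem: query timed out looking up A for autodiscover.oaze.lt; DNS problem: query timed out looking up AAAA for autodiscover.oaze.lt

    Domain: autoconfig.oaze.lt
    Type: None
    Detail: DNS problem: query timed out looking up A for autoconfig.oaze.lt; DNS problem: query timed out looking up AAAA for autoconfig.oaze.lt

    Domain: mta-sts.oaze.lt
    Type: connection
    Detail: Fetching
    http://mta-sts.oaze.lt/.well-known/acme-challenge/TOKEN:
    Timeout during connect (likely firewall problem)
"""

# Hypothetical next-step hints, one per error class (assumption, not certbot text).
NEXT_STEP = {
    "dns": ("Let's Encrypt's resolver got no answer for the A/AAAA lookup. "
            "From a host outside your network run 'dig +trace <domain> A' and "
            "confirm the authoritative nameservers answer on UDP and TCP 53."),
    "connection": ("The validation server could not open TCP 80 to your host. "
                   "Check the router's port forward for 80 and any firewall in "
                   "front of the box; the fix in this thread was a manual "
                   "port-80 forward."),
    "unknown": "Read the Detail line; this is neither a DNS nor a connectivity failure.",
}


@dataclass
class Failure:
    domain: str
    error_class: str   # "dns", "connection" or "unknown"
    detail: str


# One Domain/Type/Detail block. Detail may span several lines and ends at a
# blank line, at the next "Domain:" or at end of input.
_BLOCK = re.compile(
    r"Domain:\s*(?P<domain>\S+)\s*\n"
    r"\s*Type:\s*(?P<type>\S+)\s*\n"
    r"\s*Detail:\s*(?P<detail>.*?)(?=\n\s*\n|\n\s*Domain:|\Z)",
    re.S,
)


def classify(acme_type: str, detail: str) -> str:
    """Map certbot's Type field (or, when it is 'None', the Detail text) to an error class."""
    t, d = acme_type.lower(), detail.lower()
    if t == "connection" or "timeout during connect" in d or "could not connect" in d:
        return "connection"
    # Older certbot prints Type: None for DNS errors; the Detail still says "DNS problem".
    # Note that "no valid AAAA records found" alone is harmless: the A timeout is the error.
    if t == "dns" or d.startswith("dns problem"):
        return "dns"
    return "unknown"


def parse_failures(text: str) -> list[Failure]:
    """Extract every Domain/Type/Detail block from certbot's IMPORTANT NOTES."""
    failures = []
    for m in _BLOCK.finditer(text):
        detail = " ".join(line.strip() for line in m.group("detail").splitlines())
        failures.append(Failure(m.group("domain"), classify(m.group("type"), detail), detail))
    return failures


def triage(text: str) -> dict[str, list[str]]:
    """Group failed names by error class so one fix can be applied per class."""
    groups: dict[str, list[str]] = {}
    for f in parse_failures(text):
        groups.setdefault(f.error_class, []).append(f.domain)
    return groups


if __name__ == "__main__":
    # Usage: certbot ... 2>&1 | python3 triage.py   (falls back to the sample)
    log = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for error_class, domains in triage(log).items():
        print(f"[{error_class}] {', '.join(domains)}\n    -> {NEXT_STEP[error_class]}")
```

Feed it the output of a `certbot certonly --dry-run` via stdin; every name in the "connection" group is worth testing with `curl -v http://<name>/.well-known/acme-challenge/test` from outside the LAN before re-running certbot, since the redirect to HTTPS is not the problem here: the plain TCP connect itself timed out.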
