Another Let's Encrypt Error

Submitted by hescominsoon on Wed, 05/03/2017 - 19:37 Pro Licensee

I have to set the renewal to manual on all domains because virt now tries to incessantly renew them. Parsing CSR... Registering account... Already registered! Verifying www.troubadourjohn.com... Traceback (most recent call last):   File "/usr/libexec/webmin/webmin/acme_tiny.py", line 203, in     main(sys.argv[1)   File "/usr/libexec/webmin/webmin/acme_tiny.py", line 199, in main     signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)   File "/usr/libexec/webmin/webmin/acme_tiny.py", line 109, in get_crt     raise ValueError("Error requesting challenges: {0} {1}".format(code, result)) ValueError: Error requesting challenges: 429 {   "type": "urn:acme:error:rateLimited",   "detail": "Error creating new authz :: Too many invalid authorizations recently.",   "status": 429 }

Status: 
Active

Comments

Submitted by JamieCameron on Wed, 05/03/2017 - 22:25

Does manual renewal succeed for these domains though?

Submitted by hescominsoon on Thu, 05/04/2017 - 21:31 Pro Licensee

no it does not....it also kicks the automated renewals again leading to the errors i posted.

Submitted by JamieCameron on Fri, 05/05/2017 - 11:46

Do you get any different error message when you try a manual renewal (after waiting a few hours) ?

My guess is that there's an underlying error which is preventing Let's Encrypt from working, but after this has been tried and failed a few times it then causes further attempts to be rate-limited.

Submitted by hescominsoon on Mon, 05/08/2017 - 07:09 Pro Licensee

trying a manual renewal of the renwal date only does nothing..no errors..the renwal date stays expired.
trying a mnaul certificate request gives me:

Requesting a certificate for troubadourjohn.com, www.troubadourjohn.com from Let's Encrypt .. .. request failed : Failed to request certificate : Parsing account key... Parsing CSR... Registering account... Already registered! Verifying www.troubadourjohn.com... Wrote file to /home/troubadourjohn/public_html/.well-known/acme-challenge/IEgNvwMRdbIslBg5dSm5kIwXN0FKh2GncFs8ljSng4c, but couldn't download http://www.troubadourjohn.com/.well-known/acme-challenge/IEgNvwMRdbIslBg... Traceback (most recent call last): File "/usr/libexec/webmin/webmin/acme_tiny.py", line 203, in main(sys.argv[1:]) File "/usr/libexec/webmin/webmin/acme_tiny.py", line 199, in main signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca) File "/usr/libexec/webmin/webmin/acme_tiny.py", line 154, in get_crt domain, challenge_status)) ValueError: www.troubadourjohn.com challenge did not pass: {u'status': u'invalid', u'validationRecord': [{u'url': u'http://www.troubadourjohn.com/.well-known/acme-challenge/IEgNvwMRdbIslBg...', u'hostname': u'www.troubadourjohn.com', u'addressUsed': u'199.15.253.2', u'port': u'80', u'addressesResolved': [u'199.15.253.2', u'2604:4100:2:7::14']}, {u'url': u'https://troubadourjohn.com/', u'hostname': u'troubadourjohn.com', u'addressUsed': u'199.15.253.2', u'port': u'443', u'addressesResolved': [u'199.15.253.2', u'2604:4100:2:7::14']}], u'keyAuthorization': u'IEgNvwMRdbIslBg5dSm5kIwXN0FKh2GncFs8ljSng4c.LYB6qTjH1r9315k-vWQMsAWs2Mg_34tH8eUqMbbzYRo', u'uri': u'https://acme-v01.api.letsencrypt.org/acme/challenge/w1igDE6YWD7phEmjhg_D...', u'token': u'IEgNvwMRdbIslBg5dSm5kIwXN0FKh2GncFs8ljSng4c', u'error': {u'status': 403, u'type': u'urn:acme:error:unauthorized', u'detail': u'Invalid response from http://www.troubadourjohn.com/.well-known/acme-challenge/IEgNvwMRdbIslBg... "\r\n\r\n<!--[if IE 8]>"'}, u'type': u'http-01'} <- Return to virtual server details

So LE is broken once again. it is getting to be very time intensive to have to continue to micromanage this program...

Submitted by andreychek on Mon, 05/08/2017 - 09:18

The error you're seeing above is indicated that the challenge file was created, but that it didn't pass.

When I try to access the challenge file that was created above, I'm redirected to the main web page of that particular domain.

I believe that's the issue -- that the challenge file isn't accessible.

Is there perhaps a redirect in a .htaccess file or in Apache that's redirecting away from the challenge file?

The file that's being created would need to be accessible to the public on the web, or Let's Encrypt won't be able to verify the SSL certificate.

Submitted by hescominsoon on Tue, 05/09/2017 - 19:49 Pro Licensee

nothing has changed in the domains this error is coming up in..the latest VM installation update is when this started.

Submitted by hescominsoon on Tue, 05/09/2017 - 19:54 Pro Licensee

aha. Remember the ticket i put in about some of my domains not going ot https inside of wordpress even when i tell wordpress to use https? I was then told to use the website redirect function..which i though was odd..but i did it. That was the issue. You cannot use the http to https redirect function inside for virt because it bombs LE. Looks like Virt has another bug.

Submitted by JamieCameron on Wed, 05/10/2017 - 00:36

This is a tricky one, as there's no way to turn off a redirect for a sub-path like /.well-known .

The next Webmin + Virtualmin releases will support DNS-based Let's Encrypt validation though as a fallback, which should avoid this (assuming Virtualmin hosts your DNS domain).

Submitted by mmoxnes on Wed, 05/10/2017 - 01:54 Pro Licensee

Hi I have the same error but I used the virtualmin redirect feature to force https on my owncloud. is there a way that during renewal you can turn off this redirect automatically, and the after a successful update turn it back on again? reason for asking is that I (at the moment) dont have my server as DNS server for the public.

Submitted by andreychek on Wed, 05/10/2017 - 08:01

mmoxnes, would the DNS option Jamie described above work for you?

Submitted by hescominsoon on Mon, 05/15/2017 - 15:24 Pro Licensee

still unreliable: Requesting a certificate for thepublicspectacle.com, www.thepublicspectacle.com from Let's Encrypt .. .. request failed : Failed to request certificate : Parsing account key... Parsing CSR... Registering account... Already registered! Verifying www.thepublicspectacle.com... Wrote file to /home/thepublicspectacle/public_html/.well-known/acme-challenge/YVq3WEmBf584niWYDRWEGhd29elge05UtAvZu6UfgKc, but couldn't download http://www.thepublicspectacle.com/.well-known/acme-challenge/YVq3WEmBf58... Traceback (most recent call last): File "/usr/libexec/webmin/webmin/acme_tiny.py", line 203, in main(sys.argv[1:]) File "/usr/libexec/webmin/webmin/acme_tiny.py", line 199, in main signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca) File "/usr/libexec/webmin/webmin/acme_tiny.py", line 154, in get_crt domain, challenge_status)) ValueError: www.thepublicspectacle.com challenge did not pass: {u'status': u'invalid', u'validationRecord': [{u'addressesResolved': [u'98.138.19.143'], u'url': u'http://www.thepublicspectacle.com/.well-known/acme-challenge/YVq3WEmBf58...', u'hostname': u'www.thepublicspectacle.com', u'addressesTried': [], u'addressUsed': u'98.138.19.143', u'port': u'80'}], u'keyAuthorization': u'YVq3WEmBf584niWYDRWEGhd29elge05UtAvZu6UfgKc.LYB6qTjH1r9315k-vWQMsAWs2Mg_34tH8eUqMbbzYRo', u'uri': u'https://acme-v01.api.letsencrypt.org/acme/challenge/dnTncUAs3fFldluDEoxL...', u'token': u'YVq3WEmBf584niWYDRWEGhd29elge05UtAvZu6UfgKc', u'error': {u'status': 403, u'type': u'urn:acme:error:unauthorized', u'detail': u'Invalid response from http://www.thepublicspectacle.com/.well-known/acme-challenge/YVq3WEmBf58... [98.138.19.143]: 400'}, u'type': u'http-01'}

Submitted by hescominsoon on Mon, 05/15/2017 - 15:26 Pro Licensee

I tried manually renewing and doing only a renewal of the expiration..both failed.

Submitted by hescominsoon on Mon, 05/15/2017 - 15:28 Pro Licensee

trying ot use only update renewal results in nothing..the page goes back to the certificate management area for the domain with zero results.

Submitted by hescominsoon on Mon, 05/15/2017 - 15:34 Pro Licensee

ok got it fixed..:)

Submitted by andreychek on Mon, 05/15/2017 - 16:19

Glad to hear it's working now!

Feel free to let us know if you have any additional questions.