Forum
letsencrypt - polling timed out
Luis Mendes
17 August 2018, 23:15
I'm trying to renew the certificate, for the first time, but something seems not to be working fine.
Also tried with RENEWAL_REUSE_KEY = true
Could it be something in the firewall? It's strange because `request` worked fine.
Any ideas?
>./letsencrypt renew
Renewing certificate for mysite.pt.
Generating RSA key.
Generating Certificate Signing Request (CSR).
Ordering certificate.
Getting authorization challenge for mysite.pt.
- Creating reponse for authorization challenge.
- Requesting authorization for host.
- Polling authorization status......
- Polling timed out.
Renewing certificate for mysite.pt.
Generating RSA key.
Generating Certificate Signing Request (CSR).
Ordering certificate.
Getting authorization challenge for mysite.pt.
- Creating reponse for authorization challenge.
- Requesting authorization for host.
- Polling authorization status......
- Polling timed out.
>cat /root/.letsencrypt/letsencrypt.conf
# Account settings
#
ACCOUNT_RSA_KEY_SIZE = 2048
ACCOUNT_EMAIL_ADDRESS = my@gmail.com
# Hiawatha settings
#
HIAWATHA_CONFIG_DIR = /usr/local/etc/hiawatha
HIAWATHA_CERT_DIR = {HIAWATHA_CONFIG_DIR}/tls
HIAWATHA_RESTART_COMMAND = /usr/local/etc/rc.d/hiawatha restart
# Certificate settings
#
CERTIFICATE_RSA_KEY_SIZE = 2048
# Renewal settings
#
RENEWAL_EXPIRE_THRESHOLD = 17 # number of days
RENEWAL_REUSE_KEY = false
RENEWAL_SCRIPT_DIR = scripts
# Let's Encrypt API settings
#
LE_CA_HOSTNAME = acme-v02.api.letsencrypt.org # Production
#LE_CA_HOSTNAME = acme-staging-v02.api.letsencrypt.org # Testing
LE_ISSUERS = Let's Encrypt Authority X3 \
Let's Encrypt Authority X4
Also tried with RENEWAL_REUSE_KEY = true
Could it be something in the firewall? It's strange because `request` worked fine.
Any ideas?
Hugo Leisink
21 August 2018, 21:48
The 'Getting authorization challenge for mysite.pt.' is where the Let's Encrypt server tries to connect to your website. Is it accessible? It could also be a temporary Let's Encrypt issue. Happens also to me once in a while. Try again in an hour.
Luis Mendes
22 August 2018, 19:57
The site is accessible.
Here's the last part of the debug log, maybe it can shadow a hint about what is not right.
Here's the last part of the debug log, maybe it can shadow a hint about what is not right.
GET /acme/authz/GXa0yULusIeOOmz9yVrXBos2NvUBmxyxf6vAW2P_ONg
Server response: array(3) {
["status"] => int(200)
["headers"] => array(10) {
["server"] => string(5) "nginx"
["content-type"] => string(16) "application/json"
["content-length"] => string(4) "1939"
["x-frame-options"] => string(4) "DENY"
["strict-transport-security"] => string(14) "max-age=604800"
["expires"] => string(29) "Wed, 22 Aug 2018 17:44:28 GMT"
["cache-control"] => string(29) "max-age=0, no-cache, no-store"
["pragma"] => string(8) "no-cache"
["date"] => string(29) "Wed, 22 Aug 2018 17:44:28 GMT"
["connection"] => string(5) "close"
}
["body"] => string(1939) "{
"identifier": {
"type": "dns",
"value": "mysite.pt"
},
"status": "invalid",
"expires": "2018-08-29T17:44:14Z",
"challenges": [
{
"type": "tls-sni-01",
"status": "invalid",
"url": "https://acme-v02.api.letsencrypt.org/acme/challenge/GXa0yULusIeOOmz9yVrXBos2NvUBmxyxf6vAW2P_ONg/6689620606",
"token": "PADZOoAVTI0Lq_rt2tZf_pzvYcAa7n7-o9U9xUIskkY"
},
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "Invalid response from http://mysite.pt/.well-known/acme-challenge/a7j_h7YwVbSmb_Mbe16QHv4I1JWCFqtSLHjgsHn4wYs: \"\u003c!DOCTYPE html\u003e\n\u003chtml\u003e\n\u003chead\u003e\n\u003ctitle\u003e404 - Not Found\u003c/title\u003e\n\u003cmeta name=\"viewport\" content=\"width=device-width, initial-scale=1\"\"",
"status": 403
},
"url": "https://acme-v02.api.letsencrypt.org/acme/challenge/GXa0yULusIeOOmz9yVrXBos2NvUBmxyxf6vAW2P_ONg/6689620607",
"token": "a7j_h7YwVbSmb_Mbe16QHv4I1JWCFqtSLHjgsHn4wYs",
"validationRecord": [
{
"url": "http://mysite.pt/.well-known/acme-challenge/a7j_h7YwVbSmb_Mbe16QHv4I1JWCFqtSLHjgsHn4wYs",
"hostname": "mysite.pt",
"port": "80",
"addressesResolved": [
"80.211.146.83"
],
"addressUsed": "80.211.146.83"
}
]
},
{
"type": "dns-01",
"status": "invalid",
"url": "https://acme-v02.api.letsencrypt.org/acme/challenge/GXa0yULusIeOOmz9yVrXBos2NvUBmxyxf6vAW2P_ONg/6689620608",
"token": "2_CQVQ3yzxE4sU1lrAld2R3i9bdzlBa8qB6jKLC8rvA"
},
{
"type": "tls-alpn-01",
"status": "invalid",
"url": "https://acme-v02.api.letsencrypt.org/acme/challenge/GXa0yULusIeOOmz9yVrXBos2NvUBmxyxf6vAW2P_ONg/6689620609",
"token": "fJ12bLA8Zf2gZTySHCqy7V8RLsC7AL0xWIqkOX1ayJA"
}
]
}"
}
Hugo Leisink
24 August 2018, 00:46
For some reason, the challenge file was not written. Is your server directly connected to the internet? Or is there a reverse proxy in between?
Luis Mendes
24 August 2018, 01:46
There's a reverse proxy in between, another Hiawatha instance working in the host.
Hugo Leisink
28 August 2018, 09:36
You should do the letsencrypt stuff at that reverse proxy. That's the server the Let's Encrypt server will be connecting to. And that's the server the certificate must be installed on.
This topic has been closed.
Copyright © by Hugo Leisink. All rights reserved.
Built upon the Banshee PHP framework.
Built upon the Banshee PHP framework.
