Let's Encrypt certificate! - fail

Hi, I am trying to set up a server for the first time.

Hardware: Raspberry Pi 3 at home

YunoHost version: (stable).
I have access to my server : Through SSH and through Mozilla Firefox web browser on LAN

I have an active free domain to learn how things work before I rebuild the server for a small club of external users.

Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : no

Description of my issue

I am trying to build a server to give secure access to plans and documents for a club of users external to my LAN. The server will reside either at my home or later at the club building which has internet access.

I can access the Yunohost server from any device on my LAN.
My Android phone with WIFI OFF - Web browser complains it is not safe and will not give access. I tried to launch Let’s Encrypt certificate!, but it fails.

I am doing something stupid, but I do not know where to start looking to correct it. Please can you provide some guidance?

Many thanks for such a great forum.

force: false
no_checks: false
staging: false
ended_at: 2019-09-21 17:26:39.681618
error: 'Certificate installation for alctjpccgm.tk failed !

Exception: Signing the new certificate failed’
operation: letsencrypt_cert_install

    • domain
    • alctjpccgm.tk
      started_at: 2019-09-21 17:26:11.892542
      success: false


2019-09-21 18:26:11,901: DEBUG - Nginx configuration file for ACME challenge already exists for domain, skipping.
2019-09-21 18:26:11,904: DEBUG - Making sure tmp folders exists…
2019-09-21 18:26:12,155: DEBUG - Could not get public IPv6 : Invalid url https://ip6.yunohost.org (does this site exists?)
2019-09-21 18:26:12,158: DEBUG - Prepare key and certificate signing request (CSR) for alctjpccgm.tk…
2019-09-21 18:26:22,934: DEBUG - Saving to /tmp/acme-challenge-private/alctjpccgm.tk.csr.
2019-09-21 18:26:22,936: DEBUG - Now using ACME Tiny to sign the certificate…
2019-09-21 18:26:22,937: INFO - Parsing account key…
2019-09-21 18:26:22,995: INFO - Parsing CSR…
2019-09-21 18:26:23,030: INFO - Found domains: alctjpccgm.tk
2019-09-21 18:26:23,032: INFO - Getting directory…
2019-09-21 18:26:23,418: INFO - Directory found!
2019-09-21 18:26:23,422: INFO - Registering account…
2019-09-21 18:26:24,321: INFO - Already registered!
2019-09-21 18:26:24,323: INFO - Creating new order…
2019-09-21 18:26:25,317: INFO - Order created!
2019-09-21 18:26:25,606: INFO - Verifying alctjpccgm.tk…
2019-09-21 18:26:39,144: ERROR - Challenge did not pass for alctjpccgm.tk: {u’status’: u’invalid’, u’challenges’: [{u’status’: u’invalid’, u’validationRecord’: [{u’url’: u’http://alctjpccgm.tk/.well-known/acme-challenge/9PMxvrpxtZ4D4LM9rd3Mj0d0vBcV4DD_M6vcxEFUS5M’, u’hostname’: u’alctjpccgm.tk’, u’addressUsed’: u’’, u’port’: u’80’, u’addressesResolved’: [u’’]}], u’url’: u’https://acme-v02.api.letsencrypt.org/acme/chall-v3/443646495/N2PBJw’, u’token’: u’9PMxvrpxtZ4D4LM9rd3Mj0d0vBcV4DD_M6vcxEFUS5M’, u’error’: {u’status’: 400, u’type’: u’urn:ietf:params:acme:error:connection’, u’detail’: u’Fetching http://alctjpccgm.tk/.well-known/acme-challenge/9PMxvrpxtZ4D4LM9rd3Mj0d0vBcV4DD_M6vcxEFUS5M: Timeout during connect (likely firewall problem)’}, u’type’: u’http-01’}, {u’status’: u’invalid’, u’url’: u’https://acme-v02.api.letsencrypt.org/acme/chall-v3/443646495/jjBEvg’, u’token’: u’9PMxvrpxtZ4D4LM9rd3Mj0d0vBcV4DD_M6vcxEFUS5M’, u’type’: u’dns-01’}, {u’status’: u’invalid’, u’url’: u’https://acme-v02.api.letsencrypt.org/acme/chall-v3/443646495/82nXTw’, u’token’: u’9PMxvrpxtZ4D4LM9rd3Mj0d0vBcV4DD_M6vcxEFUS5M’, u’type’: u’tls-alpn-01’}], u’identifier’: {u’type’: u’dns’, u’value’: u’alctjpccgm.tk’}, u’expires’: u’2019-09-28T17:26:25Z’}
2019-09-21 18:26:39,433: WARNING - Debug information:

  • domain ip from DNS
  • domain ip from local DNS
  • public ip of the server

2019-09-21 18:26:39,678: WARNING - Debug information:

  • domain ip from DNS
  • domain ip from local DNS
  • public ip of the server

2019-09-21 18:26:39,680: ERROR - Certificate installation for alctjpccgm.tk failed !
Exception: Signing the new certificate failed

Hmmmwell from my side, your domain correctly resolve to an IP (should be double checked if it’s indeed yours) but the IP doesn’t ping nor doesn’t answer http requests … So not sure how your smartphone does access any webpage at all, but my guess would be that you did not configure port forwarding (c.f. https://yunohost.org/isp_box_config ) ?

Yes. As @Aleks says. You need to have port 80 forwarded to your machine from the outside in your router so that Letsencrypt can do the challenge/response. Port 443 ist not enough.

You could do this in your router individually for every port forwarding or you could declare your Raspberry pi as an exposed host and all ports are forwarded through the NAT.

Hi Alex and Mad,

Great advice. I thought I had done this on my router. I will check during my coffee break and try again.
Many thanks

1 Like

Hi Alex and Mad
Here is the routing table
HTTP 80 80 Both
HTTPS 443 443 Both
SSH 22 22 Both
SMTP 25 25 TCP

I will take another look at my DNS entries. I have re-read information on this topic and while the entries were accepted, I am not sure if I made a mistake…
Many thanks again.
I will get back to you with the result

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.