letsencrypt - polling timed out

Luis Mendes
17 August 2018, 23:15
I'm trying to renew the certificate, for the first time, but something seems not to be working fine.

>./letsencrypt renew
Renewing certificate for mysite.pt.
Generating RSA key.
Generating Certificate Signing Request (CSR).
Ordering certificate.
Getting authorization challenge for mysite.pt.
- Creating reponse for authorization challenge.
- Requesting authorization for host.
- Polling authorization status......
- Polling timed out.
Renewing certificate for mysite.pt.
Generating RSA key.
Generating Certificate Signing Request (CSR).
Ordering certificate.
Getting authorization challenge for mysite.pt.
- Creating reponse for authorization challenge.
- Requesting authorization for host.
- Polling authorization status......
- Polling timed out.



>cat /root/.letsencrypt/letsencrypt.conf 
# Account settings
#
ACCOUNT_RSA_KEY_SIZE = 2048
ACCOUNT_EMAIL_ADDRESS = my@gmail.com

# Hiawatha settings
#
HIAWATHA_CONFIG_DIR = /usr/local/etc/hiawatha
HIAWATHA_CERT_DIR = {HIAWATHA_CONFIG_DIR}/tls
HIAWATHA_RESTART_COMMAND = /usr/local/etc/rc.d/hiawatha restart

# Certificate settings
#
CERTIFICATE_RSA_KEY_SIZE = 2048

# Renewal settings
#
RENEWAL_EXPIRE_THRESHOLD = 17 # number of days
RENEWAL_REUSE_KEY = false
RENEWAL_SCRIPT_DIR = scripts

# Let's Encrypt API settings
#
LE_CA_HOSTNAME = acme-v02.api.letsencrypt.org # Production
#LE_CA_HOSTNAME = acme-staging-v02.api.letsencrypt.org # Testing
LE_ISSUERS = Let's Encrypt Authority X3 \
Let's Encrypt Authority X4


Also tried with RENEWAL_REUSE_KEY = true

Could it be something in the firewall? It's strange because `request` worked fine.
Any ideas?
Hugo Leisink
21 August 2018, 21:48
The 'Getting authorization challenge for mysite.pt.' is where the Let's Encrypt server tries to connect to your website. Is it accessible? It could also be a temporary Let's Encrypt issue. Happens also to me once in a while. Try again in an hour.
Luis Mendes
22 August 2018, 19:57
The site is accessible.
Here's the last part of the debug log; maybe it can shed some light on what is not right.

GET /acme/authz/GXa0yULusIeOOmz9yVrXBos2NvUBmxyxf6vAW2P_ONg
Server response: array(3) {
["status"] => int(200)
["headers"] => array(10) {
["server"] => string(5) "nginx"
["content-type"] => string(16) "application/json"
["content-length"] => string(4) "1939"
["x-frame-options"] => string(4) "DENY"
["strict-transport-security"] => string(14) "max-age=604800"
["expires"] => string(29) "Wed, 22 Aug 2018 17:44:28 GMT"
["cache-control"] => string(29) "max-age=0, no-cache, no-store"
["pragma"] => string(8) "no-cache"
["date"] => string(29) "Wed, 22 Aug 2018 17:44:28 GMT"
["connection"] => string(5) "close"
}
["body"] => string(1939) "{
"identifier": {
"type": "dns",
"value": "mysite.pt"
},
"status": "invalid",
"expires": "2018-08-29T17:44:14Z",
"challenges": [
{
"type": "tls-sni-01",
"status": "invalid",
"url": "https://acme-v02.api.letsencrypt.org/acme/challenge/GXa0yULusIeOOmz9yVrXBos2NvUBmxyxf6vAW2P_ONg/6689620606",
"token": "PADZOoAVTI0Lq_rt2tZf_pzvYcAa7n7-o9U9xUIskkY"
},
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "Invalid response from http://mysite.pt/.well-known/acme-challenge/a7j_h7YwVbSmb_Mbe16QHv4I1JWCFqtSLHjgsHn4wYs: \"\u003c!DOCTYPE html\u003e\n\u003chtml\u003e\n\u003chead\u003e\n\u003ctitle\u003e404 - Not Found\u003c/title\u003e\n\u003cmeta name=\"viewport\" content=\"width=device-width, initial-scale=1\"\"",
"status": 403
},
"url": "https://acme-v02.api.letsencrypt.org/acme/challenge/GXa0yULusIeOOmz9yVrXBos2NvUBmxyxf6vAW2P_ONg/6689620607",
"token": "a7j_h7YwVbSmb_Mbe16QHv4I1JWCFqtSLHjgsHn4wYs",
"validationRecord": [
{
"url": "http://mysite.pt/.well-known/acme-challenge/a7j_h7YwVbSmb_Mbe16QHv4I1JWCFqtSLHjgsHn4wYs",
"hostname": "mysite.pt",
"port": "80",
"addressesResolved": [
"80.211.146.83"
],
"addressUsed": "80.211.146.83"
}
]
},
{
"type": "dns-01",
"status": "invalid",
"url": "https://acme-v02.api.letsencrypt.org/acme/challenge/GXa0yULusIeOOmz9yVrXBos2NvUBmxyxf6vAW2P_ONg/6689620608",
"token": "2_CQVQ3yzxE4sU1lrAld2R3i9bdzlBa8qB6jKLC8rvA"
},
{
"type": "tls-alpn-01",
"status": "invalid",
"url": "https://acme-v02.api.letsencrypt.org/acme/challenge/GXa0yULusIeOOmz9yVrXBos2NvUBmxyxf6vAW2P_ONg/6689620609",
"token": "fJ12bLA8Zf2gZTySHCqy7V8RLsC7AL0xWIqkOX1ayJA"
}
]
}"
}
Hugo Leisink
24 August 2018, 00:46
For some reason, the challenge file was not written. Is your server directly connected to the internet? Or is there a reverse proxy in between?
Luis Mendes
24 August 2018, 01:46
There's a reverse proxy in between, another Hiawatha instance working in the host.
Hugo Leisink
28 August 2018, 09:36
You should do the letsencrypt stuff at that reverse proxy. That's the server the Let's Encrypt server will be connecting to. And that's the server the certificate must be installed on.
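The debug log above already contains the answer Hugo gives, and the two pieces of it worth reading are easy to miss: the `http-01` challenge's `validationRecord` shows which address the CA actually connected to, and the `detail` string quotes what that host returned (here an HTML 404 page instead of the token). The `"status": 403` inside the `error` object is the HTTP status of the ACME problem document, not the status the web server answered with; the 404 is only visible inside `detail`. The script below is an added example, not code from the Hiawatha letsencrypt script or from this thread: it pulls those fields out of an authorization object (a constructed sample shaped like the one posted, with a documentation IP), classifies the failure, and computes the key authorization the CA expects at `/.well-known/acme-challenge/<token>` (RFC 8555: `token.thumbprint`, thumbprint per RFC 7638) so that a response fetched through the public entry point can be compared before the CA is asked to validate. The sample JWK and token values are made up.

```python
"""Diagnose a failed ACME v2 authorization and pre-check an http-01 response.

Added example (stdlib only). The authorization object and JWK below are
constructed samples modelled on the debug output in the thread; they are not
real CA responses or real keys.
"""
import base64
import hashlib
import json

# Constructed: same shape as the CA's authorization object, RFC 5737 test address.
SAMPLE_AUTHZ = {
    "identifier": {"type": "dns", "value": "mysite.pt"},
    "status": "invalid",
    "challenges": [
        {"type": "tls-alpn-01", "status": "invalid", "token": "tokA"},
        {
            "type": "http-01",
            "status": "invalid",
            "token": "tokB",
            "error": {
                "type": "urn:ietf:params:acme:error:unauthorized",
                "detail": 'Invalid response from http://mysite.pt/.well-known/acme-challenge/tokB: '
                          '"<!DOCTYPE html><html><head><title>404 - Not Found</title>"',
                "status": 403,  # HTTP status of the problem document, not of the fetched page
            },
            "validationRecord": [{
                "url": "http://mysite.pt/.well-known/acme-challenge/tokB",
                "hostname": "mysite.pt", "port": "80",
                "addressesResolved": ["192.0.2.10"], "addressUsed": "192.0.2.10",
            }],
        },
        {"type": "dns-01", "status": "invalid", "token": "tokC"},
    ],
}

# Constructed RSA public JWK (modulus is placeholder data, enough for a thumbprint).
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "sXchDaQebHnPiGvyDOAT4saGEUetSyo9MKLOoWFsueri23bOdgWp4Dy1Wl"}


def failed_challenges(authz):
    """Return one record per challenge that carries an error, with the address the CA used."""
    out = []
    for ch in authz.get("challenges", []):
        err = ch.get("error")
        if not err:
            continue  # challenges the CA never attempted carry no error object
        records = ch.get("validationRecord") or [{}]
        out.append({
            "type": ch["type"],
            "error_type": err.get("type", ""),
            "detail": err.get("detail", ""),
            "address_used": records[-1].get("addressUsed"),  # last hop the CA talked to
        })
    return out


def diagnose(authz):
    """Classify the http-01 failure: host unreachable, or reached but token not served."""
    for c in failed_challenges(authz):
        if c["type"] != "http-01":
            continue
        if c["error_type"].endswith(":connection"):
            verdict = "unreachable"          # nothing answered on port 80 at address_used
        elif "404" in c["detail"] or "Not Found" in c["detail"]:
            verdict = "not_served"           # a web server answered, but not with the token:
                                             # the file was written on a different host/webroot
        else:
            verdict = "other"
        return {"verdict": verdict, "address_used": c["address_used"], "detail": c["detail"]}
    return {"verdict": "no_http01_error", "address_used": None, "detail": ""}


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: the exact body the CA expects at /.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def check_http01_body(token: str, account_jwk: dict, fetched_body: str) -> bool:
    """Pre-flight: fetch the challenge URL through the public entry point yourself,
    then compare the body (trailing whitespace ignored) with the key authorization."""
    return fetched_body.strip() == key_authorization(token, account_jwk)


if __name__ == "__main__":
    print(diagnose(SAMPLE_AUTHZ))
    print(key_authorization("tokB", SAMPLE_JWK))
```

On a setup like the one in this thread, `diagnose` returns `not_served` with the proxy's address in `address_used`: the CA reached the reverse proxy, which had no such file and returned its own 404 page, while the token had been written to the webroot of the back-end Hiawatha instance. Running `check_http01_body` against a body fetched from the public address (with the token written by hand) before the real renewal shows the same problem without burning the CA's failed-validation rate limits.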
This topic has been closed.