Certbot: Plugin autônomo ignora a porta que pedi para ser usada

Criado em 29 ago. 2018 · 3Comentários · Fonte: certbot/certbot

Se você está tendo problemas para usar o Certbot e não tem certeza de que encontrou um bug ou
solicitação de um novo recurso, tente primeiro pedir ajuda em
https://community.letsencrypt.org/. Há uma comunidade muito maior lá de
pessoas familiarizadas com o projeto que poderão responder mais rapidamente às suas
perguntas.

Meu sistema operacional é (incluir versão):

Linux openvpn1.ismyservice.space 4.4.0-134-generic #160-Ubuntu SMP Wed Aug 15 14:58:00 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

certbot 0.26.1

Eu instalei o Certbot com (certbot-auto, gerenciador de pacotes do SO, pip, etc):

Ubuntu package maanger

Eu executei este comando e ele produziu esta saída:

sudo certbot certonly --standalone --non-interactive  --preferred-challenge http-01 
   --http-01-port 10000 --agree-tos 
   --email [email protected] --domains realtebo.example.com 
   --pre-hook 'sudo service webmin stop' 
   --post-hook 'sudo service webmin start' 
   --staging --dry-run

 Domain: realtebo.example.com
 Type:   connection
 Detail: Fetching
 http://realtebo.example.com/.well-known/acme-challenge/DbE18Iyfud0xBRtrfvz-ILifSzqV-7GoV5uRAyuNYRw:
 Timeout during connect (likely firewall problem)

O comportamento do Certbot foi diferente do que eu esperava porque:

O firewall é aberto na porta 10000. Quando o certbot termina, ele reinicia o webmin, que está sendo executado na mesma porta. Eu posso me conectar ao webmin de fora usando a porta 10000 sem nenhum problema
Veja o log no ponto a seguir; O certbot está iniciando seu servidor web autônomo na porta 10000, e está tudo bem, mas está usando a porta 80 para o desafio!

Aqui está um log do Certbot mostrando o problema (se disponível):

Os logs são armazenados em `/var/log/letsencrypt` por padrão. Sinta-se à vontade para redigir domínios, e-mail e endereços IP como achar melhor.

2018-08-29 13:56:27,322:DEBUG:certbot.main:certbot version: 0.26.1
2018-08-29 13:56:27,322:DEBUG:certbot.main:Arguments: ['--standalone', '--non-interactive', '--preferred-challenge', 'http-01', '--http-01-port', '10000', '--agree-tos', '--email', '[email protected]', '--domains', 'realtebo.example.com', '--pre-hook', 'sudo service webmin stop', '--post-hook', 'sudo service webmin start', '--staging', '--dry-run']
2018-08-29 13:56:27,323:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2018-08-29 13:56:27,330:DEBUG:certbot.log:Root logging level set at 20
2018-08-29 13:56:27,331:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2018-08-29 13:56:27,332:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer None
2018-08-29 13:56:27,540:DEBUG:certbot.plugins.selection:Single candidate plugin: * standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator
Initialized: <certbot.plugins.standalone.Authenticator object at 0x7f3a5b6006d8>
Prep: True
2018-08-29 13:56:27,540:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.standalone.Authenticator object at 0x7f3a5b6006d8> and installer None
2018-08-29 13:56:27,541:INFO:certbot.plugins.selection:Plugins selected: Authenticator standalone, Installer None
2018-08-29 13:56:27,544:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(terms_of_service=None, uri='https://acme-staging-v02.api.letsencrypt.org/acme/acct/6829761', new_authzr_uri=None, body=Registration(contact=(), status=None, terms_of_service_agreed=None, key=None, only_return_existing=None, agreement=None)), 79b142d506837dc821d95200358290de, Meta(creation_host='realtebo.example.com', creation_dt=datetime.datetime(2018, 8, 29, 11, 29, 47, tzinfo=<UTC>)))>
2018-08-29 13:56:27,545:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
2018-08-29 13:56:27,547:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
2018-08-29 13:56:27,847:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 724
2018-08-29 13:56:27,848:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 724
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 29 Aug 2018 11:56:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 29 Aug 2018 11:56:27 GMT
Connection: keep-alive

{
  "drsHm9_JSMQ": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org/docs/staging-environment/"
  },
  "newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert"
}
2018-08-29 13:56:27,849:INFO:certbot.hooks:Running pre-hook command: sudo service webmin stop
2018-08-29 13:56:27,957:INFO:certbot.main:Obtaining a new certificate
2018-08-29 13:56:27,999:DEBUG:acme.client:Requesting fresh nonce
2018-08-29 13:56:28,000:DEBUG:acme.client:Sending HEAD request to https://acme-staging-v02.api.letsencrypt.org/acme/new-order.
2018-08-29 13:56:28,261:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "HEAD /acme/new-order HTTP/1.1" 405 0
2018-08-29 13:56:28,262:DEBUG:acme.client:Received response:
HTTP 405
Server: nginx
Content-Type: application/problem+json
Content-Length: 103
Allow: POST
Replay-Nonce: WnqBHl9ZAJ8NdQnttV0FJQHxefu-O3op92NR8uFoMtg
Expires: Wed, 29 Aug 2018 11:56:28 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 29 Aug 2018 11:56:28 GMT
Connection: keep-alive


2018-08-29 13:56:28,262:DEBUG:acme.client:Storing nonce: WnqBHl9ZAJ8NdQnttV0FJQHxefu-O3op92NR8uFoMtg
2018-08-29 13:56:28,263:DEBUG:acme.client:JWS payload:
b'{\n  "status": "pending",\n  "resource": "new-order",\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "realtebo.example.com"\n    }\n  ]\n}'
2018-08-29 13:56:28,266:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJub25jZSI6ICJXbnFCSGw5WkFKOE5kUW50dFYwRkpRSHhlZnUtTzNvcDkyTlI4dUZvTXRnIiwgImFsZyI6ICJSUzI1NiIsICJraWQiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hY2N0LzY4Mjk3NjEiLCAidXJsIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvbmV3LW9yZGVyIn0",
  "signature": "O_HrIU4h2mWDEOZJdvBdZLKBEkVSd2b3gj08iSImg6NSbu8N79ff75nksKnqeCr_vb1vPx-RPgsAU3B3P7gxilOV3kuGMHiA0kRIq36BiZeAm5Y4gQWGXAh263CBm5EZpGpUn5yx_MVLoy4mioZ-Tf8MLMYflKwTvtRre3xLjlZuXDlf1chGebgw9yXD_fJWsdzVR1jwv_JOtBAlTnHGHmfntlWPNuJqFCusdfSF9Itu2ttQBDbSLbi72yxqb1S9ZLD1XoQw_pkSI0VDRdhdcjamAfsomfueJ_kJvFV6rrS0OUUzXpPCprnyRFKljrHrco9Kn6VpxtK7qNK50E0BlQ",
  "payload": "ewogICJzdGF0dXMiOiAicGVuZGluZyIsCiAgInJlc291cmNlIjogIm5ldy1vcmRlciIsCiAgImlkZW50aWZpZXJzIjogWwogICAgewogICAgICAidHlwZSI6ICJkbnMiLAogICAgICAidmFsdWUiOiAidnBubWlya28uaXNteXNlcnZpY2Uuc3BhY2UiCiAgICB9CiAgXQp9"
}
2018-08-29 13:56:28,606:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 398
2018-08-29 13:56:28,607:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 398
Boulder-Requester: 6829761
Location: https://acme-staging-v02.api.letsencrypt.org/acme/order/6829761/6638025
Replay-Nonce: b-xmrBO3u6xWnQ3X-pjscz3-5UW-tY-cIy-rHHRFCjw
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 29 Aug 2018 11:56:28 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 29 Aug 2018 11:56:28 GMT
Connection: keep-alive

{
  "status": "pending",
  "expires": "2018-09-05T11:56:28.394993245Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "realtebo.example.com"
    }
  ],
  "authorizations": [
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE"
  ],
  "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/6829761/6638025"
}
2018-08-29 13:56:28,607:DEBUG:acme.client:Storing nonce: b-xmrBO3u6xWnQ3X-pjscz3-5UW-tY-cIy-rHHRFCjw
2018-08-29 13:56:28,608:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/acme/authz/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE.
2018-08-29 13:56:28,852:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "GET /acme/authz/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE HTTP/1.1" 200 939
2018-08-29 13:56:28,853:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 939
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 29 Aug 2018 11:56:28 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 29 Aug 2018 11:56:28 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "realtebo.example.com"
  },
  "status": "pending",
  "expires": "2018-09-05T11:56:28Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE/164854448",
      "token": "r_EGiMDAA18pVLDSiEqPUIQe57RTnH79YxN65ybsLHg"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE/164854449",
      "token": "qDoGsuxMNdrihAuIbetnBFTSqz6uSyTYX-Jm_JW3xKc"
    },
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE/164854450",
      "token": "nJANiwx4dXcJ5lnw-fVjdHyv7ZWop9GYf20pM7zl2ow"
    }
  ]
}
2018-08-29 13:56:28,854:INFO:certbot.auth_handler:Performing the following challenges:
2018-08-29 13:56:28,854:INFO:certbot.auth_handler:http-01 challenge for realtebo.example.com
2018-08-29 13:56:28,855:DEBUG:acme.standalone:Successfully bound to :10000 using IPv6
2018-08-29 13:56:28,855:DEBUG:acme.standalone:Certbot wasn't able to bind to :10000 using IPv4, this is often expected due to the dual stack nature of IPv6 socket implementations.
2018-08-29 13:56:28,859:INFO:certbot.auth_handler:Waiting for verification...
2018-08-29 13:56:28,859:DEBUG:acme.client:JWS payload:
b'{\n  "resource": "challenge",\n  "type": "http-01",\n  "keyAuthorization": "nJANiwx4dXcJ5lnw-fVjdHyv7ZWop9GYf20pM7zl2ow.RbQZDrhcRU5z3T8Ak72neNkXe8hh9D5yKNV-PomuANo"\n}'
2018-08-29 13:56:28,861:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/challenge/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE/164854450:
{
  "protected": "eyJub25jZSI6ICJiLXhtckJPM3U2eFduUTNYLXBqc2N6My01VVctdFktY0l5LXJISFJGQ2p3IiwgImFsZyI6ICJSUzI1NiIsICJraWQiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hY2N0LzY4Mjk3NjEiLCAidXJsIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvY2hhbGxlbmdlL0Iyc0kwSkFCbWd6VllFWURkOUNGbEZRTjNwWHRIaVBnMWtXYTFjZThnU0UvMTY0ODU0NDUwIn0",
  "signature": "db4xpVwufNdIrQ0jScXiOz4QZyHbtYvUAWiH91JSd4yhdjLHNyF80KQR71a9xkZy2F_dGfZWrPiJym7R9soQrMcSwlC6d2e-1nshJNrb7iLju2CfHBiDPK4LwD6epICxH-cgT4ANafTHEWJIUmnxUVLzfa9uZ1inUboMaZw6G9jCA_P7KKsPVaX76BF-laDi882knktzdOHe1o74bMdumgTwrfhHrFK2S6GP-ZHufdghShV71X7NhK0tJjpoDR09B8NTysCgkNg787i7rIfYbftrY_QESLjQxSsYHG6k3vqBeGWaJ-KBJkCvgU2jb8b8jJB43G9IUsXDQYDnkG9lcg",
  "payload": "ewogICJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiLAogICJ0eXBlIjogImh0dHAtMDEiLAogICJrZXlBdXRob3JpemF0aW9uIjogIm5KQU5pd3g0ZFhjSjVsbnctZlZqZEh5djdaV29wOUdZZjIwcE03emwyb3cuUmJRWkRyaGNSVTV6M1Q4QWs3Mm5lTmtYZThoaDlENXlLTlYtUG9tdUFObyIKfQ"
}
2018-08-29 13:56:29,151:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/challenge/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE/164854450 HTTP/1.1" 200 230
2018-08-29 13:56:29,151:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 230
Boulder-Requester: 6829761
Link: <https://acme-staging-v02.api.letsencrypt.org/acme/authz/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE>;rel="up"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/challenge/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE/164854450
Replay-Nonce: NNtlhuo7zvSfZnilaDdPb-CF7pWHLmSB-Dk6qloCttM
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 29 Aug 2018 11:56:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 29 Aug 2018 11:56:29 GMT
Connection: keep-alive

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE/164854450",
  "token": "nJANiwx4dXcJ5lnw-fVjdHyv7ZWop9GYf20pM7zl2ow"
}
2018-08-29 13:56:29,152:DEBUG:acme.client:Storing nonce: NNtlhuo7zvSfZnilaDdPb-CF7pWHLmSB-Dk6qloCttM
2018-08-29 13:56:32,155:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/acme/authz/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE.
2018-08-29 13:56:32,387:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "GET /acme/authz/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE HTTP/1.1" 200 939
2018-08-29 13:56:32,388:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 939
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 29 Aug 2018 11:56:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 29 Aug 2018 11:56:32 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "realtebo.example.com"
  },
  "status": "pending",
  "expires": "2018-09-05T11:56:28Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE/164854448",
      "token": "r_EGiMDAA18pVLDSiEqPUIQe57RTnH79YxN65ybsLHg"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE/164854449",
      "token": "qDoGsuxMNdrihAuIbetnBFTSqz6uSyTYX-Jm_JW3xKc"
    },
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE/164854450",
      "token": "nJANiwx4dXcJ5lnw-fVjdHyv7ZWop9GYf20pM7zl2ow"
    }
  ]
}
2018-08-29 13:56:35,392:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/acme/authz/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE.
2018-08-29 13:56:35,666:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "GET /acme/authz/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE HTTP/1.1" 200 939
2018-08-29 13:56:35,666:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 939
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 29 Aug 2018 11:56:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 29 Aug 2018 11:56:35 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "realtebo.example.com"
  },
  "status": "pending",
  "expires": "2018-09-05T11:56:28Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE/164854448",
      "token": "r_EGiMDAA18pVLDSiEqPUIQe57RTnH79YxN65ybsLHg"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE/164854449",
      "token": "qDoGsuxMNdrihAuIbetnBFTSqz6uSyTYX-Jm_JW3xKc"
    },
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE/164854450",
      "token": "nJANiwx4dXcJ5lnw-fVjdHyv7ZWop9GYf20pM7zl2ow"
    }
  ]
}
2018-08-29 13:56:38,671:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/acme/authz/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE.
2018-08-29 13:56:39,216:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "GET /acme/authz/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE HTTP/1.1" 200 939
2018-08-29 13:56:39,217:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 939
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 29 Aug 2018 11:56:39 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 29 Aug 2018 11:56:39 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "realtebo.example.com"
  },
  "status": "pending",
  "expires": "2018-09-05T11:56:28Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE/164854448",
      "token": "r_EGiMDAA18pVLDSiEqPUIQe57RTnH79YxN65ybsLHg"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE/164854449",
      "token": "qDoGsuxMNdrihAuIbetnBFTSqz6uSyTYX-Jm_JW3xKc"
    },
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE/164854450",
      "token": "nJANiwx4dXcJ5lnw-fVjdHyv7ZWop9GYf20pM7zl2ow"
    }
  ]
}
2018-08-29 13:56:42,222:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/acme/authz/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE.
2018-08-29 13:56:42,462:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "GET /acme/authz/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE HTTP/1.1" 200 1600
2018-08-29 13:56:42,463:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1600
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 29 Aug 2018 11:56:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 29 Aug 2018 11:56:42 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "realtebo.example.com"
  },
  "status": "invalid",
  "expires": "2018-09-05T11:56:28Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "invalid",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE/164854448",
      "token": "r_EGiMDAA18pVLDSiEqPUIQe57RTnH79YxN65ybsLHg"
    },
    {
      "type": "tls-alpn-01",
      "status": "invalid",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE/164854449",
      "token": "qDoGsuxMNdrihAuIbetnBFTSqz6uSyTYX-Jm_JW3xKc"
    },
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "Fetching http://realtebo.example.com/.well-known/acme-challenge/nJANiwx4dXcJ5lnw-fVjdHyv7ZWop9GYf20pM7zl2ow: Timeout during connect (likely firewall problem)",
        "status": 400
      },
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/B2sI0JABmgzVYEYDd9CFlFQN3pXtHiPg1kWa1ce8gSE/164854450",
      "token": "nJANiwx4dXcJ5lnw-fVjdHyv7ZWop9GYf20pM7zl2ow",
      "validationRecord": [
        {
          "url": "http://realtebo.example.com/.well-known/acme-challenge/nJANiwx4dXcJ5lnw-fVjdHyv7ZWop9GYf20pM7zl2ow",
          "hostname": "realtebo.example.com",
          "port": "80",
          "addressesResolved": [
            "79.19.63.157"
          ],
          "addressUsed": "79.19.63.157"
        }
      ]
    }
  ]
}
2018-08-29 13:56:42,464:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: realtebo.example.com
Type:   connection
Detail: Fetching http://realtebo.example.com/.well-known/acme-challenge/nJANiwx4dXcJ5lnw-fVjdHyv7ZWop9GYf20pM7zl2ow: Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
2018-08-29 13:56:42,464:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 155, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 226, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. realtebo.example.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://realtebo.example.com/.well-known/acme-challenge/nJANiwx4dXcJ5lnw-fVjdHyv7ZWop9GYf20pM7zl2ow: Timeout during connect (likely firewall problem)

2018-08-29 13:56:42,464:DEBUG:certbot.error_handler:Calling registered functions
2018-08-29 13:56:42,464:INFO:certbot.auth_handler:Cleaning up challenges
2018-08-29 13:56:42,465:DEBUG:certbot.plugins.standalone:Stopping server at :::10000...
2018-08-29 13:56:42,887:INFO:certbot.hooks:Running post-hook command: sudo service webmin start
2018-08-29 13:56:45,631:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.26.1', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1364, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1254, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 120, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 391, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 334, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 370, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 155, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 226, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. realtebo.example.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://realtebo.example.com/.well-known/acme-challenge/nJANiwx4dXcJ5lnw-fVjdHyv7ZWop9GYf20pM7zl2ow: Timeout during connect (likely firewall problem)

Aqui está o bloco de servidor nginx relevante ou o virtualhost Apache para o domínio que estou configurando:

não tenho nada para escrever aqui

Fonte

realtebo

Todos 3 comentários

Este é um comportamento bem conhecido e documentado. Não é um bug. Eu fecho.

realtebo em 29 ago. 2018

Olá @realtebo! Obrigado por relatar :)

Let's Encrypt, pelo protocolo ACME , deve realizar a validação na porta 80 para o desafio HTTP. --http-01-port não pode alterar em qual porta o LE espera fazer a validação. Como Brad menciona aqui :

Todos esses sinalizadores permitem que você controle quais portas o Certbot escuta para plugins como autônomos. Isso é útil se você estiver roteando todo o tráfego da porta 80 para a porta 8080, por exemplo.

Vou fechar este problema por enquanto, mas sinta-se à vontade para me pedir para reabrir ou criar um novo se você encontrar algo errado com o Certbot!