hassio-addons/addon-nginx-proxy-manager

Let's Encrypt certificate request gives error after installing 1.0.1

clousberg opened this issue · 12 comments

Situation

My firewall has a rule to forward external port 80 to the internal IP of Home Assistant on port 980.
My NPM has been configured to have the 'HTTP Entrance port' on 980.
DNS has been configured to send requests for sub.domain.com to my WAN IP. (Yes, in real life sub.domain.com is my real sub-domain.)

The last < 1.0 release of NPM worked with the same settings, so nothing changed in here.

I uninstalled the previous NPM and deleted all NPM folders I could find.
After this I installed version 1.0.1.

Problem

"Test Server Reachability" gives "Communication with the API failed, is NPM running correctly?"

"Requesting a new certificate" gives "Internal error", and:

Error: Command failed: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-10" --agree-tos --authenticator webroot --email "my@email.com" --preferred-challenges "dns,http" --domains "sub.domain.com" 
Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.

    at ChildProcess.exithandler (node:child_process:422:12)
    at ChildProcess.emit (node:events:517:28)
    at maybeClose (node:internal/child_process:1098:16)
    at ChildProcess._handle.onexit (node:internal/child_process:303:5)

"NPM log" shows:

[1/13/2024] [10:26:01 PM] [SSL      ] › ℹ  info      Requesting Let'sEncrypt certificates for Cert #10: sub.domain.com
[1/13/2024] [10:26:01 PM] [SSL      ] › ℹ  info      Command: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-10" --agree-tos --authenticator webroot --email "my@email.com" --preferred-challenges "dns,http" --domains "sub.domain.com" 
[1/13/2024] [10:26:17 PM] [Nginx    ] › ⬤  debug     Deleting file: /config/nginx/temp/letsencrypt_10.conf
[1/13/2024] [10:26:17 PM] [Nginx    ] › ℹ  info      Reloading Nginx
[1/13/2024] [10:26:17 PM] [Express  ] › ⚠  warning   Command failed: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-10" --agree-tos --authenticator webroot --email "my@email.com" --preferred-challenges "dns,http" --domains "sub.domain.com" 
Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.

V1.0.1

Same issue on my side also

After entering a shell inside the docker container I got the following from letsencrypt.log:

# -it gives an interactive TTY; without it bash exits immediately
docker exec -it <container name> /bin/bash
cd /tmp/letsencrypt-log
cat letsencrypt.log
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: xxx.xxxxxxx.duckdns.org
  Type:      dns
  Detail:    DNS problem: SERVFAIL looking up CAA for xxxxxxxx.duckdns.org - the domain's nameservers may be malfunctioning

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Maybe this is related:
[image]
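The letsencrypt.log excerpt above is the first place to look when NPM itself only reports "Internal error": the Detail line is what separates a DNS fault (here a SERVFAIL on the CAA lookup, which no port forwarding will fix) from a port-80 reachability fault (the NAT and country-block cases discussed further down in the thread). As an added example, not code from NPM, certbot or anyone in this issue, here is a small Python triage script that parses that failure block and maps each domain to the thing to check. The sample log text is constructed to resemble the excerpt, the domains are placeholders, and the category rules are my own heuristics over the detail strings Let's Encrypt commonly returns.

```python
"""Triage certbot's "Certbot failed to authenticate some domains" block.

Added example, not part of NPM or certbot. SAMPLE_LOG below is constructed
to mimic /tmp/letsencrypt-log/letsencrypt.log; domains are placeholders.
"""
import re
from dataclasses import dataclass

# Constructed sample (not real certbot output). Three typical failures:
# a firewalled port 80, a NAT target nobody listens on, and a CAA SERVFAIL.
SAMPLE_LOG = """\
Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: home.example.net
  Type:   connection
  Detail: 203.0.113.10: Fetching http://home.example.net/.well-known/acme-challenge/tok3n: Timeout during connect (likely firewall problem)

  Domain: cam.example.net
  Type:   connection
  Detail: 203.0.113.10: Fetching http://cam.example.net/.well-known/acme-challenge/tok3n: Connection refused

  Domain: xxx.example.duckdns.org
  Type:   dns
  Detail: DNS problem: SERVFAIL looking up CAA for example.duckdns.org - the domain's nameservers may be malfunctioning

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot.
"""


@dataclass
class ChallengeFailure:
    domain: str
    ctype: str   # the "Type:" field: dns, connection, unauthorized, ...
    detail: str  # the CA's verbatim "Detail:" text


# Each record is three indented "Key: value" lines; Detail is always last.
_FIELD = re.compile(r"^\s*(Domain|Type|Detail):\s*(.*)$")


def parse_failures(log_text):
    """Return one ChallengeFailure per Domain/Type/Detail record in the log."""
    failures, current = [], {}
    for line in log_text.splitlines():
        m = _FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        current[key] = value
        if key == "Detail":  # record complete
            failures.append(ChallengeFailure(current.get("Domain", "?"),
                                             current.get("Type", "?"), value))
            current = {}
    return failures


# (substring of Detail, category, what to check). Order matters: first hit wins.
# The substrings are common Let's Encrypt wordings; the categories are heuristics.
_RULES = [
    ("SERVFAIL looking up CAA", "dns-caa",
     "The zone's authoritative nameservers fail the CAA query the CA makes before "
     "every issuance. Check 'dig CAA <zone>' against each NS; NAT is not the problem."),
    ("Timeout during connect", "http-unreachable",
     "The validation request never reached port 80 on the WAN address. Check the NAT "
     "rule (external 80 -> NPM's HTTP entrance port) and any geo-IP/country block."),
    ("Connection refused", "http-refused",
     "The packet reached the host but nothing accepted it: the NAT target port must "
     "match NPM's HTTP entrance port and NPM must be running."),
    ("Invalid response", "http-wrong-server",
     "Something else answers on port 80; it is not NPM's challenge webroot."),
    ("NXDOMAIN", "dns-no-record", "The name does not resolve publicly; fix DNS first."),
]


def classify(failure):
    """Map a failure to (category, advice) using _RULES."""
    for needle, category, advice in _RULES:
        if needle in failure.detail:
            return category, advice
    return "unknown", "Re-run certbot with -v and read the full Detail string."


def triage(log_text):
    """Convenience wrapper: {domain: category} for a whole log file."""
    return {f.domain: classify(f)[0] for f in parse_failures(log_text)}


if __name__ == "__main__":
    for f in parse_failures(SAMPLE_LOG):
        category, advice = classify(f)
        print(f"{f.domain:28} {f.ctype:10} {category:16} {advice}")
```

Run it against the real file with `python3 triage.py < /tmp/letsencrypt-log/letsencrypt.log` after swapping SAMPLE_LOG for `sys.stdin.read()`; a `dns-caa` result means the fix is on the DNS provider's side, while `http-unreachable` points at the firewall or NAT path from the internet to the HTTP entrance port.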

Had the same issue; after waiting some minutes NPM was able to create the certificates.

tried again today to request a certificate at Let's Encrypt, but without success.
Same result as on Sunday.

I don't use Duckdns as I have my own domain.

Also have a similar issue. Using duckdns.
After waiting for several hours it still does not work to create certificates.

I overcame the problem this way: on the router, while receiving the certificate, I opened port 80 - 80.

As far as I know, port 80 has to be open anyway for certbot to work correctly.

> As far as I know, port 80 has to be open anyway for certbot to work correctly.

Previously I managed with ports 8123 - 80, but not this time

I have to open ports 80 and 443 on my FritzBox for NPM to work properly. This was the case before the update too, and from my perspective nothing changed there.

> I have to open ports 80 and 443 on my FritzBox for NPM to work properly. This was the case before the update too, and from my perspective nothing changed there.

I thought so too, until I started looking for the problem.
I went to https://letsdebug.net/ and found out that it could not access port 80.

Strange tool. For my site dns-01 is working but http-01 is not. But I requested several new certificates these days?

Finally solved the issue!

I thought I hadn't changed anything on my router/firewall, but that was not correct.
Just after the last refresh of the certificate in the previous NPM I added some country restrictions to my firewall... yes, and this blocked the call from Let's Encrypt to my NPM instance...
I missed this because my logging wasn't showing that the call was blocked...

So... NPM 1.0.1 is running as desired again 😃
(and sorry for any confusion)

Has anyone found a fix to this?