[SOLVED] Prox can't validate certificate ssl

sup98765

New Member
Feb 11, 2021
I am asking for your help.
I can't successfully order a Let's Encrypt certificate for the Proxmox DNS name.
Code:
Loading ACME account details
Placing ACME order
Order URL: https://acme-v02.api.letsencrypt.org/acme/order/455705530/72278481650

Getting authorization details from 'https://acme-v02.api.letsencrypt.org/acme/authz-v3/88641467490'
The validation for prox.yyy.ua is pending!
Setting up webserver
Triggering validation
Sleeping for 5 seconds
Status is still 'pending', trying again in 10 seconds
TASK ERROR: validating challenge 'https://acme-v02.api.letsencrypt.org/acme/authz-v3/88641467490' failed - status: invalid

As I have used several methods, I know that the error occurs at the stage where Let's Encrypt tries to access the DNS name that I am validating on port 80 and can't do so.
Proxmox uses port 8006 and HTTPS.

Second attempt, a different way:
Code:
PS C:\Users\Администратор> certbot certonly -d prox.yyy.ua --force-renewal
Saving debug log to C:\Certbot\log\letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Requesting a certificate for prox.yyy.ua
Problem binding to port 80: [WinError 10013] An attempt was made to access a socket in a method prohibited by access rights
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile C:\Certbot\log\letsencrypt.log or re-run Certbot with -v for more details.

https://forum.proxmox.com/threads/pve-5-2-lets-encrypt-task-error-validating-challenge-failed.43782/
 
Concerning your first attempt:
While the listening server seems to be created it cannot be reached from the outside. This depends on your network setup (i.e. whether you are hosting through a hosting provider or in your private network) and may require that you set up port forwarding for port 80.
Conveniently, Let's Encrypt tells you what is wrong in the following line:
TASK ERROR: validating challenge 'https://acme-v02.api.letsencrypt.org/acme/authz-v3/88641467490' failed - status: invalid
You can visit -> https://acme-v02.api.letsencrypt.org/acme/authz-v3/88641467490 - this site tells you what went wrong.

Concerning Windows:
It seems that something is already running on port 80. You can look up what that is by using netstat -pant TCP. In this case the listening server cannot be created; you will have to kill the other process first.
More info on this here: https://community.letsencrypt.org/t...-forbidden-by-its-access-permissions/168443/3
 
Yeah, like the docs say, for standalone/http-01 validation the following requirements must be met:

There are a few prerequisites to use it for certificate management with Let's Encrypt's ACME.
  • You have to accept the ToS of Let’s Encrypt to register an account.
  • Port 80 of the node needs to be reachable from the internet.
  • There must be no other listener on port 80.
  • The requested (sub)domain needs to resolve to a public IP of the Node.
if you use the pve-firewall in the default setup, you need to manually allow port 80 on your public interface(s).
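The four prerequisites above, together with the port-80 advice in the previous reply, can be checked on the node before placing the order. The script below is an added example and is not code from this thread or from Proxmox. It assumes `dig`, `ss` and `ip` are installed (dnsutils and iproute2 on a Debian-based PVE host), and `prox.yyy.ua` in its usage line is a placeholder taken from the thread. It resolves the name, checks that the address is globally routable and actually bound on the node (public but not bound locally means the node sits behind NAT and TCP/80 has to be forwarded), and looks for an existing listener on port 80. Without an argument it only defines the functions, so the pure checks can be exercised on constructed input.

```shell
#!/bin/sh
# Added example, not code from the thread or from Proxmox: pre-flight checks
# for the http-01 prerequisites listed above, meant to run on the PVE node.
# Usage:  sh acme-preflight.sh prox.yyy.ua      (hostname is a placeholder)
set -u

# is_public_ipv4 ADDR: 0 if ADDR is a syntactically valid, globally routable
# IPv4 address; 1 for malformed, RFC 1918, loopback, link-local, CGNAT or 0/8.
is_public_ipv4() {
    addr=$1
    case "$addr" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$addr" | tr . ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    case "$addr" in
        10.*|192.168.*|127.*|169.254.*|0.*) return 1 ;;
    esac
    if [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then return 1; fi
    if [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]; then return 1; fi
    return 0
}

# port80_listener SS_OUTPUT: print the process name that owns a TCP listener on
# port 80 (input is `ss -ltnp` output), or print nothing when the port is free.
port80_listener() {
    printf '%s\n' "$1" | awk '
        $1 == "LISTEN" && $4 ~ /:80$/ {
            if (match($NF, /"[^"]+"/)) print substr($NF, RSTART + 1, RLENGTH - 2)
            else print $NF      # no process column: ss was run without root
        }'
}

# classify_resolution RESOLVED LOCAL_ADDRS: 0 when RESOLVED is public and bound
# on this node, 1 when public but not bound here (NAT: forward TCP/80 to the
# node), 2 when RESOLVED is not a public address at all.
classify_resolution() {
    resolved=$1
    is_public_ipv4 "$resolved" || return 2
    for a in $2; do
        [ "$a" = "$resolved" ] && return 0
    done
    return 1
}

# preflight NAME: live run on the node; gathers the real inputs for the checks.
preflight() {
    name=$1; rc=0
    # tail keeps the final A record when dig prints a CNAME target first
    resolved=$(dig +short A "$name" | tail -n 1)
    if [ -z "$resolved" ]; then
        echo "FAIL: $name has no A record"; return 1
    fi
    local_addrs=$(ip -4 -o addr show | awk '{ sub(/\/.*/, "", $4); print $4 }')
    cls=0; classify_resolution "$resolved" "$local_addrs" || cls=$?
    case $cls in
        0) echo "OK:   $name -> $resolved is public and bound on this node" ;;
        1) echo "WARN: $name -> $resolved is public but not bound here; forward TCP/80 to this node" ;;
        *) echo "FAIL: $name -> $resolved is not a public address"; rc=1 ;;
    esac
    if command -v ss >/dev/null 2>&1; then
        owner=$(port80_listener "$(ss -ltnp 2>/dev/null)")
        if [ -n "$owner" ]; then
            echo "FAIL: port 80 already has a listener ($owner); stop it or use a dns-01 plugin"; rc=1
        else
            echo "OK:   nothing listens on port 80; pveproxy can bind it during the challenge"
        fi
    else
        echo "SKIP: ss not found, cannot check for a port-80 listener"
    fi
    # Reachability from the Internet can only be confirmed from outside (see the
    # usage note below); this script checks what is visible on the node itself.
    return $rc
}

if [ $# -ge 1 ]; then preflight "$1"; fi
```

What the script cannot tell you is whether something upstream, or pve-firewall itself, drops the packets. Confirm that from another network with `curl -v http://prox.yyy.ua/` while no order is running: "connection refused" means the packet reached the node (nothing listens on 80 outside a validation run), a timeout means a firewall or missing port forward in between. With pve-firewall enabled, the exception belongs in `/etc/pve/nodes/<node>/host.fw` under `[RULES]`, for example `IN ACCEPT -i vmbr0 -p tcp -dport 80` (rule syntax as in the pve-firewall documentation; check the result with `pve-firewall compile`). A rule added by hand with `iptables -I INPUT ...` works until the next reboot only, because nothing persists it.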
 
I added the rule
iptables -I INPUT -i vmbr0 -p tcp --dport 80 -m comment --comment "# ssl #" -j ACCEPT
and after this it is possible to connect on port 80, but nothing changed.

"detail": "CAA record for prox.softico.ua prevents issuance"
 

Attachments: two screenshots, 2022-03-18.
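The `CAA record ... prevents issuance` detail in the last post is a different failure from the port-80 one: the zone (or one of its parents) publishes a CAA RRset that does not name `letsencrypt.org`, so the CA refuses before the challenge matters at all. The script below is an added example, not code from this thread or from Proxmox. It applies the RFC 8659 rules for the `issue` and `issuewild` tags to a set of CAA records and, when given a hostname and a CA domain, fetches the effective RRset with `dig` by climbing from the name to its parents. `prox.yyy.ua` and `letsencrypt.org` in the usage line are placeholders, and the record sets shown in comments are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Proxmox: decide whether a CA
# may issue for a name according to its effective CAA RRset (RFC 8659).
# Usage:  sh caa-check.sh prox.yyy.ua letsencrypt.org    (both are placeholders)
set -u

# caa_allows_issuance RECORDS CA [yes]: RECORDS is text in `dig +short CAA`
# form, one "FLAGS TAG VALUE" record per line, e.g.
#     0 issue "letsencrypt.org"
#     0 issuewild ";"
# Returns 0 when CA may issue, 1 when the RRset forbids it. Pass "yes" as the
# third argument for a wildcard name: issuewild then takes precedence over
# issue. A value of ";" names no CA and therefore forbids every CA.
caa_allows_issuance() {
    printf '%s\n' "$1" | awk -v ca="$2" -v wild="${3:-no}" '
    function ca_of(line,   v) {      # "letsencrypt.org; account=1" -> letsencrypt.org
        v = line
        sub(/^[ \t]*[0-9]+[ \t]+[A-Za-z]+[ \t]+/, "", v)
        gsub(/"/, "", v); sub(/;.*/, "", v)
        gsub(/^[ \t]+|[ \t]+$/, "", v)
        return tolower(v)
    }
    NF >= 3 {                         # non-CAA lines (e.g. a CNAME target) are skipped
        tag = tolower($2)
        if (tag == "issue")     { n_issue++; if (ca_of($0) == tolower(ca)) ok_issue = 1 }
        if (tag == "issuewild") { n_wild++;  if (ca_of($0) == tolower(ca)) ok_wild  = 1 }
    }
    END {
        if (wild == "yes" && n_wild > 0) exit (ok_wild ? 0 : 1)
        if (n_issue == 0) exit 0      # no issue records: any CA may issue
        exit (ok_issue ? 0 : 1)
    }'
}

# caa_lookup NAME: print the first non-empty CAA RRset found at NAME or, one
# label at a time, at its parents; return 1 when none exists anywhere.
caa_lookup() {
    name=$1
    while [ -n "$name" ]; do
        rrset=$(dig +short CAA "$name." 2>/dev/null | grep -E '^[0-9]+ [A-Za-z]+ ' || true)
        if [ -n "$rrset" ]; then
            printf '%s\n' "$rrset"
            return 0
        fi
        case "$name" in
            *.*) name=${name#*.} ;;
            *)   name='' ;;
        esac
    done
    return 1
}

if [ $# -ge 2 ]; then
    wild=no; lookup_name=$1
    case "$1" in \*.*) wild=yes; lookup_name=${1#\*.} ;; esac
    if rrset=$(caa_lookup "$lookup_name"); then
        echo "effective CAA RRset for $1:"
        printf '%s\n' "$rrset"
        if caa_allows_issuance "$rrset" "$2" "$wild"; then
            echo "OK: $2 may issue for $1"
        else
            echo "FAIL: CAA prevents issuance by $2 for $1"
            exit 1
        fi
    else
        echo "OK: no CAA records for $1 or its parents, any CA may issue"
    fi
fi
```

If the check fails, the fix is in DNS, not on the node: add `0 issue "letsencrypt.org"` (and `0 issuewild "letsencrypt.org"` if wildcard certificates are needed) to the zone that holds the restricting records, wait for the old RRset's TTL to expire, and place the order again. The ACME authorization URL from the task log shows the same `detail` string the CA recorded, which is how the CAA problem surfaced in this thread.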