
Let's Encrypt suddenly stopped working

Hi everyone

Let's Encrypt worked just fine until yesterday evening, when I got an
"Error Retrieving Certificate" email notifying me that:
"An error occurred during the LetsEncrypt process. The error message is:
Error: The challenge did not complete."

Let's Encrypt log finishes with:
Waiting for the order status to update... 0
Error: The challenge did not complete.
The script is stopping because an error occurred.

...and when I look up the individual challenge status URLs I can see
{
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:connection",
    "detail": "During secondary validation: Fetching http://***/.well-known/acme-challenge/oRHilLxXN_GwJfSRgm1iXyUag_C2QdhlWXKLas9yzhA: Timeout during connect (likely firewall problem)",
    "status": 400
...

We have two Internet links working in parallel, with all of the mail
related ports redirected to the mail server, so (quite a few) alternate host
names go to two public IP addresses. Challenges directed to either one
produce timeout errors (so it's not one link or the other).
Even if I try a single alternate name, or no alternate names at all, the result is the same.

Both Internet links seem to be working fine, nothing affecting port 80
(or any other email relevant port) connectivity has been changed in the
router/firewall configuration, webmail works normally from the Internet,
RemoteAdmin as well.

MDaemon is v19.5.4 with Cyren/ClamAV enabled, ActiveSync on, everything
fully updated.

Any ideas what could be the cause?


Regards


Aleksandar Devecerski - May 6, 2020 5:04 am (#5 Total: 6)  

On 06.03.2020 21:41, Arron Caruth wrote:
> Great! I'm glad you were able to get the issue resolved.

Two months later, same story. I was afraid the issue would recur,
although I hoped it wouldn't.
The problem is, LetsEncrypt does not publish the IP addresses used in the
validation process
(https://letsencrypt.org/docs/faq/#what-ip-addresses-does-let-s-encrypt-use-to-validate-my-web-server)
AND I just cannot leave port 80 unprotected.

Last night I got the "Error Retrieving Certificate" notification,
inspected the LetsEncrypt logs first, then the firewall logs, and found out that
the following IP addresses had to be added to the exceptions in order to
complete the validation process:
18.196.96.172
3.14.255.131
34.209.232.166
34.222.229.130
52.15.254.228
52.28.236.88

All of them belong to Amazon IP address ranges, 2 are in Europe, the
rest in the US. Nothing in them points to LetsEncrypt (net names, host
names, reverse DNS, ...). As the guys from the Top Gear car show would say, these
are just "some addresses". Next time, in 2 months, I'm sure some other
addresses will be used.

I can, of course, do this manually (disable the firewall rule, run the
validation script, re-enable the firewall rule) or add new IP addresses to the
exclusions group every 2 months, hoping LetsEncrypt only has a limited
number of them, but I would really like to make the re-validation
process automatic.

As no one else mentioned this here, I'm guessing you guys made it work.
Any suggestions how to handle this, other than "open port 80 completely"?

Thanks in advance


Stay safe everybody

Arron Caruth - May 6, 2020 7:03 am (#6 Total: 6)  

Based on what I've read about LetsEncrypt, it doesn't seem like they intend to publish a list. The discussion groups seem to indicate that the best option, if you need to restrict access to port 80, is to use a DNS challenge instead of an HTTP challenge. The script we provide only supports HTTP challenges, but you could create your own script that works with DNS challenges or look for a third-party LetsEncrypt tool that supports DNS challenges.

--
Arron Caruth
Vice President of Product Development
o: 817-601-3222 e: Arron.Caruth@mdaemon.com

MDaemon Technologies
Simple Secure Email
Visit us on www.mdaemon.com | Facebook | LinkedIn | YouTube
Sent using the MDaemon Email Server