I’m seeing an issue on only one of the servers we have running Sympl that seems to prevent it from getting a certificate from LetsEncrypt. This seems to apply to all domains regardless of whether that server has successfully been granted a certificate previously.
Domain name example.com is to redact the actual domain but all of the domains are live and from what I can see the challenge file is created and accessible. There doesn’t seem to be anything obvious that I can see is wrong and I can’t find anything that matches this on the LetsEncrypt forums…
Just to add that I see the following in the logs for the domain:
The 403 response codes make me suspect I’ve got something misconfigured along the way, but I can’t make the connection to what I need to actually do to fix things.
The easiest way to diagnose this is to create a file in htdocs/.well-known/acme-challenge/ with a random name and see if you can browse to it - you’ll likely get an error message from whatever is redirecting the traffic.
Note that Let’s Encrypt are now doing checks from multiple locations, so if you have DNS out of date/mismatched somewhere, or have load balancing/producing going on, you may run into trouble if all the remote locations can’t see the file.
From the log, 3 of the 4 attempts failed, which suggests something odd, but let us know how you get on!
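The probe described in the reply above, as an added example that is not Sympl's own tooling: it drops a random token into the challenge directory, fetches it over plain HTTP the way an HTTP-01 check starts, and maps the status code to the thing worth looking at next. The `/srv/<domain>/public/htdocs` layout, the script name and the status-code explanations are assumptions.

```shell
#!/bin/sh
# Added example, not Sympl's own tooling: drop a random token into the
# HTTP-01 challenge directory and fetch it the way the ACME server does.
# The Sympl docroot layout below is assumed; set SRV if yours differs.
set -eu

SRV=${SRV:-/srv}

# Challenge directory for a domain under the assumed Sympl layout
challenge_dir() {
  printf '%s/%s/public/htdocs/.well-known/acme-challenge' "$SRV" "$1"
}

# Write a random probe file into directory $1 and print its name
write_probe() {
  mkdir -p "$1"
  token=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
  printf 'probe %s\n' "$token" > "$1/$token"
  printf '%s' "$token"
}

# Turn the status of the probe request into the next thing to check
explain_status() {
  case $1 in
    200) echo "200: served, so the docroot and vhost are right" ;;
    301|302|307|308) echo "$1: redirected, make sure the target also serves the token" ;;
    401) echo "401: basic-auth is in front of the challenge path" ;;
    403) echo "403: something is refusing the request (.htaccess deny, rewrite, IP/DNSBL filtering)" ;;
    404) echo "404: wrong DocumentRoot, or DNS points this name at another host" ;;
    000) echo "000: no HTTP response at all (DNS, firewall or listener)" ;;
    *)   echo "$1: unexpected status" ;;
  esac
}

# Fetch over plain HTTP without following redirects, printing only the
# status code; curl itself prints 000 when no response arrives
fetch_status() {
  curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
    "http://$1/.well-known/acme-challenge/$2" || true
}

# Usage: ./acme-probe.sh example.com   (assumed script name)
if [ $# -ge 1 ]; then
  domain=$1
  dir=$(challenge_dir "$domain")
  token=$(write_probe "$dir")
  status=$(fetch_status "$domain" "$token")
  echo "GET http://$domain/.well-known/acme-challenge/$token -> $status"
  explain_status "$status"
  # Repeat the same GET from another network (a phone, a VPS): per-client
  # filtering never shows up when you fetch from the server itself.
  rm -f "$dir/$token"
fi
```

Run it once from the server and once with the printed URL from somewhere outside your own network; a 200 locally and a 403 remotely points straight at client-based filtering rather than at the vhost.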
I’ve given the random file in the /.well-known/acme-challenge folder a try and it’s accessible (tried from a few connections), but I’m still getting the “Unable to verify” error and the logs are showing the same 3 out of 4 failed attempts. Is there any way to see more of what’s going on when running sympl-ssl? I’ve tried --debug but that doesn’t show any more of the response from Let’s Encrypt. I’m still researching, so hopefully I’ll find something, but if you’ve got any suggestions to help my search it would be much appreciated.
Just to be sure, I’ve tried a couple of the test servers running Sympl 9, and it’s getting certs okay.
Not at present - the new version in development will have pretty verbose debug logging and write logs covering the interaction with Let’s Encrypt, but the current Ruby one is rather short on diagnostic logging for the thing that needs it more than anything.
It probably isn’t DNS related, as all 4 of the attempts look to be getting there, so it may be something intercepting the traffic, like a .htaccess rewrite, basic-auth or similar (although there’s elements in the apache configuration to prevent that), but that doesn’t explain why one works and the others don’t.
If you want to send me a private message with the domain info, I can take a closer look (click my name, and then ‘Message’).
So your mention of DNS earlier made me think, and I went back and looked at anything that could be DNS related - and realised that we had mod_defensible installed and, a few weeks ago, had set it up for stricter filtering because of a spike in malicious traffic against WordPress sites. That stricter setting was blocking a couple of cloud providers that Let’s Encrypt was using to test the site. Disabled mod_defensible and the certificates are now being issued!
Thanks for giving me the tip that led to the answer. Much appreciated!
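To see the failure mode from the final post in working code, here is an added example that is not part of the thread, of Sympl or of mod_defensible: it pulls the client addresses that were refused on the ACME challenge path out of an Apache access log and tests them against a DNSBL the way mod_defensible does (reverse the octets, look up `<reversed>.<zone>`, treat any 127.0.0.x answer as listed). Let's Encrypt does not publish its validator addresses, so the access log is the only place to get them. The log lines are constructed, the log path follows the assumed Sympl layout, the `DnsblServers` directive name is given from memory, and the zone is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread, Sympl or mod_defensible): find the
# client addresses refused on the ACME challenge path and test them
# against a DNSBL the way mod_defensible does. Log lines, zone and IPs
# are constructed for illustration.
set -eu

# Constructed Apache combined-format lines; on a Sympl host the real log
# is assumed to be /srv/<domain>/public/logs/access.log
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.7 - - [10/May/2021:10:01:02 +0000] "GET /.well-known/acme-challenge/abc123 HTTP/1.1" 403 199 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
198.51.100.22 - - [10/May/2021:10:01:02 +0000] "GET /.well-known/acme-challenge/abc123 HTTP/1.1" 200 43 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
192.0.2.9 - - [10/May/2021:10:01:03 +0000] "GET /.well-known/acme-challenge/abc123 HTTP/1.1" 403 199 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
203.0.113.7 - - [10/May/2021:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 403 199 "-" "curl/7.64.0"
EOF
)

# Client IPs that got a 403 on the challenge path, one per line, deduplicated
# ($7 is the request path and $9 the status in combined format)
refused_challenge_clients() {
  printf '%s\n' "$1" |
    awk '$7 ~ /^\/\.well-known\/acme-challenge\// && $9 == 403 { print $1 }' |
    sort -u
}

# 203.0.113.7 -> 7.113.0.203, the label order every DNSBL expects
reverse_ip() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  printf '%s.%s.%s.%s' "$4" "$3" "$2" "$1"
}

# Name mod_defensible would resolve for client $1 in zone $2
dnsbl_name() { printf '%s.%s' "$(reverse_ip "$1")" "$2"; }

# Ask the resolver; any 127.0.0.x answer means "listed". Needs network.
dnsbl_listed() {
  answer=$(getent hosts "$(dnsbl_name "$1" "$2")" 2>/dev/null | awk '{ print $1; exit }') || true
  case ${answer:-} in
    127.0.0.*) return 0 ;;
    *) return 1 ;;
  esac
}

# Zone to query: use whatever your mod_defensible DnsblServers line lists
# (directive name from memory; the default zone here is an assumption)
DNSBL_ZONE=${DNSBL_ZONE:-zen.spamhaus.org}

# Usage: ./dnsbl-check.sh /srv/example.com/public/logs/access.log
# With no argument it only lists the refused clients from the sample.
if [ $# -ge 1 ]; then
  for ip in $(refused_challenge_clients "$(cat "$1")"); do
    if dnsbl_listed "$ip" "$DNSBL_ZONE"; then
      echo "$ip is listed in $DNSBL_ZONE: mod_defensible would refuse it"
    else
      echo "$ip is not listed in $DNSBL_ZONE"
    fi
  done
else
  echo "403s on the challenge path in the sample log came from:"
  refused_challenge_clients "$SAMPLE_LOG"
fi
```

Any validator address that comes back listed explains a "3 of 4 failed" pattern exactly: the challenge file is fine, the module is simply refusing those clients before Apache ever serves it.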