{{tag>certbot letsencrypt ssl troubleshooting}}

====== Let's Encrypt certbot troubleshooting ======

  * certbot first establishes the connection over IPv6. If you are getting timeout errors, check the firewall for IPv6 HTTPS access or set the network stack to [[wiki:ipv4_over_ipv6|prefer ipv4 over ipv6]]. Also remove the AAAA record for your domain if you don't want it to connect over IPv6.
  * Make sure that a file path under the webserver root is reachable, as certbot uses the ''.well-known/acme-challenge'' folder inside it to serve the token that is fetched to check ownership of the domain/server.
  * If there is a previous redirect in the webserver configuration, it could also interfere with certificate generation.
  * Certbot only works on default ports, 80 and 443. Check if the ''Listen'' directive has a different port if you get an "Unauthorized" error.
  * When using the [[https://docs.ansible.com/ansible/latest/collections/community/crypto/acme_certificate_module.html#examples|ansible module]], make sure you add a [[https://github.com/ansible-collections/community.crypto/pull/11/files|check]] for the //challenge_data//, this part: <code>
when: sample_com_challenge is changed and 'sample.com' in sample_com_challenge['challenge_data']
</code> Otherwise the step will fail with this error: <code>
TASK [letsencrypt : Implement http-01 challenge files] ***********************************************************************************************************
fatal: [1.1.1.1]: FAILED! =>
  msg: |-
    The task includes an option with an undefined variable. The error was: 'dict object' has no attribute 'my.domain.com'
</code>

===== Failed authorization procedure.... =====

Error: //Failed authorization procedure. www.example.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from...//

There might be redirect rules in effect.
Try putting this in your .htaccess or vhost file, directly before the ''RewriteRule'' that performs the redirect. ''%{REQUEST_URI}'' always begins with a slash, so the pattern has to match it:

<code>
RewriteCond %{REQUEST_URI} !^/\.well-known/(.*)$
</code>

===== SEC_ERROR_UNKNOWN_ISSUER with certbot in Firefox =====

If you get this weird error only in Firefox (89.0.2) and other browsers are OK, delete the existing certificate:

<code>
certbot delete
</code>

and run certbot again:

<code>
certbot
</code>

This should resolve the issue.

====== Tested on ======

  * Debian 10.8
  * certbot 0.31.0

====== See also ======

  * [[wiki:install_certbot|Install certbot]]
  * [[wiki:certbot_installation|Install certbot via manual method]]
  * [[wiki:certbot_download_certificates_only|Certbot download certificates only]]

====== References ======

  * https://github.com/ansible/ansible/issues/67949
  * https://letsencrypt.org/docs/ipv6-support/
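
The ''Listen'' port check and the redirect check from the troubleshooting list and the "Failed authorization procedure" section can be run against a config before requesting a certificate. The following is an added example, not part of the original page or of certbot: the function names, the sample vhost snippets and the token name are constructed for illustration, and only ''%{REQUEST_URI}'' conditions are evaluated (other conditions are assumed to be true).

```python
import re

ACME_URI = "/.well-known/acme-challenge/test-token"  # constructed token name

# Constructed vhost snippets (not from the page): the first listens on a
# non-default port and its exemption lacks REQUEST_URI's leading slash.
BROKEN = r"""
Listen 8080
RewriteEngine On
RewriteCond %{REQUEST_URI} !^\.well-known/(.*)$
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]
"""
FIXED = r"""
Listen 80
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/\.well-known/(.*)$
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]
"""


def cond_holds(pattern, uri):
    """Evaluate a RewriteCond pattern against REQUEST_URI; '!' negates."""
    negated = pattern.startswith("!")
    return (re.search(pattern.lstrip("!"), uri) is not None) != negated


def preflight(conf, uri=ACME_URI):
    """Return findings in an Apache config that can break http-01."""
    findings, ports, conds = [], set(), []
    for line in conf.splitlines():
        parts = line.split()
        name = parts[0].lower() if parts else ""
        if name == "listen" and len(parts) > 1:
            ports.add(parts[1].rsplit(":", 1)[-1])   # handles [::]:80 too
        elif name == "rewritecond" and len(parts) > 2:
            # Only REQUEST_URI conditions are evaluated; others are assumed true.
            if parts[1].upper() == "%{REQUEST_URI}":
                conds.append(parts[2])
        elif name == "rewriterule" and len(parts) > 2:
            flags = parts[3] if len(parts) > 3 else ""
            redirect = re.search(r"[\[,]R[=,\]]", flags) is not None
            # Rule patterns see the path with (vhost) or without (.htaccess) "/".
            hit = re.search(parts[1], uri) or re.search(parts[1], uri.lstrip("/"))
            if redirect and hit and all(cond_holds(c, uri) for c in conds):
                findings.append("redirect applies to " + uri)
            conds = []                               # conds bind to one rule
    if ports and not ports & {"80", "443"}:
        findings.append("no Listen on 80 or 443: " + ", ".join(sorted(ports)))
    return findings
```

''preflight(BROKEN)'' reports both the redirect and the port problem, while ''preflight(FIXED)'' returns an empty list.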