Poderia ser devido à recente vulnerabilidade anunciada com o método de verificação tls-sni-01, o Let's Encrypt desativado até ser corrigido.
Até então, eles recomendaram o uso de http para verificação.
Eu tenho um script bem testado que estava funcionando bem até algumas semanas atrás.
Parece que o desafio do certbot é padronizado agora para http em vez de https. Não consigo descobrir o motivo.
echo 'rsa-key-size = 2048
renew-hook = /usr/sbin/ipsec reload && /usr/sbin/ipsec secrets
' > /etc/letsencrypt/cli.ini
certbot certonly --non-interactive --agree-tos --email $EMAIL --standalone -d $VPNHOST
Configurações do firewall:
Firewall stopped and disabled on system startup
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere state NEW recent: UPDATE seconds: 60 hit_count: 12 name: DEFAULT side: source mask: 255.255.255.255
all -- anywhere anywhere state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere state INVALID
ACCEPT udp -- anywhere anywhere udp dpt:isakmp
ACCEPT udp -- anywhere anywhere udp dpt:ipsec-nat-t
DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- ip-10-10-10-0.eu-west-2.compute.internal/24 anywhere policy match dir in pol ipsec proto esp
ACCEPT all -- anywhere ip-10-10-10-0.eu-west-2.compute.internal/24 policy match dir out pol ipsec proto esp
DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Certbot:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for vpn-1.duelify.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. vpn-1.duelify.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://vpn-1.duelify.com/.well-known/acme-challenge/BsPR5NK4JVb8rgIyS2VR4VTOv4Bc1F5TNppjoo95O70: Timeout
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: vpn-1.duelify.com
Type: connection
Detail: Fetching
http://vpn-1.duelify.com/.well-known/acme-challenge/BsPR5NK4JVb8rgIyS2VR4VTOv4Bc1F5TNppjoo95O70:
Timeout
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
Poderia ser devido à recente vulnerabilidade anunciada com o método de verificação tls-sni-01, o Let's Encrypt desativado até ser corrigido.
Até então, eles recomendaram o uso de http para verificação.