
Solved: How do I troubleshoot a ‘Let’s Encrypt’ issue?

This article describes how to troubleshoot ‘Let’s Encrypt’ certificate issuance on FortiWeb.

Scope

FortiWeb version 7.0 and later.

Solution

Enable the ‘Let’s Encrypt’ debug commands.

Use the following diagnose commands to identify the Let’s Encrypt issue. They enable debugging of the acmed (Let’s Encrypt) application at the highest debug level, 7.

# diagnose debug application acmed 7
# diagnose debug enable

The CLI may not display any debug output until the Let’s Encrypt process actually runs. Reproducing the ‘Let’s Encrypt’ issue triggers the diagnose debug output, for example:

(acme_msg_process : 143)recv msg, msg type: 0
(acme_cert_valid_and_issue : 1558)acme: renewal period 30
(acme_cert_valid_and_issue : 1559)acme: domain name testing02.ft-dev.site
(acme_cert_valid_and_issue : 1560)acme: domain size 0
(acme_cert_valid_and_issue : 1561)acme: name testing02.ft-dev.site
(key_load : 963)loading key from /etc/acme/private/testing02.ft-dev.site/key.pem.tmp
(key_load : 983)/etc/acme/private/testing02.ft-dev.site/key.pem.tmp not found
(key_gen : 870)generating new 2048-bit RSA key
(key_gen : 934)key saved to /etc/acme/private/testing02.ft-dev.site/key.pem.tmp
(acme_cert_valid_and_issue : 1640)checking existence and expiration of /etc/acme/testing02.ft-dev.site/cert.pem
(cert_load : 1282)/etc/acme/testing02.ft-dev.site/cert.pem does not exist
(cert_issue : 1300)creating new order for testing02.ft-dev.site at https://acme-v02.api.letsencrypt.org/acme/new-order

To disable the debug, set the acmed debug level back to 0 and turn debug output off:

# diagnose debug application acmed 0
# diagnose debug disable

Common debug outputs containing the ‘Let’s Encrypt’ validation response:

The hostname does not resolve in DNS (NXDOMAIN).

(acme_post : 737)acme_post: HTTP body:
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:dns",
"detail": "DNS problem: NXDOMAIN looking up A for testing02.ft-dev.site - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for testing02.ft-dev.site - check that a DNS record exists for this domain",
"status": 400
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/166188661986/XGIUPQ",
"token": "RzsSDrDFjf0nKNgfuGAmSuIohYdc1I-rKgh9i4tMUCk",
"validated": "2022-10-19T03:44:25Z"
}
(acme_log_err_event_process_inner_json : 583)acme_log_err_event_process_inner_json: type = urn:ietf:params:acme:error:dns, detail = DNS problem: NXDOMAIN looking up A for testing02.ft-dev.site - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for testing02.ft-dev.site - check that a DNS record exists for this domain
(acme_post : 742)acme_post: return code 200, json=
(authorize : 1025)challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/166188661986/XGIUPQ failed with status invalid

The hostname possibly has the wrong DNS record (the validation connection to port 80 timed out).

(acme_post : 737)acme_post: HTTP body:
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:connection",
"detail": "1.2.3.4: Fetching http://testing02.ft-dev.site/.well-known/acme-challenge/ef3bjXjlG8qCowQQQ8DSpqBLKskyCI4WvWf-TSRmQDM: Timeout during connect (likely firewall problem)",
"status": 400
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/166190614196/VPLZMQ",
"token": "ef3bjXjlG8qCowQQQ8DSpqBLKskyCI4WvWf-TSRmQDM",
"validationRecord": [
{
"url": "http://testing02.ft-dev.site/.well-known/acme-challenge/ef3bjXjlG8qCowQQQ8DSpqBLKskyCI4WvWf-TSRmQDM",
"hostname": "testing02.ft-dev.site",
"port": "80",
"addressesResolved": [
"1.2.3.4"
],
"addressUsed": "1.2.3.4"
}
],
"validated": "2022-10-19T03:52:21Z"
}
(acme_log_err_event_process_inner_json : 583)acme_log_err_event_process_inner_json: type = urn:ietf:params:acme:error:connection, detail = 1.2.3.4: Fetching http://testing02.ft-dev.site/.well-known/acme-challenge/ef3bjXjlG8qCowQQQ8DSpqBLKskyCI4WvWf-TSRmQDM: Timeout during connect (likely firewall problem)
(acme_post : 742)acme_post: return code 200, json=
(authorize : 1025)challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/166190614196/VPLZMQ failed with status invalid

The policy possibly has HTTP-to-HTTPS redirection enabled (the validation request was redirected to port 443 and answered with a 503).

(acme_post : 737)acme_post: HTTP body:
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "123.123.123.123: Invalid response from https://testing02.ft-dev.site:443/.well-known/acme-challenge/OiG3iBgsv8aZ5FX3Nxnc0uLbI2Q8BqWIPzuKex_AdiY: 503",
"status": 403
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/166192102376/x1UyUw",
"token": "OiG3iBgsv8aZ5FX3Nxnc0uLbI2Q8BqWIPzuKex_AdiY",
"validationRecord": [
{
"url": "http://testing02.ft-dev.site/.well-known/acme-challenge/OiG3iBgsv8aZ5FX3Nxnc0uLbI2Q8BqWIPzuKex_AdiY",
"hostname": "testing02.ft-dev.site",
"port": "80",
"addressesResolved": [
"123.123.123.123"
],
"addressUsed": "123.123.123.123"
},
{
"url": "https://testing02.ft-dev.site:443/.well-known/acme-challenge/OiG3iBgsv8aZ5FX3Nxnc0uLbI2Q8BqWIPzuKex_AdiY",
"hostname": "testing02.ft-dev.site",
"port": "443",
"addressesResolved": [
"123.123.123.123"
],
"addressUsed": "123.123.123.123"
}
],
"validated": "2022-10-19T03:57:51Z"
}
(acme_log_err_event_process_inner_json : 583)acme_log_err_event_process_inner_json: type = urn:ietf:params:acme:error:unauthorized, detail = 123.123.123.123: Invalid response from https://testing02.ft-dev.site:443/.well-known/acme-challenge/OiG3iBgsv8aZ5FX3Nxnc0uLbI2Q8BqWIPzuKex_AdiY: 503
(acme_post : 742)acme_post: return code 200, json=
(authorize : 1025)challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/166192102376/x1UyUw failed with status invalid

‘Let’s Encrypt’ validated the challenge successfully and is issuing the certificate.

(acme_post : 737)acme_post: HTTP body:
{
"type": "http-01",
"status": "valid",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/166192382666/rGdUAw",
"token": "DojvfvBnrETFRZiMEpuMHw6mSHcHzJKP1ZzVYnp1UDw",
"validationRecord": [
{
"url": "http://testing02.ft-dev.site/.well-known/acme-challenge/DojvfvBnrETFRZiMEpuMHw6mSHcHzJKP1ZzVYnp1UDw",
"hostname": "testing02.ft-dev.site",
"port": "80",
"addressesResolved": [
"123.123.123.123"
],
"addressUsed": "123.123.123.123"
}
],
"validated": "2022-10-19T03:59:03Z"
}
(acme_post : 742)acme_post: return code 200, json=
(authorize : 1039)running /etc/acme/acme.sh done http-01 testing02.ft-dev.site DojvfvBnrETFRZiMEpuMHw6mSHcHzJKP1ZzVYnp1UDw DojvfvBnrETFRZiMEpuMHw6mSHcHzJKP1ZzVYnp1UDw.YuDQoq9bUCyLuTf6l62dWbeU0GhGiw56oIv417dFplE
(cert_issue : 1333)polling order status at https://acme-v02.api.letsencrypt.org/acme/order/691661577/135897030346
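As an added example (not from the article or from Fortinet), the following Python script parses the acmed debug output shown above and maps each http-01 challenge response to one of the causes the article lists: DNS failure, connection timeout, HTTPS redirection, or success. The sample debug text is constructed in the same shape as the captures above, and the function names are my own.

```python
import json
import re

# Constructed sample in the shape of the 'diagnose debug application acmed 7'
# output above (HTTPS-redirect case); not a real capture.
SAMPLE_DEBUG = """(acme_post : 737)acme_post: HTTP body:
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "192.0.2.10: Invalid response from https://www.example.test:443/.well-known/acme-challenge/TOKEN: 503",
"status": 403
},
"validationRecord": [
{"url": "http://www.example.test/.well-known/acme-challenge/TOKEN", "port": "80"},
{"url": "https://www.example.test:443/.well-known/acme-challenge/TOKEN", "port": "443"}
]
}
(acme_post : 742)acme_post: return code 200, json=
"""

# The JSON body starts after "HTTP body:" and ends at the "}" that is
# followed by the next "(function : line)" debug prefix.
BODY_RE = re.compile(r"HTTP body:\s*(\{.*?\})\s*\n\(\w+ : \d+\)", re.S)

def extract_challenge_bodies(debug_text):
    """Return every challenge object the acmed debug output printed as JSON."""
    return [json.loads(m) for m in BODY_RE.findall(debug_text)]

def diagnose_challenge(body):
    """Map one http-01 challenge object to the likely cause listed in the article."""
    if body.get("status") == "valid":
        return "ok: challenge validated, certificate issuance proceeds"
    err = body.get("error", {})
    etype = err.get("type", "")
    ports = {r.get("port") for r in body.get("validationRecord", [])}
    if etype.endswith(":dns"):
        return "dns: hostname does not resolve (NXDOMAIN); check the A/AAAA record"
    if etype.endswith(":connection"):
        return "connection: timeout on port 80; check the DNS target IP and firewall"
    if "443" in ports:
        return "redirect: validation was sent to HTTPS; exclude /.well-known/acme-challenge/ from HTTP-to-HTTPS redirection"
    return "unknown: " + err.get("detail", "no detail in response")

def diagnose_debug_output(debug_text):
    """Diagnose every challenge response found in a debug capture."""
    return [diagnose_challenge(b) for b in extract_challenge_bodies(debug_text)]
```

Paste a full debug capture into `diagnose_debug_output` to get one verdict per challenge response; a capture with several retries yields several verdicts in order.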

Alex Lim is a certified IT Technical Support Architect with over 15 years of experience in designing, implementing, and troubleshooting complex IT systems and networks. He has worked for leading IT companies, such as Microsoft, IBM, and Cisco, providing technical support and solutions to clients across various industries and sectors. Alex has a bachelor’s degree in computer science from the National University of Singapore and a master’s degree in information security from the Massachusetts Institute of Technology. He is also the author of several best-selling books on IT technical support, such as The IT Technical Support Handbook and Troubleshooting IT Systems and Networks. Alex lives in Bandar, Johore, Malaysia with his wife and two children. You can reach him at [email protected] or follow him on Website | Twitter | Facebook
