Solved: How do I troubleshoot “Let’s Encrypt” issue?

This article describes how to troubleshoot ‘Let’s Encrypt’.

Scope

FortiWeb version 7.0 and later.

Solution

Enable the ‘Let’s Encrypt’ debug.

Use the following diagnose commands to identify a Let’s Encrypt issue.

These commands enable debugging of the Let’s Encrypt application (acmed) at the highest debug level, 7.

# diagnose debug application acmed 7
# diagnose debug enable

The CLI may not display any debug output at first.

Triggering the ‘Let’s Encrypt Issue’ starts the debug output.

# (acme_msg_process : 143)recv msg, msg type: 0
(acme_cert_valid_and_issue : 1558)acme: renewal period 30
(acme_cert_valid_and_issue : 1559)acme: domain name testing02.ft-dev.site
(acme_cert_valid_and_issue : 1560)acme: domain size 0
(acme_cert_valid_and_issue : 1561)acme: name testing02.ft-dev.site
(key_load : 963)loading key from /etc/acme/private/testing02.ft-dev.site/key.pem.tmp
(key_load : 983)/etc/acme/private/testing02.ft-dev.site/key.pem.tmp not found
(key_gen : 870)generating new 2048-bit RSA key
(key_gen : 934)key saved to /etc/acme/private/testing02.ft-dev.site/key.pem.tmp
(acme_cert_valid_and_issue : 1640)checking existence and expiration of /etc/acme/testing02.ft-dev.site/cert.pem
(cert_load : 1282)/etc/acme/testing02.ft-dev.site/cert.pem does not exist
(cert_issue : 1300)creating new order for testing02.ft-dev.site at https://acme-v02.api.letsencrypt.org/acme/new-order

To disable the debug, set the acmed debug level back to 0 and turn debug output off.

# diagnose debug application acmed 0
# diagnose debug disable

Common debug outputs containing the ‘Let’s Encrypt’ validation response.

The hostname does not resolve in DNS.

(acme_post : 737)acme_post: HTTP body:
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:dns",
"detail": "DNS problem: NXDOMAIN looking up A for testing02.ft-dev.site - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for testing02.ft-dev.site - check that a DNS record exists for this domain",
"status": 400
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/166188661986/XGIUPQ",
"token": "RzsSDrDFjf0nKNgfuGAmSuIohYdc1I-rKgh9i4tMUCk",
"validated": "2022-10-19T03:44:25Z"
}
(acme_log_err_event_process_inner_json : 583)acme_log_err_event_process_inner_json: type = urn:ietf:params:acme:error:dns, detail = DNS problem: NXDOMAIN looking up A for testing02.ft-dev.site - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for testing02.ft-dev.site - check that a DNS record exists for this domain
(acme_post : 742)acme_post: return code 200, json=
(authorize : 1025)challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/166188661986/XGIUPQ failed with status invalid

The hostname's DNS record possibly points to the wrong address.

(acme_post : 737)acme_post: HTTP body:
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:connection",
"detail": "1.2.3.4: Fetching http://testing02.ft-dev.site/.well-known/acme-challenge/ef3bjXjlG8qCowQQQ8DSpqBLKskyCI4WvWf-TSRmQDM: Timeout during connect (likely firewall problem)",
"status": 400
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/166190614196/VPLZMQ",
"token": "ef3bjXjlG8qCowQQQ8DSpqBLKskyCI4WvWf-TSRmQDM",
"validationRecord": [
{
"url": "http://testing02.ft-dev.site/.well-known/acme-challenge/ef3bjXjlG8qCowQQQ8DSpqBLKskyCI4WvWf-TSRmQDM",
"hostname": "testing02.ft-dev.site",
"port": "80",
"addressesResolved": [
"1.2.3.4"
],
"addressUsed": "1.2.3.4"
}
],
"validated": "2022-10-19T03:52:21Z"
}
(acme_log_err_event_process_inner_json : 583)acme_log_err_event_process_inner_json: type = urn:ietf:params:acme:error:connection, detail = 1.2.3.4: Fetching http://testing02.ft-dev.site/.well-known/acme-challenge/ef3bjXjlG8qCowQQQ8DSpqBLKskyCI4WvWf-TSRmQDM: Timeout during connect (likely firewall problem)
(acme_post : 742)acme_post: return code 200, json=
(authorize : 1025)challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/166190614196/VPLZMQ failed with status invalid

The policy possibly has HTTP-to-HTTPS redirection enabled.

(acme_post : 737)acme_post: HTTP body:
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "123.123.123.123: Invalid response from https://testing02.ft-dev.site:443/.well-known/acme-challenge/OiG3iBgsv8aZ5FX3Nxnc0uLbI2Q8BqWIPzuKex_AdiY: 503",
"status": 403
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/166192102376/x1UyUw",
"token": "OiG3iBgsv8aZ5FX3Nxnc0uLbI2Q8BqWIPzuKex_AdiY",
"validationRecord": [
{
"url": "http://testing02.ft-dev.site/.well-known/acme-challenge/OiG3iBgsv8aZ5FX3Nxnc0uLbI2Q8BqWIPzuKex_AdiY",
"hostname": "testing02.ft-dev.site",
"port": "80",
"addressesResolved": [
"123.123.123.123"
],
"addressUsed": "123.123.123.123"
},
{
"url": "https://testing02.ft-dev.site:443/.well-known/acme-challenge/OiG3iBgsv8aZ5FX3Nxnc0uLbI2Q8BqWIPzuKex_AdiY",
"hostname": "testing02.ft-dev.site",
"port": "443",
"addressesResolved": [
"123.123.123.123"
],
"addressUsed": "123.123.123.123"
}
],
"validated": "2022-10-19T03:57:51Z"
}
(acme_log_err_event_process_inner_json : 583)acme_log_err_event_process_inner_json: type = urn:ietf:params:acme:error:unauthorized, detail = 123.123.123.123: Invalid response from https://testing02.ft-dev.site:443/.well-known/acme-challenge/OiG3iBgsv8aZ5FX3Nxnc0uLbI2Q8BqWIPzuKex_AdiY: 503
(acme_post : 742)acme_post: return code 200, json=
(authorize : 1025)challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/166192102376/x1UyUw failed with status invalid

‘Let’s Encrypt’ validated the challenge successfully and the certificate is being issued.

(acme_post : 737)acme_post: HTTP body:
{
"type": "http-01",
"status": "valid",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/166192382666/rGdUAw",
"token": "DojvfvBnrETFRZiMEpuMHw6mSHcHzJKP1ZzVYnp1UDw",
"validationRecord": [
{
"url": "http://testing02.ft-dev.site/.well-known/acme-challenge/DojvfvBnrETFRZiMEpuMHw6mSHcHzJKP1ZzVYnp1UDw",
"hostname": "testing02.ft-dev.site",
"port": "80",
"addressesResolved": [
"123.123.123.123"
],
"addressUsed": "123.123.123.123"
}
],
"validated": "2022-10-19T03:59:03Z"
}
(acme_post : 742)acme_post: return code 200, json=
(authorize : 1039)running /etc/acme/acme.sh done http-01 testing02.ft-dev.site DojvfvBnrETFRZiMEpuMHw6mSHcHzJKP1ZzVYnp1UDw DojvfvBnrETFRZiMEpuMHw6mSHcHzJKP1ZzVYnp1UDw.YuDQoq9bUCyLuTf6l62dWbeU0GhGiw56oIv417dFplE
(cert_issue : 1333)polling order status at https://acme-v02.api.letsencrypt.org/acme/order/691661577/135897030346
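
The triage above can be run over a saved debug capture. The following Python is an added example, not part of the original article and not Fortinet code: it extracts each challenge object that follows an "acme_post: HTTP body:" line and maps its error type to the cause listed above. The function names, the CAUSES table, the port 80 then 443 heuristic and the sample text are assumptions constructed for illustration.

```python
import json

MARKER = "acme_post: HTTP body:"
# Likely causes, following the article's pairing of error type and cause.
CAUSES = {
    "dns": "hostname does not resolve (no A/AAAA record)",
    "connection": "DNS may point to the wrong address, or port 80 is unreachable",
}

def challenges(debug_text):
    """Yield every challenge object that follows an 'HTTP body:' debug line."""
    decoder, pos = json.JSONDecoder(), 0
    while (pos := debug_text.find(MARKER, pos)) != -1:
        start = debug_text.find("{", pos)
        if start == -1:
            return
        try:
            obj, pos = decoder.raw_decode(debug_text, start)
        except json.JSONDecodeError:
            pos = start + 1  # truncated capture: skip it and keep scanning
            continue
        if isinstance(obj, dict) and "token" in obj:  # challenge objects only
            yield obj

def diagnose(ch):
    """Map one challenge object to the likely cause."""
    if ch.get("status") == "valid":
        return "validated"
    err = (ch.get("error") or {}).get("type", "")
    kind = err.rsplit(":", 1)[-1]  # urn:ietf:params:acme:error:dns -> dns
    # Validator started on port 80 and was sent to 443: a redirect is in the path.
    ports = [r.get("port") for r in ch.get("validationRecord", [])]
    if kind == "unauthorized" and ports[:1] == ["80"] and "443" in ports[1:]:
        return "HTTP-to-HTTPS redirection is probably enabled on the policy"
    return CAUSES.get(kind, f"unclassified: {err or ch.get('status')}")

# Constructed sample in the shape of the debug output above (not a real capture).
SAMPLE = """(acme_post : 737)acme_post: HTTP body:
{
"type": "http-01", "status": "invalid", "token": "CONSTRUCTED-TOKEN",
"error": {"type": "urn:ietf:params:acme:error:unauthorized", "status": 403},
"validationRecord": [{"port": "80"}, {"port": "443"}]
}
"""

if __name__ == "__main__":
    for ch in challenges(SAMPLE):
        print(ch["status"], "->", diagnose(ch))
```

An "unclassified" result means the error type is not one of the cases this article covers; read the detail field of that challenge directly.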