This article describes how to troubleshoot ‘Let’s Encrypt’.
Table of Contents
- Scope
- Solution
- Enable ‘Let’s Encrypt’ debug command.
- To disable the debug.
- Common debug outputs containing ‘Let’s Encrypt’ validation response.
- Hostname DNS unresolve.
- The hostname has possibly the wrong DNS pointing.
- Policy possibly enabled HTTP-to-HTTPS redirection.
- ‘Let’s Encrypt’ successfully validated and cert issuing.
Scope
FortiWeb version 7.0 and later.
Solution
Enable ‘Let’s Encrypt’ debug command.
Use the following diagnose commands to identify Let’s Encrypt issue.
These commands enable debugging of Let’s Encrypt with the highest debug level of 7.
# diagnose debug application acmed 7
# diagnose debug enableThe CLI may not display any debug output messages.
Triggering the ‘Let’s Encrypt Issue’ shall initiate the diagnose debug.
# (acme_msg_process : 143)recv msg, msg type: 0
(acme_cert_valid_and_issue : 1558)acme: renewal period 30
(acme_cert_valid_and_issue : 1559)acme: domain name testing02.ft-dev.site
(acme_cert_valid_and_issue : 1560)acme: domain size 0
(acme_cert_valid_and_issue : 1561)acme: name testing02.ft-dev.site
(key_load : 963)loading key from /etc/acme/private/testing02.ft-dev.site/key.pem.tmp
(key_load : 983)/etc/acme/private/testing02.ft-dev.site/key.pem.tmp not found
(key_gen : 870)generating new 2048-bit RSA key
(key_gen : 934)key saved to /etc/acme/private/testing02.ft-dev.site/key.pem.tmp
(acme_cert_valid_and_issue : 1640)checking existence and expiration of /etc/acme/testing02.ft-dev.site/cert.pem
(cert_load : 1282)/etc/acme/testing02.ft-dev.site/cert.pem does not exist
(cert_issue : 1300)creating new order for testing02.ft-dev.site at https://acme-v02.api.letsencrypt.org/acme/new-orderTo disable the debug.
# diagnose debug application acmed 7
# diagnose debug enableCommon debug outputs containing ‘Let’s Encrypt’ validation response.
Hostname DNS unresolve.
(acme_post : 737)acme_post: HTTP body:
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:dns",
"detail": "DNS problem: NXDOMAIN looking up A for testing02.ft-dev.site - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for testing02.ft-dev.site - check that a DNS record exists for this domain",
"status": 400
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/166188661986/XGIUPQ",
"token": "RzsSDrDFjf0nKNgfuGAmSuIohYdc1I-rKgh9i4tMUCk",
"validated": "2022-10-19T03:44:25Z"
}
(acme_log_err_event_process_inner_json : 583)acme_log_err_event_process_inner_json: type = urn:ietf:params:acme:error:dns, detail = DNS problem: NXDOMAIN looking up A for testing02.ft-dev.site - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for testing02.ft-dev.site - check that a DNS record exists for this domain
(acme_post : 742)acme_post: return code 200, json=
(authorize : 1025)challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/166188661986/XGIUPQ failed with status invalidThe hostname has possibly the wrong DNS pointing.
(acme_post : 737)acme_post: HTTP body:
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:connection",
"detail": "1.2.3.4: Fetching http://testing02.ft-dev.site/.well-known/acme-challenge/ef3bjXjlG8qCowQQQ8DSpqBLKskyCI4WvWf-TSRmQDM: Timeout during connect (likely firewall problem)",
"status": 400
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/166190614196/VPLZMQ",
"token": "ef3bjXjlG8qCowQQQ8DSpqBLKskyCI4WvWf-TSRmQDM",
"validationRecord": [
{
"url": "http://testing02.ft-dev.site/.well-known/acme-challenge/ef3bjXjlG8qCowQQQ8DSpqBLKskyCI4WvWf-TSRmQDM",
"hostname": "testing02.ft-dev.site",
"port": "80",
"addressesResolved": [
"1.2.3.4"
],
"addressUsed": "1.2.3.4"
}
],
"validated": "2022-10-19T03:52:21Z"
}
(acme_log_err_event_process_inner_json : 583)acme_log_err_event_process_inner_json: type = urn:ietf:params:acme:error:connection, detail = 1.2.3.4: Fetching http://testing02.ft-dev.site/.well-known/acme-challenge/ef3bjXjlG8qCowQQQ8DSpqBLKskyCI4WvWf-TSRmQDM: Timeout during connect (likely firewall problem)
(acme_post : 742)acme_post: return code 200, json=
(authorize : 1025)challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/166190614196/VPLZMQ failed with status invalidPolicy possibly enabled HTTP-to-HTTPS redirection.
(acme_post : 737)acme_post: HTTP body:
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "123.123.123.123: Invalid response from https://testing02.ft-dev.site:443/.well-known/acme-challenge/OiG3iBgsv8aZ5FX3Nxnc0uLbI2Q8BqWIPzuKex_AdiY: 503",
"status": 403
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/166192102376/x1UyUw",
"token": "OiG3iBgsv8aZ5FX3Nxnc0uLbI2Q8BqWIPzuKex_AdiY",
"validationRecord": [
{
"url": "http://testing02.ft-dev.site/.well-known/acme-challenge/OiG3iBgsv8aZ5FX3Nxnc0uLbI2Q8BqWIPzuKex_AdiY",
"hostname": "testing02.ft-dev.site",
"port": "80",
"addressesResolved": [
"123.123.123.123"
],
"addressUsed": "123.123.123.123"
},
{
"url": "https://testing02.ft-dev.site:443/.well-known/acme-challenge/OiG3iBgsv8aZ5FX3Nxnc0uLbI2Q8BqWIPzuKex_AdiY",
"hostname": "testing02.ft-dev.site",
"port": "443",
"addressesResolved": [
"123.123.123.123"
],
"addressUsed": "123.123.123.123"
}
],
"validated": "2022-10-19T03:57:51Z"
}
(acme_log_err_event_process_inner_json : 583)acme_log_err_event_process_inner_json: type = urn:ietf:params:acme:error:unauthorized, detail = 123.123.123.123: Invalid response from https://testing02.ft-dev.site:443/.well-known/acme-challenge/OiG3iBgsv8aZ5FX3Nxnc0uLbI2Q8BqWIPzuKex_AdiY: 503
(acme_post : 742)acme_post: return code 200, json=
(authorize : 1025)challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/166192102376/x1UyUw failed with status invalid‘Let’s Encrypt’ successfully validated and cert issuing.
(acme_post : 737)acme_post: HTTP body:
{
"type": "http-01",
"status": "valid",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/166192382666/rGdUAw",
"token": "DojvfvBnrETFRZiMEpuMHw6mSHcHzJKP1ZzVYnp1UDw",
"validationRecord": [
{
"url": "http://testing02.ft-dev.site/.well-known/acme-challenge/DojvfvBnrETFRZiMEpuMHw6mSHcHzJKP1ZzVYnp1UDw",
"hostname": "testing02.ft-dev.site",
"port": "80",
"addressesResolved": [
"123.123.123.123"
],
"addressUsed": "123.123.123.123"
}
],
"validated": "2022-10-19T03:59:03Z"
}
(acme_post : 742)acme_post: return code 200, json=
(authorize : 1039)running /etc/acme/acme.sh done http-01 testing02.ft-dev.site DojvfvBnrETFRZiMEpuMHw6mSHcHzJKP1ZzVYnp1UDw DojvfvBnrETFRZiMEpuMHw6mSHcHzJKP1ZzVYnp1UDw.YuDQoq9bUCyLuTf6l62dWbeU0GhGiw56oIv417dFplE
(cert_issue : 1333)polling order status at https://acme-v02.api.letsencrypt.org/acme/order/691661577/135897030346