[contribteam] [Bug 10399] status 400 - Challenge is invalid! - acme error connection - Renewal fails

Sun, 30 Jul 2017 01:02:45 -0700 

https://bugs.contribs.org/show_bug.cgi?id=10399

--- Comment #21 from Stefan Schulz <[email protected]> ---
As I reported server is behind a firewall. Server is definitely whitelistet in
web-proxy filter.

Disabling following rules leads to success:

in NAT port forward
- redirect traffic to proxy from port 80

in LAN
- IP4 and IP6 Block http bypass set to disabled from port 80 and 443
- IP4 TCP NAT redirect traffic to proxy set to disabled
- IP4 and IP6 Default allow LAN to any rule set to enabled


Running with this settings dehydrated -c -x leads to success:

# dehydrated -c -x
# INFO: Using main config file /etc/dehydrated/config
Processing ivbonline.de with alternative names: mail.ivbonline.de
saturn.ivbonline.de www.ivbonline.de
 + Checking domain name(s) of existing cert... changed!
 + Domain name(s) are not matching!
 + Names in old certificate: ftp.ivbonline.de ivbonline.de mail.ivbonline.de
proxy.ivbonline.de saturn.ivbonline.de wpad.ivbonline.de www.ivbonline.de
 + Configured names: ivbonline.de mail.ivbonline.de saturn.ivbonline.de
www.ivbonline.de
 + Forcing renew.
 + Checking expire date of existing cert...
 + Valid till Aug 18 20:19:00 2017 GMT (Less than 30 days). Renewing!
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting challenge for ivbonline.de...
 + Already validated!
 + Requesting challenge for mail.ivbonline.de...
 + Already validated!
 + Requesting challenge for saturn.ivbonline.de...
 + Already validated!
 + Requesting challenge for www.ivbonline.de...
 + Already validated!
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
Set up modSSL db keys
Signal events
All complete
 + Done!

I'll revert my firewall settings now, but I'd like to know, why do I have to
open/alter/disable the rules for letsencrypt for the renewal?

Anybody with a pfsense or opnsense firewall in front of the server? Maybe?

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
_______________________________________________
Mail for each SME Contribs bug report
To unsubscribe, e-mail [email protected]
Searchable archive at https://lists.contribs.org/mailman/public/contribteam/

Reply via email to