natemcmaster / LettuceEncrypt

Free, automatic HTTPS certificate generation for ASP.NET Core web apps
https://nuget.org/packages/LettuceEncrypt
Apache License 2.0

Failed to validate ownership of domainName 'barbarosa.ge'. Reason: urn:ietf:params:acme:error:connection: Timeout during connect (likely firewall problem), Code = BadRequest #208

Closed petre-c closed 2 years ago

petre-c commented 2 years ago

I'm getting the error:
Failed to validate ownership of domainName 'barbarosa.ge'. Reason: urn:ietf:params:acme:error:connection: Timeout during connect (likely firewall problem), Code = BadRequest #208

Here's the docker command I am issuing on my Debian 10 (Linode) server with its output:
root@li1418-221:/docker/barbarosa# docker run -p 80:80 -p 443:443 -e "ASPNETCORE_ENVIRONMENT=Production" -e ASPNETCORE_URLS="http://+;https://+" -e ASPNETCORE_HTTPS_PORT=443   --mount type=bind,source=/docker/barbarosa/root/.aspnet,target=/root/.aspnet   --mount type=bind,source=/docker/barbarosa/x509stores/,target=/root/.dotnet/corefx/cryptography/x509stores/   registry.gitlab.com/appifysheets/mrda1/barbarosa
trce: LettuceEncrypt.Internal.AcmeCertificateLoader[0]
      ACME state transition: moving to ServerStartupState
trce: LettuceEncrypt.Internal.AcmeCertificateLoader[0]
      ACME state transition: moving to BeginCertificateCreationState
trce: LettuceEncrypt.Internal.AcmeCertificateFactory[0]
      Looking for account information in /app/accounts/acme-v02.api.letsencrypt.org/directory
dbug: LettuceEncrypt.Internal.AcmeCertificateFactory[0]
      Could not find account information in /app/accounts/acme-v02.api.letsencrypt.org/directory
info: LettuceEncrypt.Internal.AcmeClient[0]
      Using certificate authority https://acme-v02.api.letsencrypt.org/directory
trce: LettuceEncrypt.Internal.AcmeClient[0]
      ACMEv2 action: FetchTOS
trce: LettuceEncrypt.Internal.TermsOfServiceChecker[0]
      Terms of service has been accepted per configuration options
info: LettuceEncrypt.Internal.AcmeCertificateFactory[0]
      Creating new account for petre.chitashvili@appifysheets.com
trce: LettuceEncrypt.Internal.AcmeClient[0]
      ACMEv2 action: NewAccount
info: Microsoft.Hosting.Lifetime[0]
      Now listening on: http://[::]:80
info: Microsoft.Hosting.Lifetime[0]
      Now listening on: https://[::]:443
info: Microsoft.Hosting.Lifetime[0]
      Application started. Press Ctrl+C to shut down.
info: Microsoft.Hosting.Lifetime[0]
      Hosting environment: Production
info: Microsoft.Hosting.Lifetime[0]
      Content root path: /app
trce: LettuceEncrypt.Internal.AcmeCertificateFactory[0]
      Saving account information to /app/accounts/acme-v02.api.letsencrypt.org/directory/133783041.json
dbug: LettuceEncrypt.Internal.AcmeCertificateFactory[0]
      Saved account information to /app/accounts/acme-v02.api.letsencrypt.org/directory/133783041.json
info: LettuceEncrypt.Internal.AcmeStates.ServerStartupState[0]
      Using account 133783041
info: LettuceEncrypt.Internal.AcmeStates.ServerStartupState[0]
      Creating certificate for barbarosa.ge
trce: LettuceEncrypt.Internal.AcmeClient[0]
      ACMEv2 action: FetchOrderList
trce: LettuceEncrypt.Internal.AcmeClient[0]
      ACMEv2 action: FetchOrderDetails, (null)
dbug: LettuceEncrypt.Internal.AcmeCertificateFactory[0]
      Creating new order for a certificate
trce: LettuceEncrypt.Internal.AcmeClient[0]
      ACMEv2 action: NewOrder
trce: LettuceEncrypt.Internal.AcmeClient[0]
      ACMEv2 action: FetchAuthorizations, https://acme-v02.api.letsencrypt.org/acme/order/133783041/11610560831
trce: LettuceEncrypt.Internal.AcmeClient[0]
      ACMEv2 action: FetchAuthorizationDetails, https://acme-v02.api.letsencrypt.org/acme/authz-v3/15470041821
dbug: LettuceEncrypt.Internal.AcmeCertificateFactory[0]
      Requesting authorization to create certificate for barbarosa.ge
trce: LettuceEncrypt.Internal.AcmeClient[0]
      ACMEv2 action: CreateChallenge, https://acme-v02.api.letsencrypt.org/acme/authz-v3/15470041821
trce: LettuceEncrypt.Internal.TlsAlpnChallengeResponder[0]
      Creating ALPN self-signed cert for barbarosa.ge and key authz 6DJJu3aZyAAdhqJrWtPT8vr0ZETjlVgqQcae2BOGUac.pUyROTeskdFSQ9BhUgnVjqmB1ypye70oAlogWhjFS3g
trce: LettuceEncrypt.Internal.AcmeCertificateFactory[0]
      Waiting for server to start accepting HTTP requests
trce: LettuceEncrypt.Internal.AcmeCertificateFactory[0]
      Requesting server to validate TLS/ALPN challenge
trce: LettuceEncrypt.Internal.AcmeClient[0]
      ACMEv2 action: ValidateChallenge, https://acme-v02.api.letsencrypt.org/acme/chall-v3/15470041821/utdUPA
trce: LettuceEncrypt.Internal.AcmeClient[0]
      ACMEv2 action: FetchAuthorizationDetails, https://acme-v02.api.letsencrypt.org/acme/authz-v3/15470041821
trce: LettuceEncrypt.Internal.AcmeCertificateFactory[0]
      ACMEv2 action: GetAuthorization
trce: LettuceEncrypt.Internal.AcmeClient[0]
      ACMEv2 action: FetchAuthorizationDetails, https://acme-v02.api.letsencrypt.org/acme/authz-v3/15470041821
trce: LettuceEncrypt.Internal.AcmeCertificateFactory[0]
      ACMEv2 action: GetAuthorization
trce: LettuceEncrypt.Internal.AcmeClient[0]
      ACMEv2 action: FetchAuthorizationDetails, https://acme-v02.api.letsencrypt.org/acme/authz-v3/15470041821
trce: LettuceEncrypt.Internal.AcmeCertificateFactory[0]
      ACMEv2 action: GetAuthorization
trce: LettuceEncrypt.Internal.AcmeClient[0]
      ACMEv2 action: FetchAuthorizationDetails, https://acme-v02.api.letsencrypt.org/acme/authz-v3/15470041821
trce: LettuceEncrypt.Internal.AcmeCertificateFactory[0]
      ACMEv2 action: GetAuthorization
trce: LettuceEncrypt.Internal.AcmeClient[0]
      ACMEv2 action: FetchAuthorizationDetails, https://acme-v02.api.letsencrypt.org/acme/authz-v3/15470041821
trce: LettuceEncrypt.Internal.AcmeCertificateFactory[0]
      ACMEv2 action: GetAuthorization
trce: LettuceEncrypt.Internal.AcmeClient[0]
      ACMEv2 action: FetchAuthorizationDetails, https://acme-v02.api.letsencrypt.org/acme/authz-v3/15470041821
trce: LettuceEncrypt.Internal.AcmeCertificateFactory[0]
      ACMEv2 action: GetAuthorization
fail: LettuceEncrypt.Internal.AcmeCertificateFactory[0]
      Failed to validate ownership of domainName 'barbarosa.ge'. Reason: urn:ietf:params:acme:error:connection: Timeout during connect (likely firewall problem), Code = BadRequest
trce: LettuceEncrypt.Internal.TlsAlpnChallengeResponder[0]
      Clearing ALPN cert for barbarosa.ge
dbug: LettuceEncrypt.Internal.AcmeCertificateFactory[0]
      Validation with TlsAlpn01DomainValidator failed with error: Failed to validate ownership of domainName 'barbarosa.ge'
      System.InvalidOperationException: Failed to validate ownership of domainName 'barbarosa.ge'
         at LettuceEncrypt.Internal.DomainOwnershipValidator.WaitForChallengeResultAsync(IAuthorizationContext authorizationContext, CancellationToken cancellationToken)
         at LettuceEncrypt.Internal.TlsAlpn01DomainValidator.ValidateOwnershipAsync(IAuthorizationContext authzContext, CancellationToken cancellationToken)
         at LettuceEncrypt.Internal.AcmeCertificateFactory.ValidateDomainOwnershipAsync(IAuthorizationContext authorizationContext, CancellationToken cancellationToken)
trce: LettuceEncrypt.Internal.AcmeClient[0]
      ACMEv2 action: CreateChallenge, https://acme-v02.api.letsencrypt.org/acme/authz-v3/15470041821
dbug: LettuceEncrypt.Internal.AcmeCertificateFactory[0]
      Validation with Http01DomainValidator failed with error: Did not receive challenge information for challenge type http-01
      System.InvalidOperationException: Did not receive challenge information for challenge type http-01
         at LettuceEncrypt.Internal.Http01DomainValidator.PrepareHttpChallengeResponseAsync(IAuthorizationContext authorizationContext, CancellationToken cancellationToken)
         at LettuceEncrypt.Internal.Http01DomainValidator.ValidateOwnershipAsync(IAuthorizationContext authzContext, CancellationToken cancellationToken)
         at LettuceEncrypt.Internal.AcmeCertificateFactory.ValidateDomainOwnershipAsync(IAuthorizationContext authorizationContext, CancellationToken cancellationToken)
fail: LettuceEncrypt.Internal.AcmeStates.ServerStartupState[0]
      Failed to automatically create a certificate for barbarosa.ge
      System.InvalidOperationException: Failed to validate ownership of domainName 'barbarosa.ge'
         at LettuceEncrypt.Internal.AcmeCertificateFactory.ValidateDomainOwnershipAsync(IAuthorizationContext authorizationContext, CancellationToken cancellationToken)
         at LettuceEncrypt.Internal.AcmeCertificateFactory.CreateCertificateAsync(CancellationToken cancellationToken)
         at LettuceEncrypt.Internal.AcmeStates.BeginCertificateCreationState.MoveNextAsync(CancellationToken cancellationToken)
fail: LettuceEncrypt.Internal.AcmeCertificateLoader[0]
      ACME state machine encountered unhandled error
      System.InvalidOperationException: Failed to validate ownership of domainName 'barbarosa.ge'
         at LettuceEncrypt.Internal.AcmeCertificateFactory.ValidateDomainOwnershipAsync(IAuthorizationContext authorizationContext, CancellationToken cancellationToken)
         at LettuceEncrypt.Internal.AcmeCertificateFactory.CreateCertificateAsync(CancellationToken cancellationToken)
         at LettuceEncrypt.Internal.AcmeStates.BeginCertificateCreationState.MoveNextAsync(CancellationToken cancellationToken)
         at LettuceEncrypt.Internal.AcmeCertificateLoader.ExecuteAsync(CancellationToken stoppingToken)

Startup.cs adds to ConfigureServices:

services.AddLettuceEncrypt();

Program.cs:

  public static IHostBuilder CreateHostBuilder(string[] args) =>
      Host.CreateDefaultBuilder(args)
          .ConfigureWebHostDefaults(webBuilder =>
          {
              webBuilder.UseStartup<Startup>();

              webBuilder.UseKestrel(k =>
              {
                  var appServices = k.ApplicationServices;
                  k.ConfigureHttpsDefaults(h =>
                  {
                      // Every TLS client must present a client certificate
                      h.ClientCertificateMode = ClientCertificateMode.RequireCertificate;
                      h.UseLettuceEncrypt(appServices);
                  });
              });
          });

appsettings.json:

  "LettuceEncrypt": {
    "AcceptTermsOfService": true,
    "DomainNames": [ "barbarosa.ge" ],
    "EmailAddress": "petre.chitashvili@appifysheets.com"
  },

petre-c commented 2 years ago

I can telnet to port 443 on barbarosa.ge and HTTP://barbarosa.ge is accessible

natemcmaster commented 2 years ago

I assume this is the problem:

h.ClientCertificateMode = ClientCertificateMode.RequireCertificate;

This is configuring your server to require Let's Encrypt to connect to your server using a client certificate, but they don't have one, so they can't verify domain ownership in order to issue you a server certificate.

Try using Http01 instead https://github.com/natemcmaster/LettuceEncrypt#changing-which-challenge-types-are-used
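An added example (not code from this issue or from the LettuceEncrypt samples) putting the ConfigureHttpsDefaults block from the report next to two settings that let the ACME validator complete its connection; the AllowedChallengeTypes option and the ChallengeType enum used for the http-01-only variant are assumed from the README section linked above, and the Startup class from the report is replaced by an inline ConfigureServices call.

```csharp
using LettuceEncrypt;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Server.Kestrel.Https;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

// Added example, not the issue reporter's or the project's own code.
// Either of the two changes below is enough on its own; they are shown together.
public static class Program
{
    public static void Main(string[] args) => CreateHostBuilder(args).Build().Run();

    public static IHostBuilder CreateHostBuilder(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureWebHostDefaults(webBuilder =>
            {
                webBuilder.ConfigureServices(services =>
                {
                    // Assumed option name (README "Changing which challenge types are
                    // used"): restrict validation to http-01 so the CA proves ownership
                    // over port 80 and never has to finish a TLS handshake on port 443.
                    services.AddLettuceEncrypt(o => o.AllowedChallengeTypes = ChallengeType.Http01);
                });

                webBuilder.UseKestrel(k =>
                {
                    var appServices = k.ApplicationServices;
                    k.ConfigureHttpsDefaults(h =>
                    {
                        // Broken (setting from the report): Kestrel aborts any handshake
                        // in which the peer presents no client certificate. The Let's
                        // Encrypt validator has none, so its tls-alpn-01 connection is
                        // torn down and the CA reports "Timeout during connect".
                        // h.ClientCertificateMode = ClientCertificateMode.RequireCertificate;

                        // Working: NoCertificate (Kestrel's default) never asks for one.
                        // If the application itself needs mutual TLS, AllowCertificate
                        // requests a client certificate but still completes the handshake
                        // when none is sent, so the validator gets through; the presence
                        // of a certificate is then enforced per request in the app.
                        h.ClientCertificateMode = ClientCertificateMode.AllowCertificate;
                        h.UseLettuceEncrypt(appServices);
                    });
                });
            });
}
```

A TCP connect (telnet) to port 443 succeeding says nothing about this failure: the socket opens, and it is the TLS handshake that Kestrel rejects once no client certificate arrives.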

petre-c commented 2 years ago

Oh, that is good to know!

Actually, I copied that from here - https://github.com/natemcmaster/LettuceEncrypt/blob/cd68f74586f2aba4dce1d25db4762de1457ee65f/samples/Web/Program.cs#L34

I ended up obtaining certificates using a certbot on the host machine and supplied certificates to the docker container via mounts.

I'll close the issue for now and reopen it as needed.

Thank you, Nate, and have a good day!

natemcmaster commented 2 years ago

Good to know. I think the part of the sample that you might have missed is https://github.com/natemcmaster/LettuceEncrypt/blob/cd68f74586f2aba4dce1d25db4762de1457ee65f/samples/Web/Program.cs#L25-L27

Glad you figured it out.

petre-c commented 2 years ago

Oh, right... I remember seeing that but chose to ignore it for no other reason but because I'm a fool 🙂

Thank you again, Nate.