
Let's Encrypt certificate generation or renewal issues


Information


Summary:

Issues with generation or renewal of Let's Encrypt certificates on the LoadMaster.

Environment:

Product: LoadMaster

Version: 7.2.57

Platform: 

Application:

Question/Problem Description:

Creating or renewing a Let's Encrypt certificate on the LoadMaster fails with an ACME validation error that ends in (code: 13).

Steps to Reproduce:  
Error Message (the real hostname has been replaced by the <yourdomain.com> placeholder throughout):

  Acme: Validation failed for {"type": "dns", "value": "<yourdomain.com>"}:
  {
    "type": "http-01",
    "status": "invalid",
    "error": {
      "type": "urn:ietf:params:acme:error:unauthorized",
      "detail": "Invalid response from http://<yourdomain.com>/.well-known/acme-challenge/Xe-qt2y65NG7VXuu6dzyCjcKfMJ6sqK0Z36pv5zm200 [199.199.199.199]: 503",
      "status": 403
    },
    "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/96069950940/Oter2g",
    "token": "Xe-qt2y65NG7VXuu6dzyCjcKfMJ6sqK0Z36pv5zm200",
    "validationRecord": [
      {
        "url": "http://<yourdomain.com>/.well-known/acme-challenge/Xe-qt2y65NG7VXuu6dzyCjcKfMJ6sqK0Z36pv5zm200",
        "hostname": "<yourdomain.com>",
        "port": "80",
        "addressesResolved": [ "199.199.199.199" ],
        "addressUsed": "199.199.199.199"
      }
    ],
    "validated": "2022-04-08T08:20:50Z"
  } (code: 13)

How to read this message: the "detail" field records what the Let's Encrypt validation server received when it fetched the challenge URL from the public address on port 80, here an HTTP 503 from the virtual service. The "status": 403 is the status of the ACME error object itself, not of your service. "validationRecord" shows which hostname, port and resolved address were probed, which is the first thing to compare against your public DNS and firewall configuration.
Defect Number:  
Enhancement Number:  
Cause:

Possible causes for the error:

  1. A Palo Alto firewall firmware update, after which the Let's Encrypt HTTP-01 challenge traffic is no longer permitted by the existing security policy.
  2. A firewall blocking incoming requests on port 80 and 443 from public IP addresses (the Let's Encrypt validation servers).
  3. Port 80 is open, but no redirect from the port 80 service to the port 443 service is in place.
  4. Real servers are attached directly to the port 80 or 443 virtual service instead of to a SubVS.
  5. No public DNS entry exists for the domain name of the virtual service.
Resolution:

Please verify the following:

  1. On a Palo Alto firewall, the security policy must allow the "acme-protocol" App-ID as well as "web-browsing", for both the outbound connection from the LoadMaster (LM) to the ACME API and the inbound connections from the Let's Encrypt servers to the virtual service. After a PAN-OS update the challenge traffic can be identified as acme-protocol rather than plain web-browsing, so a rule that only allows web-browsing starts dropping it.
  2. Let's Encrypt validates from multiple vantage points (multi-perspective validation), so the virtual service must be reachable from any public IP address on port 80, and also on port 443 if port 80 redirects to HTTPS. Do not restrict the challenge path to a fixed list of source addresses; Let's Encrypt does not publish its validation IPs. See https://letsencrypt.org/2020/02/19/multi-perspective-validation.html
  3. If port 80 is open, configure a redirect from the port 80 virtual service to the port 443 service; the validator follows the redirect and completes the challenge over HTTPS.
  4. Make sure the real servers are in a Sub Virtual Service (SubVS) on the port 80 or 443 offloaded/re-encrypted service, even if it is the only SubVS in that virtual service. The Let's Encrypt process temporarily creates its own SubVS to answer the HTTP-01 challenge and removes it directly afterwards; this is not possible when real servers are attached directly to the virtual service.
  5. The public DNS record for the domain must resolve to the public address of the virtual service before the certificate is requested; Let's Encrypt resolves the name from the public Internet, so an internal-only record is not sufficient.


If the issue persists after the recommended checks have been verified, please contact the customer support line for further assistance.
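The following is an added example written for this article, not LoadMaster or Kemp code. It parses the "Acme: Validation failed for ..." message shown above, separates the HTTP status the validator actually received from the ACME error's own status, and maps the result onto the numbered causes in the checklist. It also includes a live pre-flight probe of the challenge path that you can run from outside your perimeter before retrying. The sample message is constructed from the one in this article with the hostname replaced by www.example.com; the function names, the cause mapping and the probe token are assumptions of this example.

```python
"""Offline triage of a LoadMaster Let's Encrypt HTTP-01 failure.

Hypothetical helper written for this article, not LoadMaster or Kemp code.
"""
import json
import re
import socket
import urllib.request
from urllib.error import HTTPError, URLError

# "detail" of an unauthorized error names the URL fetched, the address used and the
# HTTP status that address returned, e.g.
#   Invalid response from http://host/.well-known/acme-challenge/TOKEN [1.2.3.4]: 503
DETAIL_RE = re.compile(r"Invalid response from (?P<url>\S+) \[(?P<ip>[^\]]+)\]: (?P<status>\d{3})")

# Constructed sample: the message from the article with the real hostname replaced
# by www.example.com (IP and token kept as printed there).
SAMPLE_MESSAGE = (
    'Acme: Validation failed for {"type": "dns","value": "www.example.com"}: '
    '{ "type": "http-01", "status": "invalid", '
    '"error": { "type": "urn:ietf:params:acme:error:unauthorized", '
    '"detail": "Invalid response from http://www.example.com/.well-known/acme-challenge/'
    'Xe-qt2y65NG7VXuu6dzyCjcKfMJ6sqK0Z36pv5zm200 [199.199.199.199]: 503", "status": 403 }, '
    '"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/96069950940/Oter2g", '
    '"token": "Xe-qt2y65NG7VXuu6dzyCjcKfMJ6sqK0Z36pv5zm200", '
    '"validationRecord": [ { "url": "http://www.example.com/.well-known/acme-challenge/'
    'Xe-qt2y65NG7VXuu6dzyCjcKfMJ6sqK0Z36pv5zm200", "hostname": "www.example.com", '
    '"port": "80", "addressesResolved": [ "199.199.199.199" ], '
    '"addressUsed": "199.199.199.199" } ], "validated": "2022-04-08T08:20:50Z" } (code: 13)'
)


def parse_failure(message: str) -> dict:
    """Pull the identifier and challenge objects out of the log line.

    The line carries two JSON objects back to back (identifier, then challenge),
    so raw_decode is walked along the string instead of json.loads on the whole."""
    dec = json.JSONDecoder()
    identifier, end = dec.raw_decode(message, message.index("{"))
    challenge, _ = dec.raw_decode(message, message.index("{", end))
    err = challenge.get("error") or {}
    rec = (challenge.get("validationRecord") or [{}])[0]
    m = DETAIL_RE.search(err.get("detail", ""))
    return {
        "identifier": identifier.get("value"),
        "challenge": challenge.get("type"),
        "acme_error": err.get("type"),
        "acme_status": err.get("status"),  # status of the ACME error object (403 here)
        "origin_status": int(m.group("status")) if m else None,  # what the validator got back (503)
        "url": m.group("url") if m else rec.get("url"),
        "hostname": rec.get("hostname"),
        "port": rec.get("port"),
        "addresses_resolved": rec.get("addressesResolved", []),
        "address_used": rec.get("addressUsed") or (m.group("ip") if m else None),
    }


def likely_causes(info: dict) -> list:
    """Map the parsed failure onto the checklist items (numbers refer to the list above)."""
    causes = []
    err = info["acme_error"] or ""
    status = info["origin_status"]
    if err.endswith(":dns") or not info["addresses_resolved"]:
        causes.append("5: the name does not resolve publicly, create the DNS record first")
    if err.endswith(":connection"):
        causes.append("1/2: port 80 is not reachable from the public Internet "
                      "(firewall rule, or Palo Alto App-ID 'acme-protocol' not allowed)")
    if status == 503:
        causes.append("4: the virtual service answered 503, nothing behind it could serve "
                      "the challenge path; move the real servers into a SubVS and retry")
    elif status == 404:
        causes.append("3/5: the address answered but does not serve the challenge path; "
                      "check the port 80 redirect and that DNS points at this virtual service")
    elif status in (401, 403):
        causes.append("2: the challenge path is being blocked in front of the service")
    return causes or ["unclassified: work through the checklist above"]


def probe_challenge_path(hostname: str, timeout: float = 5.0) -> dict:
    """Live pre-flight check, run from OUTSIDE the perimeter (not used by the offline sample).

    Resolves the name and fetches a bogus token under /.well-known/acme-challenge/,
    following redirects as the Let's Encrypt validator does. A 404 is the healthy
    answer for an unknown token; a 503, a 403 or a connection error reproduces the
    failure without spending one of the rate-limited real attempts."""
    result = {"hostname": hostname, "addresses": [], "status": None, "error": None}
    try:
        result["addresses"] = sorted({ai[4][0] for ai in socket.getaddrinfo(hostname, 80)})
    except socket.gaierror as exc:
        result["error"] = f"dns: {exc}"
        return result
    url = f"http://{hostname}/.well-known/acme-challenge/probe-not-a-real-token"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            result["status"] = resp.status
    except HTTPError as exc:
        result["status"] = exc.code
    except (URLError, OSError) as exc:
        result["error"] = f"connect: {exc}"
    return result


if __name__ == "__main__":
    info = parse_failure(SAMPLE_MESSAGE)
    print(f"{info['hostname']} ({info['address_used']}:{info['port']}) returned "
          f"{info['origin_status']}; ACME error {info['acme_error']} status {info['acme_status']}")
    for cause in likely_causes(info):
        print(" -", cause)
```

Run the script as-is to triage the sample; to triage your own failure, paste the full line from the LoadMaster log into parse_failure(). Call probe_challenge_path("<yourdomain.com>") from a host outside your network (a cloud VM or a mobile connection) to confirm that the name resolves publicly and that the challenge path answers 404 rather than 503 or a connection error before retrying the certificate request.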

Workaround:  
Notes:

Let's Encrypt deployment guide:

https://support.kemptechnologies.com/hc/en-us/articles/6600408705165-Let-s-Encrypt

