300 Multiple Choices

Lansalot · June 12, 2017, 12:52pm

Hi
I just wanted to let you know that I’ve been troubleshooting an issue this morning with a host that previously renewed OK. The error message was as follows:

Attempting to renew cert from /etc/letsencrypt/renewal/{mydomain}.com.conf produced an unexpected error:

Failed authorization procedure. {mydomain}.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://{mdomain}.com/.well-known/acme-challenge/OkKx4TkuhVp3gl9x6mMazWm31Ojg7N_CaVHPDeuhobw: "
300 Multiple Choices
Multiple C". Skipping.

Not much on the web about 300 Multiple Choices errors, especially in relation to Certbot / LE. Even running manually gave the same error.

I was just about to post a help request when I saw the issues with Plesk and it made me think - and I checked - and our DNS provider has a default AAAA record. So although our A record was spot on and I could correctly browse to http://{mydomain}.com/.well-known/acme-challenge/test.txt so I know it was right - I hadn’t considered that the Acme servers may be attempting to contact a different server that I was.

Removing the erroneous AAAA record has allowed the renewal to process correctly and immediately.

Hope this helps someone else in the future.

It might be useful to have a command line switch to allow to specify that the server should check using IPv4 only, rather than assuming that if an IPv6 address exists that it’s correct.

Thanks

schoen · June 12, 2017, 4:37pm

Hi @Lansalot,

I'm glad you were able to resolve your problem.

I think the CA folks' thinking on this is that if you advertise an AAAA record, you're staring that the site should be accessible there and that this is a valid way to reach it. Remember that the CA does not know you are you, as opposed to someone impersonating you. Since the whole point of the domain control validations performed with ACME challenges is checking whether the person requesting the certificate is or is not authorized, we don't want to give them arbitrary power to contradict the DNS data or further control the validation process, particularly in the face of concerns about DNS and routing attacks against CA validation. (Otherwise, for example, an attacker who can control IPv4 routes but not IPv6 routes can falsely assert that the IPv6 routes are erroneous.)

Also, I think we want to encourage IPv6 adoption and use (although I'd admit that encountering it this way has often led people to disable it).

system · July 12, 2017, 4:37pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.