acme-client tries to create a filename containing "/"

My domain is: unidn.com

I ran this command:acme-client -vvv -c /mnt/enca/li0n/ssl/unidn.com/ -k /mnt/enca/li0n/ssl/unidn.com/privkey.pem -C ./acme-challenge/ -Nn unidn.com

It produced this output:

acme-client: transfer buffer: [{ "identifier": { "type": "dns", "value": "unidn.com" }, "status": "pending", "expires": "2019-08-11T21:15:18Z", "challenges": [ { "type": "tls-alpn-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/kEm4tFdtKW2_MwRz78xa388AoQr_rp-b-gQpi5-EMa4/19149761995", "token": "RoY2TPVtw8-td9hXz_n9cNTtNKsVu8VN1Ytp-tOOkZU" }, { "type": "http-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/kEm4tFdtKW2_MwRz78xa388AoQr_rp-b-gQpi5-EMa4/19149761996", "token": "59fsXapvpGv0Q7rU2HqYmC0lWmDSIXaUzgaTNwxXM14" }, { "type": "dns-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/kEm4tFdtKW2_MwRz78xa388AoQr_rp-b-gQpi5-EMa4/19149761997", "token": "KpbuxjEMLmkMEI5cx9hL5FCP1e2qT3uIbLlbbEnJOko" } ], "combinations": [ [ 0 ], [ 1 ], [ 2 ] ] }] (991 bytes)
acme-client: ./acme-challenge//59fsXapvpGv0Q7rU2HqYmC0lWmDSIXaUzgaTNwxXM14: created
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/kEm4tFdtKW2_MwRz78xa388AoQr_rp-b-gQpi5-EMa4/19149761996: challenge
acme-client: transfer buffer: [{ "type": "http-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/kEm4tFdtKW2_MwRz78xa388AoQr_rp-b-gQpi5-EMa4/19149761996", "token": "59fsXapvpGv0Q7rU2HqYmC0lWmDSIXaUzgaTNwxXM14", "keyAuthorization": "59fsXapvpGv0Q7rU2HqYmC0lWmDSIXaUzgaTNwxXM14.cKvYGkGNg69XJKQum_mhJwVERlLK9Q8-LxRYmYo-RYA" }] (337 bytes)
acme-client: https://acme-v01.api.letsencrypt.org/acme/challenge/kEm4tFdtKW2_MwRz78xa388AoQr_rp-b-gQpi5-EMa4/19149761996: status
acme-client: https://acme-v01.api.letsencrypt.org/acme/new-cert: bad HTTP: 403
acme-client: transfer buffer: [{ "type": "urn:acme:error:unauthorized", "detail": "Error creating new cert :: authorizations for these names not found or expired: unidn.com", "status": 403 }] (165 bytes)
acme-client: bad exit: netproc(58876): 1

Naturally, creating a filename containing "/" fails.
How do I solve this problem?

Hi @ka291

Where do you see such a problem?

Your output has the challenge url:

Checking that url

https://acme-v01.api.letsencrypt.org/acme/challenge/kEm4tFdtKW2_MwRz78xa388AoQr_rp-b-gQpi5-EMa4/19149761996

"Invalid response from http://unidn.com/.well-known/acme-challenge/59fsXapvpGv0Q7rU2HqYmC0lWmDSIXaUzgaTNwxXM14 [37.187.106.43]: "\nstatReq='/.well-known/acme-challenge/59fsXapvpGv0Q7rU2HqYmC0lWmDSIXaUzgaTNwxXM14';\n\nif (typeof statReq !== ""

The URL on your server is correct: your domain + /.well-known/acme-challenge/ + the token of your challenge.

But the content is wrong.

Checking that URL shows a blocking script:

Visible Content: 37.187.106.43, ARE YOU BOT? MicroHosting  is Safe & Fast HOSTING
Info: Html-Content with meta and/or script, may be a problem creating a Letsencrypt certificate using http-01 validation
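<html><head>
<!--
  Bot-detection interstitial the hoster serves in front of the requested path,
  here /.well-known/acme-challenge/<token>. A client that does not execute
  JavaScript (the Let's Encrypt http-01 validator is one) gets this page
  instead of the challenge token, which is why the challenge fails.
  The script collects viewport, screen and navigator details, sends them to
  /index.php and reloads the page once the server answers "SUCCESS".
-->
<script>
// Path the visitor asked for. Declared with `const` instead of the original
// implicit global; the typeof guard below still tolerates a template that
// omits this line (typeof on an undeclared name does not throw).
const statReq = '/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de';

if (typeof statReq !== 'undefined') {
  (function () {
    // Sloppy-mode `this` of a plain call is `window`; `pool` is attached to it
    // so the timer callback can reach it. Do not switch this to strict mode
    // or an arrow function without reworking that.
    const that = this;

    /**
     * @returns {XMLHttpRequest|null} a request object, or null when neither
     *   XMLHttpRequest nor the legacy ActiveX fallback is available
     */
    function getXMLHttpRequest() {
      if (window.XMLHttpRequest) {
        return new window.XMLHttpRequest();
      }
      try {
        return new ActiveXObject("MSXML2.XMLHTTP");
      } catch (ex) {
        return null;
      }
    }

    const oReq = getXMLHttpRequest();

    /**
     * Sends the browser fingerprint to /index.php and reloads the page when
     * the server replies "SUCCESS".
     */
    this.pool = function () {
      function hB() {
        console.dir(oReq);
        if (oReq.readyState === 4 && oReq.status === 200) {
          console.log("OK");
          if (oReq.response && oReq.response === "SUCCESS") {
            location.reload();
          }
        }
      }

      if (oReq !== null) {
        const w = Math.max(document.documentElement.clientWidth, window.innerWidth || 0);
        const h = Math.max(document.documentElement.clientHeight, window.innerHeight || 0);
        // NOTE(review): Base64 output can contain '+', '/' and '=' and is not
        // URL-encoded here; the server presumably accepts that, so it is left
        // unchanged rather than wrapped in encodeURIComponent().
        const stat =
          `uri=${Base64.encode(statReq)}&w=${w}&h=${h}` +
          `&sc=${screen.width}x${screen.height}` +
          `&c=${Base64.encode(
            `${navigator.platform}|${navigator.productSub}|${navigator.oscpu}|` +
            `${navigator.vendor}|${navigator.userAgent}|${navigator.buildID}|` +
            `${navigator.language}|${navigator.languages}`,
          )}`;
        oReq.open("GET", `/index.php?${stat}`, true);
        oReq.onreadystatechange = hB;
        oReq.send("");
      } else {
        window.alert("AJAX (XMLHTTP) not supported.");
      }
    };

    setTimeout(() => { that.pool(); }, 1);
  })();
}

/**
 * Minimal Base64 codec with UTF-8 pre/post-processing, hand-rolled rather
 * than btoa/atob. Kept as is so the encoded fingerprint stays byte-identical
 * to what the server already expects.
 */
const Base64 = {
  _keyStr: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",

  /**
   * @param {string} input - text to encode
   * @returns {string} Base64 of the UTF-8 bytes of `input`, '=' padded
   */
  encode(input) {
    const bytes = Base64._utf8_encode(input);
    let output = "";
    let i = 0;
    while (i < bytes.length) {
      const chr1 = bytes.charCodeAt(i++);
      const chr2 = bytes.charCodeAt(i++);
      const chr3 = bytes.charCodeAt(i++);
      const enc1 = chr1 >> 2;
      const enc2 = ((chr1 & 3) << 4) | (chr2 >> 4);
      let enc3 = ((chr2 & 15) << 2) | (chr3 >> 6);
      let enc4 = chr3 & 63;
      // charCodeAt past the end yields NaN; that marks the padding positions.
      if (Number.isNaN(chr2)) {
        enc3 = 64;
        enc4 = 64;
      } else if (Number.isNaN(chr3)) {
        enc4 = 64;
      }
      output +=
        this._keyStr.charAt(enc1) +
        this._keyStr.charAt(enc2) +
        this._keyStr.charAt(enc3) +
        this._keyStr.charAt(enc4);
    }
    return output;
  },

  /**
   * @param {string} input - Base64 text; characters outside the alphabet are dropped
   * @returns {string} decoded text after UTF-8 post-processing
   */
  decode(input) {
    const clean = input.replace(/[^A-Za-z0-9\+\/\=]/g, "");
    let output = "";
    let i = 0;
    while (i < clean.length) {
      const enc1 = this._keyStr.indexOf(clean.charAt(i++));
      const enc2 = this._keyStr.indexOf(clean.charAt(i++));
      const enc3 = this._keyStr.indexOf(clean.charAt(i++));
      const enc4 = this._keyStr.indexOf(clean.charAt(i++));
      const chr1 = (enc1 << 2) | (enc2 >> 4);
      const chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);
      const chr3 = ((enc3 & 3) << 6) | enc4;
      output += String.fromCharCode(chr1);
      // Index 64 is the '=' padding character.
      if (enc3 !== 64) {
        output += String.fromCharCode(chr2);
      }
      if (enc4 !== 64) {
        output += String.fromCharCode(chr3);
      }
    }
    return Base64._utf8_decode(output);
  },

  /**
   * Encodes each UTF-16 code unit as 1-3 bytes. Surrogate pairs are encoded
   * unit by unit (3 bytes each), not as 4-byte UTF-8.
   * @param {string} string - text to encode; CRLF is normalised to LF first
   * @returns {string} byte string (each char code in 0..255)
   */
  _utf8_encode(string) {
    const normalized = string.replace(/\r\n/g, "\n");
    let utftext = "";
    for (let n = 0; n < normalized.length; n++) {
      const c = normalized.charCodeAt(n);
      if (c < 128) {
        utftext += String.fromCharCode(c);
      } else if (c < 2048) {
        utftext += String.fromCharCode((c >> 6) | 192);
        utftext += String.fromCharCode((c & 63) | 128);
      } else {
        utftext += String.fromCharCode((c >> 12) | 224);
        utftext += String.fromCharCode(((c >> 6) & 63) | 128);
        utftext += String.fromCharCode((c & 63) | 128);
      }
    }
    return utftext;
  },

  /**
   * Inverse of _utf8_encode for 1-3 byte sequences. The original declared
   * only `c` and leaked `c1`, `c2` and `c3` as implicit globals; they are
   * block-scoped here.
   * @param {string} utftext - byte string produced by _utf8_encode
   * @returns {string} decoded text
   */
  _utf8_decode(utftext) {
    let string = "";
    let i = 0;
    while (i < utftext.length) {
      const c = utftext.charCodeAt(i);
      if (c < 128) {
        string += String.fromCharCode(c);
        i += 1;
      } else if (c > 191 && c < 224) {
        const c2 = utftext.charCodeAt(i + 1);
        string += String.fromCharCode(((c & 31) << 6) | (c2 & 63));
        i += 2;
      } else {
        const c2 = utftext.charCodeAt(i + 1);
        const c3 = utftext.charCodeAt(i + 2);
        string += String.fromCharCode(((c & 15) << 12) | ((c2 & 63) << 6) | (c3 & 63));
        i += 3;
      }
    }
    return string;
  },
};
</script></head><body>37.187.106.43, ARE YOU BOT?<br/><br/><a href='https://microhosting.pro'><h2 style='display:inline-block;'>MicroHosting</h2> &nbsp;is Safe & Fast HOSTING</a><br/></body></html>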

It looks like your hoster has a bot-detection script that blocks the request. The HTTP status is 401 — check the output of https://check-your-website.server-daten.de/?q=unidn.com to see that result.

So ask your hoster why there is such a blocking script.

I apologize.
I solved this when I fixed the nginx config for IPv6.


Oh, interesting. It looks like your hoster has an "incomplete solution" if the script doesn't block IPv6.

But Let's Encrypt prefers IPv6, so the http validation works.

