Acme.sh error : <domain> Verify error:Invalid response from <domain>

Trying to issue a cert and getting the following issue.

Domain in question is staging.flutter.tours

The command I run : ./acme.sh --issue -d staging.flutter.tours -w /usr/share/nginx/html

The error I see: staging.flutter.tours:Verify error:Invalid response from https://staging.flutter.tours/.well-known/acme-challenge/sB7PXIrlNqAKD7uS5PU5A7_cqbsNWbEDJP4kZxxpWQM

1 Like

It looks like you have some kind of reverse proxying setup happening in nginx, so you need to exclude that URL from the proxying.

Something like:

location /.well-known/acme-challenge/ {
    root /usr/share/nginx/html;
}

and reload nginx.

2 Likes

where do I put that in the nginx conf file? In both http and https sections?

1 Like

Either one should work. I usually put it in the HTTP block to avoid unnecessary redirects.

2 Likes

Thanks. So making progress.

I'm now seeing this... I tried to run it with sudo, and then acme spit out a link; I went to the link and it said "don't do that".


[Sat Feb 13 01:27:18 UTC 2021] Changing owner/group of .well-known to root:root

[Sat Feb 13 01:27:18 UTC 2021] chown: changing ownership of ‘/usr/share/nginx/html/.well-known/acme-challenge/Y8pndb4_Ke4v6sfANxV_CP1QPzfoi_Eu5MpE96whgUM’: Operation not permitted

chown: changing ownership of ‘/usr/share/nginx/html/.well-known/acme-challenge/7zA3B4p3P6Unz7dZbKWKBQzJnWt5fxpGZhZpB1lvCIQ’: Operation not permitted

chown: changing ownership of ‘/usr/share/nginx/html/.well-known/acme-challenge/sB7PXIrlNqAKD7uS5PU5A7_cqbsNWbEDJP4kZxxpWQM’: Operation not permitted

chown: changing ownership of ‘/usr/share/nginx/html/.well-known/acme-challenge/BsOne8G2R6LvsgPHrfjTfvnMM5o2M9mUEt4ifeF5-LI’: Operation not permitted

chown: changing ownership of ‘/usr/share/nginx/html/.well-known/acme-challenge/9mQ3sdYsiIT4sVo0ETUxmypPogGrlgDCRnM3BULV18o’: Operation not permitted

chown: changing ownership of ‘/usr/share/nginx/html/.well-known/acme-challenge’: Operation not permitted

chown: changing ownership of ‘/usr/share/nginx/html/.well-known’: Operation not permitted

1 Like

What user are you running acme.sh as?

1 Like

It's an EC2 instance, so ec2-user.

1 Like

Well, I've always been of the opinion that it makes sense to run acme.sh as root. It needs to be able to reload your webserver after a certificate renewal, which is a privileged operation. Without root, you need to do a bunch of other things to make it work.

The wiki page describes how you can escalate to root (sudo su and then run acme.sh) without breaking acme.sh. That's what I would do personally.

1 Like

Thanks.

Well... the permission issues have gone away... but it's still throwing the following. I don't see any other obvious bad things upstream in the log. And unfortunately it's such a generic error.

[Sat Feb 13 02:13:11 UTC 2021] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/10819736205/s6YqbQ'

[Sat Feb 13 02:13:11 UTC 2021] _CURL='curl --silent --dump-header /root/.acme.sh/http.header -L -g '

[Sat Feb 13 02:13:11 UTC 2021] _ret='0'

[Sat Feb 13 02:13:11 UTC 2021] code='200'

[Sat Feb 13 02:13:11 UTC 2021] staging.flutter.tours:Verify error:Invalid response from https://staging.flutter.tours/.well-known/acme-challenge/fOpMZCnoZBBe-c-tT_aeGi7BZ3hnZ1Od_BrUS1byj-E

1 Like

Are you sure you added the changes to nginx?

If you did, I would expect that the below request would result in a 404, not a 301 redirect:

$ curl -i staging.flutter.tours/.well-known/acme-challenge/xx
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Sat, 13 Feb 2021 02:22:50 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://staging.flutter.tours/.well-known/acme-challenge/xx

<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>

Could you post the HTTP block from nginx?

2 Likes
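The two pieces of advice in this thread (exclude /.well-known/acme-challenge/ from the proxy/redirect, then verify with curl that the path answers from the webroot rather than with a 301) can be turned into a pre-flight check you run before invoking acme.sh. The script below is an added example and is not part of the thread or of acme.sh: it drops a throwaway token into the webroot, fetches it over plain HTTP without following redirects, and prints a diagnosis based on the status code and body. The defaults for WEBROOT and DOMAIN are taken from the thread; the diagnose() helper and its messages are my own.

```shell
#!/bin/sh
# Pre-flight check for an http-01 challenge served out of an nginx webroot.
# Added example; not code from acme.sh or from the thread. Assumes curl is
# installed and that the script runs on the host that owns the webroot.

WEBROOT="${WEBROOT:-/usr/share/nginx/html}"    # same webroot as the -w flag
DOMAIN="${DOMAIN:-staging.flutter.tours}"      # domain from the thread

# diagnose <http_status> <redirect_url> <body_matched 0|1>
# Prints a one-line verdict; returns 0 only when the challenge would be served.
diagnose() {
  status="$1"; location="$2"; matched="$3"
  case "$status" in
    200)
      if [ "$matched" = "1" ]; then
        echo "OK: token served from webroot"; return 0
      fi
      echo "FAIL: 200 but body differs (another handler is answering this path)"
      return 1 ;;
    301|302|307|308)
      # A redirect means the location block is not in effect for the server
      # block that answers port 80; the validator will follow it to ${location}
      # and whatever answers there must serve the token.
      echo "FAIL: $status redirect to ${location:-<none>}: challenge path not excluded from redirect/proxy"
      return 1 ;;
    404)
      echo "FAIL: 404: location block active but file not found (check root/webroot path)"
      return 1 ;;
    000)
      echo "FAIL: no HTTP response (DNS, firewall, or nginx not listening on port 80)"
      return 1 ;;
    *)
      echo "FAIL: unexpected status $status"; return 1 ;;
  esac
}

# check_challenge_path: write a probe token, fetch it, clean up, diagnose.
check_challenge_path() {
  dir="$WEBROOT/.well-known/acme-challenge"
  token="probe-$(date +%s)-$$"
  body="/tmp/acme_probe_body.$$"
  mkdir -p "$dir" || return 1
  printf '%s' "$token" > "$dir/$token" || return 1
  # -s: quiet; no -L so a redirect is reported instead of silently followed.
  resp=$(curl -s -o "$body" -w '%{http_code} %{redirect_url}' \
         "http://$DOMAIN/.well-known/acme-challenge/$token")
  status=${resp%% *}
  location=${resp#* }
  if [ "$(cat "$body" 2>/dev/null)" = "$token" ]; then matched=1; else matched=0; fi
  rm -f "$dir/$token" "$body"
  diagnose "$status" "$location" "$matched"
}

# Run the live check only when explicitly asked, e.g.:
#   DOMAIN=example.test WEBROOT=/srv/www sh check_acme_webroot.sh --run
if [ "${1:-}" = "--run" ]; then
  check_challenge_path
fi
```

A 301 from this check is exactly what the curl output above shows, and the fix is the location block earlier in the thread placed in the port-80 server block; a 404 means the block is active and the next thing to compare is the root directive against the -w path given to acme.sh.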

Hey! I got past that issue. Thanks for all the help.