Acme.sh Verify error: invalid response

pramadiputra · August 27, 2019, 12:50pm

When I’m trying to issue a certificate for my domain using acme.sh by run the following command:
acme.sh --issue -d pedia.id -w /var/www/pedia/ I got the following error that says

pedia.id:Verify error:Invalid response from http://pedia.id/.well-known/acme-challenge/Ix_5Elrq0cGOxCrBSrMjs_BjHUg8g9FWE7ciR0CuV0Y [209.97.175.240]:

When I’m checking the log, here what it says

 Running cmd: cron
[Tue Aug 27 00:01:01 UTC 2019] Using config home:/home/pr4m/.acme.sh
[Tue Aug 27 00:01:01 UTC 2019] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Tue Aug 27 00:01:01 UTC 2019] ===Starting cron===
[Tue Aug 27 00:01:01 UTC 2019] Using config home:/home/pr4m/.acme.sh
[Tue Aug 27 00:01:01 UTC 2019] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Tue Aug 27 00:01:02 UTC 2019] _stopRenewOnError
[Tue Aug 27 00:01:02 UTC 2019] _set_level='2'
[Tue Aug 27 00:01:02 UTC 2019] di='/home/pr4m/.acme.sh/pedia.id/'
[Tue Aug 27 00:01:02 UTC 2019] d='pedia.id'
[Tue Aug 27 00:01:02 UTC 2019] Using config home:/home/pr4m/.acme.sh
[Tue Aug 27 00:01:02 UTC 2019] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Tue Aug 27 00:01:02 UTC 2019] DOMAIN_PATH='/home/pr4m/.acme.sh/pedia.id'
[Tue Aug 27 00:01:02 UTC 2019] Renew: 'pedia.id'
[Tue Aug 27 00:01:02 UTC 2019] Le_API
[Tue Aug 27 00:01:02 UTC 2019] Skip invalid cert for: pedia.id
[Tue Aug 27 00:01:02 UTC 2019] Return code: 2
[Tue Aug 27 00:01:02 UTC 2019] Skipped pedia.id
[Tue Aug 27 00:01:02 UTC 2019] _error_level='3'
[Tue Aug 27 00:01:02 UTC 2019] _set_level='2'
[Tue Aug 27 00:01:02 UTC 2019] ===End cron===
[Tue Aug 27 12:27:43 UTC 2019] Running cmd: issue
[Tue Aug 27 12:27:43 UTC 2019] _main_domain='pedia.id'
[Tue Aug 27 12:27:43 UTC 2019] _alt_domains='no'
[Tue Aug 27 12:27:43 UTC 2019] Using config home:/home/pr4m/.acme.sh
[Tue Aug 27 12:27:43 UTC 2019] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Tue Aug 27 12:27:43 UTC 2019] DOMAIN_PATH='/home/pr4m/.acme.sh/pedia.id'
[Tue Aug 27 12:27:43 UTC 2019] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
[Tue Aug 27 12:27:43 UTC 2019] _init api for server: https://acme-v02.api.letsencrypt.org/directory
[Tue Aug 27 12:27:43 UTC 2019] GET
[Tue Aug 27 12:27:43 UTC 2019] url='https://acme-v02.api.letsencrypt.org/directory'
[Tue Aug 27 12:27:43 UTC 2019] timeout=
[Tue Aug 27 12:27:43 UTC 2019] _CURL='curl -L --silent --dump-header /home/pr4m/.acme.sh/http.header  -g '
[Tue Aug 27 12:27:44 UTC 2019] ret='0'
[Tue Aug 27 12:27:44 UTC 2019] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
[Tue Aug 27 12:27:44 UTC 2019] ACME_NEW_AUTHZ
[Tue Aug 27 12:27:44 UTC 2019] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Tue Aug 27 12:27:44 UTC 2019] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Tue Aug 27 12:27:44 UTC 2019] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
[Tue Aug 27 12:27:44 UTC 2019] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
[Tue Aug 27 12:27:44 UTC 2019] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Tue Aug 27 12:27:44 UTC 2019] ACME_VERSION='2'
[Tue Aug 27 12:27:44 UTC 2019] Le_NextRenewTime
[Tue Aug 27 12:27:44 UTC 2019] _on_before_issue
[Tue Aug 27 12:27:44 UTC 2019] _chk_main_domain='pedia.id'
[Tue Aug 27 12:27:44 UTC 2019] _chk_alt_domains
[Tue Aug 27 12:27:44 UTC 2019] Le_LocalAddress
[Tue Aug 27 12:27:44 UTC 2019] d='pedia.id'
[Tue Aug 27 12:27:44 UTC 2019] Check for domain='pedia.id'
[Tue Aug 27 12:27:44 UTC 2019] _currentRoot='/var/www/pedia'
[Tue Aug 27 12:27:44 UTC 2019] d
[Tue Aug 27 12:27:44 UTC 2019] _saved_account_key_hash is not changed, skip register account.
[Tue Aug 27 12:27:44 UTC 2019] Read key length:
[Tue Aug 27 12:27:44 UTC 2019] _createcsr
[Tue Aug 27 12:27:44 UTC 2019] Single domain='pedia.id'
[Tue Aug 27 12:27:44 UTC 2019] Getting domain auth token for each domain
[Tue Aug 27 12:27:44 UTC 2019] d
[Tue Aug 27 12:27:44 UTC 2019] url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Tue Aug 27 12:27:44 UTC 2019] payload='{"identifiers": [{"type":"dns","value":"pedia.id"}]}'
[Tue Aug 27 12:27:44 UTC 2019] RSA key
[Tue Aug 27 12:27:44 UTC 2019] HEAD
[Tue Aug 27 12:27:44 UTC 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Tue Aug 27 12:27:44 UTC 2019] _CURL='curl -L --silent --dump-header /home/pr4m/.acme.sh/http.header  -g '
[Tue Aug 27 12:27:44 UTC 2019] _ret='0'
[Tue Aug 27 12:27:44 UTC 2019] POST
[Tue Aug 27 12:27:44 UTC 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Tue Aug 27 12:27:44 UTC 2019] _CURL='curl -L --silent --dump-header /home/pr4m/.acme.sh/http.header  -g '
[Tue Aug 27 12:27:45 UTC 2019] _ret='0'
[Tue Aug 27 12:27:45 UTC 2019] code='201'
[Tue Aug 27 12:27:45 UTC 2019] Le_LinkOrder='https://acme-v02.api.letsencrypt.org/acme/order/64252358/972126645'
[Tue Aug 27 12:27:45 UTC 2019] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/64252358/972126645'
[Tue Aug 27 12:27:45 UTC 2019] url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/77672551'
[Tue Aug 27 12:27:45 UTC 2019] payload
[Tue Aug 27 12:27:45 UTC 2019] POST
[Tue Aug 27 12:27:45 UTC 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/77672551'
[Tue Aug 27 12:27:45 UTC 2019] _CURL='curl -L --silent --dump-header /home/pr4m/.acme.sh/http.header  -g '
[Tue Aug 27 12:27:45 UTC 2019] _ret='0'
[Tue Aug 27 12:27:45 UTC 2019] code='200'
[Tue Aug 27 12:27:45 UTC 2019] d='pedia.id'
[Tue Aug 27 12:27:45 UTC 2019] Getting webroot for domain='pedia.id'
[Tue Aug 27 12:27:45 UTC 2019] _w='/var/www/pedia'
[Tue Aug 27 12:27:45 UTC 2019] _currentRoot='/var/www/pedia'
[Tue Aug 27 12:27:45 UTC 2019] entry='"type":"http-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/77672551/CCNy5A","token":"Ix_5Elrq0cGOxCrBSrMjs_BjHUg8g9F WE7ciR0CuV0Y"'
[Tue Aug 27 12:27:45 UTC 2019] token='Ix_5Elrq0cGOxCrBSrMjs_BjHUg8g9FWE7ciR0CuV0Y'
[Tue Aug 27 12:27:45 UTC 2019] uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/77672551/CCNy5A'
[Tue Aug 27 12:27:45 UTC 2019] keyauthorization='Ix_5Elrq0cGOxCrBSrMjs_BjHUg8g9FWE7ciR0CuV0Y.ttQkvCTbS_-lFZumj6UZgAYGZUcEmcirK0i0u5WvoyA'
[Tue Aug 27 12:27:45 UTC 2019] dvlist='pedia.id#Ix_5Elrq0cGOxCrBSrMjs_BjHUg8g9FWE7ciR0CuV0Y.ttQkvCTbS_-lFZumj6UZgAYGZUcEmcirK0i0u5WvoyA#https://acme-v02.api.letsencrypt.org/acme/chall-v3/77 672551/CCNy5A#http-01#/var/www/pedia'
[Tue Aug 27 12:27:45 UTC 2019] d
[Tue Aug 27 12:27:45 UTC 2019] vlist='pedia.id#Ix_5Elrq0cGOxCrBSrMjs_BjHUg8g9FWE7ciR0CuV0Y.ttQkvCTbS_-lFZumj6UZgAYGZUcEmcirK0i0u5WvoyA#https://acme-v02.api.letsencrypt.org/acme/chall-v3/776 72551/CCNy5A#http-01#/var/www/pedia,'
[Tue Aug 27 12:27:45 UTC 2019] d='pedia.id'
[Tue Aug 27 12:27:45 UTC 2019] ok, let's start to verify
[Tue Aug 27 12:27:45 UTC 2019] Verifying: pedia.id
[Tue Aug 27 12:27:45 UTC 2019] d='pedia.id'
[Tue Aug 27 12:27:45 UTC 2019] keyauthorization='Ix_5Elrq0cGOxCrBSrMjs_BjHUg8g9FWE7ciR0CuV0Y.ttQkvCTbS_-lFZumj6UZgAYGZUcEmcirK0i0u5WvoyA'
[Tue Aug 27 12:27:45 UTC 2019] uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/77672551/CCNy5A'
[Tue Aug 27 12:27:45 UTC 2019] _currentRoot='/var/www/pedia'
[Tue Aug 27 12:27:45 UTC 2019] wellknown_path='/var/www/pedia/.well-known/acme-challenge'
[Tue Aug 27 12:27:45 UTC 2019] writing token:Ix_5Elrq0cGOxCrBSrMjs_BjHUg8g9FWE7ciR0CuV0Y to /var/www/pedia/.well-known/acme-challenge/Ix_5Elrq0cGOxCrBSrMjs_BjHUg8g9FWE7ciR0CuV0Y
[Tue Aug 27 12:27:45 UTC 2019] Changing owner/group of .well-known to pr4m:www-data
[Tue Aug 27 12:27:45 UTC 2019] chown: changing ownership of '/var/www/pedia/.well-known/acme-challenge/Ix_5Elrq0cGOxCrBSrMjs_BjHUg8g9FWE7ciR0CuV0Y': Operation not permitted
[Tue Aug 27 12:27:45 UTC 2019] chown: changing ownership of '/var/www/pedia/.well-known/acme-challenge/Ix_5Elrq0cGOxCrBSrMjs_BjHUg8g9FWE7ciR0CuV0Y': Operation not permitted
[Tue Aug 27 12:27:45 UTC 2019] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/77672551/CCNy5A'
[Tue Aug 27 12:27:45 UTC 2019] payload='{}'
[Tue Aug 27 12:27:45 UTC 2019] POST
[Tue Aug 27 12:27:45 UTC 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/77672551/CCNy5A'
[Tue Aug 27 12:27:45 UTC 2019] _CURL='curl -L --silent --dump-header /home/pr4m/.acme.sh/http.header  -g '
[Tue Aug 27 12:27:46 UTC 2019] _ret='0'
[Tue Aug 27 12:27:46 UTC 2019] code='200'
[Tue Aug 27 12:27:46 UTC 2019] trigger validation code: 200
[Tue Aug 27 12:27:46 UTC 2019] sleep 2 secs to verify
[Tue Aug 27 12:27:48 UTC 2019] checking
[Tue Aug 27 12:27:48 UTC 2019] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/77672551/CCNy5A'
[Tue Aug 27 12:27:48 UTC 2019] payload
[Tue Aug 27 12:27:48 UTC 2019] POST
[Tue Aug 27 12:27:48 UTC 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/77672551/CCNy5A'
[Tue Aug 27 12:27:48 UTC 2019] _CURL='curl -L --silent --dump-header /home/pr4m/.acme.sh/http.header  -g '
[Tue Aug 27 12:27:48 UTC 2019] _ret='0'
[Tue Aug 27 12:27:48 UTC 2019] code='200'
[Tue Aug 27 12:27:48 UTC 2019] pedia.id:Verify error:Invalid response from http://pedia.id/.well-known/acme-challenge/Ix_5Elrq0cGOxCrBSrMjs_BjHUg8g9FWE7ciR0CuV0Y [209.97.175.240]:
[Tue Aug 27 12:27:48 UTC 2019] pid
[Tue Aug 27 12:27:48 UTC 2019] No need to restore nginx, skip.
[Tue Aug 27 12:27:48 UTC 2019] _clearupdns
[Tue Aug 27 12:27:48 UTC 2019] dns_entries
[Tue Aug 27 12:27:48 UTC 2019] skip dns.
[Tue Aug 27 12:27:48 UTC 2019] _on_issue_err
[Tue Aug 27 12:27:48 UTC 2019] Please check log file for more details: /home/pr4m/.acme.sh/acme.sh.log
[Tue Aug 27 12:27:48 UTC 2019] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/77672551/CCNy5A'
[Tue Aug 27 12:27:48 UTC 2019] payload='{}'
[Tue Aug 27 12:27:48 UTC 2019] POST
[Tue Aug 27 12:27:48 UTC 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/77672551/CCNy5A'
[Tue Aug 27 12:27:48 UTC 2019] _CURL='curl -L --silent --dump-header /home/pr4m/.acme.sh/http.header  -g '
[Tue Aug 27 12:27:48 UTC 2019] _ret='0'
[Tue Aug 27 12:27:48 UTC 2019] code='400'

How can I fix this issue?

Thanks anyone

mnordhoff · August 27, 2019, 12:56pm

Check Nginx’s error.log to see if it says anything about this.

Can you post the server block from Nginx’s configuration?

Is /var/www/pedia/ the correct root? Are requests to /.well-known/acme-challenge/ being proxied to your backend web application?

pramadiputra · August 27, 2019, 1:02pm

Hello there, thanks for helping me.

If you access http://pedia.id/.well-known/acme-challenge/Ix_5Elrq0cGOxCrBSrMjs_BjHUg8g9FWE7ciR0CuV0Y it returns the Laravel 404 page, does it tells you something?

yes /var/www/pedia/ is the correct root. I don’t understand about " Are requests to /.well-known/acme-challenge/ being proxied to your backend web application? "

And by saying the server block, did you mean the /etc/nginx/sites-available/pedia.id ?

Thanks

schoen · August 27, 2019, 9:42pm

This is probably related to what @mnordhoff was asking about—the default behavior on nginx is to serve static files out of a particular directory, but this can be extensively modified to pass requests to some other kinds of software instead of answering them using files on disk, often using a proxy_pass directive but sometimes using other methods too. In this case it may be that your nginx server is passing every request through to a Laravel process, which means that the challenge files within /var/www end up getting ignored completely, even if they otherwise have the correct names and contents.

Most likely, unless there is a different file on your system that sets up nginx's behavior with respect to the pedia.id domain.

pramadiputra · August 27, 2019, 11:37pm

I think I agree " In this case it may be that your nginx server is passing every request through to a Laravel process, which means that the challenge files within /var/www end up getting ignored completely". Now how do I fix it, how do I make the nginx server to not ignore the challenge?

Thanks

pramadiputra · August 27, 2019, 11:47pm

I think I’m gonna reset the ../sites-available/pedia.id/ to the default nginx configuration and see if it can do the trick.

pramadiputra · August 28, 2019, 12:05am

I’ve reset the /sites-available/pedia.id to default nginx configuration, and when I’m accessing the .acme-challenge http://pedia.id/.well-known/acme-challenge/Ix_5Elrq0cGOxCrBSrMjs_BjHUg8g9FWE7ciR0CuV0Y it returns with 404 Error Not Found by Nginx.

schoen · August 28, 2019, 12:14am

Can you post that default configuration? Can you see any files on the web site that you create in /var/www on the server?

pramadiputra · August 28, 2019, 12:19am

Default configuration of /sites-available/pedia.id:

##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
#
server {
	listen 80 default_server;
	listen [::]:80 default_server;

	# SSL configuration
	#
	# listen 443 ssl default_server;
	# listen [::]:443 ssl default_server;
	#
	# Note: You should disable gzip for SSL traffic.
	# See: https://bugs.debian.org/773332
	#
	# Read up on ssl_ciphers to ensure a secure configuration.
	# See: https://bugs.debian.org/765782
	#
	# Self signed certs generated by the ssl-cert package
	# Don't use them in a production server!
	#
	# include snippets/snakeoil.conf;

        # Just Added These Lines
	location /.well-known/acme-challenge/ {
           root /var/www/pedia;
        }

	root /var/www/pedia;

	# Add index.php to the list if you are using PHP
	index index.html index.htm index.nginx-debian.html;

	server_name _;

	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to displaying a 404.
		try_files $uri $uri/ =404;
	}

	# pass PHP scripts to FastCGI server
	#
	#location ~ \.php$ {
	#	include snippets/fastcgi-php.conf;
	#
	#	# With php-fpm (or other unix sockets):
	#	fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
	#	# With php-cgi (or other tcp sockets):
	#	fastcgi_pass 127.0.0.1:9000;
	#}

	# deny access to .htaccess files, if Apache's document root
	# concurs with nginx's one
	#
	#location ~ /\.ht {
	#	deny all;
	#}
}


# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
#	listen 80;
#	listen [::]:80;
#
#	server_name example.com;
#
#	root /var/www/example.com;
#	index index.html;
#
#	location / {
#		try_files $uri $uri/ =404;
#	}
#}

Any files in /var/www/ are:

html
pedia

any files in /var/www/pedia are the files of Laravel

schoen · August 28, 2019, 12:21am

This should normally be root /var/www/pedia/.well-known/acme-challenge/ because if you pass a webroot option to acme.sh, it's going to add its own ./well-known/acme-challenge to the end of that when creating the challenge files.

pramadiputra · August 28, 2019, 12:24am

Did you mean it should be like this?

location /.well-known/acme-challenge/ {
   root /var/www/pedia/.well-known/acme-challenge/;
}

schoen · August 28, 2019, 12:28am

That’s my impression.

pramadiputra · August 28, 2019, 12:30am

It still returns 404 not found

schoen · August 28, 2019, 12:32am

With this setting (and reloading nginx), if you create /var/www/pedia/.well-known/acme-challenge/test.txt on the server, can you see its contents at http://pedia.id/.well-known/acme-challenge/test.txt?

pramadiputra · August 28, 2019, 12:36am

It works: http://pedia.id/.well-known/acme-challenge/text.txt

pramadiputra · August 28, 2019, 12:41am

@schoen thanks for helping me, the reason that’s it returns 404 when accessing http://pedia.id/.well-known/acme-challenge/Ix_5Elrq0cGOxCrBSrMjs_BjHUg8g9FWE7ciR0CuV0Y is that because I haven’t generated any challenge.

I just ran acme.sh --issue -d pedia.id -w /var/www/pedia/ and it successfully verifying pedia.id and generating the certificate. Thanks for your help

schoen · August 28, 2019, 12:55am

Great! I’m glad that’s worked out now.

pramadiputra · August 28, 2019, 1:35am

Thanks again Schoen, if you ever come to Bali let me know and I’ll buy you a drink!

schoen · August 29, 2019, 5:06pm

That sounds great!

system · September 28, 2019, 5:06pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Invalid Response from well-known/acme-challenge with .acme.sh/acme.sh --issue -d typing12.com Help	34	3185	September 29, 2022
One Domain Issues Correctly; Second Does Not (ACME.sh) Help	24	2112	December 18, 2021
Renewing cert, invalid response (404) Help	6	1052	July 1, 2018
Invalid response when trying to issue a certificate using cPanel Help	2	910	April 5, 2021
Error downloading certificate Help	4	1419	August 2, 2018

Acme.sh Verify error: invalid response

Related topics