.AuthorizationError: Some challenges have failed. - but access log contains - 2 GETs with 200

tmarsak · March 29, 2021, 10:05pm

I already understood what you were talking about, I was still dealing with an existing file and that it correctly returns 404 / possibly the correct token. Only now have I noticed table "7.3" where the "invalid" address on the acme challenge is checked.

but it's still very strange for me, sometimes I get "green" values, sometimes "timeout". What I had to do to improve the results at least a little:

I had the TTL parameter set incorrectly in the DNS configuration, it seems to have been too low (360) and therefore the evaluation was very often a "timeout", I don't know, but increasing the value (42000) helped, at least that's how it looks.

I was able to "see" at least some results "green" but still I received the same error.

but I still don't know where the problem might be next, maybe still a bad NGINX setup, current setup is:

server {

    listen 80;
    listen [::]:80;

    root /var/www/domains/tmapp.cz/web;
    index index.html;

    server_name tmapp.cz www.tmapp.cz;

    location / {
        try_files $uri $uri/ /index.html  =404;
        autoindex on;
    }

    location /api {
        proxy_pass http://localhost:4242;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

    location /socket.io {
        proxy_pass http://localhost:4242;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

    # Rule for legitimate ACME Challenge requests (like /.well-known/acme-challenge/xxxxxxxxx)
    # We use ^~ here, so that we don't check other regexes (for speed-up). We actually MUST cancel
    # other regex checks, because in our other config files have regex rule that denies access to files wit>
    location ^~ /.well-known/acme-challenge/ {

        # Set correct content type. According to this:
        # https://community.letsencrypt.org/t/using-the-webroot-domain-verification-method/1445/29
        # Current specification requires text/plain or no content header at all.
        # It seems that text/plain is a safe option.
        charset utf-8;
        default_type text/html;

        # This directory must be the same as in /etc/letsencrypt/cli.ini
        # as webroot-path parameter. Also don't forget to set authenticator parameter
        # there to webroot.
        # Do NOT use alias, use root! Target directory is located here:
        # /var/www/common/letsencrypt/.well-known/acme-challenge/
        root /var/www/common/letsencrypt;
    }

    # Hide /acme-challenge subdirectory and return 404 on all requests.
    # It is somewhat more secure than letting Nginx return 403.
    # Ending slash is important!
    location = /.well-known/acme-challenge/ {
        return 404;
    }

}

tmarsak · March 31, 2021, 8:54am

ok, original code, no change in my scripts and now I am able to generate the certificates, but it looks that something "wrong" is with my domain, or I don't know, I have two identical settings + domain name:

tmapp.cz
tmappws.cz

there were only following "differences" in process how they were created:

tmapp.cz
= originally created under the different DNS provider, then moved to the current "forpsi"
= still it looks, that it is problematic because the responses reported on https://check-your-website.server-daten.de/?q=tmappws.cz are little bit under 10s
tmappws.cz
= registered directly under "new" / current "forpsi" DNS provider
= it looks OK, responses reported on https://check-your-website.server-daten.de/?q=tmappws.cz are around 3s

It seems to me that the problem is in response time, if it is under 10s, then I am able to generate the certificate. But really I don't know how I can influence / decrease the response time. I will try to contact my DNS provider, if he can compare the configuration for the domains, NS records are the same

Another "strange" thing is, that the "domain" / urls responses are much more faster then reported on the page. So again I do not have any clue how they are calculated.

Pls do you have any link, info how it works? Or do you know if it is possible to configure / increase "timeout" parameter through certbot / letsencrypt?

JuergenAuer · March 31, 2021, 9:23am

That's really bad - https://check-your-website.server-daten.de/?i=a46f4f26-5d47-4fec-9fcc-e0b7d7906554#url-checks shows a lot of timeouts, https://check-your-website.server-daten.de/?i=8633b691-2cee-4336-9ccc-e1d7f8bd8ced#url-checks shows 3 seconds.

More then 10 seconds is always critical -> dead website.

Yes, too long no answer -> timeout.

It's not your dns provider, it's your webserver.

"check-your-website" connects your ip address with the informations found in the NS- and A/AAAA checks and sends the domain name as host header. So it's not a slow dns.

There are some additional checks, especially https. The Chrome-Screenshot time is better.

That's not possible and it wouldn't help. More then 10 seconds is always bad.

system · April 30, 2021, 9:23am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.