Bad string in Http challenge and probable solution

Hello, I've got:

  1. problem and
  2. probable solution which I want to validate.

I will provide my domain if it is needed.

I ran this command:
# certbot certonly --standalone --http-01-port 80 -d our.domain.com --agree-tos --no-eff-email --register-unsafely-without-email

It produced this output:

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: our.domain.com
  Type:   unauthorized
  Detail: The key authorization file from the server did not match this challenge. Expected "0_AjkGBJufhULLs25WOJ3pPr7N9J45f-SEfDUFK1b6s.bCAWl_CqF8_ctcevB2V0xsMKA25_PliHfqbN5KQR0SE" (got "")

The operating system my web server runs on is (include version):
Red Hat Enterprise Linux 8.10 (Ootpa)

I can login to a root shell on my machine: yes

The version of my pip installed client:

# certbot --version
certbot 2.11.0
  1. Problem: I try to make a certificate and I get an error (because the empty string did not match the challenge)

Our problem is that we have Consul, and it sends the domain request to a k8s pod (I can't send the request directly to the certbot server). So the domain request (http://<YOUR_DOMAIN>/.well-known/acme-challenge/) first goes to the pod's webserver, then a copy of the request is sent to the certbot standalone server at localhost:80.
But Certbot's response doesn't contain a string, it only contains headers:
{'Server': 'BaseHTTP/0.6 Python/3.10.12', 'Date': 'Tue, 16 Jul 2024 13:53:28 GMT'}

  2. Probable solution:

I know that the response for acme-challenge should contain the string: <TOKEN>.<Account Thumbprint>.

So my webserver forms this string and sends it in the response. Then everything is fine!

But my question is: is this solution good? Will there be any consequences or side-effects?

Certbot --standalone definitely returns data along with headers, even when replying just to test requests. Could you be sending a HEAD request instead of GET?

Headers and data from an invalid request to --standalone. A valid request gets the challenge response.

HTTP/1.0 200 OK
Server: BaseHTTP/0.6 Python/3.8.10
Date: Wed, 17 Jul 2024 11:30:22 GMT
Content-Type: text/html

ACME client standalone challenge solver

Sorry, all is fine! I had a problem getting the body from the client, because there was no "Content-Length" header. Why is it not provided by certbot? It misled me...

Topic can be closed.

I'm glad you got this working. I just wanted to point out 2 things:

--http-01-port 80

This is implied by default and not needed.

Our problem is that we have Consul, and it sends the domain request to a k8s pod (I can't send the request directly to the certbot server). So the domain request (http://<YOUR_DOMAIN>/.well-known/acme-challenge/) first goes to the pod's webserver, then a copy of the request is sent to the certbot standalone server at localhost:80.

Something that might be more straightforward in the future is to do the following:

  1. Dedicate a specific port to the Certbot standalone:

    --http-01-port 8082

  2. Then you can route the acme-challenge directory to port 8082

Using a dedicated higher port tends to simplify this type of usage when it comes to routing between servers and containers/pods.

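The forwarding setup the thread converges on (the pod's webserver relays only /.well-known/acme-challenge/ to certbot's standalone responder on a dedicated port, and reads the body even though certbot sends no Content-Length), as an added example that is not code from the thread or from certbot. The "standalone" server here is a constructed stand-in that mimics the behaviour quoted above (HTTP/1.0, Server: BaseHTTP, no Content-Length, body delimited by connection close); the token "tok123", the thumbprint, and port 8082 (the dedicated --http-01-port suggested in the previous reply) are sample values and assumptions:

```python
# Added example: relay ACME http-01 requests to a certbot-standalone-style
# upstream that answers HTTP/1.0 with no Content-Length. The stand-in server,
# token, thumbprint and port number are constructed for illustration.
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

ACME_PREFIX = "/.well-known/acme-challenge/"
DEFAULT_UPSTREAM_PORT = 8082  # assumed: certbot run with --http-01-port 8082

# Constructed sample: token -> key authorization (<TOKEN>.<account thumbprint>)
CHALLENGES = {"tok123": "tok123.THUMBPRINT"}
FALLBACK_BODY = "ACME client standalone challenge solver"  # what certbot says to a non-matching path


class FakeStandalone(BaseHTTPRequestHandler):
    """Stand-in for `certbot --standalone`: HTTP/1.0, no Content-Length header."""
    protocol_version = "HTTP/1.0"

    def do_GET(self):
        token = self.path[len(ACME_PREFIX):] if self.path.startswith(ACME_PREFIX) else ""
        body = CHALLENGES.get(token, FALLBACK_BODY)
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()  # deliberately no Content-Length: the body ends at connection close
        self.wfile.write(body.encode())

    def log_message(self, *args):
        pass


def fetch_until_eof(host, port, path, timeout=5.0):
    """GET `path` from an HTTP/1.0 server and return (status, headers, body).

    Without Content-Length or chunked encoding, the body is delimited by the
    peer closing the connection (RFC 7230 section 3.3.3), so read until
    recv() returns b"" instead of trusting a length header that is not there.
    """
    request = f"GET {path} HTTP/1.0\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request.encode("ascii"))
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    head, _, body = b"".join(chunks).partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


class AcmeProxy(BaseHTTPRequestHandler):
    """Front-end handler: forward only the acme-challenge path to the upstream."""
    protocol_version = "HTTP/1.0"
    upstream = ("127.0.0.1", DEFAULT_UPSTREAM_PORT)

    def do_GET(self):
        if not self.path.startswith(ACME_PREFIX):
            self.send_error(404)  # anything else is the pod's own content, not forwarded
            return
        status, headers, body = fetch_until_eof(*self.upstream, self.path)
        self.send_response(status)
        self.send_header("Content-Type", headers.get("content-type", "text/plain"))
        self.send_header("Content-Length", str(len(body)))  # supply what the upstream omitted
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass


def start_server(handler, port=0):
    """Serve `handler` on 127.0.0.1 in a daemon thread; port 0 picks a free port."""
    server = HTTPServer(("127.0.0.1", port), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def run_demo():
    """Start both servers on free ports; return (direct, proxied, other) responses."""
    standalone = start_server(FakeStandalone)
    AcmeProxy.upstream = ("127.0.0.1", standalone.server_port)
    proxy = start_server(AcmeProxy)
    try:
        direct = fetch_until_eof("127.0.0.1", standalone.server_port, ACME_PREFIX + "tok123")
        proxied = fetch_until_eof("127.0.0.1", proxy.server_port, ACME_PREFIX + "tok123")
        other = fetch_until_eof("127.0.0.1", proxy.server_port, "/index.html")
    finally:
        for server in (proxy, standalone):
            server.shutdown()
            server.server_close()
    return direct, proxied, other


if __name__ == "__main__":
    for label, (status, headers, body) in zip(("direct", "proxied", "other"), run_demo()):
        print(label, status, headers.get("content-length"), body)
```

The direct fetch comes back with no Content-Length, which is the situation that tripped up the original poster; the proxied copy carries the same key authorization body with a Content-Length added. Only GET is implemented on the proxy, so a HEAD request is answered 501 by BaseHTTPRequestHandler, which makes a HEAD-instead-of-GET mistake visible rather than silently returning an empty body.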

Thanks guys for your help!
