I ran this command: certbot certonly --expand --standalone --preferred-challenges http-01 -m <redacted> --agree-tos --http-01-port 31337
It produced this output:
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: net.timetracer.se
Type: unauthorized
Detail: The key authorization file from the server did not match
this challenge
[QKvAHbl-hOoeG1NQjz4vDDGAc18ctOzkiGJ_R6Oc9y0.XpYE1csbTAwI5U6XHESpfV9rWWaU8mwMcAdjnk2Gc-Y]
!= []
My operating system is (include version):
Linux ha-01 3.16.0-4-amd64 #1 SMP Debian 3.16.36-1+deb8u2 (2016-10-19) x86_64 GNU/Linux
My web server is (include version):
HAProxy / Standalone
I’m using HAProxy to forward requests to acme-challenges at port 80 to the standalone server at port 31337
I can login to a root shell on my machine (yes or no, or I don’t know):
Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No
Yes, the directory “/well-known/” should be “/.well-known/”, and since the standalone server only runs when I’m running the command, it’s only reporting a 503 (Service unavailable)-page.
But when I check the log, it gets a 200 HTTP code when it tries to fetch the challenge.
Unless the old certs have been compromised ( hopefully not) you shouldn’t need to revoke them.
Maybe if @cpu can see if there is any additional info on the Let’s Encrypt logs as to why it looks as if it was giving a correct 200 page but Let’s Encrypt was rejecting it.
Correct! Thanks @serverco. @NoLifeKing, please don't revoke certificates unless you suspect them compromised. It's unnecessary and doesn't accomplish much due to the inherent problems with revocation.
Sure thing!
@NoLifeKing Looking at the logs from our end it appears like HAProxy or the origin webserver behind it are producing a 200 response to the validation HTTP request, but with an empty response body. Is there anything in your configuration that might suggest why?
E.g. for the most recent failed attempt I see:
"type":"urn:acme:error:unauthorized",
"detail":"The key authorization file from the server did not match this challenge [nckax...] != []"
The first portion [nckax...] is what we expected to find. The second portion [] is the whitespace trimmed response body from the HTTP request.
I see the same error for the QKvAHb... authorization shared in this thread:
"type":"urn:acme:error:unauthorized",
"detail":"The key authorization file from the server did not match this challenge [QKvAHb...] != []"
Can you verify that you can externally CURL a file from the /.well-known/acme-challenge directory through HAProxy and receive the correct response body?
Right, but what about the domain that's failing? Can you verify you can access a file from the /.well-known/acme-challenge directory for that domain through HAProxy?
I don't think there is anything particularly sensitive to worry about here. I'd normally suggest emailing sensitive information to me directly but in this case I'm confident it's not a server-side issue and I'm afraid I don't have the cycles today to help debug anything non-Boulder related this week. Sharing in the forum is the best way for someone to help you with your HAProxy/webserver configuration.
Since I’m using standalone create my certificates, it’s quite bothersome to see if I can access the file through the HAProxy, since by the time I know what URL I’m supposed to go to, the server is already closed down.
Is there some way to keep the standalone server up for a while longer?
This is the first time I’m using certbot on linux, so I don’t know if there is anything I can do to fix this.
That’s giving the same issue as before ( by the look of the logs). i.e. the Let’s Encrypt server is obtaining a null response.
What’s the device you are running certbot on in standalone ? Is it possible to place a really simple web server there and check that everything is going through the HAproxy correctly ?
Also, whilst not finding the cause of this specific issue) would the DNS-01 challenge be better for you ? that just requires an API to your DNS to add a specific text entry for Let’s Encrypt to verify.
You’re welcome If you have python on there it may be as easy to test with “python -m SimpleHTTPServer 80” since that will give you a webserver in a one-liner ( just do it in a directory that only has a test file in it )