Cannot create new certificate

NoLifeKing · January 5, 2017, 10:56am

Please fill out the fields below so we can help you better.

My domain is:
net.timetracer.se (among other sub domains)

I ran this command:
certbot certonly --expand --standalone --preferred-challenges http-01 -m <redacted> --agree-tos --http-01-port 31337

It produced this output:
IMPORTANT NOTES:
- The following errors were reported by the server:

   Domain: net.timetracer.se
   Type:   unauthorized
   Detail: The key authorization file from the server did not match
   this challenge
   [QKvAHbl-hOoeG1NQjz4vDDGAc18ctOzkiGJ_R6Oc9y0.XpYE1csbTAwI5U6XHESpfV9rWWaU8mwMcAdjnk2Gc-Y]
   != []

My operating system is (include version):
Linux ha-01 3.16.0-4-amd64 #1 SMP Debian 3.16.36-1+deb8u2 (2016-10-19) x86_64 GNU/Linux

My web server is (include version):
HAProxy / Standalone
I’m using HAProxy to forward requests to acme-challenges at port 80 to the standalone server at port 31337

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

serverco · January 5, 2017, 11:13am

You need to use port 80 for the http-01 challenge - not port 31337

NoLifeKing · January 5, 2017, 11:17am

I use HAProxy, which forwards the requests from port 80 to the standalone servers port 31337.

serverco · January 5, 2017, 11:29am

The error is essentially saying that when the external Let’s Encrypt server tries to verify your domain at

net.timetracer.se/well-known/acme-challenge/QKvAHb…jnk2Gc-Y

it doesn’t get a simple, correct, text reply.

If I try to go to that URL I get a redirect to login pages. is there anything else running?

NoLifeKing · January 5, 2017, 11:33am

Yes, the directory “/well-known/” should be “/.well-known/”, and since the standalone server only runs when I’m running the command, it’s only reporting a 503 (Service unavailable)-page.

But when I check the log, it gets a 200 HTTP code when it tries to fetch the challenge.

2017-01-05 11:36:16,590:DEBUG:acme.standalone:127.0.0.1 - - Incoming request
2017-01-05 11:36:16,590:DEBUG:acme.standalone:127.0.0.1 - - Serving HTTP01 with token u'VCOzuNfQgPYQX9j4zivuEEjyhUqC-PaKb1aS2eG_8AU'
2017-01-05 11:36:16,591:DEBUG:acme.standalone:127.0.0.1 - - "GET /.well-known/acme-challenge/VCOzuNfQgPYQX9j4zivuEEjyhUqC-PaKb1aS2eG_8AU HTTP/1.1" 200 -

This command works well for other domains, but this specific domain have been issued before, on another server.

I have revoked the old certificates. If I try to revoke them again, it tells me they’re already revoked.

serverco · January 5, 2017, 11:51am

Unless the old certs have been compromised ( hopefully not) you shouldn’t need to revoke them.

Maybe if @cpu can see if there is any additional info on the Let’s Encrypt logs as to why it looks as if it was giving a correct 200 page but Let’s Encrypt was rejecting it.

cpu · January 5, 2017, 3:33pm

Correct! Thanks @serverco. @NoLifeKing, please don't revoke certificates unless you suspect them compromised. It's unnecessary and doesn't accomplish much due to the inherent problems with revocation.

Sure thing!

@NoLifeKing Looking at the logs from our end it appears like HAProxy or the origin webserver behind it are producing a 200 response to the validation HTTP request, but with an empty response body. Is there anything in your configuration that might suggest why?

E.g. for the most recent failed attempt I see:

"type":"urn:acme:error:unauthorized",
"detail":"The key authorization file from the server did not match this challenge [nckax...] != []"

The first portion [nckax...] is what we expected to find. The second portion [] is the whitespace trimmed response body from the HTTP request.

I see the same error for the QKvAHb... authorization shared in this thread:

"type":"urn:acme:error:unauthorized",
"detail":"The key authorization file from the server did not match this challenge [QKvAHb...] != []"

Can you verify that you can externally CURL a file from the /.well-known/acme-challenge directory through HAProxy and receive the correct response body?

Hope this helps!

cpu · January 6, 2017, 7:13pm

A post was split to a new topic: Does revocation cause additional load?

NoLifeKing · January 9, 2017, 7:17am

@cpu It works well, when I try and create/renew certs for another domain (multiresurs.com).

But when I try and run the exact same command, but with either of my timetracer.se domains, it always fails.

Is there some way I can attach the log, without it being compromised, I’m not sure what information is “dangerous” to post.

cpu · January 9, 2017, 3:23pm

Right, but what about the domain that's failing? Can you verify you can access a file from the /.well-known/acme-challenge directory for that domain through HAProxy?

I don't think there is anything particularly sensitive to worry about here. I'd normally suggest emailing sensitive information to me directly but in this case I'm confident it's not a server-side issue and I'm afraid I don't have the cycles today to help debug anything non-Boulder related this week. Sharing in the forum is the best way for someone to help you with your HAProxy/webserver configuration.

NoLifeKing · January 9, 2017, 3:29pm

Here’s the log for the combined command for all .timetracer.se domains.

letsencrypt.txt (117.1 KB)

Since I’m using standalone create my certificates, it’s quite bothersome to see if I can access the file through the HAProxy, since by the time I know what URL I’m supposed to go to, the server is already closed down.

Is there some way to keep the standalone server up for a while longer?

This is the first time I’m using certbot on linux, so I don’t know if there is anything I can do to fix this.

serverco · January 9, 2017, 3:40pm

That’s giving the same issue as before ( by the look of the logs). i.e. the Let’s Encrypt server is obtaining a null response.

What’s the device you are running certbot on in standalone ? Is it possible to place a really simple web server there and check that everything is going through the HAproxy correctly ?

Also, whilst not finding the cause of this specific issue) would the DNS-01 challenge be better for you ? that just requires an API to your DNS to add a specific text entry for Let’s Encrypt to verify.

NoLifeKing · January 9, 2017, 3:42pm

I’ll try with a small nginx tomorrow and post the results.

Edit: Thank you for all your help, it’s really helpful with people who doesn’t just go “RTFM”

serverco · January 9, 2017, 3:47pm

You’re welcome If you have python on there it may be as easy to test with “python -m SimpleHTTPServer 80” since that will give you a webserver in a one-liner ( just do it in a directory that only has a test file in it )

NoLifeKing · January 10, 2017, 7:59am

Using nginx to handle all incoming requests worked fine!

Thanks @cpu and @serverco for your help.

Strange that the standalone one presented empty challenges for .timetracer.se, when .multiresurs.com works though

system · February 9, 2017, 8:00am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.