Certbot renew opensuse 15.4 failed to authenticate some domains

@_az

BINGO!

It seems the University is using Palo Alto firewalls and they need to be instructed to allow the LE challenge requests to reach your web server.
Below we can see the first request [from my system] reaches your server.
The second request [simulating the LE request] does not have the same response.
It is interrupted by the firewall:

#1
curl -Ii dna.engr.latech.edu/.well-known/acme-challenge/Test_File-1234
HTTP/1.1 301 Moved Permanently
Date: Mon, 02 Jan 2023 02:28:04 GMT
Server: Apache
Location: https://dna.engr.latech.edu/.well-known/acme-challenge/Test_File-1234
Content-Type: text/html; charset=iso-8859-1

#2
curl -Ii dna.engr.latech.edu/.well-known/acme-challenge/Test_File-1234  -A "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
curl: (52) Empty reply from server
7 Likes
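The two-request comparison from the post above, wrapped in a script you can run against your own server. This is an added example, not part of the original thread; the function names `probe`, `classify` and `check_host` and the verdict strings are assumptions made for illustration. The User-Agent string and test path are the ones used in the post.

```shell
#!/bin/sh
# Added example: send the same HTTP-01 style request twice, once with curl's
# default User-Agent and once with the Let's Encrypt validation User-Agent,
# then compare the outcomes to spot User-Agent based filtering in the path.

LE_UA="Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

# probe URL [USER_AGENT] -> prints "<curl_exit_code> <http_status>"
probe() {
    local rc status
    rc=0
    if [ -n "${2:-}" ]; then
        status=$(curl -s -I -o /dev/null --max-time 10 -w '%{http_code}' -A "$2" "$1") || rc=$?
    else
        status=$(curl -s -I -o /dev/null --max-time 10 -w '%{http_code}' "$1") || rc=$?
    fi
    printf '%s %s\n' "$rc" "${status:-000}"
}

# classify PLAIN_RC PLAIN_STATUS LE_RC LE_STATUS -> verdict (hypothetical labels)
classify() {
    if [ "$1" -ne 0 ]; then
        echo "unreachable"            # plain request fails too: not UA-specific
    elif [ "$3" -eq 52 ] || [ "$3" -eq 56 ] || [ "$3" -eq 28 ]; then
        echo "ua-filtered"            # empty reply, reset or timeout only with the LE UA
    elif [ "$3" -ne 0 ]; then
        echo "le-probe-error"         # some other curl failure on the LE-UA request
    elif [ "$2" != "$4" ]; then
        echo "ua-dependent-response"  # both answered, but with different status codes
    else
        echo "consistent"             # same result for both User-Agents
    fi
}

# check_host HOSTNAME -> one summary line for the given host
check_host() {
    local url plain le
    url="http://$1/.well-known/acme-challenge/Test_File-1234"
    plain=$(probe "$url")
    le=$(probe "$url" "$LE_UA")
    # $plain and $le are deliberately unquoted: each expands to "rc status"
    echo "plain: $plain | LE UA: $le | verdict: $(classify $plain $le)"
}

# Run only when a hostname is given on the command line.
if [ "$#" -gt 0 ]; then check_host "$1"; fi
```

A `ua-filtered` verdict corresponds to the pattern shown in the post: a normal response to request #1 and curl exit code 52 (empty reply) for request #2.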

very good ... so what specific info do I need to provide the IT folks?

1 Like

Palo Alto firewall users with failing HTTP-01 challenges: enable "acme-protocol" - Help - Let's Encrypt Community Support (letsencrypt.org)

5 Likes

so this is information for the IT folks... NOT something that's under my control. Correct?

1 Like

To whomever controls the [Palo Alto] firewall.

4 Likes

Thanks y'all! Much appreciated. I'll send them the above link.
Cheers
Tom

5 Likes

Cheers from Miami :beers:
and Happy New Year!

4 Likes
