Cert renewal failing when using diff tlds

common disclaimer, this has been working for a while now but only recently started failing.

i’m running certbot/acme 0.15.0 and apache 2.4.25 on linux.

example command/output:

```
$ certbot certonly --webroot --webroot-path /var/www/wh0rd
-d wh0rd.org -d wh0rd.ca -d wh0rd.info -d wh0rd.net
-d wh0rd.org -d wh0rd.us -d www.wh0rd.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for wh0rd.org
http-01 challenge for wh0rd.ca
http-01 challenge for wh0rd.info
http-01 challenge for wh0rd.net
http-01 challenge for wh0rd.us
http-01 challenge for www.wh0rd.org
Using the webroot path /var/www/wh0rd for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. wh0rd.ca (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://wh0r.org/.well-known/acme-challenge/rzZBylXcnMlJm1KiERYc2nM-K5NF9ELp8PvCeBzeFwk: Error getting validation data, wh0rd.info (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://wh0rd…org/.well-known/acme-challenge/zNZZiRLg-hbn2dQKLby_SSsIsu5MhdM6DQBrCjNC-Po: Error getting validation data, wh0rd.us (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://wh0r.org/.well-known/acme-challenge/8tX7DV9tfcDmsJV3SluCT6Hs5j9PrEne9B5qkpogjcU: Error getting validation data

IMPORTANT NOTES:
```

now the interesting bits are the domains that are failing. they’re the ones where the tld is a different length from the target. e.g. these domains all point to wh0rd.org (strlen("org") == 3), and we see the failures:

- wh0rd.ca (strlen("ca") == 2) fails trying to fetch "wh0r.org"
- wh0rd.info (strlen("info") == 4) fails trying to fetch "wh0rd…org"
- wh0rd.us (strlen("us") == 2) fails trying to fetch "wh0r.org"

from what i can tell, these responses/errors are coming from the LE servers, so there isn’t much i can do about them?

when i remove those three domains from the certbot command, i’m able to renew the certs just fine.

This actually seems to be a redirect sent by your own servers. Try running

```
curl -v http://wh0rd.info/foo
curl -v http://wh0rd.ca/foo
curl -v http://wh0rd.us/foo
```

You'll see that it sends back a redirection pointing to the same invalid domains that you encountered—without having anything related to Let's Encrypt in the picture at all!
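The reply's point is that the broken hostnames are produced by the site's own 301 before any ACME traffic is involved, so the first hop of the redirect is what has to be inspected. The script below is an added example (not code from certbot, Let's Encrypt or the poster's setup) that requests the challenge path over plain HTTP without following redirects and classifies where each Location header points, the same check `curl -v` does by hand. It assumes the certificate names from the certbot command above and uses a constructed placeholder token path; the sample observations are built from the Location values quoted in the error output, plus two well-behaved hosts for contrast.

```python
"""Pre-renewal check for http-01 redirects (added example, not from the thread)."""
import http.client
from urllib.parse import urlparse

# Names the certificate should cover (taken from the certbot command in the thread).
CERT_NAMES = {"wh0rd.org", "www.wh0rd.org", "wh0rd.net", "wh0rd.info", "wh0rd.ca", "wh0rd.us"}
# Constructed placeholder token; the real token is chosen by certbot, but any path under
# /.well-known/acme-challenge/ goes through the same rewrite rules as the real one.
PROBE_PATH = "/.well-known/acme-challenge/probe-token"


def classify_redirect(location, allowed_hosts, expected_path=PROBE_PATH):
    """Explain a redirect target the way the ACME validator will experience it.

    "no-redirect"  - not a 3xx, the validator reads the challenge from this host directly
    "ok"           - redirect stays on one of the certificate's names and keeps the path
    "bad-scheme"   - redirect to a scheme other than http/https, which validators do not follow
    "foreign-host" - redirect leaves the certificate's names (the failure mode in the thread)
    "path-changed" - host is fine but the challenge path was rewritten away
    """
    if location is None:
        return "no-redirect"
    target = urlparse(location)
    if target.scheme not in ("http", "https"):
        return "bad-scheme"
    if target.hostname not in allowed_hosts:   # .hostname is lower-cased by urlparse
        return "foreign-host"
    if target.path != expected_path:
        return "path-changed"
    return "ok"


def probe(host, timeout=10):
    """Fetch PROBE_PATH from host over port 80 and return (status, Location header or None).

    http.client never follows redirects, which is exactly what makes the first hop
    visible (as with `curl -v`). Network call; not used by the offline sample below.
    """
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", PROBE_PATH, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def check_all(observations, allowed_hosts=CERT_NAMES):
    """Map each host to a verdict; observations = {host: (status, location)}."""
    verdicts = {}
    for host, (status, location) in observations.items():
        # Only a 3xx status makes the Location header meaningful.
        first_hop = location if 300 <= status < 400 else None
        verdicts[host] = classify_redirect(first_hop, allowed_hosts)
    return verdicts


# Constructed sample: the Location values the ACME server reported for the failing
# names in the thread, plus an https redirect and a direct 200 for contrast.
SAMPLE = {
    "wh0rd.ca":   (301, "http://wh0r.org" + PROBE_PATH),
    "wh0rd.info": (301, "http://wh0rd…org" + PROBE_PATH),
    "wh0rd.org":  (301, "https://wh0rd.org" + PROBE_PATH),
    "wh0rd.net":  (200, None),
}

if __name__ == "__main__":
    # Offline run over the sample; swap in {h: probe(h) for h in CERT_NAMES} to go live.
    for host, verdict in sorted(check_all(SAMPLE).items()):
        print(f"{host:14s} {verdict}")
```

Running this before `certbot certonly` turns the "could not connect to the client" error into a per-name verdict: every "foreign-host" line is a vhost whose rewrite rules need fixing, and "path-changed" catches the other common cause, a redirect that drops the `/.well-known/acme-challenge/` path on the way to https.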

i’m using standard apache rewrite/serveralias rules here, so i’m going to guess it’s a bug in apache. i’ll debug that angle then. thanks for the obvious debug starting point :).

```apache
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

<VirtualHost _default_:443>
    ServerName wh0rd.org
    ServerAlias www.wh0rd.org wh0rd.net wh0rd.com wh0rd.info wh0rd.ca wh0rd.us
```
