First, I’m not much of a server admin. It’s one of the things I struggle with the most. So perhaps I’m missing something obvious. But, I’m trying to set up a jenkins server at jenkins.ucdev.net. The server uses
- RHEL 7
- apache 2.4.6
- certbot v0.36.0
- I have root access
- the server is (in general) privately managed by my IT dept
Jenkins has a webroot at /var/cache/jenkins/war in its config (/etc/default/jenkins).
<VirtualHost *:80>
Header set X-Robots-Tag: none
DocumentRoot /var/cache/jenkins/war
ServerName jenkins.ucdev.net
ServerAlias jenkins.ucdev.net
ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/
ProxyRequests Off
AllowEncodedSlashes NoDecode
</VirtualHost>
With all this, I can access the jenkins application at the url behind my CAS plugin.
When I use the certbot certonly --dry-run, the certification succeeds. However, when I then do exactly the same commands and parameters, the certification fails.
With verbose logging, the error I get back is
2019-08-21 14:16:21,882:DEBUG:acme.client:Received response:
HTTP 200
content-length: 1712
expires: Wed, 21 Aug 2019 18:16:21 GMT
cache-control: max-age=0, no-cache, no-store
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
pragma: no-cache
boulder-requester: 40668949
date: Wed, 21 Aug 2019 18:16:21 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 0001rcUDEfLn2gjlSQhNFVHsTHpViiPXWISJvovQgsXhQRw
{
"identifier": {
"type": "dns",
"value": "jenkins.ucdev.net"
},
"status": "invalid",
"expires": "2019-08-28T18:16:05Z",
"challenges": [
{
"type": "tls-alpn-01",
"status": "invalid",
"url": "https://acme-v02.api.letsencrypt.org/acme/challenge/oPwj_ZhYeBr-aEr8xDL5ifeAzUaE7dHRVYkl0aj1SpQ/19836695963",
"token": "bh_0Tc-5n_NxBBJe0_lDnGkKoAN7ZBnXqafEzy09ZaM"
},
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "Invalid response from http://jenkins.ucdev.net/.well-known/acme-challenge/X2XGpJcSfE5gWY1OmFPZLmryqH12ZS4gVB1UDrH288o [137.99.51.36]: \"\u003chtml\u003e\u003chead\u003e\u003cmeta http-equiv='refresh' content='1;url=/securityRealm/commenceLogin?from=%!F(MISSING).well-known%!F(MISSING)acme-challenge%!F(MISSING)X2XGpJ\"",
"status": 403
},
"url": "https://acme-v02.api.letsencrypt.org/acme/challenge/oPwj_ZhYeBr-aEr8xDL5ifeAzUaE7dHRVYkl0aj1SpQ/19836695964",
"token": "X2XGpJcSfE5gWY1OmFPZLmryqH12ZS4gVB1UDrH288o",
"validationRecord": [
{
"url": "http://jenkins.ucdev.net/.well-known/acme-challenge/X2XGpJcSfE5gWY1OmFPZLmryqH12ZS4gVB1UDrH288o",
"hostname": "jenkins.ucdev.net",
"port": "80",
"addressesResolved": [
"137.99.51.36"
],
"addressUsed": "137.99.51.36"
}
]
},
{
"type": "dns-01",
"status": "invalid",
"url": "https://acme-v02.api.letsencrypt.org/acme/challenge/oPwj_ZhYeBr-aEr8xDL5ifeAzUaE7dHRVYkl0aj1SpQ/19836695965",
"token": "CzCr1gW_tPvbEws0U-BrCKZxtFUX-GA9xUbdL_-bV98"
}
]
}
2019-08-21 14:16:21,882:DEBUG:acme.client:Storing nonce: 0001rcUDEfLn2gjlSQhNFVHsTHpViiPXWISJvovQgsXhQRw
2019-08-21 14:16:21,884:WARNING:certbot.auth_handler:Challenge failed for domain jenkins.ucdev.net
2019-08-21 14:16:21,884:INFO:certbot.auth_handler:http-01 challenge for jenkins.ucdev.net
2019-08-21 14:16:21,885:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:
Domain: jenkins.ucdev.net
Type: unauthorized
Detail: Invalid response from http://jenkins.ucdev.net/.well-known/acme-challenge/X2XGpJcSfE5gWY1OmFPZLmryqH12ZS4gVB1UDrH288o [137.99.51.36]: "<html><head><meta http-equiv='refresh' content='1;url=/securityRealm/commenceLogin?from=%!F(MISSING).well-known%!F(MISSING)acme-challenge%!F(MISSING)X2XGpJ"
To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
2019-08-21 14:16:21,886:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 90, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 154, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
AuthorizationError: Some challenges have failed.
2019-08-21 14:16:21,886:DEBUG:certbot.error_handler:Calling registered functions
2019-08-21 14:16:21,886:INFO:certbot.auth_handler:Cleaning up challenges
2019-08-21 14:16:21,886:DEBUG:certbot.plugins.webroot:Removing /var/cache/jenkins/war/.well-known/acme-challenge/X2XGpJcSfE5gWY1OmFPZLmryqH12ZS4gVB1UDrH288o
2019-08-21 14:16:21,887:DEBUG:certbot.plugins.webroot:All challenges cleaned up
2019-08-21 14:16:21,887:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 9, in <module>
load_entry_point('certbot==0.36.0', 'console_scripts', 'certbot')()
File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1381, in main
return config.func(config, plugins)
File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1264, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File "/usr/lib/python2.7/site-packages/certbot/main.py", line 120, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/usr/lib/python2.7/site-packages/certbot/client.py", line 406, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File "/usr/lib/python2.7/site-packages/certbot/client.py", line 349, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/usr/lib/python2.7/site-packages/certbot/client.py", line 385, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 90, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 154, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
AuthorizationError: Some challenges have failed.
Any advice or help you could offer would be amazing!
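An added example, not part of the original post: the log shows the webroot plugin writing the token under /var/cache/jenkins/war while the validation request is answered by Jenkins' login redirect, which is what the catch-all `ProxyPass /` in the posted virtual host produces. One way to keep the challenge path out of the proxy is sketched below; the exclusion rule and the `<Directory>` block are assumptions about what this setup needs, not configuration taken from the server.

```apache
<VirtualHost *:80>
    Header set X-Robots-Tag: none
    DocumentRoot /var/cache/jenkins/war
    ServerName jenkins.ucdev.net

    # ProxyPass rules are checked in configuration order and the first match
    # wins, so the exclusion ("!") has to come before the catch-all rule.
    # Without it, /.well-known/acme-challenge/<token> is forwarded to Jenkins,
    # which answers with its login redirect (the 403 in the log above).
    ProxyPass /.well-known/acme-challenge/ !

    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
    ProxyRequests Off
    AllowEncodedSlashes NoDecode

    # Let Apache serve only the challenge directory from disk. Granting access
    # to the narrow path avoids exposing the rest of the unpacked WAR as
    # static files.
    <Directory "/var/cache/jenkins/war/.well-known/acme-challenge">
        Require all granted
        Options None
        AllowOverride None
    </Directory>
</VirtualHost>
```

After reloading Apache, a test file placed in the challenge directory should come back over plain HTTP as its raw contents, not as the Jenkins login redirect. If SELinux is enforcing, httpd must also be allowed to read that directory.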