Certbot error "Invalid response from www.example.com"

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is : ravendellnas.zapto.org

I ran this command : sudo certbot certonly --webroot

It produced this output : Input the webroot for ravendellnas.zapto.org: (Enter 'c' to cancel): /var/www/ravendellnas.zapto.org/web
Waiting for verification...
Challenge failed for domain ravendellnas.zapto.org
http-01 challenge for ravendellnas.zapto.org
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: ravendellnas.zapto.org
    Type: unauthorized
    Detail: Invalid response from http://ravendellnas.zapto.org/ui/
    [xx.xxx.xxx.xxx]: "<!doctype html>\n<html lang="en">\n\n \n \n <meta http-eq"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version) :

The operating system my web server runs on is (include version): truenas 12.2

My hosting provider, if applicable, is: no-ip

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.3.0

1 Like

Hi @achillesdakin

There you see the problem. There is a redirect from /.well-known/acme-challenge/validation-file to /ui/.

So Let's Encrypt doesn't see the content of the validation file.

Remove that redirect if the path starts with /.well-known/acme-challenge.

PS: Your IP must be public if your domain is public. So hiding your IP is a little bit curious. Every browser / visitor knows your IP.

2 Likes
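To see for yourself what the Let's Encrypt validator sees, the check below repeats the http-01 fetch and reports whether the challenge path is served, missing, or redirected away. This is an added example, not code from the thread or from Certbot; it assumes curl is installed, the domain and token are placeholders, and the sample responses are constructed rather than real captures. It also goes slightly beyond the post: Let's Encrypt does follow redirects on ports 80 and 443, so a redirect is only a problem when the Location drops the /.well-known/acme-challenge/ path, which is exactly what the /ui/ redirect does.

```shell
#!/bin/sh
# Added example (not from the thread): repeat the http-01 fetch Let's Encrypt
# makes and report whether the challenge path is served, missing, or redirected
# away. Assumptions: curl is installed; the domain and token are placeholders;
# the sample responses below are constructed, not real captures.

# Classify raw HTTP response headers (status line first). Prints one of:
#   ok                  200: the path is served directly, what ACME needs
#   not-found           404: the web server answers, there is just no file yet
#   redirect-ok:URL     3xx whose Location keeps /.well-known/acme-challenge/
#                       (Let's Encrypt follows such redirects on ports 80/443)
#   redirect-broken:URL 3xx that drops the challenge path (the /ui/ case above)
#   other:CODE          anything else
classify_response() {
    headers=$(printf '%s' "$1" | tr -d '\r')
    code=$(printf '%s\n' "$headers" | head -n 1 | awk '{print $2}')
    case "$code" in
        200) echo ok ;;
        404) echo not-found ;;
        301|302|303|307|308)
            loc=$(printf '%s\n' "$headers" | grep -i '^location:' | head -n 1 \
                | sed 's/^[Ll][Oo][Cc][Aa][Tt][Ii][Oo][Nn]:[[:space:]]*//')
            case "$loc" in
                */.well-known/acme-challenge/*) echo "redirect-ok:$loc" ;;
                *) echo "redirect-broken:$loc" ;;
            esac
            ;;
        *) echo "other:$code" ;;
    esac
}

# Fetch the challenge URL the way the CA does and classify the first hop.
# No -L: we want to see the redirect itself, not where it ends up.
probe_challenge_path() {
    domain="$1"
    token="${2:-probe-$(date +%s)}"
    headers=$(curl -sS -D - -o /dev/null "http://$domain/.well-known/acme-challenge/$token") || return 1
    classify_response "$headers"
}

# Constructed sample: a GUI that bounces every request to /ui/ (modelled on
# the error in the first post; not a real capture).
SAMPLE_GUI_REDIRECT='HTTP/1.1 302 Found
Server: nginx
Location: http://ravendellnas.zapto.org/ui/
Content-Type: text/html'

# Constructed sample: a plain webroot serving the token file.
SAMPLE_WEBROOT_OK='HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 87'

# Constructed sample: an http->https redirect that keeps the path (acceptable).
SAMPLE_HTTPS_REDIRECT='HTTP/1.1 301 Moved Permanently
Location: https://ravendellnas.zapto.org/.well-known/acme-challenge/probe-1'

# Constructed sample: webroot reached, no token file placed yet.
SAMPLE_NOT_FOUND='HTTP/1.1 404 Not Found
Content-Type: text/html'

# Usage: ./acme-probe.sh ravendellnas.zapto.org   (live check, needs network)
if [ -n "${1:-}" ]; then
    probe_challenge_path "$1"
else
    classify_response "$SAMPLE_GUI_REDIRECT"   # prints redirect-broken:http://ravendellnas.zapto.org/ui/
fi
```

Run it with the domain as the only argument to probe the live server; with no argument it classifies the constructed /ui/ redirect so the logic can be tried offline. Anything other than `ok`, `not-found` or `redirect-ok:...` means the validator will never reach the token file, whatever is in the webroot.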

Thank you for the reply.
Unfortunately I'm very new to this and cannot work out how to remove the redirect with my OS, or what you mean about my IP.

1 Like

Welcome to the Let's Encrypt Community


There is likely a setting in your device.


Oh ok, thank you for explaining the IP.

I don't think disabling this redirect is something I can do, as this webpage is my webgui for TrueNAS and I have limited control of the webgui.

1 Like

@achillesdakin

One of our longstanding members @danb35 wrote an official script for Let's Encrypt for TrueNAS that you may find helpful:


@danb35

If you're around, your help is kindly requested here.

I think you're right, and this is probably the right way to go. I have already spent a few hours trying to get that script to work as I saw it somewhere else earlier, but the instructions were a bit above me and I most likely didn't have it set up right, causing a similar error I believe.

1 Like

I've seen people say this a few times, and I really don't understand where the idea comes from that "my" script (only mine in that I initially hacked it together; most of the code comes from others) is in any way official--it's a user-contributed script. The only thing that's "official" is the built-in support for DNS validation using a very limited set of DNS hosts (I believe only one).

Also, my script really doesn't have anything to do with obtaining certs, only installing them--though the rest of the resource does address obtaining them.

No, there is no such setting in TrueNAS; it simply isn't designed or intended to be used in this way.

NEVER, UNDER ANY CIRCUMSTANCES, EXPOSE THE FREENAS/TRUENAS GUI TO THE INTERNET. It isn't designed for that, it isn't secured for that, and you're just asking for your server to be compromised. If you need to access the GUI from outside your LAN, use a VPN.

...but without actually asking any questions in the place where that script is discussed. Why?

Now, in-depth discussion or troubleshooting on the use of the script would probably be better done in the discussion thread for that script. And I don't even know how you got certbot installed in the base TrueNAS system; you shouldn't be able to install any software there. But for a few basics--since your DNS provider doesn't have a supported API, you'll need to:

  • Create a jail.
  • In that jail, install socat and bash (pkg install bash socat nano), acme.sh (as described in the resource linked above), and my script (also as described in that resource). Yes, if you really want to use certbot instead of acme.sh you can, but I can't imagine why you'd want to.
  • On your router, forward port 80 to the IP address of that jail, rather than to your TrueNAS box.
  • In the jail, configure the script with the correct IP address for your TrueNAS box, and other relevant parameters.
  • In the jail, run acme.sh --issue -d fqdn_of_freenas_box --standalone --reloadcmd "/path/to/deploy_freenas.py"

Follow up in that thread if you have further questions.

3 Likes
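The jail-side steps above, wrapped in a script with a pre-flight check that port 80 is actually free before `acme.sh --standalone` tries to bind it. This is an added example and is not code from the thread, from danb35's resource, or from acme.sh; it assumes a FreeBSD jail (pkg, sockstat), acme.sh installed to its default $HOME/.acme.sh, and the FQDN and deploy-script path are placeholders to adjust. The port-80 check is kept as a pure text function so it can be tried on captured sockstat output without a jail.

```shell
#!/bin/sh
# Added example (not from the thread, danb35's resource, or acme.sh): the
# jail-side steps listed above as a script, with a pre-flight check that port
# 80 is free before acme.sh --standalone tries to bind it. Assumptions:
# FreeBSD jail (pkg, sockstat), acme.sh installed to $HOME/.acme.sh, and the
# FQDN / deploy-script path below are placeholders to adjust.
FQDN="${FQDN:-ravendellnas.zapto.org}"
DEPLOY_SCRIPT="${DEPLOY_SCRIPT:-/root/deploy-freenas/deploy_freenas.py}"

# Return 0 if nothing in `sockstat -4l` output listens on TCP port 80.
# Pure text function so it can be checked on captured output.
port80_free_in_listing() {
    printf '%s\n' "$1" | awk '
        NR > 1 && $5 ~ /^tcp/ && $6 ~ /:80$/ { busy = 1 }
        END { exit (busy ? 1 : 0) }'
}

install_deps() {
    pkg install -y bash socat nano
    # acme.sh install per https://github.com/acmesh-official/acme.sh
    curl -fsS https://get.acme.sh | sh
}

preflight() {
    if ! port80_free_in_listing "$(sockstat -4l)"; then
        echo "something already listens on :80 in this jail; stop it first" >&2
        return 1
    fi
    [ -x "$DEPLOY_SCRIPT" ] || { echo "deploy script not executable: $DEPLOY_SCRIPT" >&2; return 1; }
}

# The router must already forward port 80 to this jail's IP (done outside the jail).
issue_cert() {
    preflight || return 1
    "$HOME/.acme.sh/acme.sh" --issue -d "$FQDN" --standalone --reloadcmd "$DEPLOY_SCRIPT"
}

# Constructed sockstat output (not a real capture) for trying the check offline.
SAMPLE_PORT80_BUSY='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     nginx      1234  6  tcp4   *:80                  *:*
root     sshd       901   4  tcp4   *:22                  *:*'
SAMPLE_PORT80_FREE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       901   4  tcp4   *:22                  *:*
root     syslogd    600   5  udp4   *:514                 *:*'

# Usage: ./jail-acme.sh install   then   ./jail-acme.sh issue
case "${1:-}" in
    install) install_deps ;;
    issue)   issue_cert ;;
    *)       port80_free_in_listing "$SAMPLE_PORT80_BUSY" && echo "port 80 free" || echo "port 80 busy (expected for the sample)" ;;
esac
```

Run `install` once, then `issue`; with no argument the script only exercises the port check against the constructed busy sample. The check matters because `--standalone` starts its own listener on port 80, so if the jail already runs a web server there, acme.sh will fail to bind and the validation will fail for a reason unrelated to DNS or the router.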

Thanks for answering the call, danb35.

It's the top search result in Google and hosted on the official TrueNAS website as a resource. Seemed official enough to me. You most likely have worlds more experience with this product than anyone else here regularly.

NEVER, UNDER ANY CIRCUMSTANCES, EXPOSE THE FREENAS/TRUENAS GUI TO THE INTERNET.

I understand, I have set up remote access to the webgui and share only through an ssh tunnel. I believe this to be secure.

...but without actually asking any questions in the place where that script is discussed. Why?

That probably would have been a good idea. Excuse the noobiness.

Thank you for the advice and instructions, I will re-attempt and follow up with any issues in the script's thread.

1 Like

I know this might not be the right place for this, but you seem very knowledgeable, and I cannot find how to set up the jail to get things going.

1 Like

It really isn't; the TrueNAS forums would be much better. But in short, you create a jail with a static IP address--that should be all that matters. Release doesn't really matter, though I'd think you'd want to use the latest (12.2). The only real requirement for the jail is that it be there so you can install other software and have something other than the GUI listening on port 80.

1 Like

Thank you, I have moved the final error I am receiving to your github/deploy-freenas thread.

1 Like