Certificate renewal failed but challenge file is accesible via browser and curl


#1

Hi, I’m trying to test the renewal of my certificate but the file challenge is failing. The challenge file is accessible using the web browser at http://abasy.ccg.unam.mx/.well-known/acme-challenge/0aCShSw7bQULkuyUQ1GLuK736PGx5R5tYOXEADwA5EI

curl is also able to access the challenge file:

curl -A “Mozilla/5.0 (compatible; Let’s Encrypt validation server; +https://www.letsencrypt.org)” http://abasy.ccg.unam.mx/.well-known/acme-challenge/0aCShSw7bQULkuyUQ1GLuK736PGx5R5tYOXEADwA5EI

0aCShSw7bQULkuyUQ1GLuK736PGx5R5tYOXEADwA5EI.PgpElZcEMtVKNbipvXAfkUYd_WS3Y8J1AnwNQGvyYhw

My domain is: abasy.ccg.unam.mx

I ran this command:
le64 --key jfreyre-zerossl.key --csr abasy.csr --csr-key abasy.key --crt abasy.crt --domains “abasy.ccg.unam.mx” --path C:\Users\jfreyre\Dropbox (FreyreLab)\OtrosProyectos\Abasy\Websites\Abasy.well-known\acme-challenge --generate-missing --email jfreyre@ccg.unam.mx --renew 89 --issue-code 100

It produced this output:
2019/03/22 13:02:05 [ ZeroSSL Crypt::LE client v0.32 started. ]
2019/03/22 13:02:05 Loading an account key from C:\Users\jfreyre\Dropbox (FreyreLab)\OtrosProyectos\Abasy\Websites\SSL_files\jfreyre-zerossl.key
2019/03/22 13:02:05 Loading a CSR from C:\Users\jfreyre\Dropbox (FreyreLab)\OtrosProyectos\Abasy\Websites\SSL_files\abasy.csr
2019/03/22 13:02:05 Checking certificate for expiration (local file).
2019/03/22 13:02:05 Expiration threshold set at 89 days, the certificate expires in 88 days - will be renewing.
2019/03/22 13:02:07 Registering the account key
2019/03/22 13:02:08 The key is already registered. ID: 8666299
2019/03/22 13:02:08 Current contact details: jfreyre@ccg.unam.mx
2019/03/22 13:02:09 Successfully saved a challenge file ‘C:\Users\jfreyre\Dropbox (FreyreLab)\OtrosProyectos\Abasy\Websites\Abasy.well-known\acme-challenge/0aCShSw7bQULkuyUQ1GLuK736PGx5R5tYOXEADwA5EI’ for domain ‘abasy.ccg.unam.mx’
2019/03/22 13:02:12 Domain verification results for ‘abasy.ccg.unam.mx’: error. Invalid response from http://abasy.ccg.unam.mx/.well-known/acme-challenge/0aCShSw7bQULkuyUQ1GLuK736PGx5R5tYOXEADwA5EI [132.248.220.234]: "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n<!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0 Strict//EN”\r\n “http://www.w3.org/TR/xhtml1
2019/03/22 13:02:12 You can now delete the ‘C:\Users\jfreyre\Dropbox (FreyreLab)\OtrosProyectos\Abasy\Websites\Abasy.well-known\acme-challenge/0aCShSw7bQULkuyUQ1GLuK736PGx5R5tYOXEADwA5EI’ file.
2019/03/22 13:02:12 All verifications failed

My web server is (include version): Apache/2.4.33 (Win32)

The operating system my web server runs on is (include version): Windows 7 Professional

My hosting provider, if applicable, is: NA

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): ZeroSSL Crypt::LE client v0.32

Thanks for any help!


#2

Hi @jfreyre

you have a valid certificate ( https://check-your-website.server-daten.de/?q=abasy.ccg.unam.mx ):

CN=abasy.ccg.unam.mx
	21.03.2019
	19.06.2019
expires in 89 days	abasy.ccg.unam.mx - 1 entry

And it’s CT-logged:

CRT-Id	Issuer	not before	not after	Domain names	LE-Duplicate
1305798909
	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
	2019-03-21 16:52:22
	2019-06-19 15:52:22
	abasy.ccg.unam.mx
	no duplicate

Your port 80 is open, your port 443 uses that certificate.

So all looks good.


#3

Thanks @JuergenAuer for your quick reply . I agree, everything looks ok but after trying again the renewal is still failing.

Apache log tells:
66.133.109.36 - - [22/Mar/2019:14:22:26 -0600] “GET /.well-known/acme-challenge/ddkMYyiERIgzQVtKKOLH5e45RSjR-6_qBr9OLxPo-3Q HTTP/1.1” 404 1019 “-” “Mozilla/5.0 (compatible; Let’s Encrypt validation server; +https://www.letsencrypt.org)”

A 404 error, but using a browser and curl I still have access to the challenge file:

curl -A “Mozilla/5.0 (compatible; Let’s Encrypt validation server; +https://www.letsencrypt.org)” http://abasy.ccg.unam.mx/.well-known/acme-challenge/ddkMYyiERIgzQVtKKOLH5e45RSjR-6_qBr9OLxPo-3Q

ddkMYyiERIgzQVtKKOLH5e45RSjR-6_qBr9OLxPo-3Q.PgpElZcEMtVKNbipvXAfkUYd_WS3Y8J1AnwNQGvyYhw


#4

But how did you created the certificate yesterday?

I have no idea what that client is doing.

Is there a bot detection?

It’s a CNAME to another server:

Host T IP-Address is auth. ∑ Queries ∑ Timeout
abasy.ccg.unam.mx C xanadu.ccg.unam.mx yes 1 0
A 132.248.220.234 yes
www.abasy.ccg.unam.mx Name Error yes 1 0

Are you running the tool on that ip?


#5

Hi @JuergenAuer,

I created the certificate as follow:
le64 --key jfreyre-zerossl.key --csr abasy.csr --csr-key abasy.key --crt abasy.crt --domains “abasy.ccg.unam.mx” --path %DROPBOXB%\OtrosProyectos\Abasy\Websites\Abasy.well-known\acme-challenge --generate-missing --unlink --email jfreyre@ccg.unam.mx --live

Yes, there is a bot protection that bans by user-agent, but the response is 403 (forbidden) not 404.

No, I’m not running the renewal from 132.248.220.234. I was running on 132.248.220.132. In fact, I created the certificate also running from 132.248.220.132, so I assumed the renewal could be ran from that IP too.


#6

To do HTTP validation, Let’s Encrypt’s validation servers connect to whatever IP addresses your hostname has in the DNS, not necessarily the machine it’s running on.


#7

That can’t work.

The ip address the world sees is 132.248.220.234.

So this IP is connected, then the hostname abasy.ccg.unam.mx is sent.

That’s how browsers and every online tool works. So if your client creates the file to check on another ip, the file is not found.


#8

Sorry, I missed to tell you that I’m using a distributed file system over a gigabit connection so while the challenge file is created in a different machine than the host, it is propagated to the machine hosting the web server. I then suspect the problem is the delay. I will try the --delayed option. Thanks for all your support!


closed #9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.