Challenge Error 403 on Forge LE SSL Installation

jasperf · July 9, 2018, 2:21pm

We have Laravel Forge Laravel setup on an Ubuntu 18.0.4 server. And on adding an SSL certificate using Forge we get:

--2018-07-09 14:10:59--  https://forge-certificates.laravel.com/le/376792/565125?env=production
Resolving forge-certificates.laravel.com (forge-certificates.laravel.com)... 104.25.9.32, 104.25.8.32, 2400:cb00:2048:1::6819:820, ...
Connecting to forge-certificates.laravel.com (forge-certificates.laravel.com)|104.25.9.32|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘letsencrypt_script1531145459’

     0K ..                                                     27.3M=0s

2018-07-09 14:11:00 (27.3 MB/s) - ‘letsencrypt_script1531145459’ saved [2344]

Cloning into 'letsencrypt1531145460'...
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:unauthorized",
    "detail": "Invalid response from http://domain.de/.well-known/acme-challenge/FVA4t8uL3LFzp7BHGYdry_QJ3AJ29dzvmz7auqajoyc: \"\u003c!DOCTYPE html\u003e\n\u003chtml lang=\"en\"\u003e\n\u003chead\u003e\n    \u003cmeta charset=\"utf-8\"\u003e\n    \u003ctitle\u003edomain\u003c/title\u003e\n    \u003cmeta name=\"viewport\" content=\"",
    "status": 403
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/-U1JMAOSWTXcx5U0IVU_zWy7AI6O_noH_r4DO5Jw4ec/5556829746",
  "token": "FVA4t8uL3LFzp7BHGYdry_QJ3AJ29dzvmz7auqajoyc",
  "validationRecord": [
    {
      "url": "http://domain.de/.well-known/acme-challenge/FVA4t8uL3LFzp7BHGYdry_QJ3AJ29dzvmz7auqajoyc",
      "hostname": "domain.de",
      "port": "80",
      "addressesResolved": [
        "xxx.xxx.xxx.xxx",
        "xxxx:7c8:xxxx:1ff::1"
      ],
      "addressUsed": "xxx.xxx.xxxx.xxx",
      "addressesTried": [
        "xxxx:7c8:xxxx:1ff::1"
      ]
    }
  ]
})

The domain is using Nginx conf:

    server {
        listen  80 default_server;
        listen  [::]:80 default_server;
        listen  443 default_server ssl http2;
        listen  [::]:443 default_server ssl http2;
        root /home/forge/my.app.com/current/public;
       ssl_certificate /etc/nginx/ssl/my.app.com/xxxxxx/server.crt;
       ssl_certificate_key /etc/nginx/ssl/my.app.com/xxxxx/server.key;

       ssl_protocols TLSv1.2;
       ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
       ssl_prefer_server_ciphers on;
       ssl_dhparam /etc/nginx/dhparams.pem;

       add_header X-Frame-Options "SAMEORIGIN";
       add_header X-XSS-Protection "1; mode=block";
       add_header X-Content-Type-Options "nosniff";

       index index.html index.htm index.php;

      location / {
        try_files $uri $uri/ /index.php?$query_string;
      }

       location ~ \.php$ {
           fastcgi_split_path_info ^(.+\.php)(/.+)$;
           fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
          fastcgi_index index.php;
          include fastcgi_params;
       }
}

to get in and the site does load like all sites from the same webroot . We do not see the challenge directory created… And on loading the challenge we get a 403. Forge is running this as Forge I would think so should be able to create directories in the web root… Any ideas what the real issue is and how to fix this?

JuergenAuer · July 9, 2018, 2:39pm

Hi @jasperf

without knowing your domain, it's impossible to help.

But your domain smart48.de can be found there

https://acme-v02.api.letsencrypt.org/acme/challenge/-U1JMAOSWTXcx5U0IVU_zWy7AI6O_noH_r4DO5Jw4ec/5556829746

There are two dns-records - ipv4 and ipv6.

Addresses: 2a01:7c8:aac8:1ff::1
136.144.185.172

The ipv4 works. But the ipv6:

This site can’t be reached
http://[2a01:7c8:aac8:1ff::1]/ is unreachable.

So change or remove your ipv6 - entry and try it again.

jasperf · July 9, 2018, 2:50pm

How would I change or remove the ipv6 here? In the server block? Or in DNS? I prefer fixing really…

JuergenAuer · July 9, 2018, 2:59pm

This is a DNS-setting.

Name -> IP-Address

schoen · July 9, 2018, 3:11pm

Currently it's not even being routed to your server, so you'll probably need to ask your hosting provider how that IPv6 address was assigned and how to make it work.

I appreciate that, because most people in this situation just try to delete their IPv6 records in order to get their sites working in IPv4 as quickly as possible.

jasperf · July 9, 2018, 3:23pm

Thanks. Just opened a ticket . The ipv6 no is used in a records pointing to the server so not sure why ipv6 cannot connect to server. Name is @ and ip is the ipv6 address and that ip is attached to VPS… No ideas yet.

schoen · July 9, 2018, 4:28pm

As you already have listen [::]:80 in your nginx configuration, it would probably be helpful to get the provider’s help figuring out why the service is inaccessible.

jasperf · July 11, 2018, 8:53am

Moved to Digital Ocean and there I can ping the new ipv6 using http://www.ipv6now.com.au/pingme.php and I can also get whois data and so on using https://www.ultratools.com/tools/ipv6Info , but I still get the same Let’s Encrypt Error. And ipv4 gets an app error in the browser, but ipv6 cannot be reached. So I am starting to wonder if this a server issue or an app issue… Or is it because I am on an ipv4 network and so is the Laravel Forge site trying to generate the certificate?

_az · July 11, 2018, 9:01am

Your site works fine on IPv4 and IPv6 now.

I think this comes down to how the Laravel Forge “letsencrypt_script” actually works - how it makes your nginx server serve the correct domain validation response. There’s a number of reasons why it may be malfunctioning, but since it isn’t open source and there’s no way for us to see what it’s doing, it’s hard to give an answer.

JuergenAuer · July 11, 2018, 9:10am

I've got two new ip-addresses:

Name: smart48.de
Addresses: 2a03:b0c0:0:1010::1aa:d001
37.139.22.56

But the ipv6-address doesn't work. Used Opera / Chrome, which supports such a call.

This site can’t be reached
http://[2a03:b0c0:0:1010::1aa:d001]/ is unreachable.

Because http://www.ipv6now.com.au/pingme.php can ping the page, it may be an error of your webserver-configuration.

_az · July 11, 2018, 9:12am

Might be a problem on your own network.

jasperf · July 11, 2018, 9:13am

Did mention the nginx config before and these two lines should deal with ipv6:

listen  [::]:80 default_server;
listen  [::]:443 default_server ssl http2;

or so I would think with limited knowledge of Nginx.

And yes, as @_az said. Could be your network.

JuergenAuer · July 11, 2018, 9:20am

Yep, it's an own problem.

Name: hosted-vh2.discourse.org
Addresses: 2001:470:1:3a8::201
64.71.168.201
Aliases: community.letsencrypt.org

Calling http://64.71.168.201/ get's a discourse - error-page -

Sorry, the site you are looking for does not exist.

Calling http://[2001:470:1:3a8::201]/ get's also a

This site can’t be reached
http://[2001:470:1:3a8::201]/ is unreachable.

jasperf · July 11, 2018, 2:31pm

I see we have a special challenge file:

cat /etc/nginx/forge-conf/app.com/server/letsencrypt_challenge.conf

and that file has:

location /.well-known/acme-challenge {
auth_basic off;
allow all;
alias /home/forge/.letsencrypt;
}

and in /home/forge/.letsencrypt we have a forge test file and no others

So the script checks the root , but the alias sends it to /home/forge/.letsencrypt it seems… But somehow this does not work now and no challenge is stored and or read…

jasperf · July 11, 2018, 2:41pm

I fixed it! I was missing

charset utf-8;
# FORGE CONFIG (DO NOT REMOVE!)
include forge-conf/app.com/server/*;

in my custom server block. So that is how the specific acme challenge location could not be loaded. All good now!

system · August 10, 2018, 2:41pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.