Challenge fails despite good conf [solved]

22decembre · 2016-02-17 11:29:05 UTC

I am running openbsd 5.8 and try now to renew certificates and it fails, whatever client or acme server (staging or prod’) I try.

Here it is with acme-tiny:

stephane@blackblock:/var/www/www.22decembre.eu doas -u le /var/le/generate www.22decembre.eu 
doas (stephane@blackblock.22decembre.eu) password: 
Generating RSA private key, 4096 bit long modulus
................................................................................................................................................................++
............................................................................................................................................................................................++
e is 65537 (0x10001)
Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Verifying www.22decembre.eu...
Traceback (most recent call last):
  File "/var/le/acme-tiny/acme_tiny.py", line 198, in <module>
    main(sys.argv[1:])
  File "/var/le/acme-tiny/acme_tiny.py", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
  File "/var/le/acme-tiny/acme_tiny.py", line 149, in get_crt
    domain, challenge_status))
ValueError: www.22decembre.eu challenge did not pass: {u'status': u'invalid', u'validationRecord': [{u'url': u'http://www.22decembre.eu/.well-known/acme-challenge/ti1aguTK5m-YoINFyUtzkB7tDkNaYaAXYSFiaKdFsuQ', u'hostname': u'www.22decembre.eu', u'addressUsed': u'90.185.111.213', u'port': u'80', u'addressesResolved': [u'90.185.111.213']}], u'keyAuthorization': u'ti1aguTK5m-YoINFyUtzkB7tDkNaYaAXYSFiaKdFsuQ.L4TPRmCy6xGjPSjU2Xzk1Yq6IDS9Z3hiv2ASxM1z42s', u'uri': u'https://acme-staging.api.letsencrypt.org/acme/challenge/65TH7qDYiXRxcGpTFixP8LSMOX-ogpthaQF9OSFLiJw/1336745', u'token': u'ti1aguTK5m-YoINFyUtzkB7tDkNaYaAXYSFiaKdFsuQ', u'error': {u'type': u'urn:acme:error:unauthorized', u'detail': u'Invalid response from http://www.22decembre.eu/.well-known/acme-challenge/ti1aguTK5m-YoINFyUtzkB7tDkNaYaAXYSFiaKdFsuQ [90.185.111.213]: 404'}, u'type': u'http-01'}

this one with letsacme:

stephane@blackblock:/home/stephane/letsacme doas python letsacme.py --no-chain --account-key /var/le/master.key  --csr /var/le/domains/www.22decembre.eu/cu>
doas (stephane@blackblock.22decembre.eu) password: 
Parsing account key...
Parsing CSR...
CN: www.22decembre.eu
Registering account...
Already registered!
Verifying www.22decembre.eu...
www.22decembre.eu challenge did not pass: {u'status': u'invalid', u'validationRecord': [{u'url': u'http://www.22decembre.eu/.well-known/acme-challenge/yxltSqajH3bXXESF_7WiWI8kYLmPgbQWF69S6W_bKFQ', u'hostname': u'www.22decembre.eu', u'addressUsed': u'90.185.111.213', u'port': u'80', u'addressesResolved': [u'90.185.111.213']}], u'keyAuthorization': u'yxltSqajH3bXXESF_7WiWI8kYLmPgbQWF69S6W_bKFQ.L4TPRmCy6xGjPSjU2Xzk1Yq6IDS9Z3hiv2ASxM1z42s', u'uri': u'https://acme-v01.api.letsencrypt.org/acme/challenge/y8xr56unkvO00RAwpJCqOAfkCA5y1rgVSD7XsRXP6hs/17564408', u'token': u'yxltSqajH3bXXESF_7WiWI8kYLmPgbQWF69S6W_bKFQ', u'error': {u'type': u'urn:acme:error:unauthorized', u'detail': u'Invalid response from http://www.22decembre.eu/.well-known/acme-challenge/yxltSqajH3bXXESF_7WiWI8kYLmPgbQWF69S6W_bKFQ [90.185.111.213]: 404'}, u'type': u'http-01'}

yet, when I check, I can write a random text file as the user, then download it from an other computer:

stephane@luciole:~$ wget http://www.22decembre.eu/.well-known/acme-challenge/t
--2016-02-17 12:21:32--  http://www.22decembre.eu/.well-known/acme-challenge/t
Résolution de www.22decembre.eu (www.22decembre.eu)… 2001:16d8:dd00:8207::, 2001:16d8:dd00:8207:be5f:f4ff:fe73:a7e0, 2001:16d8:dd00:207::2, ...
Connexion à www.22decembre.eu (www.22decembre.eu)|2001:16d8:dd00:8207::|:80… connecté.
requête HTTP transmise, en attente de la réponse… 200 OK
Taille : 34 [application/octet-stream]
Sauvegarde en : « t.1 »

100%[=============================================================>] 34          --.-K/s   ds 0s

any idea ?

eridan911 · 2016-02-17 14:10:44 UTC

I’m able to fetch http://www.22decembre.eu/.well-known/acme-challenge/t when using IPv6, but it’s not working for IPv4.

wget -4 http://www.22decembre.eu/.well-known/acme-challenge/t --2016-02-17 15:08:59-- http://www.22decembre.eu/.well-known/acme-challenge/t Resolving www.22decembre.eu... 90.185.111.213 Connecting to www.22decembre.eu|90.185.111.213|:80... connected. HTTP request sent, awaiting response... 404 Not Found 2016-02-17 15:09:00 ERROR 404: Not Found.

I’m pretty sure IPv4 is used by Let’s Encrypt to perform the validation. Something wrong with your web server configuration perhaps?

22decembre · 2016-02-17 22:03:13 UTC

That explain the whole thing. Eventhough it’s weird cause my website is reachable by ipv4-only without trouble.

Thanks.

22decembre · 2016-02-18 06:38:01 UTC

It made it. Thank you so much.