Challenge is invalid > Nearlyfreespeech

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://www.franklinford.org/

I ran this command:

I basically followed these steps since I’m also trying to install TLS on nearlyfreespeech. So:

$ ssh
$ cd public/
$ tls-setup.sh

Then I went to home/public/.well-known/acme-challenge and created a file test.txt there with some content inside. When I'm trying to access http://franklinford.org/.well-known/acme-challenge/test.txt, I'm not able to see the content.

It produced this output:

When I’m running in /home/public the command tls-setup.sh, it produces the following error:

ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:unauthorized",
    "detail": "Invalid response from https://juliette-demaeyer.squarespace.com/.well-known/acme-challenge/LLR-PlnQih3e3FKNeAZU781c6PQqkHAotl25wLmK000 [198.185.159.176]: 404",
    "status": 403
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/1465037135/8fe-2Q",
  "token": "LLR-PlnQih3e3FKNeAZU781c6PQqkHAotl25wLmK000",
  "validationRecord": [
    {
      "url": "http://www.franklinford.org/.well-known/acme-challenge/LLR-PlnQih3e3FKNeAZU781c6PQqkHAotl25wLmK000",
      "hostname": "www.franklinford.org",
      "port": "80",
      "addressesResolved": [
        "208.94.118.129",
        "2607:ff18:80:4::2a4d"
      ],
      "addressUsed": "2607:ff18:80:4::2a4d"
    },
    {
      "url": "https://juliette-demaeyer.squarespace.com/.well-known/acme-challenge/LLR-PlnQih3e3FKNeAZU781c6PQqkHAotl25wLmK000",
      "hostname": "juliette-demaeyer.squarespace.com",
      "port": "443",
      "addressesResolved": [
        "198.185.159.176",
        "198.49.23.176",
        "198.185.159.177",
        "198.49.23.177"
      ],
      "addressUsed": "198.185.159.176"
    }
  ]
})

INFO: Using main config file /usr/local/etc/dehydrated/config

Processing www.franklinford.org

My web server is (include version):

Apache 2.4, PHP, CGI

The operating system my web server runs on is (include version):

General-purpose FreeBSD 2019Q2

My hosting provider, if applicable, is:

Nearly Free Speech

I can login to a root shell on my machine (yes or no, or I don’t know):

I can ssh but I don’t know if I can sudo since I’m an adjunct member. When I sudo, I get -bash: sudo: command not found.

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

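The validationRecord array in the error above is the part worth reading: each entry is one hop the Let's Encrypt validator followed, and when the last hop's hostname is not the name being validated, a redirect has sent the challenge request to a different site. The following Python script is an added example, not part of the original post or of NearlyFreeSpeech's tls-setup.sh; it parses a challenge object of that shape (the sample below is constructed from the JSON in the post, trimmed to two resolved addresses) and reports the hop chain, the final HTTP status and the path the token must be served from.

```python
"""Read an ACME http-01 challenge result and explain why it failed.

Added example (not from the original thread). The sample challenge is
constructed from the error printed in the post above.
"""
import json
import re

TOKEN = "LLR-PlnQih3e3FKNeAZU781c6PQqkHAotl25wLmK000"

# Constructed sample: the challenge object from the post, trimmed.
SAMPLE = json.dumps({
    "type": "http-01",
    "status": "invalid",
    "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Invalid response from https://juliette-demaeyer.squarespace.com"
                  "/.well-known/acme-challenge/" + TOKEN + " [198.185.159.176]: 404",
        "status": 403,
    },
    "token": TOKEN,
    "validationRecord": [
        {"url": "http://www.franklinford.org/.well-known/acme-challenge/" + TOKEN,
         "hostname": "www.franklinford.org", "port": "80",
         "addressesResolved": ["208.94.118.129", "2607:ff18:80:4::2a4d"],
         "addressUsed": "2607:ff18:80:4::2a4d"},
        {"url": "https://juliette-demaeyer.squarespace.com/.well-known/acme-challenge/" + TOKEN,
         "hostname": "juliette-demaeyer.squarespace.com", "port": "443",
         "addressesResolved": ["198.185.159.176", "198.49.23.176"],
         "addressUsed": "198.185.159.176"},
    ],
})


def diagnose(challenge_json, expected_host):
    """Return a dict describing where the validator ended up and why."""
    ch = json.loads(challenge_json)
    records = ch.get("validationRecord", [])
    # One (hostname, port, address) tuple per hop the validator took.
    hops = [(r["hostname"], r["port"], r["addressUsed"]) for r in records]
    final_host = hops[-1][0] if hops else None
    # The trailing ": NNN" in the detail string is the HTTP status seen last.
    detail = ch.get("error", {}).get("detail", "")
    m = re.search(r":\s*(\d{3})\s*$", detail)
    final_status = int(m.group(1)) if m else None
    return {
        "hops": hops,
        "final_host": final_host,
        "final_status": final_status,
        # True when a redirect moved validation off the name being certified.
        "redirected_offsite": final_host is not None and final_host != expected_host,
        # The path the token must be reachable at on expected_host, over plain HTTP.
        "expected_path": "/.well-known/acme-challenge/" + ch.get("token", ""),
    }


def explain(result, expected_host):
    """Render the diagnosis as a short, human-readable message."""
    lines = ["Validator hops:"]
    for host, port, addr in result["hops"]:
        lines.append(f"  {host}:{port} ({addr})")
    if result["redirected_offsite"]:
        lines.append(f"Redirected away from {expected_host} to {result['final_host']}, "
                     f"which answered {result['final_status']}.")
        lines.append(f"Fix: serve {result['expected_path']} from {expected_host} "
                     f"without redirecting it (exclude /.well-known/acme-challenge/).")
    else:
        lines.append(f"No off-site redirect; check that {result['expected_path']} "
                     f"is served from {expected_host} (status {result['final_status']}).")
    return "\n".join(lines)


if __name__ == "__main__":
    r = diagnose(SAMPLE, "www.franklinford.org")
    print(explain(r, "www.franklinford.org"))
```

Run it against the JSON that dehydrated (or any other ACME client) prints; the "Fix:" line is the same conclusion the replies below reach by inspecting the redirect by hand.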

Hi @CyrusLK

Checking your domain, that can't work: https://check-your-website.server-daten.de/?q=franklinford.org

There are redirects to another domain:

Domainname                IP                     Http-Status                                                  redirect                                     Sec.   G
http://franklinford.org/  208.94.118.129         301 (GZip used: 203 / 250, 18,80 %; Html is minified: 100,00 %)  https://juliette-demaeyer.squarespace.com/  0.383  E
http://franklinford.org/  2607:ff18:80:4::2a4d   301 (GZip used: 203 / 250, 18,80 %; Html is minified: 100,00 %)  https://juliette-demaeyer.squarespace.com/  0.390  E

Ipv4 and ipv6 have the same answer, that’s good.

But /.well-known/acme-challenge is redirected too.

And what’s the script tls-setup.sh is doing?

It may be enough if you remove the redirect to that other domain.

Does NearlyFreeSpeech support Letsencrypt certificates? Checking the website https://www.nearlyfreespeech.net/ there is no information that Letsencrypt is supported or that it's possible to install your own certificate. https://www.nearlyfreespeech.net/services/support shows 1-Year DV SSL Certificates, so I don't think it's possible to install your own Letsencrypt certificates.


Thanks for the reply @JuergenAuer, I think it had to do with the redirection.
We disabled the redirection, then ran the tls-setup.sh command NFS created and it works now!


You may be able to re-enable redirection while including an automatic exclusion/bypass for the challenge requests.
[so that you won’t have to manually turn it off before and on after every time you need to renew your cert]

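One way to do what the reply above suggests, as an added example that is not from the thread or from NearlyFreeSpeech: it assumes the site-wide redirect is implemented with mod_rewrite in the .htaccess under /home/public (the thread does not say how the redirect was configured, so adapt it if the redirect lives elsewhere). The pass-through rule must come before the redirect rule, and the challenge must stay reachable over plain HTTP on port 80, which is where the validator's first hop went.

```apache
# /home/public/.htaccess  (added example; assumes mod_rewrite is the redirect mechanism)
RewriteEngine On

# Let ACME http-01 validation requests through untouched. The "-" target
# means "do not rewrite", and [L] stops processing so the redirect below
# never sees them. Patterns in .htaccess match the path without the leading "/".
RewriteRule ^\.well-known/acme-challenge/ - [L]

# Everything else still goes to the other site, as before.
RewriteRule ^ https://juliette-demaeyer.squarespace.com/ [R=301,L]
```

Verify with `curl -sI http://www.franklinford.org/.well-known/acme-challenge/test.txt` (for a test.txt you created there): the challenge path should answer 200 directly, while `curl -sI http://www.franklinford.org/` should still return the 301. If that holds, renewals via tls-setup.sh no longer require toggling the redirect.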

Thanks @rg305, we enabled the redirection again and it worked.
