Challenge is invalid

Hello! I am trying to set up Let's Encrypt SSL certificates for several sites hosted at Nearly Free Speech. I ran their tlssetup tool to attempt to install everything, however it returned this error:

Your scheduled task "tlssetup" on site byseanmichaels:

/usr/local/bin/tls-setup.sh

completed at 2019-08-12 17:04:41 UTC after 26 seconds and produced the
following output:

ERROR: Challenge is invalid! (returned: invalid) (result: {
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "Invalid response from
http://usconductors.byseanmichaels.com/.well-known/acme-challenge/AGHnZDvE4xfjPeDVu2OK7pQ8RJS4SJF5P45VoR0LuiY
[208.94.116.98]: "\u003chtml\u003e\n\u003chead\u003e\n\u003cstyle
type=\"text/css\"\u003e\u003c!--\na { text-decoration: none;
}\na:hover { text-decoration: underline; }\nh1 { font-family:"",
"status": 403
},
"url":
"https://acme-v02.api.letsencrypt.org/acme/challenge/6pDvloTwytH5tqcmNboj3htTSkcZMWtHP-K3o50Wono/19480753492",
"token": "AGHnZDvE4xfjPeDVu2OK7pQ8RJS4SJF5P45VoR0LuiY",
"validationRecord": [
{
"url":
"http://www.byseanmichaels.com/.well-known/acme-challenge/AGHnZDvE4xfjPeDVu2OK7pQ8RJS4SJF5P45VoR0LuiY",
"hostname": "www.byseanmichaels.com",
"port": "80",
"addressesResolved": [
"208.94.117.116"
],
"addressUsed": "208.94.117.116"
},
{
"url":
"http://usconductors.byseanmichaels.com/.well-known/acme-challenge/AGHnZDvE4xfjPeDVu2OK7pQ8RJS4SJF5P45VoR0LuiY",
"hostname": "usconductors.byseanmichaels.com",
"port": "80",
"addressesResolved": [
"208.94.116.98"
],
"addressUsed": "208.94.116.98"
}
]
})

INFO: Using main config file /usr/local/etc/dehydrated/config

Processing www.byseanmichaels.com

I am not technologically sophisticated however I know how to SSL into my server to run commands.

Very very grateful for any help you can provide!

1 Like

Hi @gramophone

I don't know what that script is doing.

But checking your domain something doesn't look so good ( https://check-your-website.server-daten.de/?q=byseanmichaels.com ):

| Domainname | IP | Http-Status | redirect | Sec. | G | Notes |
|---|---|---|---|---|---|---|
| http://byseanmichaels.com/ | 208.94.117.116 | 301 | http://usconductors.byseanmichaels.com/ | 0.363 | D | |
| http://www.byseanmichaels.com/ | 208.94.117.116 | 301 | http://usconductors.byseanmichaels.com/ | 0.374 | D | |
| http://usconductors.byseanmichaels.com/ | | 200 | | 1.220 | H | |
| https://byseanmichaels.com/ | 208.94.117.116 | 400 | | 5.230 | N | Bad Request; Certificate error: RemoteCertificateNameMismatch |
| https://www.byseanmichaels.com/ | 208.94.117.116 | 400 | | 4.583 | N | Bad Request; Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors |
| http://byseanmichaels.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 208.94.117.116 | 301 | http://usconductors.byseanmichaels.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 0.313 | D | Visible Content: Moved Permanently The document has moved here . |
| http://www.byseanmichaels.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 208.94.117.116 | 301 | http://usconductors.byseanmichaels.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 0.380 | D | Visible Content: Moved Permanently The document has moved here . |
| http://usconductors.byseanmichaels.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | | 404 | | 0.373 | A | |

If you use http-01 validation, port 80 + /.well-known/acme-challenge/random-filename is checked.

Checking such a URL there is a redirect to another subdomain - usconductors.byseanmichaels.com.

That's ok, Letsencrypt follows these redirects.

But perhaps the script /usr/local/bin/tls-setup.sh creates the validation file in

http://www.byseanmichaels.com/.well-known/acme-challenge/random-filename

Is there a documentation of that script? Something, so you can say: "Create the validation file in /.well-known/acme-challenge of usconductors.byseanmichaels.com"?

Or is it a script of your hoster -> then ask your hoster.

Or is it possible to remove the redirect?

There is no older certificate. Perhaps it's impossible to create a certificate with that configuration.

Read some basics:

And please answer the questions of the standard template:


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

2 Likes

Yes, is it possible that Nearly Free Speech has support for the script and could help you with this? I don’t think anyone here is familiar with exactly what tlssetup is doing (although I really appreciate that this hoster is trying to help out customers by providing a recipe to help with the process!).

2 Likes

Thanks so much for your help so far. Unfortunately I can’t get support from my host, or I’d have asked there first.

According to their FAQ, “If your site uses custom web daemons or custom access controls, the automatic scripts may not work for you. For such cases, we provide the dehydrated ACME client; it provides hooks to install and clean up challenges that you can use to interface with whatever you’re doing.”

Could I use the dehydrated ACME client to fix these issues? Unfortunately, looking at the Git page it’s way over my head - I’m not sure what commands to use. I do recognize this may be beyond the scope here so I’m so grateful for any help you will offer.

Here are the rest of the standard template answers:

my domain is:
byseanmichaels.com
whisperingmachine.com
seerscatalogue.com
seanmichaels.org
ourshadowsslantingbythelamps.com
igazedatalongshelfofbatteries.com
gramotunes.com
elvithprethley.com

My web server is (include version):
Apache 2.4, PHP, CGI

The operating system my web server runs on is (include version):
General-purpose FreeBSD 2019Q2

My hosting provider, if applicable, is:
Nearly Free Speech

I can login to a root shell on my machine (yes or no, or I don’t know):
I don’t know. I can definitely SSL in, if that’s what that means.

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No.

1 Like

Can you show us the contents of /usr/local/bin/tls-setup.sh? (Does NearlyFreeSpeech have any objection to customers sharing this code publicly?)

Did you ever have any of your domains work with Let's Encrypt on this hosting provider, or is this the first time you've tried? Does the script from the hosting provider automatically try to enable a certificate for every domain that you have hosted here?

I think you mean SSH in, not SSL in.

The question about a root shell is about whether you are the administrator of this server. Usually this is equivalent to the question of whether you can run commands with administrative privileges using sudo or not.

1 Like

I do not have sudo access so I am apparently not an administrator, but I was able to copy/paste the script tls-setup.sh:

#!/bin/sh
# tls-setup.sh as pasted from the NearlyFreeSpeech host, with indentation,
# the command substitution in the "for Alias" loop and the line continuations
# of the "cat" pipeline restored (the forum formatting had stripped them).
# The pasted copy used "return" at top level, which FreeBSD sh treats like
# "exit"; the portable "exit" is used here with the same status codes.

Help=no
Reinstall=no
Verbose=no

# Parse command-line options.
while [ ${#} -gt 0 ]
do
    Arg=${1}
    shift 1
    case ${Arg} in
        "-h"|"--help")
            Help=yes
            ;;
        "-r"|"--reinstall")
            Reinstall=yes
            ;;
        "-v"|"--verbose")
            Verbose=yes
            ;;
        *)
            echo "Bad argument: ${Arg}"
            exit 20
    esac
done

if [ "${Help}" = "yes" ]
then
    echo
    echo "YourPrompt> ${0} [-r|--reinstall] [-v|--verbose]"
    echo "YourPrompt> ${0} <-h|--help>"
    echo
    echo "Options:"
    echo " -h, --help = Display this output."
    echo " -r, --reinstall = Reinstall existing certificates."
    echo " -v, --verbose = Don't suppress boring output."
    echo
    exit 0
fi

# Load the dehydrated configuration (defines BASEDIR and WELLKNOWN, among others).
. /usr/local/etc/dehydrated/config
if [ ! -d "${BASEDIR}" ]
then
    echo "Creating base directory for Dehydrated."
    mkdir "${BASEDIR}"
fi

# First run: ask for agreement to the Subscriber Agreement and register an account.
if [ ! -d "${BASEDIR}/accounts" ]
then
    echo
    echo "To use Let's Encrypt you must agree to their Subscriber Agreement,"
    echo "which is linked from:"
    echo
    echo " Policy and Legal Repository - Let's Encrypt"
    echo
    echo -n "Do you accept the Let's Encrypt Subscriber Agreement (y/n)? "
    read yes
    case $yes in
        y|Y|yes|YES|Yes|yup)
            :   # accepted; continue with registration
            ;;
        *)
            echo "OK, tls-setup.sh will be aborted."
            exit 30
    esac
    /usr/local/bin/dehydrated --register --accept-terms
fi

# Shared challenge directory that every alias' webroot will link to.
if [ ! -d "${WELLKNOWN}" ]
then
    echo "Creating well-known directory for Let's Encrypt challenges."
    mkdir -p "${WELLKNOWN}"
fi

# One line per alias (hostname) of this site; dehydrated reads this as domains.txt.
/usr/local/bin/nfsn list-aliases >${BASEDIR}/domains.txt

if [ ! -s "${BASEDIR}/domains.txt" ]
then
    echo "There are no aliases for this site."
    exit 10
fi

for Alias in $(cat "${BASEDIR}/domains.txt")
do
    # Aliases with their own webroot under /home/public/<alias> get a
    # .well-known/acme-challenge symlink pointing at the shared WELLKNOWN dir.
    if [ -d "/home/public/${Alias}" ]
    then
        AliasWellKnown="/home/public/${Alias}/.well-known"
        if [ -h "${AliasWellKnown}" ]
        then
            echo "Upgrading ${AliasWellKnown}"
            rm "${AliasWellKnown}"
        fi
        if [ ! -d "${AliasWellKnown}" ]
        then
            echo "Creating .well-known directory for ${Alias}."
            mkdir "${AliasWellKnown}"
            ACMEChallenge="${AliasWellKnown}/acme-challenge"
            if [ ! -h "${ACMEChallenge}" ]
            then
                if [ -e "${ACMEChallenge}" ]
                then
                    echo "Please remove existing ${ACMEChallenge} to use this script." >&2
                    exit 40
                fi
                echo "Linking acme-challenge for ${Alias}."
                ln -s ../../.well-known/acme-challenge ${ACMEChallenge}
            fi
        fi
    fi
    # --reinstall: push the already-issued certificate, chain and key to the host.
    if [ "${Reinstall}" = "yes" ]
    then
        cat \
            "${BASEDIR}/certs/${Alias}/cert.pem" \
            "${BASEDIR}/certs/${Alias}/chain.pem" \
            "${BASEDIR}/certs/${Alias}/privkey.pem" \
            | /usr/local/bin/nfsn -i set-tls
    fi
done

if [ "${Reinstall}" = "yes" ]
then
    exit 0
fi

# Issue or renew as needed; only show the output if something unusual happened
# (or --verbose was given).
/usr/local/bin/dehydrated --cron >${BASEDIR}/dehydrated.out

if fgrep -v INFO: "${BASEDIR}/dehydrated.out" | fgrep -v unchanged | fgrep -v 'Skipping renew' | fgrep -v 'Reusing account from' | fgrep -v 'Creating chain cache directory' | fgrep -v 'Checking expire date' | fgrep -v 'Running automatic cleanup' | egrep -q -v '^Processing' || [ "${Verbose}" = "yes" ]
then
    cat "${BASEDIR}/dehydrated.out"
fi

# Make sure the renewal cron job exists.
if ! /usr/local/bin/nfsn test-cron tlssetup | fgrep -q 'exists=true'
then
    echo Adding scheduled task to renew certificates.
    /usr/local/bin/nfsn add-cron tlssetup /usr/local/bin/tls-setup.sh me ssh '?' '' ''
fi

1 Like
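The script above relies on one layout detail that explains both the earlier redirect discussion and the later test.txt exchange: dehydrated writes every challenge token into the single shared `${WELLKNOWN}` directory, and each alias webroot under `/home/public/<alias>` only carries a symlink `.well-known/acme-challenge -> ../../.well-known/acme-challenge`. A token is therefore served for an alias only if that link exists and the file is placed in `acme-challenge`, not one level up in `.well-known`. The following is an added example (not the hoster's script and not part of the thread) that rebuilds that layout in a temporary directory and checks, per alias, whether a token would be found; the `public` root, the alias names and the token names are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example: reproduce the webroot layout tls-setup.sh creates and verify
# that a challenge token is reachable through every alias' symlink.
# Assumptions: the "public" root stands in for /home/public on the host;
# hostnames and token names below are constructed, not real.
set -u

# build_layout ROOT HOST...   -- shared acme-challenge dir plus one symlink per host
build_layout() {
    public="$1"; shift
    mkdir -p "$public/.well-known/acme-challenge"
    for host in "$@"; do
        mkdir -p "$public/$host/.well-known"
        # identical relative link to the one the hoster's script creates
        ln -s ../../.well-known/acme-challenge "$public/$host/.well-known/acme-challenge"
    done
}

# check_alias ROOT HOST TOKEN -- 0 if the token resolves under that host's webroot,
# 1 otherwise (the case that shows up as a 404 on http://HOST/.well-known/acme-challenge/TOKEN)
check_alias() {
    public="$1"; host="$2"; token="$3"
    path="$public/$host/.well-known/acme-challenge/$token"
    if [ -f "$path" ]; then          # -f follows the symlink into the shared dir
        echo "OK   $host -> $path"
        return 0
    fi
    echo "FAIL $host: $path not found (404 expected for $token)"
    return 1
}

# Stand-alone usage: sh this_script.sh host1 host2 ...
if [ "$#" -gt 0 ]; then
    tmp=$(mktemp -d)
    build_layout "$tmp/public" "$@"
    printf 'probe' > "$tmp/public/.well-known/acme-challenge/test.txt"
    for h in "$@"; do check_alias "$tmp/public" "$h" test.txt; done
    rm -rf "$tmp"
fi
```

Placing the file in `.well-known` itself, as happened later in this thread, fails the check for every alias, while a file in the shared `acme-challenge` directory passes for all of them; on a real host the same probe is `curl -i http://HOST/.well-known/acme-challenge/test.txt`, and a 403 instead of a 404 points at access control on the directory rather than a missing file.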

Thanks!

Are all of your sites hosted on the same server and account?

How did you set up the HTTP redirect that @JuergenAuer mentioned above?

1 Like

thank you!

Yes, I'm the one who set up the redirect. I honestly don't remember exactly how - probably in the DNS config? I can look into this more.

Hmm, now that I see your comment I realize they're not all on the same server/account.

I tried running tls-setup.sh on one of the other sites, without a redirect, and it returned this error:

1 Like

Is there a .well-known/acme-challenge directory in the webroot for that other domain?

1 Like

Yes, there is one there.

Could you try making a file test.txt inside it?

I created a test.txt file using nano without any trouble.

Thanks!

Currently with

https://www.igazedatalongshelfofbatteries.com/.well-known/acme-challenge/test.txt

I see a 404 not found error (rather than a 403). Do you have any idea why that is?

It was my stupid mistake - I created the test file inside .well-known instead of /acme-challenge.

https://www.igazedatalongshelfofbatteries.com/.well-known/acme-challenge/test.txt
works now

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.