Confusing error message: incorrect validation certificate for TLS-SNI-01 challenge


#1

Please fill out the fields below so we can help you better.

My domain is: gerastree.at

I ran this command:
sudo certbot certonly --standalone --expand -d gerastree.at -d wiki.gerastree.at -d caldav.gerastree.at -d www.gerastree.at -d pg.gerastree.at -d geras.gerastree.at -d tu.gerastree.at -d sparql.gerastree.at

It produced this output:
Failed authorization procedure. caldav.gerastree.at (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for TLS-SNI-01 challenge. Requested 32b61d730fa00cbd3cdb17ca00b46b52.bae90135c771932bcebe8b490a56e665.acme.invalid from 193.81.65.102:443. Received certificate containing ‘caldav.gerastree.at, geras.gerastree.at, gerastree.at, pg.gerastree.at, sparql.gerastree.at, wiki.gerastree.at, www.gerastree.at’, gerastree.at (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for TLS-SNI-01 challenge. Requested 3fe9ea5a69ea886acc3bdaff548169a8.131b0b6f7de1647ca893ce65163f1d2e.acme.invalid from 193.81.65.102:443. Received certificate containing ‘caldav.gerastree.at, geras.gerastree.at, gerastree.at, pg.gerastree.at, sparql.gerastree.at, wiki.gerastree.at, www.gerastree.at’, sparql.gerastree.at (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for TLS-SNI-01 challenge. Requested 6c439e1a65ab14d175b9e3bd5067021b.70301f2937c2684400d5b02f2666c61c.acme.invalid from 193.81.65.102:443. Received certificate containing ‘caldav.gerastree.at, geras.gerastree.at, gerastree.at, pg.gerastree.at, sparql.gerastree.at, wiki.gerastree.at, www.gerastree.at’, wiki.gerastree.at (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for TLS-SNI-01 challenge. Requested dd3fa1416116f382e05eb5b9bc5f83d0.df1c5a9e9bfc06ba9f5b2329a7eed54b.acme.invalid from 193.81.65.102:443. Received certificate containing ‘caldav.gerastree.at, geras.gerastree.at, gerastree.at, pg.gerastree.at, sparql.gerastree.at, wiki.gerastree.at, www.gerastree.at’, tu.gerastree.at (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for TLS-SNI-01 challenge. 
Requested e2d0a0c3f95eeec37cc78cf760fbe242.e7d633ffe8b07beae9c644ddcbfcb85f.acme.invalid from 193.81.65.102:443. Received certificate containing ‘caldav.gerastree.at, geras.gerastree.at, gerastree.at, pg.gerastree.at, sparql.gerastree.at, wiki.gerastree.at, www.gerastree.at

IMPORTANT NOTES:

I do not understand the error message:
it says that the certificate includes the domain it checks, so what is making it believe that something is wrong? E.g.
certbot checks wiki.gerastree.at and the certificate encountered includes wiki.gerastree.at. This looks OK to me. Perhaps there is another problem, which a more precise error message could describe.

My operating system is (include version): Debian jessie and stretch (the computer at gerastree.at runs stretch, and the one the command is running on (geras.gerastree.at) is jessie)

My web server is (include version): nginx
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):?


#2

To run the “standalone” challenge you need to stop your existing nginx, which is listening on port 443.

Since you have an existing webserver (nginx), it may be easier to use the “webroot” method.


#3

I tried this, with both computers running nginx. The command is now:

sudo certbot certonly --expand --webroot --webroot-path /var/www/html -d gerastree.at -d wiki.gerastree.at -d caldav.gerastree.at -d www.gerastree.at -d pg.gerastree.at -d geras.gerastree.at -d tu.gerastree.at -d sparql.gerastree.at

and the response is:

Domain: tu.gerastree.at
Type: unauthorized
Detail: Invalid response from
http://tu.gerastree.at/.well-known/acme-challenge/fnD7JLjOE709a6rpjotj-96bdUnRIoO2e5LTXgl9IrM:
"

401 Authorization Required 401 Authorization Required</"

Can you help further? (And perhaps explain the error I encountered initially.)
Thank you for your prompt attention!
Andrew


#4

What the system is trying to do (using the current webroot challenge) is place a file in webroot/.well-known/acme-challenge, and then Let’s Encrypt will verify that from the internet. Once it has verified your domain, it will issue a certificate.

You have something running on your website that prompts for a user / password to access - hence Let’s Encrypt can’t verify your domain. You need to turn this off for the .well-known/lets-encrypt directory.

The original error was because it was using the “standalone” method, and presenting the token in the SSL certificate. Let’s Encrypt couldn’t reach that to verify it though, because your web server was running, and hence Let’s Encrypt was seeing that.


#5

I start to understand, thanks to your help.
I added an exception for the .well-known/… dir as follows, but I get the same response. I am not very experienced with nginx.conf files; perhaps you can spot the error immediately. (I have other servers, but they are all more specific for domains in the requests, with authorization, but they seem not to complain.)

Thank you for your effort!

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name _;

    ssl_certificate        /etc/letsencrypt/live/gerastree.at/fullchain.pem;
    ssl_certificate_key    /etc/letsencrypt/live/gerastree.at/privkey.pem;

    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #    include snippets/fastcgi-php.conf;
    #
    #    # With php5-cgi alone:
    #    fastcgi_pass 127.0.0.1:9000;
    #    # With php5-fpm:
    #    fastcgi_pass unix:/var/run/php5-fpm.sock;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    location ~ /\.ht {
        deny all;
    }
    # Allow access to the letsencrypt ACME Challenge
    location ~ /\.well-known\/acme-challenge {
        allow all;
    }
}


#6

The newly added exemption for the challenge dir should be in the HTTP server block (i.e., port 80), not the HTTPS (i.e., port 443) block.


#7

I did what I thought was your recommendation (moving the exemption into the HTTP block), but I still have a problem, probably with the 301 redirection. What is the correct solution for the HTTP block? The 301 seems to kick in before certbot can access the .well-known directory:

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    server_name _;

    root /var/www/html;

    # Allow access to the letsencrypt ACME Challenge
    location ~ /\.well-known\/acme-challenge {
        allow all;
    }
    # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently resp$
    return 301 https://$host$request_uri;
}

Thank you for the help!
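An HTTP server block that answers the webroot (http-01) challenge before any redirect, added here as an illustration and not taken from any reply in this thread. It assumes the webroot given to certbot above (/var/www/html) and that the 401 seen earlier comes from nginx's auth_basic directive in an outer context, which the thread never shows, so that part is an assumption.

```nginx
# Added example (not from the thread). Why the config in #7 fails: a bare
# "return 301" at server level runs in the server rewrite phase, before any
# location is selected, so it fires for every request, including the
# challenge. Moving the redirect into "location /" lets the challenge
# location be matched and served first.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;

    # Serve the token files certbot writes under --webroot-path.
    # "^~" makes this prefix match take precedence over regex locations.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;
        default_type "text/plain";
        # Assumption: the earlier 401 came from auth_basic inherited from
        # an outer context; disable it for this path only.
        auth_basic off;
        allow all;
        try_files $uri =404;
    }

    # Everything else is redirected to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

After reloading nginx, a test file created at /var/www/html/.well-known/acme-challenge/test should be returned with 200 over plain HTTP, while any other path still answers with the 301.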


#8

Hm, perhaps I spoke too soon. Let’s Encrypt should follow the redirect without any problems (didn’t notice that one I guess). So the ‘exemption’ for /.well-known/acme-challenge/ should have worked in the HTTPS block too. But it didn’t.

What puzzles me is: where is the authorization part in your config anyway? To ‘bypass’ it, it’s probably good to know how you’ve set that up.

Also, when trying some stuff on your server, I now get an HTTP 404 file not found when trying to access stuff from your /.well-known/acme-challenge/ dir:

osiris@desktop ~ $ telnet tu.gerastree.at 80
Trying 178.189.197.172...
Connected to tu.gerastree.at.
Escape character is '^]'.
GET /.well-known/acme-challenge/blaat HTTP/1.1
Host: tu.gerastree.at

HTTP/1.1 404 Not Found
Server: nginx/1.6.2
Date: Sat, 14 Jan 2017 12:19:48 GMT
Content-Type: text/html
Content-Length: 168
Connection: keep-alive

<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.6.2</center>
</body>
</html>
Connection closed by foreign host.
osiris@desktop ~ $ 

It doesn’t redirect anymore…?


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.