CURL issue 406 from header


#1

Dear All,

I want to get certificate for this domain: commercialcleaninginmelbourne.net.au
The domain is redirected (HTTP/1.1 301 Moved Permanently) to the "www" version.
But when I use curl to get the header info (like acme.sh does: curl -v -s http://www.commercialcleaninginmelbourne.net.au 1> /dev/null), then I get an error: HTTP/1.1 406 Not Acceptable

When I use a fake user agent (curl -v -s http://www.commercialcleaninginmelbourne.net.au -A "Mozilla" 1> /dev/null), then everything works fine and the result is: HTTP/1.1 200 OK

Please help me with how I can fix this issue.

Thank you


#2

First hit on Google says it has something to do with mod_security.


#3

Thank you, I already know the issue, as written before.
I am looking for a solution to use LE.
For some reason the word "Mozilla" as user agent passes the security filter, but without a user agent, or with "#USER_AGENT="acme.sh/2.6.5 (https://github.com/Neilpang/acme.sh)"", it is not possible to get a "good" header status.


#4

mod_security can be a total pain if not configured correctly, which is often the case.
Try disabling mod_security with

```
sudo a2dismod mod_security
```
or
```
sudo a2dismod mod_security2
```

then restart Apache.

If you want to disable mod_security for only one site you can try the following in your .htaccess file:

```
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
```

A `curl -I http://www.commercialcleaninginmelbourne.net.au/` gives `HTTP/1.1 406 Not Acceptable`

While a `curl -I https://www.commercialcleaninginmelbourne.net.au/` gives `SSL certificate problem: Invalid certificate chain`

Also check this: https://www.ssllabs.com/ssltest/analyze.html?d=www.commercialcleaninginmelbourne.net.au&ignoreMismatch=on&latest it is giving a certificate mismatch to a wildcard certificate *.hostpapa.com

Your http site on port 80 is not redirecting at all:

```
200 OK

Status: 200 OK
Code: 200
Date: Wed, 11 Jan 2017 09:34:27 GMT
Server: Apache
X-Powered-By: PHP/5.6.28
Link: <http://www.commercialcleaninginmelbourne.net.au/wp-json/>; rel="https://api.w.org/", <http://www.commercialcleaninginmelbourne.net.au/>; rel=shortlink
Connection: close
Content-Type: text/html; charset=UTF-8
```
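The 406 reported in #1, #3 and #4 is the signature of a WAF rule keyed on the User-Agent header rather than a problem with the request itself. The script below is an added example, not part of this thread or of acme.sh: it requests the same URL with no User-Agent header, with the acme.sh User-Agent quoted above, and with a browser-like string, and prints the final status after following the 301 to www. The browser and plain-curl strings, the constructed header dump used to exercise `last_status`, and the choice of `-H 'User-Agent:'` to suppress the header are assumptions of the example.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): show that the 406 depends only on the
# User-Agent header, by requesting the same URL with several UA values.
set -u

# acme.sh's User-Agent as quoted in the thread (that version, not necessarily current).
ACME_UA='acme.sh/2.6.5 (https://github.com/Neilpang/acme.sh)'

# Final numeric status from a header dump. A redirect chain captured with
# `curl -L -D -` contains one status line per hop; the last one is the verdict.
last_status() {
  printf '%s\n' "$1" | awk '/^HTTP\/[0-9.]+ [0-9][0-9][0-9]/ { code = $2 } END { print code }'
}

# Live probe: headers only, follow the 301 to www, print the final status code.
# An empty UA argument removes the User-Agent header entirely (curl's -H 'User-Agent:').
# curl prints 000 when it cannot connect at all.
probe() {
  local url="$1" ua="$2"
  if [ -z "$ua" ]; then
    curl -sS -L -o /dev/null -w '%{http_code}' -H 'User-Agent:' "$url"
  else
    curl -sS -L -o /dev/null -w '%{http_code}' -A "$ua" "$url"
  fi
}

# Constructed UA strings for comparison (assumption: a browser and a stock curl).
main() {
  local url="$1" ua
  for ua in "" "$ACME_UA" "Mozilla/5.0 (X11; Linux x86_64)" "curl/7.52.1"; do
    printf '%-60s -> %s\n' "${ua:-<no User-Agent header>}" "$(probe "$url" "$ua" 2>/dev/null)"
  done
}

# Usage: bash probe_ua.sh http://www.commercialcleaninginmelbourne.net.au/
if [ $# -eq 1 ]; then main "$1"; fi
```

A 406 on the first two rows and a 200 on the browser-like row confirms a User-Agent rule in front of the site; nothing on the requesting side needs "overriding" beyond the header, which is why `-A Mozilla` worked in #1. Two caveats on the server-side advice above, for anyone who does administer the box: `SecFilterEngine` and `SecFilterScanPOST` are ModSecurity 1.x directives, and ModSecurity 2.x uses `SecRuleEngine Off` (or `DetectionOnly`); and on Debian and Ubuntu the Apache module is registered as `security2`, so the disable command is `a2dismod security2`. Switching the whole engine off to let one client through is a much larger change than removing or excluding the single rule that matches on the User-Agent.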


#5

Thank you! But once again: I have another server where I want to use a LE-issued SSL certificate. The acme.sh script wants to access the website on the other server, which is probably mis-configured. I don't have access to the bad server; I need to work with it as is.
The acme.sh script FAILS to curl the website, and I need help to override this.


#6

I am not understanding your "other server" and "bad server". If you want to generate an SSL certificate on your "other" server, then generate the certificate there, not on your "bad" server which you have no access to.

Currently your site is configured to use a certificate *.hostpapa.com


#7

Please try to generate a certificate for the domain: commercialcleaninginmelbourne.net.au
You will see the result.

I want to install a second mail server and I have no access to the hostpapa certificate.


#8
  • The following errors were reported by the server:

```
Domain: www.commercialcleaninginmelbourne.net.au
Type: unauthorized
Detail: Incorrect validation certificate for TLS-SNI-01 challenge.
Requested
7630e01990c67d89a49604d08a7e6646.0f6589c77f7e0746e65c3279777bd117.acme.invalid
from 76.74.235.210:443. Received certificate containing
'*.hostpapa.com, hostpapa.com'

Domain: commercialcleaninginmelbourne.net.au
Type: unauthorized
Detail: Incorrect validation certificate for TLS-SNI-01 challenge.
Requested
cbbc2bc3a82b050373b6f9de1685ed83.09c91abb95ae044d98486c69654ade74.acme.invalid
from 76.74.235.210:443. Received certificate containing
'*.hostpapa.com, hostpapa.com'
```

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain

You will need to point your A record to your new server before you can generate the certificate.

What certificates have you got configured in your Apache config for that site?
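The error output above is exactly reproducible by hand: the CA connected to 76.74.235.210:443 with the expected `.acme.invalid` name as SNI and received a certificate whose SANs are `*.hostpapa.com` and `hostpapa.com`, which cover neither that name nor `commercialcleaninginmelbourne.net.au`. The script below is an added example, not from the thread or from certbot: it asks an IP for a given SNI name with `openssl s_client`, lists the dNSNames in the certificate it gets back, and applies the usual wildcard rule (a `*` covers exactly one leftmost label, so `*.hostpapa.com` does not cover `hostpapa.com` or `a.b.hostpapa.com`). The IP, names and SAN lines used in the checks are constructed from the thread. TLS-SNI-01 itself has since been retired by Let's Encrypt, but the same name check is what decides whether any certificate, including one on a mail server, is valid for the name a client connects to.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): reproduce the TLS-SNI-01 failure by
# asking the web host's IP for a given SNI name and checking whether the
# certificate it presents actually covers that name.
set -u

# One dNSName per line from `openssl x509 -noout -text` output on stdin.
dns_names() {
  grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# Name match as browsers do it: exact match, or a wildcard that replaces
# exactly the leftmost label. Returns 0 on match, 1 otherwise.
name_matches() {
  local host="$1" san="$2" rest base
  case "$san" in
    '*.'*)
      rest=${host#*.}      # everything after the first label
      base=${san#\*.}      # the wildcard's base domain
      # host must contain a dot, and its remainder must equal the base
      [ "$rest" != "$host" ] && [ "$rest" = "$base" ]
      ;;
    *)
      [ "$host" = "$san" ]
      ;;
  esac
}

# 0 if $1 is covered by any of the remaining arguments (a SAN list).
covered_by_any() {
  local host="$1" n
  shift
  for n in "$@"; do
    name_matches "$host" "$n" && return 0
  done
  return 1
}

# Live check: TLS handshake to ip:443 with SNI=name, then compare the SANs
# presented against the name requested. Verification is deliberately not
# enforced here; we only want to see which certificate the server hands out.
check_sni() {
  local ip="$1" name="$2" sans
  sans=$(openssl s_client -connect "$ip:443" -servername "$name" </dev/null 2>/dev/null \
         | openssl x509 -noout -text 2>/dev/null | dns_names)
  printf 'SNI %s -> presented: %s\n' "$name" "$(printf '%s' "$sans" | tr '\n' ' ')"
  # SAN names never contain whitespace, so unquoted expansion is safe here
  if covered_by_any "$name" $sans; then
    echo "  OK: certificate covers $name"
  else
    echo "  MISMATCH: certificate does not cover $name (a TLS-SNI-01 validation would fail here)"
    return 1
  fi
}

# Usage: bash check_sni.sh 76.74.235.210 commercialcleaninginmelbourne.net.au
if [ $# -eq 2 ]; then check_sni "$1" "$2"; fi
```

Run against the IP in the error message with the bare domain as the SNI name and the output mirrors the CA's complaint: the host serves the hosting company's wildcard regardless of the SNI it is asked for, so no certificate can be validated for that name while the A record points there. Pointing the A record at a server you control, as #8 says, is the fix; the script then reports OK once the new server presents a certificate for the name.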


#9

The second server is here: mx.commercialcleaninginmelbourne.net.au
…with good DNS record.


#10

So you want a certificate then for mx.commercialcleaninginmelbourne.net.au?

Try running this and paste the output here (change the email address to your real email address):

```
sudo ./certbot-auto certonly --agree-tos --rsa-key-size 4096 -m youname@youremail.com -d mx.commercialcleaninginmelbourne.net.au --renew-by-default --dry-run
```


#11

:frowning:

```
-bash: ./certbot-auto: No such file or directory
```

I use the simple acme.sh script...


#12

Have you even installed the certbot client?

```
sudo mkdir /opt/certbot
cd /opt/certbot
sudo wget https://dl.eff.org/certbot-auto
sudo chmod +x certbot-auto
```

Then from the /opt/certbot dir run:

```
sudo ./certbot-auto
```


#13

IMPORTANT NOTES:

  • The dry run was successful.

But I don't really understand what happened.

I have installed many other mail servers like this:

```
curl https://get.acme.sh | sh
acme.sh --issue --dns -d mx.commercialcleaninginmelbourne.net.au
acme.sh --renew -d mx.commercialcleaninginmelbourne.net.au
```

Thank you for your help! Could you briefly explain how I can use a LE SSL certificate on the second installed mail server? I want to use the domain name, not the subdomain. Example: info@commercialcleaninginmelbourne.net.au

Thank you


#14

Then remove the --dry-run flag from the end, run it again and see what you get.


#15

I'm not familiar with the acme client at all.

To have an SSL certificate on your mail server, the certificate must be for the name of the MX, which in your case is

```
commercialcleaninginmelbourne.net.au mail exchanger = 10 commercialcleaninginmelbourne.net.au.
```

but you cannot seem to generate a certificate for that due to the *.hostpapa.com problem.

Your MX should rather be called mx.commercialcleaninginmelbourne.net.au, and that's the domain you should generate the certificate for if you want to use the certificate on your mail server. I do not understand how you or your host has your site configured, as it defaults to trying to use *.hostpapa.com.


#16

Read this topic: Web Hosting who support Lets Encrypt. I don't think your host supports Let's Encrypt certificates.

No Planned Support:

1and1.com (Source)
247-host.com (maybe anytime in the future, via support chat)
Amazili-communication (Not a hosting company)
df.eu (DomainFactory - no plans to support LE, Source in German)
Greengeeks.com (tech support said 'no plans and you can buy our SSL')
HostEurope.de (via email reply from customer support; LE can be installed manually)
Hostinger.com (no plans to support LE)
HostMonster.com ('no plans', via live chat)
**Hostpapa.ca (tech support said 'no plans')**
Hostripples.com (no plans, via live chat)
Inmotionhosting.com (Source)
Linode (doesn't offer shared hosting)
Namecheap.com (Source)
Netsons.com (no plans to support LE)
Site5.com (no plans to support at all, except unmanaged vps - via support chat)

I think they would rather have you buy their SSL certificates - https://www.hostpapa.com/ssl-certificates/


#17

This is complete chaos!
I do marketing. The Australian website owner is my client. I see (unfortunately) that the hostpapa hosting is some kind of scam, while nothing there works the way it needs to, and they charge my client more than $150 a year, only for hosting, which is too much.
My task is to create an independent mail server for marketing use. I always use the acme.sh script, which in the first round generates a TXT record that needs to be inserted into the DNS, and in the second round (when it creates the certificate) checks the record in the DNS.
If everything is nice and working, then the acme.sh script generates the certificate without any problem. But here I get an issue reading back the domain from the DNS. The curl returns a 406 error (Not Acceptable) and the script can't finish the challenge.
Anyway, I think I will move all DNS records to (for example) Cloudflare, where I can set everything up properly.

Thank you for your help!
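The two-round DNS flow described in #17, and the MX-name point made in #15, come down to a handful of checks that can be run independently of any client. The script below is an added example, not part of acme.sh or of this thread: it builds the `_acme-challenge.<domain>` record name and the TXT value a DNS-01 challenge expects (base64url of the SHA-256 of `token.thumbprint`, per RFC 8555 section 8.4), checks with `dig` whether that value is visible at a public resolver yet (the "second round"), and looks up which host the domain's MX points at, since that is the name the mail server's certificate must cover. The resolver address, the sample token and thumbprint, and the `dig` output lines used in the checks are constructed assumptions of the example; acme.sh computes the real TXT value from your account key.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): the pieces of a DNS-01 validation that
# acme.sh automates, plus the MX lookup behind the mail-server discussion.
set -u

# Name of the TXT record the CA will query for a DNS-01 challenge.
challenge_record() { printf '_acme-challenge.%s\n' "$1"; }

# TXT value: base64url(SHA-256(token "." accountKeyThumbprint)), unpadded.
# The token comes from the CA; the thumbprint is derived from your account key.
challenge_txt_value() {
  printf '%s.%s' "$1" "$2" \
    | openssl dgst -sha256 -binary \
    | openssl base64 -A \
    | tr '+/' '-_' | tr -d '='
}

# Normalise `dig +short TXT` output (quoted, possibly split into several
# quoted chunks) to bare values, one per line.
txt_values() { sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'; }

# From `dig +short MX` output ("<pref> <host>." lines), print the host with
# the lowest preference, without the trailing dot.
lowest_mx() { sort -n | head -n 1 | awk '{ sub(/\.$/, "", $2); print $2 }'; }

# Live: has the record reached a public resolver yet? (acme.sh's second round)
# Resolver defaults to 1.1.1.1 (assumption); pass a third argument to change it.
txt_propagated() {
  local domain="$1" expected="$2" resolver="${3:-1.1.1.1}"
  dig +short TXT "$(challenge_record "$domain")" "@$resolver" | txt_values | grep -qxF "$expected"
}

# Live: which host receives mail for the domain, i.e. the name the mail
# server's certificate has to cover.
mx_host() { dig +short MX "$1" | lowest_mx; }

# Usage: bash dns01_checks.sh commercialcleaninginmelbourne.net.au [token thumbprint]
if [ $# -ge 1 ]; then
  echo "DNS-01 record name : $(challenge_record "$1")"
  echo "MX host            : $(mx_host "$1")"
  if [ $# -ge 3 ]; then
    v=$(challenge_txt_value "$2" "$3")
    echo "expected TXT value : $v"
    if txt_propagated "$1" "$v"; then echo "TXT record visible"; else echo "TXT record not visible yet"; fi
  fi
fi
```

The point that matters for this thread: neither of the live checks touches the web host at all. A DNS-01 validation is settled entirely by what the authoritative nameservers publish, so a 406 from the website, or a *.hostpapa.com certificate on port 443, cannot interfere with it once the TXT record is in place. Whether the resulting certificate is useful for mail then depends on `mx_host`: if the MX record still names the bare domain, the certificate needs to cover that name, and if the MX is changed to `mx.commercialcleaninginmelbourne.net.au`, a certificate for that name is enough.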


#18

No problem, sorry I could not help more. $150 a month for hosting is criminal to say the least. Visit the topic below and find a new host that does support LE. For $150 a month you could rent an entire server and run all your clients off there.

