CURL the challenge OK but `Invalid response` with certbot

My domain is: status.m090.vn

I ran this command: certbot certonly --manual

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): status.m090.vn
Requesting a certificate for status.m090.vn
Performing the following challenges:
http-01 challenge for status.m090.vn


Create a file containing just this data:

NuzvSaKKV_fUDV6jUHxcw7f1V_1qa3GYU2wm3OfuUZI.HdWOzEeSYByo_LNnQA74mtWV1sTCQN3gvYtIqbhB9qc

And make it available on your web server at this URL:

http://status.m090.vn/.well-known/acme-challenge/NuzvSaKKV_fUDV6jUHxcw7f1V_1qa3GYU2wm3OfuUZI


Press Enter to Continue
Waiting for verification...
Challenge failed for domain status.m090.vn
http-01 challenge for status.m090.vn
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

My web server is (include version): nginx + node js

The operating system my web server runs on is (include version): Alpine with Nodejs inside docker

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.13.0

I tried to run the following command at a few locations; all responded with 200 and the correct content:

http://status.m090.vn/.well-known/acme-challenge/NuzvSaKKV_fUDV6jUHxcw7f1V_1qa3GYU2wm3OfuUZI

Letsdebug also responded OK for my site.

I think somewhere in the middle, between my server and Let's Encrypt, something blocks the access and responds with some HTML. Is there any way to get the full response body from Let's Encrypt? I believe there may be an error message in the HTML.

Thanks


I still keep the old challenge files in case someone needs them to help me debug:

./.well-known
./.well-known/acme-challenge
./.well-known/acme-challenge/BSOuvJOhckVKlI1W7eOMHWJK9CXJ14v1ivMS1_kXg4U
./.well-known/acme-challenge/NuzvSaKKV_fUDV6jUHxcw7f1V_1qa3GYU2wm3OfuUZI
./.well-known/acme-challenge/letsdebug-test

No, Let's Encrypt looks at the first 128 bytes of the response only, and discards the rest.

The HTML you see in the Certbot output is the extent of what's available:

Since this is a Kubernetes setup, might cert-manager be more suitable than doing a manual certificate setup?

Well, I used cert-manager but it produced the same error. So I tried manual mode to remove all moving parts.

Also, I tried switching to another ACME server ("b**pass") and it's fine. So I guess something could be wrong with the connection.

That's an interesting detail.

BuyPass only downloads the challenge response file a single time.

Let's Encrypt, however, performs 4 simultaneous requests (from different locations) to download the challenge file (see here).

Is there anything about the way you are publishing the file that would prevent it from being downloaded 4 times, or from different locations? Like "deleted after the first time it is downloaded"?

Hi,

I have an nginx log that contains the requests below. I believe they all responded 200, and given the content size, I think it couldn't be a full HTML response.

10.3.60.101 - - [03/Mar/2021:08:23:30 +0000] "GET /.well-known/acme-challenge/8fAJUJWT8kvxydwu6Pd_Gm1zydHnxiyz9HTiA_ZpKEo HTTP/1.1" 200 87 "-" "cert-manager/v1.2.0 (clean)" 195 0.002 [default-cm-acme-http-solver-vbp65-8089] 10.244.0.71:8089 87 0.001 200 8d1695b6506757f9918e7bc5d7f66d8d

10.3.60.101 - - [03/Mar/2021:08:23:32 +0000] "GET /.well-known/acme-challenge/8fAJUJWT8kvxydwu6Pd_Gm1zydHnxiyz9HTiA_ZpKEo HTTP/1.1" 200 87 "-" "cert-manager/v1.2.0 (clean)" 195 0.001 [default-cm-acme-http-solver-vbp65-8089] 10.244.0.71:8089 87 0.001 200 3ba53bc7e35de41058234d65330eb93b

10.3.60.101 - - [03/Mar/2021:08:23:34 +0000] "GET /.well-known/acme-challenge/8fAJUJWT8kvxydwu6Pd_Gm1zydHnxiyz9HTiA_ZpKEo HTTP/1.1" 200 87 "-" "cert-manager/v1.2.0 (clean)" 195 0.001 [default-cm-acme-http-solver-vbp65-8089] 10.244.0.71:8089 87 0.001 200 0179d5c02bbaa12e930ff6ff86b19a98

10.3.60.101 - - [03/Mar/2021:08:23:36 +0000] "GET /.well-known/acme-challenge/8fAJUJWT8kvxydwu6Pd_Gm1zydHnxiyz9HTiA_ZpKEo HTTP/1.1" 200 87 "-" "cert-manager/v1.2.0 (clean)" 195 0.002 [default-cm-acme-http-solver-vbp65-8089] 10.244.0.71:8089 87 0.001 200 365f64c03dfa74a10414a769cbd28c21

10.3.60.101 - - [03/Mar/2021:08:23:38 +0000] "GET /.well-known/acme-challenge/8fAJUJWT8kvxydwu6Pd_Gm1zydHnxiyz9HTiA_ZpKEo HTTP/1.1" 200 87 "-" "cert-manager/v1.2.0 (clean)" 195 0.001 [default-cm-acme-http-solver-vbp65-8089] 10.244.0.71:8089 87 0.001 200

Those are the cert-manager preflight requests, not the ones from Let's Encrypt.

The Let's Encrypt requests are identifiable by a distinctive user-agent.
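The two points made in this reply (cert-manager's own pre-flight fetches are not the validator's, and the validator is recognisable by its user-agent) can be checked mechanically rather than by eye. The following script is an added example, not something from this thread or from the Certbot or cert-manager projects. It parses nginx access-log lines in the ingress-nginx format shown above, keeps only `/.well-known/acme-challenge/` hits, groups them per token by who fetched them, and flags any response whose status is not 200 or whose body is not exactly the 87 bytes a key authorization (`<43-char token>.<43-char thumbprint>`) occupies. The `LE_UA_MARKER` substring is the user-agent I believe Let's Encrypt's validator sends; confirm it against your own logs. The log lines in `SAMPLE_LOG` are constructed for the example (documentation IP ranges, a made-up token).

```python
import re
from collections import defaultdict

# Common prefix of nginx "combined" and ingress-nginx log formats; the
# trailing upstream fields ($request_length, $upstream_addr, ...) are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# Assumption: substring of the user-agent the Let's Encrypt validator sends.
LE_UA_MARKER = "Let's Encrypt validation server"
# A key authorization is "<token>.<thumbprint>": two 43-char base64url strings and a dot.
KEY_AUTHZ_LEN = 43 + 1 + 43  # 87 bytes, matching the "200 87" seen in the thread's log


def parse_line(line):
    """Return the fields we need from one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["bytes"] = 0 if d["bytes"] == "-" else int(d["bytes"])
    return d


def classify(entry):
    """Who fetched the challenge: cert-manager's self-check, the LE validator, or something else."""
    ua = entry["ua"]
    if ua.startswith("cert-manager/"):
        return "cert-manager-selfcheck"
    if LE_UA_MARKER in ua:
        return "letsencrypt-validator"
    return "other"


def audit(lines):
    """Per-token hit counts by requester class, plus a list of suspicious responses."""
    summary = defaultdict(lambda: defaultdict(int))
    anomalies = []  # (token, requester class, client ip, reason)
    for line in lines:
        e = parse_line(line)
        if e is None or not e["path"].startswith(CHALLENGE_PREFIX):
            continue
        token = e["path"][len(CHALLENGE_PREFIX):]
        kind = classify(e)
        summary[token][kind] += 1
        if e["status"] != 200:
            anomalies.append((token, kind, e["ip"], f"status {e['status']}"))
        elif e["bytes"] != KEY_AUTHZ_LEN:
            # An HTML error page or a redirect body is far larger than a bare key authorization.
            anomalies.append((token, kind, e["ip"], f"{e['bytes']} bytes, expected {KEY_AUTHZ_LEN}"))
    return {t: dict(v) for t, v in summary.items()}, anomalies


LE_UA = "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
CM_UA = "cert-manager/v1.2.0 (clean)"
_TAIL = "195 0.002 [default-cm-acme-http-solver-vbp65-8089] 10.244.0.71:8089 87 0.001 200 deadbeef"

# Constructed sample log: two cert-manager pre-flight hits, then four validator hits from
# different addresses, two of which are wrong (an HTML-sized body and a 404), plus an unrelated request.
SAMPLE_LOG = [
    f'10.3.60.101 - - [03/Mar/2021:08:23:30 +0000] "GET {CHALLENGE_PREFIX}tokenA HTTP/1.1" 200 87 "-" "{CM_UA}" {_TAIL}',
    f'10.3.60.101 - - [03/Mar/2021:08:23:32 +0000] "GET {CHALLENGE_PREFIX}tokenA HTTP/1.1" 200 87 "-" "{CM_UA}" {_TAIL}',
    f'203.0.113.10 - - [03/Mar/2021:08:23:40 +0000] "GET {CHALLENGE_PREFIX}tokenA HTTP/1.1" 200 87 "-" "{LE_UA}" {_TAIL}',
    f'198.51.100.7 - - [03/Mar/2021:08:23:40 +0000] "GET {CHALLENGE_PREFIX}tokenA HTTP/1.1" 200 87 "-" "{LE_UA}" {_TAIL}',
    f'192.0.2.44 - - [03/Mar/2021:08:23:41 +0000] "GET {CHALLENGE_PREFIX}tokenA HTTP/1.1" 200 1532 "-" "{LE_UA}" {_TAIL}',
    f'198.51.100.9 - - [03/Mar/2021:08:23:41 +0000] "GET {CHALLENGE_PREFIX}tokenA HTTP/1.1" 404 153 "-" "{LE_UA}" {_TAIL}',
    f'203.0.113.99 - - [03/Mar/2021:08:23:50 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "curl/7.74.0" {_TAIL}',
]


if __name__ == "__main__":
    counts, bad = audit(SAMPLE_LOG)
    for token, by_kind in counts.items():
        print(token, by_kind)
    for token, kind, ip, reason in bad:
        print(f"ANOMALY token={token} from={kind} ip={ip}: {reason}")
```

Run it against your real log with `audit(open("/var/log/nginx/access.log").readlines())`. A healthy validation shows several `letsencrypt-validator` hits per token from different addresses and an empty anomaly list; if the validator rows are missing entirely while cert-manager's self-check rows are present, the requests are not reaching nginx, which points at something in front of it rather than at the challenge file.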

Is it hard for a firewall to block this somehow? Are the 4 IPs made public, and do they remain unchanged?

No:

What IP addresses does Let’s Encrypt use to validate my web server?

We don’t publish a list of IP addresses we use to validate, and these IP addresses may change at any time. Note that we now validate from multiple IP addresses.

But if you're having trouble figuring out what's happening, one useful technique is to just run a packet capture (using tcpdump or tshark) on port 80, while you request a certificate.

That will show you the full request/response bodies and will hopefully let you identify what exactly is happening.
