Domain validation problem. HTTP-01

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: медика-крым.рф

I ran this command: Try to validate domain via http-01 challenge

It produced this output: urn:acme:error:connection, http://медика-крым.рф/.well-known/acme-challenge/3q6lV0GM2LPyRKtOr7B3myaG__NEuZ7Y7t3IuJItXyc : Error getting validation data

My web server is (include version): Nginx

The operating system my web server runs on is (include version): Ubuntu xenial

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

We have a lot of clients and everything works correctly, but for this domain we can’t validate the domain.

Your web server doesn’t appear to be responding to any type of HTTP request on port 80: https://letsdebug.net/xn----7sbldqmcjh3bzi.xn--p1ai/11274

or …

$ curl -i 136.243.25.1
curl: (52) Empty reply from server
1 Like

Because it requires the domain

$ curl -I медика-крым.рф
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 10 Dec 2018 09:27:32 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Set-Cookie: PHPSESSID=a1d12e673ae4de2d1bbb2a1cee3231c5; expires=Tue, 11-Dec-2018 09:27:31 GMT; Max-Age=86400; path=/; domain=.xn----7sbldqmcjh3bzi.xn--p1ai; HttpOnly
X-Frame-Options: SAMEORIGIN
Set-Cookie: SC_USER_IDENT=20019737195c0e3183f393a3.58346304; expires=Thu, 13-Dec-2018 09:27:31 GMT; Max-Age=259200; path=/; domain=.xn----7sbldqmcjh3bzi.xn--p1ai; HttpOnly
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With, Content-Type
Set-Cookie: intarget=585556cff12ee562aaf27fda5abf61b4; expires=Mon, 17-Dec-2018 09:27:32 GMT; Max-Age=604800; path=/; domain=.xn----7sbldqmcjh3bzi.xn--p1ai
Set-Cookie: SC_USER_IDENT=f65a6932f5354d86bd4f769a9abe7ce3; expires=Wed, 09-Jan-2019 09:27:32 GMT; Max-Age=2592000; path=/; domain=.xn----7sbldqmcjh3bzi.xn--p1ai; HttpOnly
Access-Control-Allow-Methods: GET, POST, OPTIONS, DELETE, PUT
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: User-Agent,Keep-Alive,Content-Type

$ curl -v медика-крым.рф
* Rebuilt URL to: медика-крым.рф/
*   Trying 136.243.25.1...
* TCP_NODELAY set
* Connected to медика-крым.рф (136.243.25.1) port 80 (#0)
> GET / HTTP/1.1
> Host: xn----7sbldqmcjh3bzi.xn--p1ai
> User-Agent: curl/7.61.0
> Accept: */*
>
* Empty reply from server
* Connection #0 to host медика-крым.рф left intact

Is there some kind of L7 firewall sitting in front of nginx?

It can be a problem with the firewall. But I can’t find the IPs for your servers

Try whitelisting the IP for letsdebug.net - 172.104.24.29.

There is no whitelist or known set of IP addresses for Let’s Encrypt’s actual validation servers. These addresses change over time, so they are not published.

So you will need to figure out how to make your server not drop these requests.

Interestingly, the request succeeds if sent over HTTPS:

$ curl -ik https://медика-крым.рф/.well-known/acme-challenge/xx-test
HTTP/2 200
server: nginx
date: Mon, 10 Dec 2018 09:33:31 GMT
content-type: text/html; charset=UTF-8
set-cookie: PHPSESSID=6d5daf6acf84f55005dd078afa017ac1; expires=Tue, 11-Dec-2018 09:33:31 GMT; Max-Age=86400; path=/; domain=.xn----7sbldqmcjh3bzi.xn--p1ai; HttpOnly
access-control-allow-methods: GET, POST, OPTIONS, DELETE, PUT
access-control-allow-credentials: true
access-control-allow-headers: User-Agent,Keep-Alive,Content-Type

So something is dropping the requests only on port 80.

1 Like
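
Added example, not part of the original thread: a small probe that sends the same HTTP-01 style request to several ports and classifies each result, so that an "empty reply" on one port next to a normal response on another stands out as per-port filtering. The function names are hypothetical, TLS is left out, and two constructed local listeners stand in for the filtered and unfiltered paths so that it runs offline.

```python
import socket
import threading

def host_header(hostname):
    """Punycode (IDNA) form of the name, which is what curl put in the Host header."""
    return hostname.encode("idna").decode("ascii")

def probe_http01(ip, port, hostname, token="xx-test", timeout=5.0):
    """Send an HTTP-01 style GET to ip:port and classify what comes back."""
    request = (f"GET /.well-known/acme-challenge/{token} HTTP/1.1\r\n"
               f"Host: {host_header(hostname)}\r\nConnection: close\r\n\r\n").encode("ascii")
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            sock.sendall(request)
            data = sock.recv(4096)
    except socket.timeout:
        return "timeout"            # no answer within the timeout
    except ConnectionResetError:
        return "reset"              # connection torn down with RST
    except OSError:
        return "connect-failed"     # refused or unreachable
    if not data:
        return "empty-reply"        # accepted, then closed with no bytes (curl error 52)
    parts = data.split(b"\r\n", 1)[0].decode("latin-1").split()
    if len(parts) >= 2 and parts[0].startswith("HTTP/"):
        return "http " + parts[1]
    return "non-http"

def compare_ports(ip, hostname, ports):
    """Same request on each port; differing results point at per-port filtering."""
    return {port: probe_http01(ip, port, hostname) for port in ports}

def start_listener(reply):
    """Constructed local stand-in: reads one request, sends `reply` (may be empty), closes."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.recv(4096)
                if reply:
                    conn.sendall(reply)
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    dropping = start_listener(b"")  # constructed: behaves like port 80 in the thread
    healthy = start_listener(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")
    print(compare_ports("127.0.0.1", "медика-крым.рф", [dropping, healthy]))
```

Run from a host outside your own network, since filtering that keys on source address or request rate will not show up from inside.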

Thank you. Now I see where the problem is. The problem is in the DDoS protection for this domain.

2 Likes
