Error getting validation data (status 400)

arsylum · 2018-01-12 18:09:22 UTC

I don’t want to create additional noise on top of the current security issue but my understanding is that the http-01 challenge is supposed to work normally? If so then I don’t know what to do anymore.

My domain is: sittenkammer.de
My web server is: apache2 [2.4.10-10+deb8u11] (also tested on nginx [1.6.2-5+deb8u5] which made no difference) on raspbian 8
I ran this command (among many many others):
certbot certonly --webroot -w /var/www/html/ -d sittenkammer.de --staging

certbot always fails with

 - The following errors were reported by the server:

   Domain: sittenkammer.de
   Type:   connection
   Detail: Fetching
   http://185.142.180.85/sittenkammer/.well-known/acme-challenge/RfW8Z7Cwe89s3Zk7LQkQXwutbc84xeMYdmm3y0teo4c:
   Error getting validation data

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

I quadrupelchecked the A Records several times, asking different DNS servers, even from different hosts.

Something weird is going on with the resolution though - I don’t know why it is trying to fetch /sittenkammer/.well-known/acme-challenge instead of /.well-known/acme-challenge (this is where certbot actually places the file). I did not set up this hosting environment, but looking at all the relevant configuration files leaves me clueless about this. However I tried to work around the issue by symlinking:
lrwxrwxrwx 1 root root 15 Jan 12 17:54 /var/www/html/sittenkammer/.well-known -> ../.well-known/

Last but not least I ensured with manual mode that the file is there and is fetchable, in either case. Check for yourself:
http://sittenkammer.de/.well-known/acme-challenge/RfW8Z7Cwe89s3Zk7LQkQXwutbc84xeMYdmm3y0teo4c
http://185.142.180.85/.well-known/acme-challenge/RfW8Z7Cwe89s3Zk7LQkQXwutbc84xeMYdmm3y0teo4c
http://185.142.180.85/sittenkammer/.well-known/acme-challenge/RfW8Z7Cwe89s3Zk7LQkQXwutbc84xeMYdmm3y0teo4c
They are all pointing at the same file. But acme-v01.api.letsencrypt.org apparently can’t reach it.

This has gotten somewhat frustrating. Any help greatly appreciated!

stevenzhu · 2018-01-12 18:23:48 UTC

The issue is not dns, it’s root path.

The correct path to your file is
http://185.142.180.85/.well-known/acme-challenge/RfW8Z7Cwe89s3Zk7LQkQXwutbc84xeMYdmm3y0teo4c

Try change your command to
certbot certonly --webroot -w /var/www/html/sittenkammer/ -d sittenkammer.de --staging

This should work

arsylum · 2018-01-12 18:30:42 UTC

Thanks for the suggest. However it does not really change anything because of the symlink in place. If I replace the symlink with an actual folder the outcome also is the same.

The files are there, at any location. I can GET them. I can also curl them from a remote box. I don’t think root path is the problem.

stevenzhu · 2018-01-12 18:32:21 UTC

According to your command, it’s the problem…

Can you share the output for the command (the one i suggested)?

arsylum · 2018-01-12 18:36:37 UTC

To clarify: there is a difference for your command, that is the challenge file will be placed in /sittenkammer/.well-known/acme-challenge instead of /.well-known/acme-challenge

there you go for the output. It’s the same as always

# certbot certonly --webroot -w /var/www/html/sittenkammer/ -d sittenkammer.de --staging
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for sittenkammer.de
Using the webroot path /var/www/html/sittenkammer for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. sittenkammer.de (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://185.142.180.85/sittenkammer/.well-known/acme-challenge/xe33jczhshkVDXZ6sHJ31eHhP5-xzOPYGGPEDKorRWg: Error getting validation data

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: sittenkammer.de
   Type:   connection
   Detail: Fetching
   http://185.142.180.85/sittenkammer/.well-known/acme-challenge/xe33jczhshkVDXZ6sHJ31eHhP5-xzOPYGGPEDKorRWg:
   Error getting validation data

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

stevenzhu · 2018-01-12 18:43:00 UTC

In this case, can you please share your config?

i’m wondering what path your website is on.

Is your website on /var/www/html/ or /var/www/html/sittenkammer/ ?

arsylum · 2018-01-12 18:52:30 UTC

/var/www/html is the document root. From my extensive digging around it seems to be still a very standard apache config. Also I thought a certificate is for a domain, not for a website?

Anything specific? I’m afraid putting ‘the config’ (webserver, certbot, ip tables, systemd, network, whatnot…?) up here completely would dillute the problem more.

For now I’ll be afk for a little bit, dinner

sahsanu · 2018-01-12 19:08:14 UTC

Hi @arsylum,

Your domain advertises IPv4 and IPv6 addresses, Let’s Encrypt prefers IPv6 over IPv4 so it tries to validate your domain using the IPv6 address but you have a redirection that Let’s Encrypt won’t follow.

So, trying to reach the challenge using IPv4 it works, no problem:

$ curl -ikL4 http://sittenkammer.de/.well-known/acme-challenge/RfW8Z7Cwe89s3Zk7LQkQXwutbc84xeMYdmm3y0teo4c
HTTP/1.1 200 OK
Date: Fri, 12 Jan 2018 19:01:57 GMT
Server: Apache/2.4.10 (Raspbian)
Last-Modified: Fri, 12 Jan 2018 17:26:23 GMT
ETag: "58-562979043fb67"
Accept-Ranges: bytes
Content-Length: 88

RfW8Z7Cwe89s3Zk7LQkQXwutbc84xeMYdmm3y0teo4c.2yZ2fR3iDBQesHdvMZFl3ngmJQmXvVDz3_vzf4bz9g8

But trying to reach it using IPv6 you have 2 problems:

$ curl -ikL6 http://sittenkammer.de/.well-known/acme-challenge/RfW8Z7Cwe89s3Zk7LQkQXwutbc84xeMYdmm3y0teo4c
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Fri, 12 Jan 2018 19:02:05 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive
Location: http://185.142.180.85/sittenkammer/.well-known/acme-challenge/RfW8Z7Cwe89s3Zk7LQkQXwutbc84xeMYdmm3y0teo4c

HTTP/1.1 404 Not Found
Date: Fri, 12 Jan 2018 19:02:05 GMT
Server: Apache/2.4.10 (Raspbian)
Content-Length: 363
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /sittenkammer/.well-known/acme-challenge/RfW8Z7Cwe89s3Zk7LQkQXwutbc84xeMYdmm3y0teo4c was not found on this server.</p>
<hr>
<address>Apache/2.4.10 (Raspbian) Server at 185.142.180.85 Port 80</address>
</body></html>

1.- You are not serving the same content as using IPv4, using IPv6 I can’t reach the same challenge I can reach using IPv4.

2.- Let’s Encrypt follows redirections but doesn’t follow them if the redirection is an ip instead of a domain so this redirection won’t work:

Location: http://185.142.180.85/sittenkammer/.well-known/acme-challenge/RfW8Z7Cwe89s3Zk7LQkQXwutbc84xeMYdmm3y0teo4c

Solution, fix your IPv6 conf or remove AAAA record for your domain.

Good luck.
sahsanu

arsylum · 2018-01-13 19:59:40 UTC

Thank you so much, perfect answer!
IPv6 always fills me with irrational fear and unending confusion. I avoid it whenever I can

system · 2018-02-12 20:00:03 UTC

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.