Good day.
I am trying to sign a site with dehydrated.
Web server: nginx.
Site config (piece):
```nginx
server_name vpstest1.fnxtezt.ru ;
root /var/www/fnxtezt.ru/html;
index index.html index.xml;
location / {
try_files $uri $uri/ =404;
}
location /.well-known/acme-challenge {
alias /var/www/dehydrated;
}
location ^~ /.well-known {
allow all;
}
```
Error log:
```
dehydrated -c
INFO: Using main config file /etc/dehydrated/config
Processing vpstest1.fnxtezt.ru
Signing domains...
Generating private key...
Generating signing request...
Requesting new certificate order from CA...
Received 1 authorizations URLs from the CA
Handling authorization for vpstest1.fnxtezt.ru
1 pending challenge(s)
Deploying challenge tokens...
Responding to challenge for vpstest1.fnxtezt.ru authorization...
Cleaning challenge tokens...
Challenge validation has failed
ERROR : Challenge is invalid! (returned: invalid) (result: ["type"] "http-01"
["status"] "invalid"
["error","type"] "urn:ietf:params:acme:error:unauthorized"
["error","detail"] "91.228.155.194: Invalid response from http://vpstest1.fnxtezt.ru/.well-known/acme-challenge/nrE8xo6iAruFoqKPj9LTUoS5E0CPxSFdafdi8jIpAyE: 404"
["error ","status"] 403
["error "] {"type":"urn:ietf:params:acme:error:unauthorized","detail":"91.228.155.194: Invalid response from http://vpstest1.fnxtezt.ru/.well-known/acme-challenge/nrE8xo6iAruFoqKPj9LTUoS5E0CPxSFdafdi8jIpAyE: 404","status":403}
["url"] "https://acme-v02.api.letsencrypt.org/acme/chall-v3/321591379427/FQFBSQ "
["token"] "nrE8xo6iAruFoqKPj9LTUoS5E0CPxSFdafdi8jIpAyE"
["validationRecord",0,"url"] "http://vpstest1.fnxtezt.ru/.well-known/acme-challenge/nrE8xo6iAruFoqKPj9LTUoS5E0CPxSFdafdi8jIpAyE "
["validationRecord",0,"hostname"] "vpstest1.fnxtezt.ru "
["validationRecord",0,"port"] "80"
["validationRecord",0,"addressesResolved",0] "91.228.155.194"
["validationRecord",0,"addressesResolved"] ["91.228.155.194"]
["validationRecord",0,"addressUsed"] "91.228.155.194"
["validationRecord",0,"resolverAddrs",0] "A:10.1.12.81:27532"
["validationRecord",0,"resolverAddrs",1] "AAAA:10.1.12.83:29977"
["validationRecord",0,"resolverAddrs"] ["A:10.1.12.81:27532","AAAA:10.1.12.83:29977"]
["validationRecord",0] {"url":"http://vpstest1.fnxtezt.ru/.well-known/acme-challenge/nrE8xo6iAruFoqKPj9LTUoS5E0CPxSFdafdi8jIpAyE","hostname":"vpstest1.fnxtezt.ru","port":"80","addressesResolved":["91.228.155.194"],"addressUsed":"91.228.155.194","resolverAddrs":["A:10.1.12.81:27532","AAAA:10.1.12.83:29977 "]}
["validationRecord"] [{"url":"http://vpstest1.fnxtezt.ru/.well-known/acme-challenge/nrE8xo6iAruFoqKPj9LTUoS5E0CPxSFdafdi8jIpAyE","hostname":"vpstest1.fnxtezt.ru","port":"80","addressesResolved":["91.228.155.194"],"addressUsed":"91.228.155.194","resolverAddrs":["A:10.1.12.81:27532","AAAA:10.1.12.83:29977 "]}]
["validated"] "2024-03-02T12:35:27Z")
```
Nginx error log:
```
2024/03/02 12:40:11 [error] 2141#2141: *13 open() "/var/www/dehydrated/nrE8xo6iAruFoqKPj9LTUoS5E0CPxSFdafdi8jIpAyE","hostname":"vpstest1.fnxtezt.ru ","port":"80","addressesResolved":["91.228.155.194"],"addressUsed":"91.228.155.194","resolverAddrs":["A:10.1.12.81:27532","AAAA:10.1.12.83:29977" failed (2: No such file or directory), client: 184.105.99.36, server: vpstest1.fnxtezt.ru , request: "GET /.well-known/acme-challenge/nrE8xo6iAruFoqKPj9LTUoS5E0CPxSFdafdi8jIpAyE%22,%22hostname%22:%22vpstest1.fnxtezt.ru %22,%22port%22:%2280%22,%22addressesResolved%22:%5B%2291.228.155.194%22%5D,%22addressUsed%22:%2291.228.155.194%22,%22resolverAddrs%22:%5B%22A:10.1.12.81:27532%22,%22AAAA:10.1.12.83:29977 HTTP/1.1", host: "vpstest1.fnxtezt.ru "
```
Also, I disabled IPv6 in CentOS, but no luck.
I am sorry, this log is too much. Too many details.
Is the cause of this error a wrong location for .well-known/acme-challenge? Or another cause?
PS. It looks like port 443 is opened in the firewall, but I'm unsure.
Should I use the site location or a separate directory for dehydrated?
Separate is best but you should use `root` instead of `alias` for this situation.
The 404 error means that dehydrated placed the challenge token in the folder you said. But, when the Let's Encrypt server tried to find that token, your nginx said 404 Not Found.
So, the path in your nginx is not matching the folder you said in dehydrated.
I see you got 3 2 certs yesterday. What have you changed to make this not work? Be careful because you can only get 5 certs per week with the same names and many more will get you blocked for a week. You should use the Let's Encrypt staging system when testing. I don't know how you do that in dehydrated.
Unfortunately, this is not working.
I replaced the config syntax. No luck. After that I tried replacing the path for .well-known:
```nginx
location /.well-known/acme-challenge {
root /var/www/fnxtezt.ru/html/;
}
```
=============
This is not working.
```
Cleaning challenge tokens...
Challenge validation has failed
ERROR: Challenge is invalid! (returned: invalid) (result: ["type"] "http-01"
["status"] "invalid"
["error","type"] "urn:ietf:params:acme:error:unauthorized"
["error","detail"] "91.228.155.194: Invalid response from http://www.vpstest1.fnxtezt.ru/.well-known/acme-challenge/dfZI-I38gYdUIU3qF_ZURWaVKhdwnKLpbie-3z4jTLY: 404"
["error","status"] 403
["error"] {"type":"urn:ietf:params:acme:error:unauthorized","detail":"91.228.155.194: Invalid response from http://www.vpstest1.fnxtezt.ru/.well-known/acme-challenge/dfZI-I38gYdUIU3qF_ZURWaVKhdwnKLpbie-3z4jTLY: 404","status":403}
["url"] "https://acme-v02.api.letsencrypt.org/acme/chall-v3/321619994287/uVdOuA "
["token"] "dfZI-I38gYdUIU3qF_ZURWaVKhdwnKLpbie-3z4jTLY"
["validationRecord",0,"url"] "http://www.vpstest1.fnxtezt.ru/.well-known/acme-challenge/dfZI-I38gYdUIU3qF_ZURWaVKhdwnKLpbie-3z4jTLY "
["validationRecord",0,"hostname"] "www.vpstest1.fnxtezt.ru "
["validationRecord",0,"port"] "80"
["validationRecord",0,"addressesResolved",0] "91.228.155.194"
["validationRecord",0,"addressesResolved"] ["91.228.155.194"]
["validationRecord",0,"addressUsed"] "91.228.155.194"
["validationRecord",0,"resolverAddrs",0] "A:10.0.12.81:30446"
["validationRecord",0,"resolverAddrs",1] "AAAA:10.0.12.81:30446"
["validationRecord",0,"resolverAddrs"] ["A:10.0.12.81:30446","AAAA:10.0.12.81:30446"]
["validationRecord",0] {"url":"http://www.vpstest1.fnxtezt.ru/.well-known/acme-challenge/dfZI-I38gYdUIU3qF_ZURWaVKhdwnKLpbie-3z4jTLY","hostname":"www.vpstest1.fnxtezt.ru","port":"80","addressesResolved":["91.228.155.194"],"addressUsed":"91.228.155.194","resolverAddrs":["A:10.0.12.81:30446","AAAA:10.0.12.81:30446 "]}
["validationRecord"] [{"url":"http://www.vpstest1.fnxtezt.ru/.well-known/acme-challenge/dfZI-I38gYdUIU3qF_ZURWaVKhdwnKLpbie-3z4jTLY","hostname":"www.vpstest1.fnxtezt.ru","port":"80","addressesResolved":["91.228.155.194"],"addressUsed":"91.228.155.194","resolverAddrs":["A:10.0.12.81:30446","AAAA:10.0.12.81:30446 "]}]
["validated"] "2024-03-02T14:34:20Z")
```
Which folder have you set for wellknown in dehydrated for the challenge token?
# WELLKNOWN
With `http-01`-type verification (default in this script, there is also support for [dns based verification](dns-verification.md)) Let's Encrypt (or the ACME-protocol in general) is checking if you are in control of a domain by accessing a verification file on an URL similar to `http://example.org/.well-known/acme-challenge/m4g1C-t0k3n`.
It will do that for any (sub-)domain you want to sign a certificate for.
At the moment you'll need to have that location available over normal HTTP on port 80 (redirect to HTTPS will work, but starting point is always HTTP!).
dehydrated has a config variable called `WELLKNOWN`, which corresponds to the directory which should be served under `/.well-known/acme-challenge` on your domain. So in the above example the token would have been saved as `$WELLKNOWN/m4g1C-t0k3n`.
If you only have one docroot on your server you could easily do something like `WELLKNOWN=/var/www/.well-known/acme-challenge`, for anything else look at the example below.
## Example Usage
If you have more than one docroot (or you are using your server as a reverse proxy / load balancer) the simple configuration mentioned above wouldn't work, but with just a few lines of webserver configuration this can be solved.
An example would be to create a directory `/var/www/dehydrated` and set `WELLKNOWN=/var/www/dehydrated` in the scripts config.
You'll need to configure aliases on your Webserver:
### Nginx example config
/etc/dehydrated/config
```
WELLKNOWN="/var/www/fnxtezt.ru/html/.well-known/acme-challenge/"
```
I don't have dehydrated to test but I think this has to match your nginx
```
WELLKNOWN="/var/www/dehydrated"
```
and then in your nginx:
```nginx
location /.well-known/acme-challenge {
root /var/www/dehydrated;
}
```
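The advice above (use `root` instead of `alias`, and make `WELLKNOWN` match the nginx location) and the quoted dehydrated docs both turn on one detail of nginx path resolution: `root` appends the whole request URI to its path, while `alias` replaces the matched location prefix. The same `location /.well-known/acme-challenge { ... }` block therefore points at a different directory depending on which directive is in it, and `WELLKNOWN` has to follow. The POSIX shell helper below is an added example, not code from this thread, from dehydrated or from nginx; the function names (`nginx_resolve_path`, `required_wellknown`, `check_wellknown`, `probe_challenge`), the `TOKEN` placeholder and the probe token format are assumptions made for the example. It computes the file nginx would open for a challenge request, derives the directory dehydrated must write into, and reports a mismatch before a certificate order is spent against the rate limit.

```shell
#!/bin/sh
# Added example (not from the thread, dehydrated or nginx): work out which
# directory dehydrated's WELLKNOWN must point at for a given nginx
# "location ... { root|alias ...; }" block, and flag a mismatch before
# spending a certificate order. Function and sample names are assumptions.

ACME_PREFIX=/.well-known/acme-challenge

# nginx_resolve_path DIRECTIVE PATH LOCATION_PREFIX REQUEST_URI
# Prints the filesystem path nginx would open() for REQUEST_URI.
#   root:  the *whole* URI is appended to PATH
#   alias: the LOCATION_PREFIX part of the URI is *replaced* by PATH
nginx_resolve_path() {
  directive=$1 base=${2%/} prefix=$3 uri=$4
  case $directive in
    root)  printf '%s%s\n' "$base" "$uri" ;;
    alias) printf '%s%s\n' "$base" "${uri#"$prefix"}" ;;
    *)     echo "nginx_resolve_path: unknown directive '$directive'" >&2; return 2 ;;
  esac
}

# required_wellknown DIRECTIVE PATH LOCATION_PREFIX
# Prints the directory dehydrated must write tokens into so nginx finds them.
# "TOKEN" is a placeholder file name, not a real ACME token.
required_wellknown() {
  p=$(nginx_resolve_path "$1" "$2" "$3" "$3/TOKEN") || return $?
  printf '%s\n' "${p%/TOKEN}"
}

# check_wellknown WELLKNOWN DIRECTIVE PATH LOCATION_PREFIX
# Exit 0 when WELLKNOWN matches what nginx will serve, 1 otherwise (with a hint).
check_wellknown() {
  want=$(required_wellknown "$2" "$3" "$4") || return 2
  have=${1%/}
  if [ "$have" = "$want" ]; then
    echo "OK: WELLKNOWN=$have matches '$2 $3;' under location $4"
    return 0
  fi
  echo "MISMATCH: WELLKNOWN=$have but nginx will look in $want (directive: $2)" >&2
  return 1
}

# probe_challenge HOST WELLKNOWN
# Live check (needs a running nginx, curl and write access to WELLKNOWN):
# drop a throwaway file into WELLKNOWN, fetch it the way the CA does (plain
# HTTP on port 80) and clean up. The token is constructed locally.
probe_challenge() {
  host=$1 dir=${2%/}
  token="selftest-$$-$(date +%s)"
  printf 'probe\n' > "$dir/$token" || return 2
  body=$(curl -fsS --max-time 10 "http://$host$ACME_PREFIX/$token")
  rc=$?
  rm -f "$dir/$token"
  [ "$rc" -eq 0 ] && [ "$body" = "probe" ]
}

# Demo with the paths used in this thread (same PATH, two directives).
for d in root alias; do
  printf '%-5s -> %s\n' "$d" \
    "$(nginx_resolve_path "$d" /var/www/dehydrated "$ACME_PREFIX" "$ACME_PREFIX/TOKEN")"
done
check_wellknown /var/www/dehydrated alias /var/www/dehydrated "$ACME_PREFIX" || :
check_wellknown /var/www/dehydrated root  /var/www/dehydrated "$ACME_PREFIX" || :
```

Run as a script, the demo resolves both forms for the paths in this thread: with `root /var/www/dehydrated;` nginx opens `/var/www/dehydrated/.well-known/acme-challenge/TOKEN`, so `WELLKNOWN` must be that full directory; with `alias /var/www/dehydrated;` it opens `/var/www/dehydrated/TOKEN`, so `WELLKNOWN=/var/www/dehydrated` is the matching value. `probe_challenge` is the live form of the same check (does port 80 on this host serve what was just written?) and needs a running server, so it is not part of the offline assertions; running it, or the static check, before `dehydrated -c` avoids burning authorizations on a path typo.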
Replaced, but it still shows the error.
```
Responding to challenge for www.vpstest1.fnxtezt.ru authorization...
Cleaning challenge tokens...
Challenge validation has failed
ERROR: Challenge is invalid! (returned: invalid) (result: ["type"] "http-01"
["status"] "invalid"
["error","type"] "urn:ietf:params:acme:error:unauthorized"
["error","detail"] "91.228.155.194: Invalid response from http://www.vpstest1.fnxtezt.ru/.well-known/acme-challenge/syJOKQS00WTFFnbxcSG0rPVBbWVRd6wAhtTlNBEr_78: 404"
["error","status"] 403
["error"] {"type":"urn:ietf:params:acme:error:unauthorized","detail":"91.228.155.194: Invalid response from http://www.vpstest1.fnxtezt.ru/.well-known/acme-challenge/syJOKQS00WTFFnbxcSG0rPVBbWVRd6wAhtTlNBEr_78: 404","status":403}
["url"] "https://acme-v02.api.letsencrypt.org/acme/chall-v3/321669285137/alrdWA "
["token"] "syJOKQS00WTFFnbxcSG0rPVBbWVRd6wAhtTlNBEr_78"
["validationRecord",0,"url"] "http://www.vpstest1.fnxtezt.ru/.well-known/acme-challenge/syJOKQS00WTFFnbxcSG0rPVBbWVRd6wAhtTlNBEr_78 "
["validationRecord",0,"hostname"] "www.vpstest1.fnxtezt.ru "
["validationRecord",0,"port"] "80"
["validationRecord",0,"addressesResolved",0] "91.228.155.194"
["validationRecord",0,"addressesResolved"] ["91.228.155.194"]
["validationRecord",0,"addressUsed"] "91.228.155.194"
["validationRecord",0,"resolverAddrs",0] "A:10.1.12.87:22025"
["validationRecord",0,"resolverAddrs",1] "AAAA:10.1.12.82:20692"
["validationRecord",0,"resolverAddrs"] ["A:10.1.12.87:22025","AAAA:10.1.12.82:20692"]
["validationRecord",0] {"url":"http://www.vpstest1.fnxtezt.ru/.well-known/acme-challenge/syJOKQS00WTFFnbxcSG0rPVBbWVRd6wAhtTlNBEr_78","hostname":"www.vpstest1.fnxtezt.ru","port":"80","addressesResolved":["91.228.155.194"],"addressUsed":"91.228.155.194","resolverAddrs":["A:10.1.12.87:22025","AAAA:10.1.12.82:20692 "]}
["validationRecord"] [{"url":"http://www.vpstest1.fnxtezt.ru/.well-known/acme-challenge/syJOKQS00WTFFnbxcSG0rPVBbWVRd6wAhtTlNBEr_78","hostname":"www.vpstest1.fnxtezt.ru","port":"80","addressesResolved":["91.228.155.194"],"addressUsed":"91.228.155.194","resolverAddrs":["A:10.1.12.87:22025","AAAA:10.1.12.82:20692 "]}]
["validated"] "2024-03-02T17:44:15Z")
```
That is a different domain name than earlier. This is the www subdomain of your earlier requests. Have you updated your nginx server block to include this name?
Good day. I tried removing the www subdomain from the dehydrated config and nginx:
```
dehydrated -c
INFO: Using main config file /etc/dehydrated/config
Processing vpstest1.fnxtezt.ru
Checking domain name(s) of existing cert... unchanged.
Checking expire date of existing cert...
Valid till May 31 13:34:10 2024 GMT (Longer than 30 days). Skipping renew!
Running automatic cleanup
```
============
I tried adding www to both, and in this case dehydrated shows the old error:
```
Challenge validation has failed
ERROR: Challenge is invalid! (returned: invalid) (result: ["type"] "http-01"
["status"] "invalid"
["error","type"] "urn:ietf:params:acme:error:unauthorized"
["error","detail"] "91.228.155.194: Invalid response from http://www.vpstest1.fnxtezt.ru/.well-known/acme-challenge/yRtgB92fDWeceFYuigJCIQ7D-vpJWJKZL98iQSxnBNU: 404"
["error","status"] 403
["error"] {"type":"urn:ietf:params:acme:error:unauthorized","detail":"91.228.155.194: Invalid response from http://www.vpstest1.fnxtezt.ru/.well-known/acme-challenge/yRtgB92fDWeceFYuigJCIQ7D-vpJWJKZL98iQSxnBNU: 404","status":403}
["url"] "https://acme-v02.api.letsencrypt.org/acme/chall-v3/322260793107/Qsdo-w "
["token"] "yRtgB92fDWeceFYuigJCIQ7D-vpJWJKZL98iQSxnBNU"
["validationRecord",0,"url"] "http://www.vpstest1.fnxtezt.ru/.well-known/acme-challenge/yRtgB92fDWeceFYuigJCIQ7D-vpJWJKZL98iQSxnBNU "
["validationRecord",0,"hostname"] "www.vpstest1.fnxtezt.ru "
["validationRecord",0,"port"] "80"
["validationRecord",0,"addressesResolved",0] "91.228.155.194"
["validationRecord",0,"addressesResolved"] ["91.228.155.194"]
["validationRecord",0,"addressUsed"] "91.228.155.194"
["validationRecord",0,"resolverAddrs",0] "A:10.0.12.85:25640"
["validationRecord",0,"resolverAddrs",1] "AAAA:10.0.12.86:22132"
["validationRecord",0,"resolverAddrs"] ["A:10.0.12.85:25640","AAAA:10.0.12.86:22132"]
["validationRecord",0] {"url":"http://www.vpstest1.fnxtezt.ru/.well-known/acme-challenge/yRtgB92fDWeceFYuigJCIQ7D-vpJWJKZL98iQSxnBNU","hostname":"www.vpstest1.fnxtezt.ru","port":"80","addressesResolved":["91.228.155.194"],"addressUsed":"91.228.155.194","resolverAddrs":["A:10.0.12.85:25640","AAAA:10.0.12.86:22132 "]}
["validationRecord"] [{"url":"http://www.vpstest1.fnxtezt.ru/.well-known/acme-challenge/yRtgB92fDWeceFYuigJCIQ7D-vpJWJKZL98iQSxnBNU","hostname":"www.vpstest1.fnxtezt.ru","port":"80","addressesResolved":["91.228.155.194"],"addressUsed":"91.228.155.194","resolverAddrs":["A:10.0.12.85:25640","AAAA:10.0.12.86:22132 "]}]
["validated"] "2024-03-04T07:13:17Z")
```
system (Closed, April 3, 2024, 7:17am): This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.