Failed authorization procedure for my domain

Please fill out the fields below so we can help you. Note: you must provide your domain name to get help. The domain names of all issued certificates are made public in Certificate Transparency logs (for example, crt.sh | example.com), so not giving your domain name here does nothing to keep it secret, but it does make it harder for us to help you.

I can read responses in English: Yes

My domain is: demo.hologram.cd

I ran this command: certbot --apache

It produced this output: Failed authorization procedure. demo.hologram.cd (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 74.208.121.66: Invalid response from http://demo.hologram.cd/.well-known/acme-challenge/thouXubiQGIRRL7y21Lsk3p4rWdtoiEsxPjTF-nsqb4: "<span style="color: #000000">\nthouXubiQGIRRL7y21Lsk3p4rWdtoiEsxPjTF-nsqb4.BMjxi89gqG5gj22TjAl_STRPehdGDLZCRir_gs-JjN4</spa"

My web server is (include version): Apache2

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: Infomaniak

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Yes

Hello @herveg, welcome to the Let's Encrypt community. :slightly_smiling_face:

I see this response, which does not look typical to me: HTTP/1.1 503 Service Unavailable
Please wait for help from more knowledgeable Let's Encrypt community volunteers.

$ curl -Ii http://demo.hologram.cd/.well-known/acme-challenge/sometestfile
HTTP/1.1 503 Service Unavailable
Date: Tue, 19 Sep 2023 16:03:43 GMT
Server: Apache/2.4.18 (Ubuntu)
Connection: close
Content-Type: text/html; charset=iso-8859-1

curl -Ii http://demo.hologram.cd/
HTTP/1.1 200 OK
Date: Wed, 20 Sep 2023 13:50:34 GMT
Server: Payara Server 5.193 #badassfish
X-Powered-By: Servlet/4.0 JSP/2.3 (Payara Server 5.193 #badassfish Java/Ubuntu/11)
Accept-Ranges: bytes
ETag: W/"15845-1646817274000"
Last-Modified: Wed, 09 Mar 2022 09:14:34 GMT
Content-Length: 15845
Content-Type: text/html
X-Frame-Options: SAMEORIGIN

$ curl -Ii http://demo.hologram.cd/.well-known/acme-challenge/sometestfile
HTTP/1.1 200 OK
Date: Wed, 20 Sep 2023 19:23:56 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Type: text/html; charset=UTF-8

These results look more normal to me for a file that is not present: HTTP/1.1 404 Not Found.

$ curl -Ii http://demo.hologram.cd/.well-known/acme-challenge/sometestfile1
HTTP/1.1 404 Not Found
Date: Wed, 20 Sep 2023 19:23:58 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Type: text/html; charset=iso-8859-1

Using the online Let's Debug tool gives these results, https://letsdebug.net/demo.hologram.cd/1617275 : OK.
Do you still have a problem?

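The curl probes above are exactly what the Let's Encrypt validator does, minus the comparison of the body against the expected key authorization. The following script is an added example (not from this thread, and not certbot's code) that automates that pre-flight check: it fetches a challenge path over plain HTTP, classifies the response into the failure modes seen in this thread (503, 404, or the token wrapped in HTML by an application server), and separately tests whether port 443 actually completes a TLS handshake. The domain, token and thumbprint are supplied on the command line; the sample values used in the test below are constructed.

```python
"""Pre-flight check for an ACME http-01 challenge, modelled on the curl
probes in this thread. Added example; not certbot's code.

The Let's Encrypt validator fetches
    http://<domain>/.well-known/acme-challenge/<token>
over plain HTTP and accepts only a body equal to "<token>.<thumbprint>"
(trailing whitespace is ignored). Anything else, including the token
wrapped in HTML by an application server, fails with "unauthorized".
"""
import socket
import ssl
import sys
import urllib.error
import urllib.request

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def classify_challenge_response(status, server_header, body, key_authorization):
    """Map one observed HTTP response onto the failure modes seen in the thread."""
    server = server_header or "unknown server"
    if status == 200 and body.strip() == key_authorization:
        return "ok"
    if status == 503:
        return f"503 from {server}: port 80 reached a web server that is refusing to serve (backend down?)"
    if status == 404:
        return f"404 from {server}: port 80 reached a web server, but it has no such challenge file"
    if status == 200 and key_authorization in body:
        # The key authorization is there, but inside other content (e.g. a <span>);
        # the validator compares the whole body, so this still fails.
        return f"200 from {server}: key authorization present but wrapped in other content; validator needs the bare text"
    return f"{status} from {server}: unexpected response"


def fetch_challenge(domain, token, timeout=10):
    """Fetch the challenge URL the way the validator does; return (status, server, body)."""
    url = f"http://{domain}{CHALLENGE_PREFIX}{token}"
    req = urllib.request.Request(url, headers={"User-Agent": "acme-preflight/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Server"), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # 4xx/5xx still carry a Server header and a body worth classifying.
        return err.code, err.headers.get("Server"), err.read().decode("utf-8", "replace")


def port_speaks_tls(host, port=443, timeout=5):
    """True if host:port completes a TLS handshake, False if it answers in
    plaintext (curl's "wrong version number"), None if the port is unreachable."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # only asking "is TLS spoken here?", not "is the cert valid?"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLError:        # must come before OSError: SSLError is a subclass of it
        return False
    except OSError:
        return None


if __name__ == "__main__":
    # Usage: python3 acme_preflight.py demo.hologram.cd <token> <thumbprint>
    # The token/thumbprint pair can be any value you wrote into the challenge
    # directory yourself; it does not have to come from a live ACME order.
    domain, token, thumbprint = sys.argv[1:4]
    status, server, body = fetch_challenge(domain, token)
    print("http-01:", classify_challenge_response(status, server, body, f"{token}.{thumbprint}"))
    print("port 443 speaks TLS:", port_speaks_tls(domain))
```

Run it with a token you have placed in the webroot yourself before running certbot: a result other than `ok` on the first line, or `False` on the second, reproduces the two problems discussed in this thread without spending a Let's Encrypt validation attempt.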

@herveg
Port 443 serves HTTP instead of HTTPS.

$ curl -Ii https://demo.hologram.cd/
curl: (35) error:0A00010B:SSL routines::wrong version number
$ curl -Ii http://demo.hologram.cd:443/
HTTP/1.1 200 OK
Date: Wed, 20 Sep 2023 19:28:54 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Type: text/html; charset=UTF-8

So how should I go about configuring port 443 for HTTPS instead of serving HTTP? Please guide me toward a better configuration if possible.


curl -v https://demo.hologram.cd/

* Trying 74.208.121.66...
* Connected to demo.hologram.cd (74.208.121.66) port 443 (#0)
* found 129 certificates in /etc/ssl/certs/ca-certificates.crt
* found 520 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* gnutls_handshake() failed: An unexpected TLS packet was received.
* Closing connection 0
curl: (35) gnutls_handshake() failed: An unexpected TLS packet was received.

What shows?:
sudo apachectl -t -D DUMP_VHOSTS


sudo apachectl -t -D DUMP_VHOSTS
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 74.208.121.66. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:80 demo.hologram.cd (/etc/apache2/sites-enabled/payaraSite.conf:1)

How are you doing the NAT/port forwarding for HTTP and HTTPS?


No NAT/port forwarding for HTTP and HTTPS done.

Then that doesn't explain how the config only shows port 80 and connections to ports 80 and 443 are being responded to.

How does port 443 reach Apache?


Port 80 reaches a "Payara Server":

curl -Ii http://demo.hologram.cd/
HTTP/1.1 200 OK
Date: Thu, 21 Sep 2023 08:59:21 GMT
Server: Payara Server  5.193 #badassfish
X-Powered-By: Servlet/4.0 JSP/2.3 (Payara Server  5.193 #badassfish Java/Ubuntu/11)
Accept-Ranges: bytes
ETag: W/"15845-1646817274000"
Last-Modified: Wed, 09 Mar 2022 09:14:34 GMT
Content-Length: 15845
Content-Type: text/html
X-Frame-Options: SAMEORIGIN

Port 443 reaches Apache server:

curl -Ii http://demo.hologram.cd:443/
HTTP/1.1 200 OK
Date: Thu, 21 Sep 2023 08:59:25 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Type: text/html; charset=UTF-8

Okay, let me explain. When I wanted to renew my LE certificate, I had encountered errors linked to an authorization problem. So I uninstalled LE completely and reinstalled it. When I reinstalled, I still got these errors:
certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

Which names would you like to activate HTTPS for?


1: demo.hologram.cd


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for demo.hologram.cd
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. demo.hologram.cd (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 74.208.121.66: Invalid response from http://demo.hologram.cd/.well-known/acme-challenge/WTmSKPj0zfh6CH5Nx3OgCig_D0REezX-DJq8JdEOG4I: "<span style="color: #000000">\nWTmSKPj0zfh6CH5Nx3OgCig_D0REezX-DJq8JdEOG4I.BMjxi89gqG5gj22TjAl_STRPehdGDLZCRir_gs-JjN4</spa"

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: demo.hologram.cd
    Type: unauthorized
    Detail: 74.208.121.66: Invalid response from
    http://demo.hologram.cd/.well-known/acme-challenge/WTmSKPj0zfh6CH5Nx3OgCig_D0REezX-DJq8JdEOG4I:
    "<span style="color:
    #000000">\nWTmSKPj0zfh6CH5Nx3OgCig_D0REezX-DJq8JdEOG4I.BMjxi89gqG5gj22TjAl_STRPehdGDLZCRir_gs-JjN4</spa"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

The SSL configuration file is automatically created and activated by Certbot when LE is installed. The SSL file no longer exists in /etc/apache2/sites-available/ because I deactivated and deleted it when I uninstalled LE. Now the file doesn't exist because the LE installation failed.

Apache has been configured for use as Payara's front-end server and reverse proxy. But before that, everything was working fine. The trouble started when the LE certificate was renewed.

The problem, as I see it, is that LE can't reach Apache via port 80 [HTTP], which is required for ACME validation and for obtaining a certificate.

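For a practitioner facing the same layout (Apache in front of Payara, `certbot --apache` failing, port 443 answering in plaintext), the following is one way to lay out the two Apache vhosts so that port 80 reaches Apache and serves the http-01 challenge itself, everything else is proxied to Payara, and port 443 is a real TLS vhost. This is an added example, not the thread's configuration. It assumes Payara's HTTP listener is on 127.0.0.1:8080 (Payara's default), a challenge webroot of /var/www/acme, and the certificate paths and options file certbot writes by default; none of these are stated in the thread.

```apache
# Assumed layout (not from the thread): Apache owns ports 80 and 443,
# Payara listens only on 127.0.0.1:8080, challenge webroot is /var/www/acme.
# Needs: a2enmod proxy proxy_http ssl headers

<VirtualHost *:80>
    ServerName demo.hologram.cd

    # Serve ACME http-01 challenges from Apache itself, as bare text, so the
    # validator sees exactly "<token>.<thumbprint>" and not HTML from Payara.
    Alias /.well-known/acme-challenge/ /var/www/acme/.well-known/acme-challenge/
    <Directory /var/www/acme/.well-known/acme-challenge/>
        Require all granted
        ForceType text/plain
    </Directory>
    # Exclusion must precede the catch-all ProxyPass: ProxyPass is matched in order.
    ProxyPass /.well-known/acme-challenge/ !

    # Everything else goes to Payara.
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>

# Enable this vhost only after the certificate exists (see usage note);
# Apache refuses to start if the files below are missing.
<VirtualHost *:443>
    ServerName demo.hologram.cd

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/demo.hologram.cd/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/demo.hologram.cd/privkey.pem
    # Certbot's recommended TLS settings (written by the certbot-apache package).
    Include /etc/letsencrypt/options-ssl-apache.conf

    ProxyPreserveHost On
    # Let Payara know the original scheme when it builds redirects.
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

Usage: enable the `*:80` vhost alone first, confirm `curl -I http://demo.hologram.cd/.well-known/acme-challenge/test` now returns an Apache `Server:` header (a 404 is fine for a file that does not exist), obtain the certificate with `certbot certonly --webroot -w /var/www/acme -d demo.hologram.cd`, then enable the `*:443` vhost. Afterwards `sudo apachectl -t -D DUMP_VHOSTS` should list both `*:80` and `*:443` for demo.hologram.cd, and `curl -I https://demo.hologram.cd/` should complete a TLS handshake instead of failing with `wrong version number`. Whatever is currently answering on port 80 with a Payara `Server:` header (and on 443 in plaintext) must be made to stop binding those ports, otherwise Apache cannot take them over.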

However, ports 80 and 443 are authorized by my firewall.

When you run accessibility tests on port 80 with the Curl command, it works fine though.

It doesn't work fine.
Port 80 does NOT reach Apache:

curl -Ii http://demo.hologram.cd/
HTTP/1.1 200 OK
Date: Thu, 21 Sep 2023 09:41:26 GMT
Server: Payara Server  5.193 #badassfish
X-Powered-By: Servlet/4.0 JSP/2.3 (Payara Server  5.193 #badassfish Java/Ubuntu/11)
Accept-Ranges: bytes
ETag: W/"15845-1646817274000"
Last-Modified: Wed, 09 Mar 2022 09:14:34 GMT
Content-Length: 15845
Content-Type: text/html
X-Frame-Options: SAMEORIGIN

Does the firewall do any NAT?
