Failed authorization procedure .well-known/acme-challenge


#1

Hello everyone, I have tried many solutions on the Internet but none has worked.

I am using an Apache2 server mounted on Ubuntu 16, when trying to get my security certificates I have executed commands like:

sudo certbot certonly --webroot --webroot-path=/myPath/public_html -d lamerayema.com -d www.lamerayema.com

sudo certbot certonly --manual -d lamerayema.com

sudo certbot --apache -d lamerayema.com -d www.lamerayema.com

I have created the directory /.well-known/acme-challenge/, I have also entered test files to see if it resolves the URL and everything is fine.

When I tried to generate the certificate manually, I created the token files and tried them in the browser and they work, for example:
testlink

In any case, I always receive the error:
Invalid response from http://lamerayema.com/.well-known/acme-challenge/yvQzsCxVepqJU9SVlRIzRmuiC0ZDASRlwbABCorqvOg: q%!(EXTRA string=<!DOCTYPE html> <meta name="viewport" content="width=device-width,)

I would appreciate your help to solve this problem as I feel that I have tried everything.


#2

Hi @Angel998,

It looks like your server is behind a Mikrotik HttpProxy device and that that device is injecting some Javascript or something under some conditions. It’s strange because it looks like you’ve succeeded in preventing this from affecting /.well-known/acme-challenge but perhaps the proxy nonetheless performs this injection depending on the source IP address of the request (??).

Could you figure out what this device is and how it’s configured?


#3

Hello, thanks for answering, it’s something I had not considered, I’ll investigate and see if I find something.


#4

Hi @Angel998,

I agree with @schoen; I've tested the challenge you posted and I've received 3 different responses (randomly):

1.- Access forbidden

$ curl -IkLv "http://lamerayema.com/.well-known/acme-challenge/yvQzsCxVepqJU9SVlRIzRmuiC0ZDASRlwbABCorqvOg"
*   Trying 131.161.55.147...
* TCP_NODELAY set
* Connected to lamerayema.com (131.161.55.147) port 80 (#0)
> HEAD /.well-known/acme-challenge/yvQzsCxVepqJU9SVlRIzRmuiC0ZDASRlwbABCorqvOg HTTP/1.1
> Host: lamerayema.com
> User-Agent: curl/7.52.1
> Accept: */*
> 
* HTTP 1.0, assume close after body
< HTTP/1.0 403 Forbidden
HTTP/1.0 403 Forbidden
< Content-Length: 1205
Content-Length: 1205
< Content-Type: text/html
Content-Type: text/html
< Date: Thu, 27 Sep 2018 17:28:55 GMT
Date: Thu, 27 Sep 2018 17:28:55 GMT
< Expires: Thu, 27 Sep 2018 17:28:55 GMT
Expires: Thu, 27 Sep 2018 17:28:55 GMT
< Server: Mikrotik HttpProxy
Server: Mikrotik HttpProxy
< Proxy-Connection: close
Proxy-Connection: close

< 
* Curl_http_done: called premature == 0
* Closing connection 0

2.- A web page using iframes

$ curl -ikL "http://lamerayema.com/.well-known/acme-challenge/yvQzsCxVepqJU9SVlRIzRmuiC0ZDASRlwbABCorqvOg"
HTTP/1.1 200 OK
Date: Thu, 27 Sep 2018 17:29:15 GMT
Server: Apache/2.4.18 (Ubuntu)
Last-Modified: Thu, 27 Sep 2018 16:17:17 GMT
ETag: "58-576dcac37c4d0"
Accept-Ranges: bytes
Content-Length: 88

yvQzsCxVepqJU9SVlRIzRmuiC0ZDASRlwbABCorqvOg.sp1eJEZUeySm8GmpC8LxCSiKGRcttsB1GfD37JkmDuA
[sahsanu@nube ~]$ curl -ikL "http://lamerayema.com/.well-known/acme-challenge/yvQzsCxVepqJU9SVlRIzRmuiC0ZDASRlwbABCorqvOg"
HTTP/1.0 403 Forbidden
Content-Length: 1205
Content-Type: text/html
Date: Thu, 27 Sep 2018 17:29:20 GMT
Expires: Thu, 27 Sep 2018 17:29:20 GMT
Server: Mikrotik HttpProxy
Proxy-Connection: close

<!DOCTYPE html>
<html lang="en">

<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta http-equiv="X-UA-Compatible" content="ie=edge">
    <title>http://lamerayema.com/.well-known/acme-challenge/yvQzsCxVepqJU9SVlRIzRmuiC0ZDASRlwbABCorqvOg</title>
    <style>
        .full-screen-preview {
            height: 100%;
            padding: 0px;
            margin: 0px;
            overflow: hidden
        }
        
        .full-screen-preview__frame {
            display: block;
            background: #fff;
            border: none;
            height: 100vh;
            width: 100vw;
        }
    </style>
    <script src="https://srcip.com/src.js"></script>
</head>

<body class="full-screen-preview">
    <script>
        var didItOpen = false;
        setTimeout(function() {
            if (!didItOpen) window.frames['load-url'].location = 'http://lamerayema.com/.well-known/acme-challenge/yvQzsCxVepqJU9SVlRIzRmuiC0ZDASRlwbABCorqvOg';
        }, 10);
    </script>
    <iframe class="full-screen-preview__frame" name="load-url" frameborder="0" noresize="noresize"></iframe>
</body>

</html>⏎                                      

3.- The right and expected challenge

$ curl -vikL "http://lamerayema.com/.well-known/acme-challenge/yvQzsCxVepqJU9SVlRIzRmuiC0ZDASRlwbABCorqvOg"
*   Trying 131.161.55.147...
* TCP_NODELAY set
* Connected to lamerayema.com (131.161.55.147) port 80 (#0)
> GET /.well-known/acme-challenge/yvQzsCxVepqJU9SVlRIzRmuiC0ZDASRlwbABCorqvOg HTTP/1.1
> Host: lamerayema.com
> User-Agent: curl/7.52.1
> Accept: */*
> 
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Thu, 27 Sep 2018 17:38:04 GMT
Date: Thu, 27 Sep 2018 17:38:04 GMT
< Server: Apache/2.4.18 (Ubuntu)
Server: Apache/2.4.18 (Ubuntu)
< Last-Modified: Thu, 27 Sep 2018 16:17:17 GMT
Last-Modified: Thu, 27 Sep 2018 16:17:17 GMT
< ETag: "58-576dcac37c4d0"
ETag: "58-576dcac37c4d0"
< Accept-Ranges: bytes
Accept-Ranges: bytes
< Content-Length: 88
Content-Length: 88

< 
yvQzsCxVepqJU9SVlRIzRmuiC0ZDASRlwbABCorqvOg.sp1eJEZUeySm8GmpC8LxCSiKGRcttsB1GfD37JkmDuA
* Curl_http_done: called premature == 0
* Connection #0 to host lamerayema.com left intact

So, yes, as @schoen said, your MikroTik server/router is doing something wrong…

Cheers,
sahsanu
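
An added example, not from this thread or from any poster: a small Python checker that classifies a raw HTTP-01 challenge response the way the three curl runs above were sorted by hand (proxy 403, HTML wrapper page, correct key authorization). The expected value is taken from the challenge shown in the thread; the three sample responses are constructed.

```python
import re

# Key authorization is "<token>.<account-key-thumbprint>", both base64url, 43 chars each
# for Let's Encrypt's 32-byte values. Token and thumbprint copied from the thread's output.
TOKEN = "yvQzsCxVepqJU9SVlRIzRmuiC0ZDASRlwbABCorqvOg"
EXPECTED = TOKEN + ".sp1eJEZUeySm8GmpC8LxCSiKGRcttsB1GfD37JkmDuA"
KEYAUTHZ_RE = re.compile(r"^[A-Za-z0-9_-]{43}\.[A-Za-z0-9_-]{43}$")


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status code, lowercase header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify(raw, expected=EXPECTED):
    """Name what an ACME validator would have seen for one fetch of the challenge URL."""
    status, headers, body = parse_response(raw)
    text = body.decode("utf-8", "replace").strip()
    if status == 403 and "httpproxy" in headers.get("server", "").lower():
        return "proxy_forbidden"            # intercepting proxy answered; origin never reached
    if status != 200:
        return "unexpected_status_%d" % status
    if text == expected:
        return "valid"                      # exactly what the CA must receive, every time
    if KEYAUTHZ_RE.match(text):
        return "wrong_key_authorization"    # token served, but for a different account key
    if text.lower().startswith("<!doctype") or "<html" in text.lower():
        return "html_wrapper"               # e.g. an injected iframe page instead of the token
    return "unexpected_body"


# Constructed sample responses modelled on the three curl runs in the thread. In the thread
# the iframe page arrived with a 403; here it is served as a 200 to show that case separately.
SAMPLES = [
    b"HTTP/1.0 403 Forbidden\r\nContent-Type: text/html\r\nServer: Mikrotik HttpProxy\r\n\r\n<html>denied</html>",
    b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n<!DOCTYPE html>\n<html><iframe name=\"load-url\"></iframe></html>",
    b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.18 (Ubuntu)\r\nContent-Length: 88\r\n\r\n" + EXPECTED.encode() + b"\n",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample))
```

Because the proxy in the thread answered differently on successive requests, feed the classifier several fetches of the same URL; validation only succeeds if every fetch comes back "valid".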


#5

Hello, thank you very much for your answer. I performed the test with the 3 commands locally and through a proxy and got exactly the same answers, so I see that something is wrong. On the other hand, how should a correct answer look?


#6

Hi @Angel998

Answer 3 of @sahsanu is correct.

My browser shows a frame-element, but this is the same.

Testing with download.exe - first a http status 403, then a 200 with the correct content (without cookies).


#7

PS: The problem may be this

Server: Mikrotik HttpProxy

That sends the http status 403.

Perhaps you can create an exception, so this proxy redirects /.well-known/acme-challenge/ directly.


#8

Hello again. After trying to find the solution without satisfactory results, I saw the need to resort to a somewhat slower but effective process: change the address of my domain to a hosting and, through the tool https://www.sslforfree.com/, get my certificates. I thank everyone for their comments and their help.


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.