Help: http-01 authorization fails to connect, but works in webbrowser


#1

I would like an SSL/TLS certificate for various subdomains of the domain wotnext.org; I have set up a special letsencrypt.wotnext.org subdomain for http-01 verification.

So far so good: fetching a test challenge file works, and so does a second one with exactly the same permissions as the letsencrypt-auto client creates them (the challenge files are visible for a second or two in this directory). So the client can write in that directory and retrieving test challenges using a web browser works; then why can the LE server not “connect”?

Technical details about the setup: The DNS A record for letsencrypt.wotnext.org points to an HTTP redirection server, which responds with status 302 Found and redirects to the actual server (different IP address) where the LE client runs, along with an Apache HTTP server (for testing, will be replaced later).

wget --debug for example outputs:

URI encoding = »UTF-8«
--2016-03-17 21:27:53--  http://letsencrypt.wotnext.org/.well-known/acme-challenge/test2
Resolving »letsencrypt.wotnext.org (letsencrypt.wotnext.org)«... 85.10.205.7
Caching letsencrypt.wotnext.org => 85.10.205.7
Connecting to letsencrypt.wotnext.org (letsencrypt.wotnext.org)|85.10.205.7|:80... connected.
Created socket 3.
Releasing 0x000055c9870d8120 (new refcount 1).

---request begin---
GET /.well-known/acme-challenge/test2 HTTP/1.1
User-Agent: Wget/1.16.1 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: letsencrypt.wotnext.org
Connection: Keep-Alive

---request end---
HTTP request sent, waiting for response...
---response begin---
HTTP/1.1 302 Found
Date: Thu, 17 Mar 2016 20:27:53 GMT
Server: Apache
Location: http://52.28.42.153/.well-known/acme-challenge/test2
Content-Length: 309
Connection: close
Content-Type: text/html; charset=iso-8859-1

---response end---
302 Found
URI content encoding = »iso-8859-1«
Location: http://52.28.42.153/.well-known/acme-challenge/test2 [following]
Closed fd 3
URI content encoding = None
--2016-03-17 21:27:53--  http://52.28.42.153/.well-known/acme-challenge/test2
Connecting to 52.28.42.153:80... connected.
Created socket 3.
Releasing 0x000055c9870d8740 (new refcount 0).
Deleting unused 0x000055c9870d8740.

---request begin---
GET /.well-known/acme-challenge/test2 HTTP/1.1
User-Agent: Wget/1.16.1 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 52.28.42.153
Connection: Keep-Alive

---request end---
HTTP request sent, waiting for response... 
---response begin---
HTTP/1.1 200 OK
Date: Thu, 17 Mar 2016 20:38:45 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Last-Modified: Tue, 15 Mar 2016 19:44:45 GMT
ETag: "6-52e1ba11d8234"
Accept-Ranges: bytes
Content-Length: 6
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive

---response end---
200 OK
Registered socket 3 for persistent reuse.
Länge: 6
Save to »»STDOUT««.
yeah2
6 bytes written to standard output.

On the target server, in the Apache access_log and error_log I do not see any requests coming in for the challenges; I only see my own requests to the test and test2 challenges. So the ACME server does not even get (or want to get) through to the target server.

So, from my POV, this should work; does anybody have an idea why it doesn't?

Do I maybe have the redirect set up wrongly?

Client commandline I am using:

./letsencrypt-auto certonly --webroot -w /home/bitnami/public/ -d letsencrypt.wotnext.org

Please help.
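Added here as an illustration (not code from the thread or from the Let's Encrypt client): a small Python checker that walks a redirect chain under the rules Let's Encrypt documents for http-01 validation (at most 10 redirects, http/https only, ports 80/443 only, no redirects to IP addresses) and reports the hops a validator would refuse. The sample chain is the one from the wget trace above; that the 2016 validator applied exactly these rules is an assumption.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample: each URL maps to the Location header it returned
# (None = the URL answered 200 OK, so the chain ends there).
START = "http://letsencrypt.wotnext.org/.well-known/acme-challenge/test2"
SAMPLE_REDIRECTS = {
    START: "http://52.28.42.153/.well-known/acme-challenge/test2",
    "http://52.28.42.153/.well-known/acme-challenge/test2": None,
}

MAX_HOPS = 10  # documented http-01 limit on followed redirects


def check_hop(target):
    """Return why a validator would refuse this redirect target, or None."""
    u = urlparse(target)
    if u.scheme not in ("http", "https"):
        return f"scheme {u.scheme!r} not allowed (only http/https)"
    port = u.port or (80 if u.scheme == "http" else 443)
    if port not in (80, 443):
        return f"port {port} not allowed (only 80/443)"
    host = u.hostname or ""
    if not host:
        return "missing host"
    try:
        ipaddress.ip_address(host)  # succeeds only for an IP literal
    except ValueError:
        return None  # a DNS name: acceptable
    return f"redirect target {host!r} is an IP address, not a hostname"


def walk_chain(start, redirects, max_hops=MAX_HOPS):
    """Follow Location headers from `redirects`; return (final_url, problems)."""
    url, problems, hops = start, [], 0
    while True:
        nxt = redirects.get(url)
        if nxt is None:
            return url, problems
        hops += 1
        if hops > max_hops:
            problems.append(f"more than {max_hops} redirects")
            return url, problems
        problem = check_hop(nxt)
        if problem:
            problems.append(f"{url} -> {nxt}: {problem}")
        url = nxt


if __name__ == "__main__":
    final, problems = walk_chain(START, SAMPLE_REDIRECTS)
    print("final URL:", final)
    for p in problems:
        print("problem:", p)
```

Against the sample chain it reports the hop to 52.28.42.153 as a redirect to an IP address; run it against your own Location headers to see which hop a validator would stop at.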


#2

What’s the output of the client? I.e., the error etc.? Use -vv for more debugging info.


#3

@Osiris: The client output with the command-line mentioned in my previous post is:

Failed authorization procedure. letsencrypt.wotnext.org (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to http://letsencrypt.wotnext.org/.well-known/acme-challenge/VJAaNjinBNB8YoFt4JQS0rErgJ6krR5jpxwQ3Dzb0a4

IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: letsencrypt.wotnext.org
Type: connection
Detail: Could not connect to http://letsencrypt.wotnext.org/.well-
known/acme-challenge/VJAaNjinBNB8YoFt4JQS0rErgJ6krR5jpxwQ3Dzb0a4

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

I am stumped as to why this does not work.
