My domain is: pideya.for-some.biz
Running on Ubuntu Linux:
~# python3 responder.py &
~# ./dehydrated -c -f config
And having this line in the config file:
CHALLENGETYPE="tls-alpn-01"
It produced this output:
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "tls-alpn-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:tls",
    "detail": "remote error: tls: handshake failure",
    "status": 400
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/3744200891/gCKnQQ",
  "token": "AoB0DoK8CF-3DCbMUO7qvZQNBLVhsL-n58dz0q_x3-k",
  "validationRecord": [
    {
      "hostname": "pideya.for-some.biz",
      "port": "443",
      "addressesResolved": [
The version of the dehydrated client is:
Dehydrated version: 0.6.5
One of the problems I saw was that the FALLBACK_CERTIFICATE is one of the snakeoil certificates; I have several domains on the server, so the challenge cannot be successful because of the other certificates. Then I tried using an expired pideya.for-some.biz certificate, but no luck.
Any help to address this issue, please?
_az
April 3, 2020, 10:50pm
Well, I guess step one would be to verify that the responder works at all.
Do you see a fallback certificate if you run this on the server, while the responder is running?
openssl s_client -connect localhost:10443 -alpn acme-tls/1 -servername foo.org
The responder should also print:
Got request for foo.org
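The openssl check above tells you whether something answered on the port with the acme-tls/1 ALPN protocol, but it does not tell you whether the certificate it served is the one the CA expects. As an added example (not code from the thread, from dehydrated, or from responder.py), the script below does the same probe from Python and then checks the served certificate for the critical id-pe-acmeIdentifier extension that RFC 8737 requires: the SHA-256 of the key authorization `token "." thumbprint`, where the thumbprint is the RFC 7638 thumbprint of the ACME account key (RFC 8555 section 8.1). The host, port, token and thumbprint are placeholders supplied by the caller; the DER byte layout is derived from the RFCs, not from any CA's code.

```python
"""Probe a tls-alpn-01 responder the way the CA does, and check its certificate.

Added example, not part of the thread and not dehydrated/responder.py code.
Assumes RFC 8737 (tls-alpn-01) and RFC 8555 section 8.1 (key authorization);
host/port/token/thumbprint are placeholders to be filled in by the caller.
"""
import base64
import hashlib
import json
import socket
import ssl
from typing import Optional

ACME_TLS_ALPN = "acme-tls/1"
# id-pe-acmeIdentifier (1.3.6.1.5.5.7.1.31) as a DER-encoded OBJECT IDENTIFIER
ACME_IDENTIFIER_OID_DER = bytes.fromhex("06082b0601050507011f")


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME/JWS."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the ACME account key: required members only, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def expected_acme_extension(token: str, thumbprint: str) -> bytes:
    """DER of the critical acmeIdentifier extension the validation cert must carry.

    RFC 8737: the extension value is an OCTET STRING holding SHA-256(token "." thumbprint);
    X.509 then wraps that again in the extnValue OCTET STRING.
    """
    digest = hashlib.sha256(f"{token}.{thumbprint}".encode("ascii")).digest()
    inner = b"\x04\x20" + digest                                    # OCTET STRING, 32-byte digest
    extn_value = b"\x04\x22" + inner                                # extnValue OCTET STRING
    body = ACME_IDENTIFIER_OID_DER + b"\x01\x01\xff" + extn_value  # OID, critical TRUE, value
    return b"\x30" + bytes([len(body)]) + body                      # Extension SEQUENCE (49-byte body)


def cert_has_acme_identifier(cert_der: bytes, token: str, thumbprint: str) -> bool:
    """DER is canonical, so the exact extension encoding must appear verbatim in the cert."""
    return expected_acme_extension(token, thumbprint) in cert_der


def classify(alpn: Optional[str], cert_der: Optional[bytes], token: str, thumbprint: str) -> str:
    """Map what the handshake returned to the failure modes seen in this thread."""
    if alpn != ACME_TLS_ALPN:
        # the normal web server answered instead of the responder, or nothing offered acme-tls/1
        return "no-acme-alpn"
    if not cert_der:
        return "no-certificate"
    if not cert_has_acme_identifier(cert_der, token, thumbprint):
        # a fallback/snakeoil cert, or one built for another token or account key
        return "wrong-validation-cert"
    return "ok"


def probe_alpn_responder(host: str, port: int, sni: str, timeout: float = 5.0) -> dict:
    """Equivalent of `openssl s_client -alpn acme-tls/1 -servername <sni>`; needs network access."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE          # validation certs are self-signed by design
    ctx.set_alpn_protocols([ACME_TLS_ALPN])
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return {"alpn": tls.selected_alpn_protocol(),
                    "cert_der": tls.getpeercert(binary_form=True)}


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])     # e.g. localhost 10443
    token, thumbprint = sys.argv[3], sys.argv[4]   # from the challenge JSON and your account key
    try:
        r = probe_alpn_responder(host, port, host)
        print(classify(r["alpn"], r["cert_der"], token, thumbprint))
    except ssl.SSLError as e:
        print("tls-handshake-failure:", e)         # reported by the CA as urn:ietf:params:acme:error:tls
    except OSError as e:
        print("connection-error:", e)              # reported as urn:ietf:params:acme:error:connection
```

Run it against the port the responder listens on (10443 here) with the token from the challenge JSON and your account-key thumbprint; a handshake alert such as the "alert number 40" above surfaces as the `ssl.SSLError` branch, a closed port as `OSError`, and "no-acme-alpn" means whatever answered did not select acme-tls/1 at all (which is what a regular Apache vhost on 443 does). Remember that the CA always connects to port 443, so a responder that is only reachable on 10443 still fails validation until something forwards 443 to it.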
Thanks, I got this using port 10443:
openssl s_client -connect localhost:10443 -alpn acme-tls/1 -servername foo.org
3072300800:error:0200206F:system library:connect:Connection refused:…/crypto/bio/b_sock2.c:110:
3072300800:error:2008A067:BIO routines:BIO_connect:connect error:…/crypto/bio/b_sock2.c:111:
3072300800:error:0200206F:system library:connect:Connection refused:…/crypto/bio/b_sock2.c:110:
3072300800:error:2008A067:BIO routines:BIO_connect:connect error:…/crypto/bio/b_sock2.c:111:
connect:errno=111
And using port 443
openssl s_client -connect localhost:443 -alpn acme-tls/1 -servername foo.org
CONNECTED(00000003)
3072108288:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:…/ssl/record/rec_layer_s3.c:1544:SSL alert number 40
no peer certificate available
No client certificate CA names sent
SSL handshake has read 7 bytes and written 326 bytes
Verification: OK
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.3
Cipher : 0000
Session-ID:
Session-ID-ctx:
Resumption PSK:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1585955281
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
Thank you!
_az
April 4, 2020, 12:02am
Did you change the port number in responder.py or something?
Hi _az, I'd changed the port in responder.py to 443, and returned it to 10443.
Yesterday I could renew the www.openfactware.com domain using the DNS challenge, but the domain I want to renew, pideya.for-some.biz, is on dyndns where I can't add TXT records, so that's the reason to try tls-alpn, with no luck. Here are the new outputs I got:
For openssl:
openssl s_client -connect localhost:10443 -alpn acme-tls/1 -servername foo.org
CONNECTED(00000003)
Got request for foo.org
depth=0 CN = www.openfactware.com
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = www.openfactware.com
verify return:1
Server certificate
-----BEGIN CERTIFICATE-----
And for dehydrated:
Processing pideya.for-some.biz
Signing domains…
Generating private key…
Generating signing request…
Requesting new certificate order from CA…
Received 1 authorizations URLs from the CA
Handling authorization for pideya.for-some.biz
Generating ALPN certificate and key for pideya.for-some.biz…
1 pending challenge(s)
Deploying challenge tokens…
Responding to challenge for pideya.for-some.biz authorization…
Cleaning challenge tokens…
Challenge validation has failed
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "tls-alpn-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:connection",
    "detail": "Connection refused",
    "status": 400
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/3757328921/8Y_-Ew",
  "token": "Tp3jYFXB6Duu-JyFSY8N9-tNuMatfkz0RDVtpwwzrsc",
  "validationRecord": [
    {
      "hostname": "pideya.for-some.biz",
      "port": "443",
      "addressesResolved": [
Greetings…
_az
April 4, 2020, 9:07pm
Okay, so the responder works, just apparently not when you had the port changed to 443.
Possibly a dumb question, but did you stop Apache before you started responder.py (with the port set to 443)?
It might also be helpful to open two terminals and run responder.py in the foreground (without the &) in one of them, so you see all the output it generates.
You could try ualpn, which is a proxying tls-alpn-01 responder. Even though it is part of uacme, it can be integrated with any client, including dehydrated. I can help if you're willing to give it a go.
Good to know it worked for you.
It didn't work; I had to change the DNS IP and host to work with certbot. Still, it would be nice to have a guide to validate certificates using just port 443.
Greetings.
So why did you mark my earlier post as “Solution”? The link I posted is a tutorial to do exactly what you want.
Edit: I’ve made a Certbot plugin, see Bringing TLS-ALPN-01 authentication to Certbot
Using dehydrated, I'm a little confused when I check the CLI help
./dehydrated --help
that the challenge parameter is for http-01 and dns-01:
--challenge (-t) http-01|dns-01 Which challenge should be used? Currently http-01 and dns-01 are supported
My dehydrated version is :
Dehydrated version: 0.6.5
system
Closed
June 15, 2020, 5:51pm
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.