Http-01 challenge change every time

Hello,
I am using a Synology NAS version DSM 5.2-5967 Update 9. Unfortunately, it is impossible for me to install certbot on it. So I’m trying to get my certificate from another computer. But I have a problem with the “http challenge”. I have access to the files in the “http://maison.ilp-web.net/.well-known/acme-challenge/” folder, but I can’t figure out which file to create and with what content before the challenge is completed. And this one changes with each of my attempts. Anyone have a solution so I can create the file before?
Thank you.

My domain is: maison.ilp-web.net

I ran this command: sudo certbot certonly --standalone -d maison.ilp-web.net --preferred-challenges http

It produced this output:

Some challenges have failed.

IMPORTANT NOTES:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.36.0

1 Like

Hi @ILP

your setup is a little bit curious. And the challenge file changes, that's required. New order -> new token -> new file.

Add

--debug-challenges

to your command, then Certbot waits. So you can copy the validation file.

See

https://certbot.eff.org/docs/using.html

1 Like

Hello,
I already tried the command:
sudo certbot certonly --standalone -d maison.ilp-web.net --preferred-challenges http --debug-challenge --verbose
I can find the name of the file, but the text it should contain is not found :face_with_raised_eyebrow:.

Here what I have before the challenge:

{
"identifier": {
"type": "dns",
"value": "maison.ilp-web.net"
},
"status": "pending",
"expires": "2019-12-15T16:58:38Z",
"challenges": [
{
"type": "http-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/1619802109/5s6big",
"token": "0jKcu-xNJfLHd8f-C0QoD1IzLlfC-S4ecwEW1TSxBUk"
},
{
"type": "dns-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/1619802109/jZNTjw",
"token": "0jKcu-xNJfLHd8f-C0QoD1IzLlfC-S4ecwEW1TSxBUk"
},
{
"type": "tls-alpn-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/1619802109/_gbJXQ",
"token": "0jKcu-xNJfLHd8f-C0QoD1IzLlfC-S4ecwEW1TSxBUk"
}
]
}

And here the reply with the error:

{
"identifier": {
"type": "dns",
"value": "maison.ilp-web.net"
},
"status": "invalid",
"expires": "2019-12-15T16:58:38Z",
"challenges": [
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "The key authorization file from the server did not match this challenge \"0jKcu-xNJfLHd8f-C0QoD1IzLlfC-S4ecwEW1TSxBUk.4z4CyH7RILpeWPcbx3sRJpzr5hrC1PWObZKO-CUa72k\" != \"0jKcu-xNJfLHd8f-C0QoD1IzLlfC-S4ecwEW1TSxBUk\"",
"status": 403
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/1619802109/5s6big",
"token": "0jKcu-xNJfLHd8f-C0QoD1IzLlfC-S4ecwEW1TSxBUk",
"validationRecord": [
{
"url": "http://maison.ilp-web.net/.well-known/acme-challenge/0jKcu-xNJfLHd8f-C0QoD1IzLlfC-S4ecwEW1TSxBUk",
"hostname": "maison.ilp-web.net",
"port": "80",
"addressesResolved": [
"176.154.189.221"
],
"addressUsed": "176.154.189.221"
}
]
},
{
"type": "dns-01",
"status": "invalid",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/1619802109/jZNTjw",
"token": "0jKcu-xNJfLHd8f-C0QoD1IzLlfC-S4ecwEW1TSxBUk"
},
{
"type": "tls-alpn-01",
"status": "invalid",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/1619802109/_gbJXQ",
"token": "0jKcu-xNJfLHd8f-C0QoD1IzLlfC-S4ecwEW1TSxBUk"
}
]
}
Storing nonce: 0101INUPC3tmpEDF9yHW_-OkQVFbftq4u8qkcu4oi8k-A1w
Challenge failed for domain maison.ilp-web.net

Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: maison.ilp-web.net
    Type: unauthorized
    Detail: The key authorization file from the server did not match
    this challenge
    "0jKcu-xNJfLHd8f-C0QoD1IzLlfC-S4ecwEW1TSxBUk.4z4CyH7RILpeWPcbx3sRJpzr5hrC1PWObZKO-CUa72k"
    != "0jKcu-xNJfLHd8f-C0QoD1IzLlfC-S4ecwEW1TSxBUk"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

1 Like

Why do you create the file manual? Copy it.

There you see the required result:

0jKcu-xNJfLHd8f-C0QoD1IzLlfC-S4ecwEW1TSxBUk.4z4CyH7RILpeWPcbx3sRJpzr5hrC1PWObZKO-CUa72k

First part is the token. Followed by a dot. Then follows a hash value of your account key. That's always the same, so you can re-use that part.

.4z4CyH7RILpeWPcbx3sRJpzr5hrC1PWObZKO-CUa72k

2 Likes

Thank you for your reply. It work! :blush:

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.