HTTP-01 challenge failed

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: home.huggingface.co

I ran this command: We have our own ACME client implementation. We host many domains on behalf of our customers who own the domains. We use the HTTP challenge to renew their certs for them with our custom ACME client. We check for any needed renewals for any of our hosted domains and perform the HTTP challenge every 4 hours. This normally works fine and is still working fine for all but this one domain home.huggingface.co that is attempted every 4 hours and has been failing consistently every 4 hours since 1:47PM PST on Saturday, March 19, 2022.

It produced this output: We start the HTTP challenge process and store the key/value in our cache and trigger the challenge. We have the .well-known endpoint setup correctly and the Let's Encrypt requests do arrive at our reverse proxy and are forwarded on to our controller which pulls the value from our cache and responds correctly and promptly for all 4 of the requests received. I keep the cached value for 24 hours so I'm able to verify manually as well by hitting it in a browser and confirming the value returned is the same as what was given in the HTTP challenge.

My web server is (include version): I'm not using Certbot; we have our own ACME client implementation.

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): I'm not using Certbot; we have our own ACME client.
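As an added illustration of the HTTP-01 exchange the post describes (this is example code, not the poster's ACME client and not Let's Encrypt's validation code): the value served at `/.well-known/acme-challenge/<token>` must be the key authorization, `<token>.<thumbprint>`, where the thumbprint is the RFC 7638 SHA-256 thumbprint of the ACME account public key. The block builds that value, stores it in a token-keyed cache with an expiry (standing in for the 24-hour cache mentioned above), serves it for the challenge path, and then checks it the way a CA would. The account key is a constructed P-256 JWK with arbitrary coordinates and the token is constructed; the names `ChallengeCache` and `ca_accepts` are this example's own.

```python
"""Build and verify an HTTP-01 key authorization (RFC 8555 s8.3, RFC 7638).

Added example, not the poster's ACME client. The account key is a constructed
P-256 JWK with arbitrary coordinates, used only to show the computation.
"""
import base64
import hashlib
import json
import time
from typing import Dict, Optional, Tuple

# Constructed sample account public key (arbitrary x/y, not a real ACME account).
SAMPLE_JWK: Dict[str, str] = {
    "kty": "EC",
    "crv": "P-256",
    "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
    "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
}

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638: SHA-256 over the required members only, keys in lexicographic
    order, no whitespace in the JSON. Member order in the input does not matter."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: Dict[str, str]) -> str:
    """Body the challenge URL must serve: <token>.<thumbprint of account key>."""
    return f"{token}.{jwk_thumbprint(jwk)}"


class ChallengeCache:
    """Token -> key authorization with an expiry, like the 24h cache in the post."""

    def __init__(self, ttl_seconds: int = 24 * 3600) -> None:
        self.ttl = ttl_seconds
        self._items: Dict[str, Tuple[str, float]] = {}

    def put(self, token: str, key_auth: str, now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        self._items[token] = (key_auth, now + self.ttl)

    def serve(self, path: str, now: Optional[float] = None) -> Optional[str]:
        """What the .well-known handler returns for a request path; None means 404."""
        if not path.startswith(CHALLENGE_PREFIX):
            return None
        entry = self._items.get(path[len(CHALLENGE_PREFIX):])
        if entry is None:
            return None
        key_auth, expires = entry
        now = time.time() if now is None else now
        return key_auth if now < expires else None


def ca_accepts(body: Optional[str], token: str, jwk: Dict[str, str]) -> bool:
    """The CA side: the fetched body must equal the key authorization for this
    token and account key; trailing whitespace is ignored (RFC 8555 s8.3)."""
    if body is None:
        return False
    return body.rstrip() == key_authorization(token, jwk)


if __name__ == "__main__":
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed token
    cache = ChallengeCache()
    cache.put(token, key_authorization(token, SAMPLE_JWK))
    body = cache.serve(CHALLENGE_PREFIX + token)
    print("served:", body)
    print("CA would accept:", ca_accepts(body, token, SAMPLE_JWK))
```

The two things worth checking when a challenge "looks right" in a browser are both in `ca_accepts`: the thumbprint must be that of the account key the order was created under, and the token must be the one from this authorization, not a stale one from a previous run. A correct challenge response is necessary but not sufficient; the CA still performs its own policy checks before issuing.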

Well, you should be getting an error message in your client from the Let's Encrypt server, with what the problem is.

But my guess is that the problem you're having is that the CAA record for huggingface.co specifically says that only amazon.com should be issuing certificates. If that domain intends for Let's Encrypt to issue certificates for it, then they should add letsencrypt.org or remove the CAA record.

https://dns.google/query?name=huggingface.co&rr_type=CAA&ecs=

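The CAA check described in the reply above, as an added example (not Let's Encrypt's code and not the poster's client): a CA walks from the requested name up towards the root, uses the first CAA RRset it finds, and issues only if an `issue` record names it (RFC 8659). The zone data is constructed to mirror the situation described in the reply: `huggingface.co` carries `issue amazon.com` and `home.huggingface.co` has no CAA record of its own, so the parent's record governs it. Parameters such as `accounturi` are ignored here for brevity; the names `relevant_caa`, `issuance_allowed` and `explain` are this example's own.

```python
"""Evaluate CAA records the way a CA does before issuing (RFC 8659).

Added example, not code from this thread or from Let's Encrypt. The zone data
is constructed to mirror the situation in the reply above.
"""
from typing import Dict, List, Optional, Tuple

# A CAA record is (flags, tag, value); flag bit 128 marks the tag as critical.
CAARecord = Tuple[int, str, str]
Zone = Dict[str, List[CAARecord]]

CRITICAL = 128

# Constructed sample data standing in for DNS lookups.
SAMPLE_ZONE: Zone = {
    "huggingface.co": [(0, "issue", "amazon.com")],
    # no entry for home.huggingface.co: the parent's records govern it
}


def relevant_caa(name: str, zone: Zone) -> Tuple[Optional[str], List[CAARecord]]:
    """Walk from the requested name towards the root and return the first
    non-empty CAA RRset together with the name it was found at (RFC 8659 s3)."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        rrset = zone.get(candidate, [])
        if rrset:
            return candidate, rrset
    return None, []


def _issuer_matches(value: str, ca_domain: str) -> bool:
    """'issue'/'issuewild' values look like '<issuer-domain>[; params]'; a bare ';'
    means no CA may issue. Parameters after ';' are ignored in this example."""
    issuer = value.split(";", 1)[0].strip().lower()
    return issuer != "" and issuer == ca_domain.lower()


def issuance_allowed(name: str, ca_domain: str, zone: Zone,
                     wildcard: bool = False) -> bool:
    """True if the CA identified by ca_domain may issue for name."""
    _, rrset = relevant_caa(name, zone)
    if not rrset:
        return True  # no CAA anywhere up the tree: no restriction
    known = {"issue", "issuewild", "iodef"}
    # An unrecognised tag flagged critical forbids issuance outright.
    if any(flags & CRITICAL and tag.lower() not in known for flags, tag, _ in rrset):
        return False
    # Wildcard requests consult 'issuewild' first and fall back to 'issue';
    # non-wildcard requests look at 'issue' only.
    tags = ("issuewild", "issue") if wildcard else ("issue",)
    for tag in tags:
        entries = [v for _, t, v in rrset if t.lower() == tag]
        if entries:
            return any(_issuer_matches(v, ca_domain) for v in entries)
    return True  # RRset present but no applicable tag: not restricted


def explain(name: str, ca_domain: str, zone: Zone) -> str:
    """One-line verdict with the record that decided it, for operator logs."""
    found_at, rrset = relevant_caa(name, zone)
    verdict = "permitted" if issuance_allowed(name, ca_domain, zone) else "forbidden"
    where = f"CAA at {found_at}: {rrset}" if rrset else "no CAA records found"
    return f"{ca_domain} issuing for {name}: {verdict} ({where})"


if __name__ == "__main__":
    print(explain("home.huggingface.co", "letsencrypt.org", SAMPLE_ZONE))
    # The fix the reply suggests: add a record naming letsencrypt.org.
    fixed: Zone = {"huggingface.co": SAMPLE_ZONE["huggingface.co"]
                   + [(0, "issue", "letsencrypt.org")]}
    print(explain("home.huggingface.co", "letsencrypt.org", fixed))
```

The point for anyone operating their own ACME client: the CA performs this check server-side regardless of how well the challenge was answered, so a perfectly served `.well-known` response still fails when a parent zone's CAA excludes the CA. Running a check like this against live DNS before starting an order (and logging the record that decided it) turns a silent periodic failure into an actionable message.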

Why would you perform a http-01 challenge every 4 hours, even if it's not necessary? :interrobang:


I'm going to assume the meaning of that is that they run the equivalent of certbot renew every four hours: scan for expiring certs and attempt to renew them. Could be clearer, though.


Thanks petercooperjr! We do log errors, but we don't see that in every attempt. I got that error once in the past 11 attempts and didn't spot it until now. Thanks for the quick and helpful solution!

Danb35 is correct, we manage many domain certs and look for any that need renewal every 4 hours. Failed attempts are deauthorized and get picked up in the next run. My wording could have been clearer on that.


If a certificate is not due for renewal, there is no need to perform a challenge? I still don't understand your curious workflow.


Correct. From the OP:

> We check for any needed renewals for any of our hosted domains and perform the HTTP challenge every 4 hours.

In the context of the post, the "perform the HTTP challenge" would apply to "any needed renewals." So, if the cert is due for renewal, attempt to do so, using the HTTP challenge (as opposed to the DNS or TLS-ALPN challenges).


That's an assumption, not something I can clearly get from OP.

