Http-01 challenge problem: Error getting validation data

Hey folks, I’m trying to get a certificate but I get this error:

bitnami@ubuntu:/tmp/certbot$ ./certbot-auto certonly --webroot -w /opt/bitnami/apps/moodle/htdocs/ -d techacademy.dynu.net -d www.techacademy.dynu.net

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for techacademy.dynu.net
http-01 challenge for www.techacademy.dynu.net
Using the webroot path /opt/bitnami/apps/moodle/htdocs for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. techacademy.dynu.net (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: techacademy.dynu.net
    Type: connection
    Detail: Fetching
    Error getting validation data

    To fix these errors, please make sure that your domain name was

Firewall shouldn’t be dropping the challenges, since I see TCP FINs passing through the firewall (sourced from an outside address). One thing to notice is I’m using a DDNS that redirects the URI to my public IP on port 8080.

Thanks,
Frank

LE prefers IPv6 when available…
Name: techacademy.dynu.net
Addresses: 2001:470:1f19:4bf::198
207.38.69.198

I don’t think that’s the problem in this case because the IPv4 and IPv6 versions of that site both answer and both show the same redirect (to a different IPv4 server). I think the problem is something about the DNS, but I haven’t figured out what yet.

Hi @fstennet,

I took a look at the logs and it seems like there are a few things going on.

Some requests had started to fail because you were hitting the “Too many invalid authorizations recently” rate limit (you may want to change to using the staging environment to avoid this while you debug).

Some requests had timed out waiting for headers from your server. I can reproduce this trying to run curl -I http://www.techacademy.dynu.net/.well-known/acme-challenge/1 from my own network.

Some requests failed after what looks like a redirect from techacademy.dynu.net:80 to 186.15.161.169:8080. I suspect this is the DDNS redirect that you mentioned. These redirects are failing because of a bug in Boulder that we’ve been discussing among the developers just this week. Redirects to ports other than 80/443 do not work. We will be updating the API to return a clearer error message in this case over the coming weeks.

Can you change the redirect to be to port 80 or 443? Alternatively you may have to look into using the DNS-01 challenge type.

Yikes, I feel like this is going to cause trouble for quite a few people who are dealing with support for multiple machines behind firewalls. We must have had a couple dozen people on this forum alone who needed to do a non-80/443 redirect because of firewalls. Are you sure that support for this really needs to be removed?

It was news to me but I learned this week that all non-80/443 redirects already fail because of our egress firewall rules. Unless I’m mistaken nobody could be relying on this working right now because it doesn’t :slight_smile: The status quo will remain the same but Boulder will tell you the reason it fails more accurately.

As I explain above I don’t think “remove” is the right verb here since it doesn’t work now, but I understand the sentiment :slight_smile: We talked about it fairly extensively and @jsha was firmly in favour of continuing to not allow non-80/443 redirects. I think it better matches the climate of things in the CABF w.r.t redirects for domain validation.

Also, leaving aside the port issue, as far as I know, Boulder doesn’t follow IP redirects, at least not a few months ago when I tested it.

Edit: Here is the test I performed on 31st May: Certbot - TLS-SNI Apache Challenge Doesn't Pass - Alternatives
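A way to reproduce both observations above offline, the earlier reply's point that Boulder will not follow a redirect to a port other than 80/443 and this post's point that it will not follow a redirect to a bare IP address, as an added example that is not Certbot's or Boulder's code. The redirect policy, the MAX_REDIRECTS cap, the token, the key-authorization body, the response tables and the host name home.techacademy.dynu.net are constructed assumptions based only on what the thread states; live_fetch exists so the same walker can be pointed at your own domain.

```python
import ipaddress
from urllib.parse import urlsplit, urljoin

# Added example, not Certbot's or Boulder's code. The policy is an assumption
# modelled on the thread: no redirects to ports other than 80/443, and
# (per a later post) no redirects to a bare IP address.
ALLOWED_PORTS = {80, 443}
MAX_REDIRECTS = 10  # assumption: a cap for this walker, not Boulder's real limit
TOKEN = "constructed-token"  # constructed, not a real ACME token
CHALLENGE_PATH = "/.well-known/acme-challenge/" + TOKEN


def check_target(url):
    """Return the policy problems with a redirect target (empty list = ok)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return ["scheme %r is not http/https" % parts.scheme]
    if not parts.hostname:
        return ["redirect target has no host"]
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return ["unparseable port in %s" % url]
    problems = []
    if port not in ALLOWED_PORTS:
        problems.append("redirect to port %d (only 80/443 are followed)" % port)
    try:
        ipaddress.ip_address(parts.hostname)
        problems.append("redirect to bare IP address %s" % parts.hostname)
    except ValueError:
        pass  # a host name, which is what the CA expects
    return problems


def follow(start_url, fetch):
    """Walk redirects from start_url with fetch(url) -> (status, location, body).
    Returns (outcome, hops): "validated", "timeout: ..." or "refused: ...",
    plus every URL the walker actually requested."""
    url, hops = start_url, [start_url]
    for _ in range(MAX_REDIRECTS):
        status, location, body = fetch(url)
        if status is None:
            return "timeout: no response from %s" % url, hops
        if status in (301, 302, 303, 307, 308):
            if not location:
                return "refused: %d without Location from %s" % (status, url), hops
            target = urljoin(url, location)  # Location may be relative
            problems = check_target(target)
            if problems:
                return "refused: " + "; ".join(problems), hops
            url = target
            hops.append(url)
            continue
        if status == 200 and body.startswith(TOKEN + "."):
            return "validated", hops
        return "refused: HTTP %d with wrong body from %s" % (status, url), hops
    return "refused: more than %d redirects" % MAX_REDIRECTS, hops


# Constructed responses mirroring the thread: port 80 on the DDNS name
# redirects to the home server on port 8080; the www host never answers.
KEY_AUTH = TOKEN + ".constructed-thumbprint"
BROKEN = {
    "http://techacademy.dynu.net" + CHALLENGE_PATH:
        (302, "http://186.15.161.169:8080" + CHALLENGE_PATH, ""),
    "http://www.techacademy.dynu.net" + CHALLENGE_PATH: (None, None, None),
    "http://186.15.161.169:8080" + CHALLENGE_PATH: (200, None, KEY_AUTH),
}
# The fix suggested in the thread: redirect to a host name on 80/443.
# home.techacademy.dynu.net is an assumed name, not one from the thread.
FIXED = dict(BROKEN)
FIXED["http://techacademy.dynu.net" + CHALLENGE_PATH] = (
    302, "https://home.techacademy.dynu.net" + CHALLENGE_PATH, "")
FIXED["https://home.techacademy.dynu.net" + CHALLENGE_PATH] = (200, None, KEY_AUTH)


def fetch_from(table):
    """fetch() over a constructed response table; unknown URLs return 404."""
    return lambda url: table.get(url, (404, None, ""))


def live_fetch(url, timeout=10):
    """One real request without following redirects; use on your own host."""
    import http.client
    p = urlsplit(url)
    cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = cls(p.hostname, p.port, timeout=timeout)
    try:
        conn.request("GET", p.path or "/", headers={"Host": p.netloc})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location"), resp.read(1024).decode("utf-8", "replace")
    except OSError:  # covers socket.timeout, refused connections and TLS errors
        return None, None, None
    finally:
        conn.close()


if __name__ == "__main__":
    for label, table in (("as posted", BROKEN), ("after fix", FIXED)):
        for host in ("techacademy.dynu.net", "www.techacademy.dynu.net"):
            outcome, hops = follow("http://" + host + CHALLENGE_PATH, fetch_from(table))
            print("%-10s %-26s %s" % (label, host, outcome))
```

Against the constructed tables the bare domain is refused for both reasons at once (port 8080 and a bare IP), the www host times out, and the same redirect pointed at a host name on 443 validates. To try it against a real name, replace `fetch_from(table)` with `live_fetch`; one gap to keep in mind is that this walker only resolves whatever your local resolver returns, whereas the reply above notes the CA prefers the AAAA record when one exists.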

Thanks for the comments and explanation, getting a clear error message will definitely improve the user experience. I’ll give DNS-01 a try in a couple of days.

Thumbs up to the awesome support and great tool.
