When trying to renew the certificate, the response check is performed only for one node from the list in the round-robin ns-record (balanced), and if the node under test does not contain the response file under .well-known/acme-challenge/, it returns 404 Not Found; as a result, obtaining the certificate fails.
I have a workaround: I stop keepalived on all proxies so that all IPs migrate to a single host, and after updating the certificate I start it again. But this is an ugly way, and it needs manual actions.
Expected: all IPs in the round-robin ns-record are used to check the response for acme-challenge before returning an error code if the response is not found.
My domain is: robofinist.ru
I ran this command: /usr/local/bin/dehydrated -c
It produced this output:
root@p01-proxy-corp:~# dehydrated -c
# INFO: Using main config file /etc/dehydrated/config
Processing robofinist.ru with alternative names: demo.robofinist.ru alpha.robofinist.ru
+ Checking domain name(s) of existing cert... unchanged.
+ Checking expire date of existing cert...
+ Valid till Aug 18 05:11:19 2021 GMT (Less than 30 days). Renewing!
+ Signing domains...
+ Generating private key...
+ Generating signing request...
+ Requesting new certificate order from CA...
+ Received 3 authorizations URLs from the CA
+ Handling authorization for alpha.robofinist.ru
+ Handling authorization for demo.robofinist.ru
+ Handling authorization for robofinist.ru
+ 3 pending challenge(s)
+ Deploying challenge tokens...
+ Responding to challenge for alpha.robofinist.ru authorization...
+ Cleaning challenge tokens...
+ Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: ["type"] "http-01"
["status"] "invalid"
["error","type"] "urn:ietf:params:acme:error:unauthorized"
["error","detail"] "Invalid response from http://alpha.robofinist.ru/.well-known/acme-challenge/JOwv7Cw7rYCQdxuDirvtcK7F1xYG7rYfNjuC9hP2KIk [185.129.96.83]: \"\u003chtml\u003e\\r\\n\u003chead\u003e\u003ctitle\u003e404 Not Found\u003c/title\u003e\u003c/head\u003e\\r\\n\u003cbody bgcolor=\\\"white\\\"\u003e\\r\\n\u003ccenter\u003e\u003ch1\u003e404 Not Found\u003c/h1\u003e\u003c/center\u003e\\r\\n\u003chr\u003e\u003ccenter\u003e\""
["error","status"] 403
["error"] {"type":"urn:ietf:params:acme:error:unauthorized","detail":"Invalid response from http://alpha.robofinist.ru/.well-known/acme-challenge/JOwv7Cw7rYCQdxuDirvtcK7F1xYG7rYfNjuC9hP2KIk [185.129.96.83]: \"\u003chtml\u003e\\r\\n\u003chead\u003e\u003ctitle\u003e404 Not Found\u003c/title\u003e\u003c/head\u003e\\r\\n\u003cbody bgcolor=\\\"white\\\"\u003e\\r\\n\u003ccenter\u003e\u003ch1\u003e404 Not Found\u003c/h1\u003e\u003c/center\u003e\\r\\n\u003chr\u003e\u003ccenter\u003e\"","status":403}
["url"] "https://acme-v02.api.letsencrypt.org/acme/chall-v3/22906790310/iFCR1w"
["token"] "JOwv7Cw7rYCQdxuDirvtcK7F1xYG7rYfNjuC9hP2KIk"
["validationRecord",0,"url"] "http://alpha.robofinist.ru/.well-known/acme-challenge/JOwv7Cw7rYCQdxuDirvtcK7F1xYG7rYfNjuC9hP2KIk"
["validationRecord",0,"hostname"] "alpha.robofinist.ru"
["validationRecord",0,"port"] "80"
["validationRecord",0,"addressesResolved",0] "185.129.96.83"
["validationRecord",0,"addressesResolved",1] "185.129.96.84"
["validationRecord",0,"addressesResolved",2] "185.129.96.82"
["validationRecord",0,"addressesResolved"] ["185.129.96.83","185.129.96.84","185.129.96.82"]
["validationRecord",0,"addressUsed"] "185.129.96.83"
["validationRecord",0] {"url":"http://alpha.robofinist.ru/.well-known/acme-challenge/JOwv7Cw7rYCQdxuDirvtcK7F1xYG7rYfNjuC9hP2KIk","hostname":"alpha.robofinist.ru","port":"80","addressesResolved":["185.129.96.83","185.129.96.84","185.129.96.82"],"addressUsed":"185.129.96.83"}
["validationRecord"] [{"url":"http://alpha.robofinist.ru/.well-known/acme-challenge/JOwv7Cw7rYCQdxuDirvtcK7F1xYG7rYfNjuC9hP2KIk","hostname":"alpha.robofinist.ru","port":"80","addressesResolved":["185.129.96.83","185.129.96.84","185.129.96.82"],"addressUsed":"185.129.96.83"}]
["validated"] "2021-08-18T09:14:07Z")
My web server is (include version): nginx/1.14.1
The operating system my web server runs on is (include version): Debian GNU/Linux 9.13 (stretch)
I can login to a root shell on my machine (yes or no, or I don't know): yes
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
# dehydrated -v
# INFO: Using main config file /etc/dehydrated/config
Dehydrated by Lukas Schauer
https://dehydrated.io
Dehydrated version: 0.7.1
GIT-Revision: unknown
OS: Debian GNU/Linux 9 (stretch)
Used software:
bash: 4.4.12(1)-release
curl: 7.52.1
awk: mawk 1.3.3 Nov 1996, Copyright (C) Michael D. Brennan
sed: sed (GNU sed) 4.4
mktemp: mktemp (GNU coreutils) 8.26
grep: grep (GNU grep) 2.27
diff: diff (GNU diffutils) 3.5
openssl: OpenSSL 1.1.0l 10 Sep 2019
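The validation record above shows what the CA actually does: it resolves alpha.robofinist.ru to all three addresses, picks one (addressUsed), and fetches the token from that node only, with the domain in the Host header. A pre-flight check that does the same fetch against every address in the pool catches the node that is missing the file before the CA is asked to validate. The script below is an added example, not code from the original post or from dehydrated; the host list, the fake responses in the comments and the CLI usage are assumptions. It connects to each address on port 80 exactly as Boulder does (TCP to the IP, Host header set to the name under validation) and reports every node that does not return HTTP 200 with the expected key authorization.

```python
"""Pre-flight check for http-01 behind round-robin DNS (added example).

The CA resolves the name, picks one A/AAAA record and fetches the token from
that address only, sending the validated hostname in the Host header. If any
node in the pool lacks the token file, validation fails whenever that node is
the one chosen. This script fetches the token from EVERY resolved address and
reports the nodes that would fail, so the problem is visible before the CA is
told to validate.
"""
import socket
import sys
import http.client
from typing import Callable, Dict, List, Tuple

ACME_PATH_PREFIX = "/.well-known/acme-challenge/"

# A fetcher takes (address, hostname, token) and returns (status_code, body).
Fetcher = Callable[[str, str, str], Tuple[int, str]]


def resolve_all(hostname: str) -> List[str]:
    """Return every address the name resolves to, i.e. the whole round-robin pool."""
    infos = socket.getaddrinfo(hostname, 80, proto=socket.IPPROTO_TCP)
    addresses: List[str] = []
    for _family, _type, _proto, _canon, sockaddr in infos:
        if sockaddr[0] not in addresses:
            addresses.append(sockaddr[0])
    return addresses


def http_fetch(address: str, hostname: str, token: str,
               timeout: float = 10.0) -> Tuple[int, str]:
    """Fetch the challenge from ONE specific node the way the CA does:
    TCP to that address, HTTP Host header carrying the domain under validation."""
    conn = http.client.HTTPConnection(address, 80, timeout=timeout)
    try:
        conn.request("GET", ACME_PATH_PREFIX + token,
                     headers={"Host": hostname, "User-Agent": "acme-preflight"})
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace")
    finally:
        conn.close()


def check_all_nodes(hostname: str, token: str, key_authorization: str,
                    addresses: List[str], fetch: Fetcher = http_fetch) -> Dict[str, str]:
    """Return {address: reason} for every node that would fail validation.

    An empty dict means every node in the pool serves the correct response.
    `fetch` is injectable so the logic can be exercised without a network."""
    failures: Dict[str, str] = {}
    for addr in addresses:
        try:
            status, body = fetch(addr, hostname, token)
        except OSError as exc:                      # refused, timeout, reset ...
            failures[addr] = f"connection error: {exc}"
            continue
        if status != 200:
            failures[addr] = f"HTTP {status}"        # e.g. the 404 seen in the post
        elif body.strip() != key_authorization:     # trailing newline tolerated
            failures[addr] = "wrong body"
    return failures


def main(argv: List[str]) -> int:
    """Usage: acme_preflight.py DOMAIN TOKEN_FILENAME TOKEN_VALUE
    (the same three arguments dehydrated passes to a deploy_challenge hook)."""
    if len(argv) != 4:
        print(main.__doc__, file=sys.stderr)
        return 2
    hostname, token, key_authorization = argv[1:]
    addresses = resolve_all(hostname)
    failures = check_all_nodes(hostname, token, key_authorization, addresses)
    for addr in addresses:
        print(f"{addr}: {failures.get(addr, 'ok')}")
    return 1 if failures else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Called from the deploy_challenge branch of a dehydrated hook (with `"$DOMAIN" "$TOKEN_FILENAME" "$TOKEN_VALUE"`) after the token has been pushed to all proxies, a non-zero exit aborts the run before the CA validates and prints exactly which node in the pool is missing the file. For the situation in the post it would have reported 185.129.96.83 as `HTTP 404` while the other two nodes were fine.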