Http-01 fails even with acme-challenge file accessible


#1

Currently running an Apache reverse proxy for Jenkins, and I have an exception for the /.well-known/ directory. When I put a test.txt file in /.well-known/acme-challenge/ I can see it in a browser. Also, I can see Certbot generate the file in the same place as test.txt.

I can’t seem to figure out how to get the http-01 challenge to pass. I’m running Apache 2.4 on OSX 10.11 El Capitan.

Command: sudo certbot certonly --webroot -w /Users/Shared/Jenkins/Sites/ -d jenkins.metropia.com

Log file: https://gist.github.com/anonymous/52d4c9e00a1a8f54b4b03271783184ac


#2

Is your exception working correctly? When I try a curl, the response I get isn’t a nice plain text response of the token file.

$ curl -i http://jenkins.metropia.com/.well-known/acme-challenge/oG0D9MpFsRvEqNtPyazCc-jfAyrGqmOsD3yx1eJBG3s
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 27 Aug 2016 06:33:35 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "http://www.w3.org/TR/html4/frameset.dtd">
<html>
<head>
<meta http-equiv='content-type' content='text/html; charset=UTF-8'>
<meta name="VERSION" content="">
<meta name="DATA" content="fwdnode6-bl.web-hosting.com (162.255.119.3)">
<link href=" " rel="shortcut icon" type="image/x-icon">
<title></title>
</head>
<frameset rows='100%, *' frameborder=no framespacing=0 border=0>
<frame src="http://70.184.89.42:9090/.well-known/acme-challenge/oG0D9MpFsRvEqNtPyazCc-jfAyrGqmOsD3yx1eJBG3s" name=mainwindow frameborder=no framespacing=0 marginheight=0 marginwidth=0></frame>
</frameset>
<noframes><h2>Your browser does not support frames. We recommend upgrading your browser.</h2><br><br>
<center>Click <a href="http://70.184.89.42:9090/.well-known/acme-challenge/oG0D9MpFsRvEqNtPyazCc-jfAyrGqmOsD3yx1eJBG3s" >here</a> to enter the site.</center>
</noframes>
</html>

#3

That’s odd; I placed a test.txt file in acme-challenge to test as well, and cURL isn’t clean either.

C:\WINDOWS\system32>curl -i http://jenkins.metropia.com/.well-known/acme-challenge/test
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 28 Aug 2016 18:21:15 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "http://www.w3.org/TR/html4/frameset.dtd">
<html>
<head>
<meta http-equiv='content-type' content='text/html; charset=UTF-8'>
<meta name="VERSION" content="">
<meta name="DATA" content="fwdnode7-bl.web-hosting.com (162.255.119.4)">
<link href=" " rel="shortcut icon" type="image/x-icon">
<title></title>
</head>
<frameset rows='100%, *' frameborder=no framespacing=0 border=0>
<frame src="http://70.184.89.42:9090/.well-known/acme-challenge/test" name=mainwindow frameborder=no framespacing=0 marginheight=0 marginwidth=0></frame>
</frameset>
<noframes><h2>Your browser does not support frames. We recommend upgrading your browser.</h2><br><br>
<center>Click <a href="http://70.184.89.42:9090/.well-known/acme-challenge/test" >here</a> to enter the site.</center>
</noframes>
</html>

However, when I try to access http://jenkins.metropia.com/.well-known/acme-challenge/test through a browser I get:

Hello, world!

This is how I have the config file make a /.well-known exception:

ServerName jenkins.metropia.com
ProxyPass /.well-known !
ProxyPass / http://localhost:XXXX/ nocanon
ProxyPassReverse / http://localhost:XXXX/

#4

It works through a browser because your browser follows the instructions and does support frames. However, Let’s Encrypt requires a pure text response (hence the check via curl).

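A scripted version of the curl check the replies above are doing, added here as an example and not part of the original thread, of Certbot, or of Let’s Encrypt. It classifies an HTTP response to a challenge URL the way a validator would: the status must be 200, the body must not be served as HTML or wrap the real answer in a frameset, and the body must equal the expected key authorization (for the thread’s manual test, the string `Hello, world!`). The sample responses below are constructed to mirror the curl output in the thread, with a documentation IP (203.0.113.10) in place of the real forwarding target; the function names and the `fetch` helper are this example’s own.

```python
"""Preflight check for an http-01 challenge URL.

Constructed example for this thread; not Certbot or Let's Encrypt code.
"""
import re
import sys
import urllib.request
from urllib.error import HTTPError

# A frameset/iframe wrapper is the signature of a "masked" URL forward:
# the browser renders the framed content, but an ACME validator only sees
# the HTML page around it and fails the challenge.
FRAME_TAG_RE = re.compile(r"<(?:frameset|frame|iframe)\b", re.IGNORECASE)
FRAME_SRC_RE = re.compile(
    r"<(?:frame|iframe)\b[^>]*\bsrc=[\"']?([^\"'\s>]+)", re.IGNORECASE
)


def check_challenge_response(status, headers, body, expected_body=None):
    """Return a list of problems; an empty list means the response looks OK.

    headers: mapping of header name -> value (looked up case-insensitively)
    body: decoded response body
    expected_body: the key authorization the validator expects, or the
        contents of a manually placed test file
    """
    problems = []
    if status != 200:
        problems.append(f"status {status}, expected 200")
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    if "text/html" in ctype.lower():
        problems.append(f"content-type is {ctype!r}; the token file should not be served as HTML")
    if FRAME_TAG_RE.search(body):
        problems.append("body is a frameset/iframe wrapper (masked redirect or forwarding page)")
    m = FRAME_SRC_RE.search(body)
    if m:
        problems.append(f"frame points at {m.group(1)}; the request is being forwarded, not served")
    if expected_body is not None and body.strip() != expected_body.strip():
        problems.append("body does not equal the expected challenge content")
    return problems


def fetch(url, timeout=10):
    """Fetch url and return (status, headers, body). Redirects are followed,
    which matches validator behaviour; non-2xx responses are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "http-01-preflight"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers.items()), resp.read().decode("utf-8", "replace")
    except HTTPError as e:
        return e.code, dict(e.headers.items()), e.read().decode("utf-8", "replace")


# Constructed sample: the forwarding page seen in the thread, trimmed.
MASKED_BODY = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "http://www.w3.org/TR/html4/frameset.dtd">
<html><head><title></title></head>
<frameset rows='100%, *' frameborder=no framespacing=0 border=0>
<frame src="http://203.0.113.10:9090/.well-known/acme-challenge/test" name=mainwindow></frame>
</frameset></html>
"""
MASKED_HEADERS = {"Server": "nginx", "Content-Type": "text/html"}

# Constructed sample: what a correctly exposed webroot returns for the test file.
CLEAN_BODY = "Hello, world!\n"
CLEAN_HEADERS = {"Server": "Apache/2.4", "Content-Type": "text/plain"}


if __name__ == "__main__":
    if len(sys.argv) >= 2:
        # Live use: python3 preflight.py http://host/.well-known/acme-challenge/test "Hello, world!"
        expected = sys.argv[2] if len(sys.argv) > 2 else None
        found = check_challenge_response(*fetch(sys.argv[1]), expected)
    else:
        found = check_challenge_response(200, MASKED_HEADERS, MASKED_BODY, "Hello, world!")
    print("OK" if not found else "\n".join("PROBLEM: " + p for p in found))
```

Run it with no arguments to see the constructed masked response flagged on all four counts (HTML content type, frameset wrapper, forwarded target, wrong body); pass a URL and the expected body to test a live host before invoking certbot. The distinction worth remembering is that Let’s Encrypt’s validator does follow ordinary HTTP redirects, but a 200 response whose body is a frameset is not a redirect, so the token is never seen.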

#5

It seems that you are with Namecheap and it’s likely that you are using their “masked” URL redirect feature that causes those iframes. Try disabling it or make it “unmasked”.


#6

Thanks to your help we were able to figure it out. We changed the VirtualHost to *:80 and added “Listen 80” in the httpd.conf. Then we were able to get a clean response from curl, and from there it was pretty easy to integrate the certificate and set up a redirect for http -> https.

Thanks for your help!


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.