HTTP challenge doesn’t operate (Invalid response…)

Our firm has several domains. The HTTP challenge worked well for many of them, but does not for some others.
For example:

My domain is: utravalo.emet.gov.hu
test url (it works): https://utravalo.emet.gov.hu/.well-known/acme-challenge/test
The key appears in /www/well-known/.well-known/acme-challenge.
I ran this command: certbot certonly --webroot -w /www/well-known -d utravalo.emet.gov.hu -vvvvv

It produced this output:
[root@job ~] # date #there is 2 hours time difference (see below)
Wed Jun 27 12:02:41 CEST 2018
[root@job ~] # certbot certonly --webroot -w /www/well-known -d utravalo.emet.gov.hu -vvvvv
Root logging level set at -30
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requested authenticator webroot and installer None
Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7f271c1d0da0>
Prep: True
Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7f271c1d0da0> and installer None
Plugins selected: Authenticator webroot, Installer None
Picked account: <Account(RegistrationResource(uri=‘https://acme-v01.api.letsencrypt.org/acme/reg/29933283’, new_authzr_uri=‘https://acme-v01.api.letsencrypt.org/acme/new-authz’, body=Registration(status=‘valid’, contact=(‘mailto:mico@felvi.hu’,), terms_of_service_agreed=None, agreement=‘https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf’, key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7f2718b53860>)>)), terms_of_service=‘https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf’), 2be4476cb27cb05947bb56fb0305e3fe, Meta(creation_dt=datetime.datetime(2018, 2, 22, 17, 46, 51, tzinfo=), creation_host=‘job.educatio.intra’))>
Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
https://acme-v01.api.letsencrypt.org:443 “GET /directory HTTP/1.1” 200 658
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 658
Replay-Nonce: nNJU2qvE13F7ygWcEbL4Iw5BVo4PKtO789waDmur0NA
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 27 Jun 2018 10:02:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 27 Jun 2018 10:02:49 GMT
Connection: keep-alive

b’{\n “VBSM0pOc_3c”: “Adding random entries to the directory”,\n “key-change”: “https://acme-v01.api.letsencrypt.org/acme/key-change”,\n “meta”: {\n “caaIdentities”: [\n “letsencrypt.org”\n ],\n “terms-of-service”: “https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf”,\n “website”: “https://letsencrypt.org”\n },\n “new-authz”: “https://acme-v01.api.letsencrypt.org/acme/new-authz”,\n “new-cert”: “https://acme-v01.api.letsencrypt.org/acme/new-cert”,\n “new-reg”: “https://acme-v01.api.letsencrypt.org/acme/new-reg”,\n “revoke-cert”: “https://acme-v01.api.letsencrypt.org/acme/revoke-cert”\n}’
Obtaining a new certificate
Generating key (2048 bits): /etc/letsencrypt/keys/0080_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0080_csr-certbot.pem
Requesting fresh nonce
Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-authz.
https://acme-v01.api.letsencrypt.org:443 “HEAD /acme/new-authz HTTP/1.1” 405 0
Received response:
HTTP 405
Server: nginx
Content-Type: application/problem+json
Content-Length: 91
Allow: POST
Replay-Nonce: _fT8fE7fPXLXKal_G-nU7UacxL0sGkcqTnAVppJjl5s
Expires: Wed, 27 Jun 2018 10:02:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 27 Jun 2018 10:02:49 GMT
Connection: keep-alive

b’’
Storing nonce: _fT8fE7fPXLXKal_G-nU7UacxL0sGkcqTnAVppJjl5s
JWS payload:
b’{\n “resource”: “new-authz”,\n “identifier”: {\n “value”: “utravalo.emet.gov.hu”,\n “type”: “dns”\n }\n}’
Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz:
{
“payload”: “ewogICJyZXNvdXJjZSI6ICJuZXctYXV0aHoiLAogICJpZGVudGlmaWVyIjogewogICAgInZhbHVlIjogInV0cmF2YWxvLmVtZXQuZ292Lmh1IiwKICAgICJ0eXBlIjogImRucyIKICB9Cn0”,
“protected”: “eyJhbGciOiAiUlMyNTYiLCAibm9uY2UiOiAiX2ZUOGZFN2ZQWExYS2FsX0ctblU3VWFjeEwwc0drY3FUbkFWcHBKamw1cyIsICJqd2siOiB7Im4iOiAicWZNdnBoMFNNekhxdF91bzhiYTU5aHZEQ2huZUtNT1JDcFdyaDRiTmpDSnl0bHFJYUMybDVWSTg1bWxJaUJxUU5zNk9YRFFWTW9NTE9ENG92R2JfTE0xYWpPZ2lKLVB6WndfQVRqZUZmallHbDdFVE5PWHlMeklwU3ZDVENUR3dNc3NVckJBSy0zWmRTTWVrSUFzdHNwakJEcjNsRG9tNkswMmFWQWY2d21fQTFUTXlXbXp1Zm9pTV9fZ3hNYjh3R3F3dGR2bklCNm1hT09yeFNld3JzY1g1ck9ualV2YVhnaExCa1VVYWtQYjVZTHhvOC0tRXo3REtoX1JNYTRzRzBkVHU1bHp2dWZSci1hU3dRb1JkR29KSEZpdmJ2WllnV1ZuQ0hRcVRZMGtoSjVfYmQ4VkdqeElVRzY4RUxpQkhyZ3RkNWprTEFFZnhYMFdFQXltZHZRIiwgImt0eSI6ICJSU0EiLCAiZSI6ICJBUUFCIn19”,
“signature”: “Wm9FP_Nf3IOWj3UevVEMQUBv0toc3khCWfvlrLOL6ogrdH4D8HWNykh9VURhdHkGkaHvFMTBp2AjRh_0wj7XaPXI6vIkKTnZJppwGIFMbUh74JYNvdlhRHsTTIBRreTtiMbOZ850PZO8wHOysVlEtWp1ohi-z1x0M1IsmpJ6xxUa6qUA83CJ5HCNXqHHLJFYtWGdvH4n1nyD4GTL6dvs2bmqV0q21EOkjYQbwMTTjKoSUZbrJeJ1xl1Xt2d_i1sc6vH9qaj23T6LbVClsEk37xUk8gt8vcso7aTgAErCMXI4dZVxwHXcYAzsYzBuymtx44IkoaSXFEb0FsP_fifOYQ”
}
https://acme-v01.api.letsencrypt.org:443 “POST /acme/new-authz HTTP/1.1” 201 725
Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 725
Boulder-Requester: 29933283
Link: https://acme-v01.api.letsencrypt.org/acme/new-cert;rel=“next”
Location: https://acme-v01.api.letsencrypt.org/acme/authz/5La7eig58dPV0OYawFEPHhEDxxRT8y4DIBnJ-9b5ysk
Replay-Nonce: oIkK_sijdlVu4z9873nlrFu_49LTf3MzRsaj_e3VJyU
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 27 Jun 2018 10:02:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 27 Jun 2018 10:02:49 GMT
Connection: keep-alive

b’{\n “identifier”: {\n “type”: “dns”,\n “value”: “utravalo.emet.gov.hu”\n },\n “status”: “pending”,\n “expires”: “2018-07-04T10:02:49Z”,\n “challenges”: [\n {\n “type”: “dns-01”,\n “status”: “pending”,\n “uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/5La7eig58dPV0OYawFEPHhEDxxRT8y4DIBnJ-9b5ysk/5328591134”,\n “token”: “eWDogC1Gp0EU4km7OE6G73CxNa5PQCvQwCj_Ok8o3jY”\n },\n {\n “type”: “http-01”,\n “status”: “pending”,\n “uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/5La7eig58dPV0OYawFEPHhEDxxRT8y4DIBnJ-9b5ysk/5328591135”,\n “token”: “8zqDFrR8MZDwFm0T1XdEdEGPokr2hCfC1o6s7uyyJvE”\n }\n ],\n “combinations”: [\n [\n 1\n ],\n [\n 0\n ]\n ]\n}’
Storing nonce: oIkK_sijdlVu4z9873nlrFu_49LTf3MzRsaj_e3VJyU
Performing the following challenges:
http-01 challenge for utravalo.emet.gov.hu
Using the webroot path /www/well-known for all unmatched domains.
Creating root challenges validation dir at /www/well-known/.well-known/acme-challenge
Attempting to save validation to /www/well-known/.well-known/acme-challenge/8zqDFrR8MZDwFm0T1XdEdEGPokr2hCfC1o6s7uyyJvE
Waiting for verification…
JWS payload:
b’{\n “keyAuthorization”: “8zqDFrR8MZDwFm0T1XdEdEGPokr2hCfC1o6s7uyyJvE.gi4z_Og_zP-jdGZtVqn5ZC6L_UNv7Y0GRDQW7ss7A0g”,\n “resource”: “challenge”,\n “type”: “http-01”\n}’
Sending POST request to https://acme-v01.api.letsencrypt.org/acme/challenge/5La7eig58dPV0OYawFEPHhEDxxRT8y4DIBnJ-9b5ysk/5328591135:
{
“payload”: “ewogICJrZXlBdXRob3JpemF0aW9uIjogIjh6cURGclI4TVpEd0ZtMFQxWGRFZEVHUG9rcjJoQ2ZDMW82czd1eXlKdkUuZ2k0el9PZ196UC1qZEdadFZxbjVaQzZMX1VOdjdZMEdSRFFXN3NzN0EwZyIsCiAgInJlc291cmNlIjogImNoYWxsZW5nZSIsCiAgInR5cGUiOiAiaHR0cC0wMSIKfQ”,
“protected”: “eyJhbGciOiAiUlMyNTYiLCAibm9uY2UiOiAib0lrS19zaWpkbFZ1NHo5ODczbmxyRnVfNDlMVGYzTXpSc2FqX2UzVkp5VSIsICJqd2siOiB7Im4iOiAicWZNdnBoMFNNekhxdF91bzhiYTU5aHZEQ2huZUtNT1JDcFdyaDRiTmpDSnl0bHFJYUMybDVWSTg1bWxJaUJxUU5zNk9YRFFWTW9NTE9ENG92R2JfTE0xYWpPZ2lKLVB6WndfQVRqZUZmallHbDdFVE5PWHlMeklwU3ZDVENUR3dNc3NVckJBSy0zWmRTTWVrSUFzdHNwakJEcjNsRG9tNkswMmFWQWY2d21fQTFUTXlXbXp1Zm9pTV9fZ3hNYjh3R3F3dGR2bklCNm1hT09yeFNld3JzY1g1ck9ualV2YVhnaExCa1VVYWtQYjVZTHhvOC0tRXo3REtoX1JNYTRzRzBkVHU1bHp2dWZSci1hU3dRb1JkR29KSEZpdmJ2WllnV1ZuQ0hRcVRZMGtoSjVfYmQ4VkdqeElVRzY4RUxpQkhyZ3RkNWprTEFFZnhYMFdFQXltZHZRIiwgImt0eSI6ICJSU0EiLCAiZSI6ICJBUUFCIn19”,
“signature”: “Hztk35yZbCJGdYwcNbw1Wim84CpOuV9J8WZqdCHhv6aam1C72q-ciP3-LQwDKqImJoEUaktzol-PxogSSN0_-lRUegns0bTc3fVr6AgSiG87IKP92cgrYMiAy08ZII6GUISEXJTS8QTLVuioKCQCGysRV9bAk4z7z0UNTOvKzejon6JMYZCeXwm7RTNI2J7_XjC4qfmMvTlXIl0H1dpKCEVvNc25Qel1fAE5xRgcPmN1aoIUy1a1hEy2AXjTNp_mSl2A1n_1fUKE747PJVzyk_nSbObBq-zFw9TEUkd9E25QTDZ3f84d-2K3qjnTgFXZMkkBSRvQ8QRN5NleYdYWvQ”
}
https://acme-v01.api.letsencrypt.org:443 “POST /acme/challenge/5La7eig58dPV0OYawFEPHhEDxxRT8y4DIBnJ-9b5ysk/5328591135 HTTP/1.1” 202 336
Received response:
HTTP 202
Server: nginx
Content-Type: application/json
Content-Length: 336
Boulder-Requester: 29933283
Link: https://acme-v01.api.letsencrypt.org/acme/authz/5La7eig58dPV0OYawFEPHhEDxxRT8y4DIBnJ-9b5ysk;rel=“up”
Location: https://acme-v01.api.letsencrypt.org/acme/challenge/5La7eig58dPV0OYawFEPHhEDxxRT8y4DIBnJ-9b5ysk/5328591135
Replay-Nonce: evsjls-gCkK01YCjjZsLDQREcAcHLjsMMxd1XHI2tc8
Expires: Wed, 27 Jun 2018 10:02:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 27 Jun 2018 10:02:49 GMT
Connection: keep-alive

b’{\n “type”: “http-01”,\n “status”: “pending”,\n “uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/5La7eig58dPV0OYawFEPHhEDxxRT8y4DIBnJ-9b5ysk/5328591135”,\n “token”: “8zqDFrR8MZDwFm0T1XdEdEGPokr2hCfC1o6s7uyyJvE”,\n “keyAuthorization”: “8zqDFrR8MZDwFm0T1XdEdEGPokr2hCfC1o6s7uyyJvE.gi4z_Og_zP-jdGZtVqn5ZC6L_UNv7Y0GRDQW7ss7A0g”\n}’
Storing nonce: evsjls-gCkK01YCjjZsLDQREcAcHLjsMMxd1XHI2tc8
Sending GET request to https://acme-v01.api.letsencrypt.org/acme/authz/5La7eig58dPV0OYawFEPHhEDxxRT8y4DIBnJ-9b5ysk.
https://acme-v01.api.letsencrypt.org:443 “GET /acme/authz/5La7eig58dPV0OYawFEPHhEDxxRT8y4DIBnJ-9b5ysk HTTP/1.1” 200 1848
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1848
Link: https://acme-v01.api.letsencrypt.org/acme/new-cert;rel=“next”
Replay-Nonce: DC8ATa3XUh-RX02rBDyVLVHv4-JTTMdPYY7PoodaPW4
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 27 Jun 2018 10:02:53 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 27 Jun 2018 10:02:53 GMT
Connection: keep-alive

b’{\n “identifier”: {\n “type”: “dns”,\n “value”: “utravalo.emet.gov.hu”\n },\n “status”: “invalid”,\n “expires”: “2018-07-04T10:02:49Z”,\n “challenges”: [\n {\n “type”: “dns-01”,\n “status”: “invalid”,\n “uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/5La7eig58dPV0OYawFEPHhEDxxRT8y4DIBnJ-9b5ysk/5328591134”,\n “token”: “eWDogC1Gp0EU4km7OE6G73CxNa5PQCvQwCj_Ok8o3jY”\n },\n {\n “type”: “http-01”,\n “status”: “invalid”,\n “error”: {\n “type”: “urn:acme:error:unauthorized”,\n “detail”: “Invalid response from http://utravalo.emet.gov.hu/.well-known/acme-challenge/8zqDFrR8MZDwFm0T1XdEdEGPokr2hCfC1o6s7uyyJvE: \”\u003c!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \“http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\"\u003e\r\n\u003chtml\"”,\n “status”: 403\n },\n “uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/5La7eig58dPV0OYawFEPHhEDxxRT8y4DIBnJ-9b5ysk/5328591135”,\n “token”: “8zqDFrR8MZDwFm0T1XdEdEGPokr2hCfC1o6s7uyyJvE”,\n “keyAuthorization”: “8zqDFrR8MZDwFm0T1XdEdEGPokr2hCfC1o6s7uyyJvE.gi4z_Og_zP-jdGZtVqn5ZC6L_UNv7Y0GRDQW7ss7A0g”,\n “validationRecord”: [\n {\n “url”: “http://utravalo.emet.gov.hu/.well-known/acme-challenge/8zqDFrR8MZDwFm0T1XdEdEGPokr2hCfC1o6s7uyyJvE”,\n “hostname”: “utravalo.emet.gov.hu”,\n “port”: “80”,\n “addressesResolved”: [\n “193.6.241.85”\n ],\n “addressUsed”: “193.6.241.85”\n },\n {\n “url”: “https://utravalo.emet.gov.hu/”,\n “hostname”: “utravalo.emet.gov.hu”,\n “port”: “443”,\n “addressesResolved”: [\n “193.6.241.85”\n ],\n “addressUsed”: “193.6.241.85”\n }\n ]\n }\n ],\n “combinations”: [\n [\n 1\n ],\n [\n 0\n ]\n ]\n}’
Reporting to user: The following errors were reported by the server:

Domain: utravalo.emet.gov.hu
Type: unauthorized
Detail: Invalid response from http://utravalo.emet.gov.hu/.well-known/acme-challenge/8zqDFrR8MZDwFm0T1XdEdEGPokr2hCfC1o6s7uyyJvE: "
<html"

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
Cleaning up challenges
Removing /www/well-known/.well-known/acme-challenge/8zqDFrR8MZDwFm0T1XdEdEGPokr2hCfC1o6s7uyyJvE
All challenges cleaned up
Exiting abnormally:
Traceback (most recent call last):
File “/usr/bin/certbot”, line 11, in
load_entry_point(‘certbot==0.22.2’, ‘console_scripts’, ‘certbot’)()
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 1266, in main
return config.func(config, plugins)
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 1157, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 118, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File “/usr/lib/python3/dist-packages/certbot/client.py”, line 350, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File “/usr/lib/python3/dist-packages/certbot/client.py”, line 294, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File “/usr/lib/python3/dist-packages/certbot/client.py”, line 330, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 79, in handle_authorizations
self._respond(aauthzrs, resp, best_effort)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 154, in _respond
self._poll_challenges(aauthzrs, chall_update, best_effort)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 220, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. utravalo.emet.gov.hu (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://utravalo.emet.gov.hu/.well-known/acme-challenge/8zqDFrR8MZDwFm0T1XdEdEGPokr2hCfC1o6s7uyyJvE: "
<html"
Failed authorization procedure. utravalo.emet.gov.hu (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://utravalo.emet.gov.hu/.well-known/acme-challenge/8zqDFrR8MZDwFm0T1XdEdEGPokr2hCfC1o6s7uyyJvE: "
<html"

IMPORTANT NOTES:

The operating system my web server runs on is (include version): Ubuntu 14.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

That test URL works, but the issue is that Let's Encrypt makes the initial validation request over HTTP.

http://utravalo.emet.gov.hu/.well-known/acme-challenge/test redirects to https://utravalo.emet.gov.hu/, not https://utravalo.emet.gov.hu/.well-known/acme-challenge/test, so Let's Encrypt follows the redirect, and downloads the homepage, which of course isn't the validation token it expects.

Can you change the redirect to preserve the path, or exclude /.well-known/acme-challenge/ from being redirected?

E.g.:

return 301 https://utravalo.emet.gov.hu$request_uri;
2 Likes
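
One way to check for the redirect behaviour described in the reply above, as an added example that is not part of the original thread: follow the plain-HTTP challenge URL hop by hop and report the first redirect whose target no longer has the challenge path. The function names, the 301 status and the response tables are constructed for illustration; `fetch_once` is the live fetcher and is not exercised by the sample data.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECTS = (301, 302, 303, 307, 308)

def fetch_once(url):
    """Issue one GET without following redirects; return (status, Location)."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=10)
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def trace_challenge(url, fetch=fetch_once, max_hops=10):
    """Follow redirects by hand and report the first hop that changes the path."""
    want = urlsplit(url).path
    hops = []
    for _ in range(max_hops):
        status, location = fetch(url)
        hops.append((url, status))
        if status not in REDIRECTS or not location:
            return {"hops": hops, "status": status, "path_lost_at": None}
        target = urljoin(url, location)  # Location may be relative
        if urlsplit(target).path != want:
            return {"hops": hops, "status": status, "path_lost_at": (url, target)}
        url = target
    raise RuntimeError("more than %d redirects" % max_hops)

# Constructed responses (not captured traffic): the redirect described in the
# reply, and the same host after the redirect is changed to keep the path.
TEST_URL = "http://utravalo.emet.gov.hu/.well-known/acme-challenge/test"
HTTPS_URL = "https://utravalo.emet.gov.hu/.well-known/acme-challenge/test"
BROKEN = {TEST_URL: (301, "https://utravalo.emet.gov.hu/")}
FIXED = {TEST_URL: (301, HTTPS_URL), HTTPS_URL: (200, None)}

if __name__ == "__main__":
    for name, table in (("broken", BROKEN), ("fixed", FIXED)):
        result = trace_challenge(TEST_URL, fetch=table.__getitem__)
        print(name, result["status"], result["path_lost_at"])
```

Calling `trace_challenge(url)` with the default fetcher runs the same check against a live host; a non-empty `path_lost_at` names the redirect to fix before requesting a certificate.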

mnordhoff, you are great, this solved the problem, thank you

2 Likes
