Invalid email issue while adding SSL


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: farmersdirect.net

I ran this command: I am trying to add SSL to this domain with this email ID. The domain is added on our server properly and the email is also verified, but I don't know why I am getting this error again and again. Here are the logs of the SSL server:

It produced this output: Domain is [ 'farmersdirect.net', 'www.farmersdirect.net' ] object
0|index | customEmail is mkr1279@hotmail.com
0|index | mmmiiinnn timeeee 7689600000
0|index | [acme-v2] (E_STATE_INVALID) challenge state: 'invalid'
0|index | [acme-v2] handled(?) rejection as errback:
0|index | Error: [acme-v2] [error] unacceptable challenge state 'invalid'
0|index | at /var/www/storehippo/app/servers/ssl_certificate/node_modules/acme-v2/node.js:374:31
0|index | at
0|index | at process._tickDomainCallback (internal/process/next_tick.js:228:7)
0|index | { Error: socket hang up
0|index | at TLSSocket.onHangUp (_tls_wrap.js:1135:19)
0|index | at Object.onceWrapper (events.js:313:30)
0|index | at emitNone (events.js:111:20)
0|index | at TLSSocket.emit (events.js:208:7)
0|index | at endReadableNT (_stream_readable.js:1055:12)
0|index | at _combinedTickCallback (internal/process/next_tick.js:138:11)
0|index | at process._tickDomainCallback (internal/process/next_tick.js:218:9)
0|index | code: 'ECONNRESET',
0|index | path: null,
0|index | host: 'localhost',
0|index | port: 443,
0|index | localAddress: undefined } 'respppppppp' undefined
0|index | { Error: ENOENT: no such file or directory, open '/root/acme/etc/live/farmersdirect.net/fullchain.pem'

My web server is (include version): Nginx

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


#2

Hi,

What script are you using to obtain this certificate?

Thank you


#3

We are using NodeJs.
And I am not able to send the whole script here because the format of that script is automatically changed.


#4

'use strict';

var customEmail;
var customDomain = [];
var app = require('express')();
var app1 = require('express')();
var request = require('request');
var fs = require('fs');

// returns an instance of greenlock.js with additional helper methods
var glx = require('greenlock-express').create({
  server: 'https://acme-v02.api.letsencrypt.org/directory'
  // Note: If at first you don't succeed, stop and switch to staging:
  // https://acme-staging-v02.api.letsencrypt.org/directory
, version: 'draft-11' // Let's Encrypt v2 (ACME v2)

  // If you wish to replace the default account and domain key storage plugin
, store: require('le-store-certbot').create({
    configDir: require('path').join(require('os').homedir(), 'acme', 'etc')
  , webrootPath: '/tmp/acme-challenges'
  })

, approveDomains: approveDomains
});

var http01 = require('le-challenge-fs').create({ webrootPath: '/tmp/acme-challenges' });

function approveDomains(opts, certs, cb) {
  // This is where you check your database and associated
  // email addresses with domains and agreements and such

  // Opt-in to submit stats and get important updates
  opts.communityMember = true;

  // If you wish to replace the default challenge plugin, you may do so here
  opts.challenges = { 'http-01': http01 };
  opts.renewWithin = 892460601000; // maximum number
  opts.renewBy = 902460601000;
  // The domains being approved for the first time are listed in opts.domains
  // Certs being renewed are listed in certs.altnames
  console.log("mmmiiinnn timeeee", opts.renewWithin);
  opts.domains = customDomain;
  if (certs) {
    opts.domains = certs.altnames;
  } else {
    opts.email = customEmail;
    opts.agreeTos = true;
  }

  // NOTE: you can also change other options such as challengeType and challenge
  // opts.challengeType = 'http-01';
  // opts.challenge = require('le-challenge-fs').create({});

  cb(null, { options: opts, certs: certs });
}

// handles acme-challenge and redirects to https
require('http').createServer(glx.middleware(require('redirect-https')())).listen(80, function () {
  console.log("Listening for ACME http-01 challenges on", this.address());
});

// handles your app
require('https').createServer(glx.httpsOptions, app).listen(443, function () {
  console.log("Listening for ACME tls-sni-01 challenges and serve app on", this.address());
});

// internal control endpoint: takes domain/email from request headers, triggers issuance
// by hitting the HTTPS server, then returns the issued key and chain and deletes them from disk
app1.use(function (req, res) {
  console.log("Req is>>>", req.headers);
  customDomain = [];
  var cert = {};
  customDomain.push(req.headers.domain);
  if (req.headers.domain_www) {
    customDomain.push(req.headers.domain_www);
  }
  // customDomain = req.headers.domain;
  customEmail = req.headers.email;
  console.log("Domain is ", customDomain, typeof customDomain);
  console.log("customEmail is ", customEmail);
  // return res.send(401);
  request("https://localhost", function (err, resp, body) {
    console.log(err, "respppppppp", body);
    var liveDir = '/root/acme/etc/live/' + req.headers.domain;
    fs.readFile(liveDir + '/privkey.pem', 'utf8', function (err, data) {
      fs.readFile(liveDir + '/fullchain.pem', 'utf8', function (err1, data1) {
        console.log(err1, "this is fullchain data", data1);
        console.log(err, "this is privkey data", data);
        cert.fullchain = data1;
        cert.privkey = data;
        // fs.unlink requires a callback on current Node versions
        fs.unlink(liveDir + '/privkey.pem', function () {});
        fs.unlink(liveDir + '/fullchain.pem', function () {});
        // res.sendfile('/root/letsencrypt/etc/live/' + customDomain + '/privkey.pem');
        res.send(cert);
      });
    });
  });
});

app1.listen(4444);


#5

Hi,

Is that a customized script? (One that isn't downloaded from GitHub?)

Thank you

P.S. you could use a pastebin / text service to paste the content, and just share the link with us... (For future reference)


#6


We are using this, so please customise this according to our platform.


#7

Hi,

I see that the version of this software is lagging behind (on GitHub).

Do you mind trying to update the client to the latest version (you might need to re-customize it...) and trying again?

https://git.coolaj86.com/coolaj86/greenlock.js

P.S. if there are any logs generated on the last run (the error run), could you please upload them to pastebin and share the link with us?

Thank you


#8

How can we update the client to the latest version?


#9

Hi,

I'm not sure...
How did you download it in the first place?

Thank you


#10

Please find the logs

access-control-allow-headers: Origin, X-Requested-With, Content-Type, Accept, ajax, access-key,backend,app_request,frontend, token,device,location
access-control-allow-methods: POST,HEAD,GET,PUT,DELETE,OPTIONS
access-control-allow-origin:
Cache-Control: no-cache, private, no-store, must-revalidate, max-stale=0, post-check=0, pre-check=0
Connection: keep-alive
Content-Length: 150
Content-Type: application/json; charset=utf-8
Date: Thu, 15 Nov 2018 08:01:56 GMT
mode: block
ms-messages: [{"name":"ms.msg.add_freessl_error","level":"error","key":"ms.msg.add_freessl_error","message":"pls put valid mail_id & related domain name"}]
ms-messages-old: ["Please put valid domain and related mail-id"]
Server: nginx
server-group: trial
X-Content-Type-Options: nosniff
X-Response-Time: 4041ms
X-XSS-Protection: 1


#11

Hi There,
We are trying to add SSL for "farmersdirect.net" and we put in a wrong email ID that was provided by the client, so due to this the domain got locked, because we have tried a lot of times. So let me know how we can unlock that domain and then try with a valid email ID.


#12

What do you mean by "got locked"? Do you have another specific error message?

Thank you


#13

How many attempts are allowed to add an SSL certificate?
We have done more than 10 attempts in three days with different emails. If this is not successful in the first three steps, then we can try more after 72 hours, as per our developers.


#14

Hi @Shubham1

I don’t understand this. There are rate limits:

We also have a Duplicate Certificate limit of 5 certificates per week.

But what "first three steps" means is unknown.


#15

For what it’s worth, email addresses are a setting on ACME accounts, not individual certificates or certificate orders.

(Email addresses are optional, too.)

It’s possible to change an account’s associated email address, but some ACME clients may not implement it.


#16

I'm not familiar with Node or this client, but this email makes it seem like a challenge failed and is unrelated to your email address.


#18

Yes, but this email is totally valid, as we checked from the client side. We can successfully add SSL for other domains, but are not able to add it for this domain ("My domain is: farmersdirect.net").


#19

Hi @shubham1,

The problem isn’t caused by your email address. The problem appears to be related to failing the HTTP-01 domain validation challenge.

Thanks for sharing! I looked at the server-side Let’s Encrypt validation logs and was able to confirm that the problem is not your email address.

It looks like farmersdirect.net has an IPv6 address in an AAAA record in its DNS, but the webserver listening on that address is sending the wrong response to the HTTP-01 challenge (it's sending an HTML document):

"Error":"unauthorized :: Invalid response from http://farmersdirect.net/.well-known/acme-challenge/ODjEOf9q6rabfsHzUjc8CzNw9UB9hNEYSpEfFbqKOFQ: "\u003c!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\"\u003e\n\u003chtml\u003e\u003chead\u003e\n\u003ctitle\u003e300 Multiple

I would recommend that you investigate your server’s IPv6 configuration and make sure the node application you’re running to solve the HTTP-01 challenge is accessible through the IPv6 address.

Alternatively, you could remove the AAAA record from your DNS and Let’s Encrypt will use the IPv4 address instead.


#20

That really works!! :slight_smile:
Appreciate your help @cpu


#21

@Shubham1 Awesome! Very glad to hear you were able to get things working :slight_smile: