Invalid response acme challenge


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mail.boltcorp.com

I ran this command: sudo certbot certonly --webroot --agree-tos --email your-email-address -d mail.boltcorp.com -w /var/www/html/

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mail.boltcorp.com
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. mail.boltcorp.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mail.boltcorp.com/.well-known/acme-challenge/G5GCwtj_u6SM0NryadZ1fcZ-uG1nFSFOBGOOnmRoZig: "<html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWX"

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: mail.boltcorp.com
    Type: unauthorized
    Detail: Invalid response from
    http://mail.boltcorp.com/.well-known/acme-challenge/G5GCwtj_u6SM0NryadZ1fcZ-uG1nFSFOBGOOnmRoZig:
    "<html lang="en"
    data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWX"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version):
nginx version: nginx/1.10.3

The operating system my web server runs on is (include version): Ubuntu 16.04 LTS

My hosting provider, if applicable, is:
Microsoft Azure Cloud

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes, I can log in as root.

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
iRedmail


#2

Hi @bandidopabs

Checking your /.well-known/acme-challenge directory, there is something curious:

Your server sends an HTTP status 200, not the expected 404 / not found status.

So it looks like there are wrong redirects or a wrong configuration.

Try to create a file named 1234 (without extension) under /.well-known/acme-challenge, so you can load this file via browser:

http://mail.boltcorp.com/.well-known/acme-challenge/1234

#3

Hi JuergenAuer,

I appreciate you taking time to respond to me, but how do I access the /.well-known/acme-challenge directory? I’ve tried using cd /.well-known/acme-challenge but nothing comes out.


#4

You use this

/var/www/html/

as your webroot. So first

cd /var/www/html

then create the two directories.


#5

Ok JuergenAuer, I’ve created both directories and created the file 1234. Awaiting your orders.


#6

There is a Sedo-parking domain. You can’t get a certificate if the domain is parked.


#7

Does that mean I need to purchase the domain, or am I good to go once I create a website for it? I’m trying to set this up locally in the Azure cloud.


#8

To use the webroot method, there should already be a DNS record pointing the name in question at the server where you’re running Certbot. In this parking situation, the DNS A record points to a registrar parking site instead of to your server, so it’s premature to request the certificate using the webroot method.


#9

Are you the owner of mail.boltcorp.com? If not, you can’t get a certificate with this domain name.

You need a public / global / worldwide visible unique domain name. Then you can get a certificate with this name.


#10

Hey Schoen, is there a way to have it point to my server? I have the A record pointing to the IP address of my virtual machine and as I mentioned in an earlier post I’m just trying to set up the mailserver for a local network.


#11

JuergenAuer,

I am not the owner of mail.boltcorp.com. I don’t have it registered with any hosting service. I’m still a little green and I appreciate your patience with me, but is there a way to do this internally so I can have the internal users of my network accessing the web page with no security issues?


#12

No, this isn’t possible. If you want to have a public / global trusted certificate, you need a publicly visible domain name. And you must prove that you are able to manage this domain (creating a text file in the folder /.well-known/acme-challenge or a DNS entry with a special value).

A private network without a public name can’t get a certificate of a public Certificate Authority.
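The three checks raised in this thread (post #2: a non-existent file under /.well-known/acme-challenge/ must give 404, and a test file must be retrievable; post #8 and #12: the A/AAAA record must point at the host running Certbot and the response body must be the bare key authorization) can be triaged offline before re-running Certbot. The following is an added example, not code from the thread or from Certbot; the key-authorization format (token.thumbprint) comes from RFC 8555 section 8.1, and the thumbprint, IP addresses and HTTP probe results below are constructed placeholders.

```python
"""Offline triage of a Certbot webroot (http-01) failure.

Added example, not from the thread. All inputs are constructed: the probe
bodies, the thumbprint and the IP addresses are placeholders, and nothing
here touches the network. In practice the Probe values would come from an
HTTP GET of the challenge URL and the DNS answers from a resolver.
"""
import ipaddress
from dataclasses import dataclass

# RFC 1918 and IPv6 ULA ranges: a validator on the public internet cannot
# reach these, so an A/AAAA record pointing there can never pass http-01.
_UNROUTABLE = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


@dataclass
class Probe:
    """What an HTTP GET of a URL returned: status code and response body."""
    status: int
    body: str


def classify_challenge_response(expected_key_authz: str, probe: Probe) -> str:
    """Compare what the validator fetched with what Certbot wrote to the webroot.

    The validator expects HTTP 200 and a body that is exactly the key
    authorization (token "." account-key thumbprint), nothing else.
    """
    body = probe.body.strip()
    if probe.status == 200 and body == expected_key_authz:
        return "ok"
    if probe.status == 404:
        return "missing: nothing served at that path; check -w and the nginx root"
    if 300 <= probe.status < 400:
        return "redirect: the challenge URL is being redirected elsewhere"
    if body.lower().startswith(("<html", "<!doctype")):
        # An HTML document where a bare token should be means some other
        # site answered: a parking page, a catch-all vhost or a rewrite.
        return "wrong-site: an HTML page was served instead of the token"
    return f"unexpected: status {probe.status}"


def classify_missing_file(probe: Probe) -> str:
    """Post #2's check: a file that does not exist must produce 404."""
    if probe.status == 404:
        return "ok"
    if probe.status == 200:
        return "catch-all: 200 for a file that does not exist; another site answers"
    return f"unexpected: status {probe.status}"


def classify_dns(a_records, server_ips) -> str:
    """Post #8's check: the name must resolve to the host running Certbot."""
    resolved = {ipaddress.ip_address(a) for a in a_records}
    local = {ipaddress.ip_address(s) for s in server_ips}
    if not resolved:
        return "no-record: name does not resolve"
    if any(ip in net for ip in resolved for net in _UNROUTABLE):
        return "private: record points at an address the validator cannot reach"
    if resolved & local:
        return "ok"
    return "mismatch: name resolves to " + ", ".join(sorted(map(str, resolved)))


def diagnose(expected_key_authz, challenge_probe, missing_probe,
             a_records, server_ips) -> dict:
    """Run all three checks and return one label per check."""
    return {
        "dns": classify_dns(a_records, server_ips),
        "missing_file": classify_missing_file(missing_probe),
        "challenge": classify_challenge_response(expected_key_authz, challenge_probe),
    }


# Constructed sample reproducing the thread: the body is the truncated HTML
# from the Certbot error above; token is the one from the failed URL, the
# thumbprint is a placeholder, and the IPs are documentation/private ranges.
TOKEN = "G5GCwtj_u6SM0NryadZ1fcZ-uG1nFSFOBGOOnmRoZig"
KEY_AUTHZ = TOKEN + ".PLACEHOLDER_ACCOUNT_KEY_THUMBPRINT"
PARKED_BODY = ('<html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJ'
               'BANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWX')

if __name__ == "__main__":
    report = diagnose(KEY_AUTHZ,
                      Probe(200, PARKED_BODY),        # challenge URL
                      Probe(200, PARKED_BODY),        # /.well-known/acme-challenge/1234
                      a_records=["203.0.113.10"],     # constructed parking IP
                      server_ips=["10.0.0.4"])        # constructed VM address
    for check, verdict in report.items():
        print(f"{check:13s} {verdict}")
```

Only when all three checks report `ok` is it worth re-running `certbot certonly --webroot`; a `private` or `mismatch` verdict on the DNS check, as in this thread, cannot be fixed from the web server side at all.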