Invalid response from https://kohanyim.com/.well-known/acme-challenge

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

Using pfSense to create the Cert. for pfSense's webConfigurator.
Setup: Services > Acme > Certificates > Domain SAN list: kohanyim.com | Standalone HTTP server

My domain is:
kohanyim.com

I ran this command:
Issue/Renew for the first time and

It produced this output:
[Mon May 2 17:42:15 MDT 2022] kohanyim.com:Verify error: 67.0.88.50: Invalid response from https://kohanyim.com/.well-known/acme-challenge/3z4Osr9gbvNB4tYPWbgTYoKM5iFhFJ2-3SCU0YNLYHo: 404

My hosting provider, if applicable, is:
NOIP

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
pfSense 2.6.0-RELEASE (amd64)
built on Mon Jan 31 19:57:53 UTC 2022
FreeBSD 12.3-STABLE

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): not installed

I don't have this /.well-known folder; my directory folder is /var/www/html/kohanyim-com/

<VirtualHost *:80>
    DocumentRoot /var/www/html/kohanyim-com
    ServerName kohanyim.com
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

and

<VirtualHost _default_:443>
    DocumentRoot "/var/www/html/kohanyim-com"
    ServerName kohanyim.com:443
    ...
</VirtualHost>

My home network domain is kohanyim.net. I already have a cert for my public domain kohanyim.com and am using noip to point to my home server. I want to use your cert for pfSense's webConfigurator.

So how do I correct this in order to complete the cert?
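As an added illustration (not from the thread): in the port-80 vhost quoted above, every request, including the validator's, is redirected to the 443 vhost, which has no challenge content and answers 404, which is what the log line shows. If the Apache host rather than pfSense's standalone listener is to answer HTTP-01, the challenge path has to be excluded from the redirect and served from a webroot; the directory /var/www/acme-challenge below is a hypothetical one.

```apache
# Added example, not the poster's own config: a port-80 vhost that serves
# HTTP-01 challenge tokens over plain HTTP and redirects everything else.
# Assumes a hypothetical webroot /var/www/acme-challenge that the ACME
# client writes token files into (webroot mode, not standalone mode).
<VirtualHost *:80>
    ServerName kohanyim.com
    DocumentRoot /var/www/html/kohanyim-com

    # Serve challenge tokens from a dedicated directory outside the site root.
    Alias /.well-known/acme-challenge/ /var/www/acme-challenge/.well-known/acme-challenge/
    <Directory "/var/www/acme-challenge/.well-known/acme-challenge/">
        Options None
        AllowOverride None
        Require all granted
        # Tokens are plain text; never hand them to a script handler.
        ForceType text/plain
        RemoveHandler .php .cgi
    </Directory>

    RewriteEngine On
    # Leave the challenge path alone so the validator gets a 200 over HTTP;
    # everything else still gets the permanent redirect to HTTPS.
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
```

Which host should answer the challenge depends on where port 80 for kohanyim.com actually lands (this Apache host or pfSense's standalone listener); the 404 in the posted log was returned at the https:// URL after the redirect, so the redirect path is the first thing to check with a plain HTTP request to /.well-known/acme-challenge/ that does not follow redirects.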

Is this page of Netgate docs helpful?
https://docs.netgate.com/pfsense/en/latest/config/advanced-admin.html#ssl-tls-certificate


I'd remove the port from that.
[might not change anything at all - but it looks like it could (someday) wreak havoc]


I suppose this is a bit of a side topic, but since you mentioned it:

So your pfSense is "kohanyim.net" ?
You'd have to configure DNS in order to do that... and then your webConfigurator would be exposed to the public. NOT recommended.

Do you have an intranet with services, or just some workstations, IoT and TVs behind the router?

If you have (or want) a private intranetwork, consider using kohanyim.com on your intranet as well and use the pfSense ACME Certificate Service with DNS validation for a wildcard solution to be deployed globally. It is easy to script distribution to your internal network.

BUT use a strong self signed cert for the configurator and keep it out of public space.

If I misunderstood your comment, please correct me. As to the main issue in your posted title, I'll leave that to the experts.


Yes, but webConfigurator will stay private within the intranet. I only want kohanyim.com available for both public and private.

In addition to using kohanyim.com as my intranet serving different Depts, I also will have a dedicated server for the public, and already have bought single and wildcard certs from NOIP. I just recently began trying to use Let's Encrypt, but watching / searching for a NOIP solution is basically nowhere to be found.

So will using my NOIP Cert accomplish securing a kohanyim.com public / private web service?

Well do...