Invalid response from maddemon.free.nf

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: maddemon.free.nf

I ran this command: certbot certonly --manual -d maddemon.free.nf

It produced this output: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Create a file containing just this data:

fVZIayt3tvzoQ5aszdfkmHIlcd08f5dujKBwLn0n4Lo.o_-NlQ9qp1egiAVe5o9B3h76fbBPyagBfhUqB-sCLX0

And make it available on your web server at this URL:

http://maddemon.free.nf/.well-known/acme-challenge/fVZIayt3tvzoQ5aszdfkmHIlcd08f5dujKBwLn0n4Lo


Press Enter to Continue

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: maddemon.free.nf
Type: unauthorized
Detail: 185.27.134.215: Invalid response from http://maddemon.free.nf/.well-known/acme-challenge/fVZIayt3tvzoQ5aszdfkmHIlcd08f5dujKBwLn0n4Lo: "<script type="text/javascript" src="/aes.js" >function toNumbers(d){var e=;d.replace(/(..)/g,func"

Hint: The Certificate Authority failed to verify the manually created challenge files. Ensure that you created these in the correct location.

My web server is (include version): nginx

The operating system my web server runs on is (include version): idk

My hosting provider, if applicable, is: infinityfree

I can login to a root shell on my machine (yes or no, or I don't know): no

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.1.0

Perhaps this test site explains what is happening? You can see in the error response the data that the Let's Encrypt server saw. It should have seen the value you placed in the challenge folder but instead saw "<script type="text/javascript" src="/aes.js" >function toNumbers(d){..."

Also, I can't reach that domain at all. I get an "Empty reply from server".

3 Likes

http://maddemon.free.nf/.well-known/acme-challenge/fVZIayt3tvzoQ5aszdfkmHIlcd08f5dujKBwLn0n4Lo

but this is working

http://maddemon.free.nf/

even the server

Not from the public Internet. Or at least not from the locations I tested from or the Let's Encrypt servers. When you say it works, are you testing it from a machine on the local network? If so, maybe try a cell phone with WiFi disabled so you use your carrier's network.

4 Likes

That Javascript may be part of some anti-bot or anti-scraping software that is in front of your website. Let's Encrypt is a bot, almost by definition.

I can load, in a browser, http://maddemon.free.nf/.well-known/acme-challenge/fVZIayt3tvzoQ5aszdfkmHIlcd08f5dujKBwLn0n4Lo

But if I use curl, I get disconnected.

That makes me think there's anti-scraping going on.

5 Likes

Is there any way around it?
What can I do to fix it in InfinityFree?

This is what LE sees:
curl http://maddemon.free.nf/.well-known/acme-challenge/fVZIayt3tvzoQ5aszdfkmHIlcd08f5dujKBwLn0n4Lo -A "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

<html><body><script type="text/javascript" src="/aes.js" ></script><script>function toNumbers(d){var e=[];d.replace(/(..)/g,function(d){e.push(parseInt(d,16))});return e}function toHex(){for(var d=[],d=1==arguments.length&&arguments[0].constructor==Array?arguments[0]:arguments,e="",f=0;f<d.length;f++)e+=(16>d[f]?"0":"")+d[f].toString(16);return e.toLowerCase()}var a=toNumbers("f655ba9d09a112d4968c63579db590b4"),b=toNumbers("98344c2eee86c3994890592585b49f80"),c=toNumbers("e972cd133ed8720dd2b4041d00461a69");document.cookie="__test="+toHex(slowAES.decrypt(c,2,a,b))+"; expires=Thu, 31-Dec-37 23:55:55 GMT; path=/"; location.href="http://maddemon.free.nf/.well-known/acme-challenge/fVZIayt3tvzoQ5aszdfkmHIlcd08f5dujKBwLn0n4Lo?i=1";</script><noscript>This site requires Javascript to work, please enable Javascript in your browser or use a browser with Javascript support</noscript></body></html>

3 Likes
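A pre-flight check for the situation in this thread, added here as an example and not part of any post: it fetches the challenge URL the way the Let's Encrypt validation server does (plain HTTP, its User-Agent as quoted above, no cookies, no JavaScript) and says why the response would be rejected. The sample interstitial is a constructed, shortened excerpt of the HTML quoted above; the function and verdict names are my own.

```python
import re
import urllib.error
import urllib.request

# User-Agent the Let's Encrypt validation server sends (the one used in the curl test above).
LE_USER_AGENT = "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

# Key authorization = token "." base64url(SHA-256 JWK thumbprint); the thumbprint part is 43 chars.
_KEYAUTH_RE = re.compile(r"^[A-Za-z0-9_-]{22,}\.[A-Za-z0-9_-]{43}$")
# Fingerprint of the cookie-setting JavaScript interstitial quoted in this thread.
_JS_INTERSTITIAL_RE = re.compile(r'src="/aes\.js"|slowAES\.decrypt|document\.cookie=')

# Constructed sample: a shortened excerpt of what the host returned instead of the token.
SAMPLE_INTERSTITIAL = ('<html><body><script type="text/javascript" src="/aes.js" ></script><script>'
                       'document.cookie="__test="+toHex(slowAES.decrypt(c,2,a,b));location.href="...?i=1";</script></body></html>')

def fetch_as_acme_server(url, timeout=10):
    """Fetch like a CA does: plain HTTP, LE user agent, no cookies, no JS. status 0 = connection dropped."""
    req = urllib.request.Request(url, headers={"User-Agent": LE_USER_AGENT})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:          # 4xx/5xx: still a real HTTP answer
        return e.code, e.read().decode("utf-8", "replace")
    except OSError:                              # reset, timeout, "Empty reply from server"
        return 0, ""

def classify_challenge_body(expected_keyauth, status, body):
    """Say why a CA would or would not accept this HTTP-01 response."""
    if not _KEYAUTH_RE.match(expected_keyauth):
        return "bad-keyauth-format"
    if status == 0:
        return "connection-dropped"
    if status != 200:
        return f"http-{status}"
    if body.rstrip() == expected_keyauth:        # RFC 8555 tolerates trailing whitespace
        return "ok"
    if _JS_INTERSTITIAL_RE.search(body):
        return "js-cookie-interstitial"          # an anti-bot layer answered, not your file
    if expected_keyauth in body:
        return "token-wrapped-in-html"           # e.g. a template or listing around the value
    return "wrong-content"

def preflight(domain, keyauth, fetch=fetch_as_acme_server):
    """Check the challenge URL for keyauth (token.thumbprint) before pressing Enter in certbot."""
    token = keyauth.split(".", 1)[0]
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    status, body = fetch(url)
    return url, classify_challenge_body(keyauth, status, body)
```

Run `preflight(domain, keyauth)` with the token.thumbprint string certbot prints; anything other than "ok" means the CA will fail the challenge for the same reason.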

And even after manually following the augmented paths ... it doesn't return the expected string:

curl http://maddemon.free.nf/.well-known/acme-challenge/fVZIayt3tvzoQ5aszdfkmHIlcd08f5dujKBwLn0n4Lo?i=1 -A "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

<html><body><script type="text/javascript" src="/aes.js" ></script><script>function toNumbers(d){var e=[];d.replace(/(..)/g,function(d){e.push(parseInt(d,16))});return e}function toHex(){for(var d=[],d=1==arguments.length&&arguments[0].constructor==Array?arguments[0]:arguments,e="",f=0;f<d.length;f++)e+=(16>d[f]?"0":"")+d[f].toString(16);return e.toLowerCase()}var a=toNumbers("f655ba9d09a112d4968c63579db590b4"),b=toNumbers("98344c2eee86c3994890592585b49f80"),c=toNumbers("e972cd133ed8720dd2b4041d00461a69");document.cookie="__test="+toHex(slowAES.decrypt(c,2,a,b))+"; expires=Thu, 31-Dec-37 23:55:55 GMT; path=/"; location.href="http://maddemon.free.nf/.well-known/acme-challenge/fVZIayt3tvzoQ5aszdfkmHIlcd08f5dujKBwLn0n4Lo?i=2";</script><noscript>This site requires Javascript to work, please enable Javascript in your browser or use a browser with Javascript support</noscript></body></ht

curl http://maddemon.free.nf/.well-known/acme-challenge/fVZIayt3tvzoQ5aszdfkmHIlcd08f5dujKBwLn0n4Lo?i=2 "MozMozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

Warning: Ignores instruction to use SSLv2
curl: (52) Empty reply from server
curl: (3) URL using bad/illegal format or missing URL

3 Likes

You might try a DNS Challenge if you can update a TXT record in your DNS.

But, even if you get a cert, it looks like only clients that have Javascript enabled would work. And maybe only clients that meet other criteria, as InfinityFree looks to be taking care to block requests.

The best solution is to have InfinityFree allow URIs for ACME HTTP Challenges. ACME is an industry standard. They could just allow URIs with /.well-known/acme-challenge/

You could refer them to this forum for help.

Or, consider a hosting service that already supports free certificates.

5 Likes

I went to this page
https://dash.infinityfree.com/sslCertificates

It gave me an option for sslCertificates. I wrote my domain (maddemon.free.nf) under Domain Name, clicked the advanced option, and then selected Let's Encrypt from the drop-down menu under SSL provider, but it showed "The SSL provider Let's Encrypt does not support this domain name."

Which is a blatant lie. And also:

[image]

(this means you should look for a better hosting provider)

3 Likes

InfinityFree uses a DNS Challenge to get a wildcard cert from Let's Encrypt. But, you have not set up your DNS as they instruct.

4 Likes

free.nf is their own domain with their own DNS.

I registered and it really does not like Let's Encrypt.

It wants to give me a certificate from GTS, though. I say it wants to because they still haven't triggered a validation.

Let's see how long they make me wait.

4 Likes

So, are those docs I linked incorrect?

Because the first couple of paragraphs say to use the DNS Challenge even for custom names, and only that their DNS servers are easier, not that they are required.

Those docs also say you get to choose which CA. Doesn't it offer that?

3 Likes

They are correct, but they don't (currently?) work if you want a Let's Encrypt certificate; they bring you literally to where OP was told "The SSL provider Let's Encrypt does not support this domain name."

It does.

[image]

4 Likes

Ouch.

I also saw a post from a moderator in their forum saying they don't support intermediate certs. This is a major limitation.

Here are just a couple of forum posts from "Owner of InfinityFree". I couldn't quickly find the one from the mod I saw earlier.

4 Likes

I'm not sure I want to know what that means. They send the leaf certificate and that's it?

5 Likes

I think that's what they mean. The "owner" talked about not needing intermediates because browsers usually have them in cache ...

4 Likes

This sounds like a "Run, don't walk, and far away" kind of provider to me.

4 Likes