Not from the public Internet. Or at least not from the locations I tested from, or from the Let's Encrypt servers. When you say it works, are you testing it from a machine on the local network? If so, maybe try a cell phone with WiFi disabled so you use your carrier's network.
That Javascript may be part of some anti-bot or anti-scraping software that is in front of your website. Let's Encrypt is a bot, almost by definition.
I can load, in a browser, http://maddemon.free.nf/.well-known/acme-challenge/fVZIayt3tvzoQ5aszdfkmHIlcd08f5dujKBwLn0n4Lo
But if I use curl, I get disconnected.
That makes me think there's anti-scraping going on.
Is there any way around it? What can I do to fix it in InfinityFree?
This is what LE sees:
curl http://maddemon.free.nf/.well-known/acme-challenge/fVZIayt3tvzoQ5aszdfkmHIlcd08f5dujKBwLn0n4Lo -A "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
<html><body><script type="text/javascript" src="/aes.js" ></script><script>function toNumbers(d){var e=[];d.replace(/(..)/g,function(d){e.push(parseInt(d,16))});return e}function toHex(){for(var d=[],d=1==arguments.length&&arguments[0].constructor==Array?arguments[0]:arguments,e="",f=0;f<d.length;f++)e+=(16>d[f]?"0":"")+d[f].toString(16);return e.toLowerCase()}var a=toNumbers("f655ba9d09a112d4968c63579db590b4"),b=toNumbers("98344c2eee86c3994890592585b49f80"),c=toNumbers("e972cd133ed8720dd2b4041d00461a69");document.cookie="__test="+toHex(slowAES.decrypt(c,2,a,b))+"; expires=Thu, 31-Dec-37 23:55:55 GMT; path=/"; location.href="http://maddemon.free.nf/.well-known/acme-challenge/fVZIayt3tvzoQ5aszdfkmHIlcd08f5dujKBwLn0n4Lo?i=1";</script><noscript>This site requires Javascript to work, please enable Javascript in your browser or use a browser with Javascript support</noscript></body></html>
And even after manually following the augmented paths ... it doesn't return the expected string:
curl http://maddemon.free.nf/.well-known/acme-challenge/fVZIayt3tvzoQ5aszdfkmHIlcd08f5dujKBwLn0n4Lo?i=1 -A "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
<html><body><script type="text/javascript" src="/aes.js" ></script><script>function toNumbers(d){var e=[];d.replace(/(..)/g,function(d){e.push(parseInt(d,16))});return e}function toHex(){for(var d=[],d=1==arguments.length&&arguments[0].constructor==Array?arguments[0]:arguments,e="",f=0;f<d.length;f++)e+=(16>d[f]?"0":"")+d[f].toString(16);return e.toLowerCase()}var a=toNumbers("f655ba9d09a112d4968c63579db590b4"),b=toNumbers("98344c2eee86c3994890592585b49f80"),c=toNumbers("e972cd133ed8720dd2b4041d00461a69");document.cookie="__test="+toHex(slowAES.decrypt(c,2,a,b))+"; expires=Thu, 31-Dec-37 23:55:55 GMT; path=/"; location.href="http://maddemon.free.nf/.well-known/acme-challenge/fVZIayt3tvzoQ5aszdfkmHIlcd08f5dujKBwLn0n4Lo?i=2";</script><noscript>This site requires Javascript to work, please enable Javascript in your browser or use a browser with Javascript support</noscript></body></ht
curl http://maddemon.free.nf/.well-known/acme-challenge/fVZIayt3tvzoQ5aszdfkmHIlcd08f5dujKBwLn0n4Lo?i=2 "MozMozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
Warning: Ignores instruction to use SSLv2
curl: (52) Empty reply from server
curl: (3) URL using bad/illegal format or missing URL
You might try a DNS challenge if you can update a TXT record in your DNS.
But, even if you get a cert, it looks like only clients that have JavaScript enabled would work. And maybe only clients that meet other criteria, as InfinityFree looks to be taking care to block requests.
The best solution is to have InfinityFree allow URIs for ACME HTTP challenges. ACME is an industry standard. They could just allow URIs with /.well-known/acme-challenge/
You could refer them to this forum for help.
Or, consider a hosting service that already supports free certificates.
I went to this page
https://dash.infinityfree.com/sslCertificates
It gave me an option for sslCertificates, I wrote my domain ( maddemon.free.nf ) under Domain Name and I clicked the advanced option after that, I selected Let'sEncrypt from the drop-down menu under SSL provider but it showed " The SSL provider Let's Encrypt does not support this domain name."
Which is a blatant lie. And also:
(this means you should look for a better hosting provider)
InfinityFree uses a DNS challenge to get a wildcard cert from Let's Encrypt. But, you have not set up your DNS as they instruct.
free.nf is their own domain with their own DNS.
I registered and it really does not like Let's Encrypt.
It wants to give me a certificate from GTS, though. I say it wants to because they still haven't triggered a validation.
Let's see how long they make me wait.
So, are those docs I linked incorrect?
Because the first couple of paragraphs say to use a DNS challenge even for custom names. And only that their DNS servers are easier, not that they are required.
Those docs also say you get to choose which CA. Doesn't it offer that?
They are correct, but they don't (currently?) work if you want a Let's Encrypt certificate; they bring you literally to where OP was told "The SSL provider Let's Encrypt does not support this domain name."
It does.
Ouch.
I also saw a post from a moderator in their forum saying they don't support intermediate certs. This is a major limitation.
Here are just a couple of forum posts from the "Owner of InfinityFree". I couldn't quickly find the one from the mod I saw earlier.
I'm not sure I want to know what that means. They send the leaf certificate and that's it?
I think that's what they mean. The "owner" talked about not needing intermediates because browsers usually have them in cache ...
This sounds like a "Run, don't walk, and far away" kind of provider to me.
@MadDemon eventually, it works, but you have to use GTS instead of Let's Encrypt.
It's all automatic but it takes a few hours and it wants you to hit buttons manually.
It still is messed up, though. So check whether you have alternatives. SSL Server Test: wordsoneafteranother.free.nf (Powered by Qualys SSL Labs)
I see that. This confirms they send only the leaf and no intermediates. Not good.
A quicker but less detailed check than SSL Labs
Thanks, but I went with another option; I needed Let's Encrypt.
Well, I found a solution for adding a Let's Encrypt SSL certificate manually in InfinityFree.
Step 1.
Choose the certbot DNS challenge:
certbot certonly --manual --preferred-challenges dns -d "*.YourDomain"
Subdomains work fine too, for example: certbot certonly --manual --preferred-challenges dns -d "*.maddemon.free.nf"
output:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:
_acme-challenge.maddemon.free.nf.
with the following value:
M6DRvcOBx6_apw_CGHR7VgqHBRSgE3586Q1c-plEWU4
Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.maddemon.fr
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Step 2.
Log in to your InfinityFree cPanel, scroll to the bottom and click on the CNAME.
Step 3.
In the "Record Name" box enter "_acme-challenge", in "Domains" leave the default, and in the "Destination" box enter the value that certbot provided, for example: "M6DRvcOBx6_apw_CGHR7VgqHBRSgE3586Q1c-plEWU4"
Step 4.
Don't press Enter yet...
Check whether the DNS has updated yet:
nslookup -type=TXT _acme-challenge.maddemon.free.nf
because the DNS usually takes 1 to 2 or more hours to update.
Keep the certbot verification window open in the background