Invalid response from mydomain.net


#1

Hello everybody

I installed certbot on my root and I executed the webroot command

certbot certonly --webroot -w /var/www/ -d www.teamquantos.net -d teamquantos.net

and got this error:

Failed authorization procedure. teamquantos.net (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://teamquantos.net/.well-known/acme-challenge/2B8CqePO9gP25ndhrmDSJCSqqO12IeMmviWYrR9xDXY: "

404 Not Found

Not Found

<p", www.teamquantos.net (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.teamquantos.net/.well-known/acme-challenge/Mb7NcBw5EfBwplYpV1sON3S6rS7sJWcMh88Fe838cTQ: " 404 Not Found

Not Found

<p"

IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: teamquantos.net
Type: unauthorized
Detail: Invalid response from
http://teamquantos.net/.well-known/acme-challenge/2B8CqePO9gP25ndhrmDSJCSqqO12IeMmviWYrR9xDXY:
"

404 Not Found

Not Found

<p"

Domain: www.teamquantos.net
Type: unauthorized
Detail: Invalid response from
http://www.teamquantos.net/.well-known/acme-challenge/Mb7NcBw5EfBwplYpV1sON3S6rS7sJWcMh88Fe838cTQ:
"

404 Not Found

Not Found

<p"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.

I already tried creating a file in my .well-known directory named “test” and wrote in it “ok” and executed this command (stolen from another helping post from @serverco )

curl -I http://teamquantos.net/.well-known/test

this gave me this message:

302 Found

Found

The document has moved "https://teamquantos.net/.well-known/test/" here.

How do I continue now?

I am using apache2 on a debian 8 root.


#2

Hi @asdf1414, could you try a similar test in /.well-known/acme-challenge rather than just /.well-known?


#3

So I created the “acme-challenge” directory and put the “test” file in there and got this output
(executed command: curl -I http://teamquantos.net/.well-known/acme-challenge/test)

HTTP/1.1 302 Found
Date: Thu, 16 Feb 2017 22:51:06 GMT
Server: Apache/2.4.10 (Debian)
Location: https://teamquantos.net/.well-known/acme-challenge/test
Content-Type: text/html; charset=iso-8859-1


#4

What does curl -I https://teamquantos.net/.well-known/acme-challenge/test do?


#5

I posted that ouput in the upper post


#6

You posted the output of curl -I http://teamquantos.net/.well-known/acme-challenge/test, which responds with a redirect to https://teamquantos.net/.well-known/acme-challenge/test.

curl -I https://teamquantos.net/.well-known/acme-challenge/test gives a 404 Not Found error, as shown in Let’s Encrypt’s original error message.

It looks like you need to change your web server configuration in one of two ways:

  • Configure the HTTP vhosts not to redirect requests to /.well-known/acme-challenge/ to HTTPS.
  • Configure the HTTPS vhosts to serve files in /.well-known/acme-challenge/ from /var/www.

If you post your web server configuration, and which path you’d prefer to take, we should be able to help you configure it. :slight_smile:


#7

So which configuration from which path do you now actually want to see? because in /var/www/.well-known/acme-challenge is only this “test” file.

and “curl -I https://teamquantos.net/.well-known/acme-challenge/test” gives me

curl: (51) SSL: no alternative certificate subject name matches target host name ‘teamquantos.net


#8

With -k you can tell curl to ignore that. Let’s Encrypt will do so too :slight_smile: It even accepts self-signed certificates.

Anyway, the 404 error is legit. That’s because although you already have a redirect in place for teamquantos.net to HTTPS, your webserver currently isn’t “listening” on HTTPS for teamquantos.net, but for mail.teamquantos.net! And your “Mailcow” probably has a different webroot as the webroot you’re pointing certbot at.

So you’ve got a few options, just like @mnordhoff already said. You can:

  • Modify your current HTTP -> HTTPS redirect in Apache to ignore everything that begins with /.well-known/acme-challenge
  • Add a HTTPS <VirtualHost> configuration for teamquantos.net which points to the correct webroot;
  • Don’t use the webroot authenticator, but the apache authenticator which uses the tls-sni-01 challenge.

Which one you choose depends on how comfortable you are with manually configuring your Apache (for option 1 or 2) or if option 3 didn’t work for you in the past (perhaps we can fix that?)


#9

So for the first option. How can I configure this?


#10

First you need to identify where the current redirect code is. To know that, if you don’t know how or where to look, we’ll need more understanding about the architecture of your server… What OS is it? Is it a “standard” installation of Apache or custom? That sort of things…


#11

First I installed a mailserver and this installed apache2 aswell so idk if there was something special that mailcow installed with the mailserver. And I am using Debian 8 jessie


#12

You just followed the guide on https://mailcow.email/ from the How to install? section?


#13

Yes, I watched a Video and they made it the same as the “how to install” on the mailcow website


#14

OK, very interesting software. It takes care of all the installation and configuring.

Did you already add a configuration file to Apache and made a document root for the intended site for teamquantos.net?


#15

I didn’t add anything to the webserver


#16

Well, there’s your problem. Currently, the only thing on your webserver is Mailcow. And the Apache configuration file for the webmail has the redirect in place. But this redirect should be only for mail.teamquantos.net.

The reason you’re getting a redirect for teamquantos.net too is because you don’t have that hostname configured! The only thing currently configured on your webserver is mail.teamquantos.net. If you want to use the webroot plugin, you need to configure your Apache to actually have a site for teamquantos.net.

But I’m quite puzzled now… You want a certificate for teamquantos.net and www.teamquantos.net, but you don’t have a site configured for it? Why do you need the certificate if you don’t have a site which will use it?


#17

Well if I type in teamquantos.net in my browser, google chrome tells me this is not a safe website so I can’t check if there is a webserver configured for teamquantos.net or not but I think there is. Can I check that?

Should I try to install apache2 again or in another way?


#18

If you look at the error message closely, you’ll see why:

This server could not prove that it is teamquantos.net; its security certificate is from mail.teamquantos.net.

Did someone configure your Apache for you to add a site for teamquantos.net?

Anyway, to check the currently configured sites, you can run a2dissite:

echo $'\cc' | a2dissite

(The first bunch is so the program will quit by itself so you don’t have to manually press Ctrl-C…)

Reinstalling Apache won’t produce a site out of nothing I’m afraid :slight_smile:


#19

I ran the a2dissite command and got this output:

Your choices are: 000-0-mailcow 000-default
Which site(s) do you want to disable (wildcards ok)?
ERROR: Site does not exist!


#20

Hmm, interesting, don’t know where the 000-default comes from… Probably Debians default. I’m don’t have much experience with Debian (or distro’s based upon Debian), but what I can tell that doesn’t help you further… (Unless someone modified 000-default.conf.)

Looks like you don’t have a site for teamquantos.net set up!

Question remains though: if you don’t have a site set up for teamquantos.net, why do you want a TLS certificate for the hostname?

Because if you do want a site for those domain names, setting that up is probably beyond the scope of this forum.

But if you need the certificates for something else, we’ll be happy to help you with that :slight_smile: