Invalid response from /.well-known/acme-challenge


#1

Hi,

My domain is: zerouk.me

I ran this command: /opt/letsencrypt/letsencrypt-auto

It produced this output:

Failed authorization procedure. www.zerouk.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.zerouk.com/.well-known/acme-challenge/pO5-WLZBGEfJ2GhaqyWokrkfluLgvn3yy8tnirvCmjE: "<!doctype html>\n\n<!--[if lt IE 7]> <html class="", zerouk.me (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://zerouk.me/.well-known/acme-challenge/tZolPtMXRZ2ff9BPWkxdjYiAJO_NUc966TCp1yJwYhQ: "<!doctype html>\n\n\n \n <meta http-equiv="Content-Type" content="text/html; charset=utf-8">\n <meta htt"

IMPORTANT NOTES:

My web server is (include version): apache2

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: soyoustart

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Additional info: domain provider: godaddy.com

So basically I’ve been trying to install SSL for 2 days but every time I try I get this result. I tried a dozen different proposed solutions found on Google with no success and tried to completely reinstall my server 2 times, each time following a different tutorial. Didn’t get more success. At this point I have no idea what I’m doing wrong.
http://zerouk.me works fine
Am I missing a configuration I should make in apache or didn’t create something I should have?
I found a lot of topics with a similar error but it was for the renewal of the certificate and not its creation.

Note: I’m a beginner on Linux so please be patient and indicate the command I must run. It’s also the first time I create a webserver so maybe I’m doing something wrong with the DNS A/AAAA records as Let’s Encrypt suggests?

Thanks a lot in advance for your help.


#2

Both of those domains have different IP addresses, and they’re both GoDaddy IP addresses, not from So you Start.

zerouk.com.      (insecure)  14172  A      97.74.234.72
www.zerouk.com.  (insecure)  14173  CNAME  zerouk.com.
zerouk.com.      (insecure)  14172  A      97.74.234.72

zerouk.me.       (insecure)  372    A      184.168.131.241
www.zerouk.me.   (insecure)  3373   CNAME  zerouk.me.
zerouk.me.       (insecure)  372    A      184.168.131.241

Is that correct?


#3

Which domain are you trying to get a certificate for? Both?

If you run just that command, certbot (which is the current name of the Let’s Encrypt official EFF client) would have asked you a lot of questions. What were the answers to those questions?

Alas, the software you’re running on your site seems to be the culprit. For example, for your .me domain:

osiris@desktop ~ $ curl -Lv http://www.zerouk.me/.well-known/acme-challenge/pO5-WLZBGEfJ2GhaqyWokrkfluLgvn3yy8tnirvCmjE
*   Trying 184.168.131.241...
* Connected to www.zerouk.me (184.168.131.241) port 80 (#0)
> GET /.well-known/acme-challenge/pO5-WLZBGEfJ2GhaqyWokrkfluLgvn3yy8tnirvCmjE HTTP/1.1
> Host: www.zerouk.me
> User-Agent: curl/7.49.0
> Accept: */*
> 
< HTTP/1.1 302 Found
< Connection: close
< Pragma: no-cache
< cache-control: no-cache
< Location: /OTcnZ/.well-known/acme-challenge/pO5-WLZBGEfJ2GhaqyWokrkfluLgvn3yy8tnirvCmjE
< 
* Closing connection 0
* Issue another request to this URL: 'http://www.zerouk.me/OTcnZ/.well-known/acme-challenge/pO5-WLZBGEfJ2GhaqyWokrkfluLgvn3yy8tnirvCmjE'
* Hostname www.zerouk.me was found in DNS cache
*   Trying 184.168.131.241...
* Connected to www.zerouk.me (184.168.131.241) port 80 (#1)
> GET /OTcnZ/.well-known/acme-challenge/pO5-WLZBGEfJ2GhaqyWokrkfluLgvn3yy8tnirvCmjE HTTP/1.1
> Host: www.zerouk.me
> User-Agent: curl/7.49.0
> Accept: */*
> 
< HTTP/1.1 302 Found
< Connection: close
< Pragma: no-cache
< cache-control: no-cache
< Location: /.well-known/acme-challenge/pO5-WLZBGEfJ2GhaqyWokrkfluLgvn3yy8tnirvCmjE
< 
* Closing connection 1
* Issue another request to this URL: 'http://www.zerouk.me/.well-known/acme-challenge/pO5-WLZBGEfJ2GhaqyWokrkfluLgvn3yy8tnirvCmjE'
* Hostname www.zerouk.me was found in DNS cache
*   Trying 184.168.131.241...
* Connected to www.zerouk.me (184.168.131.241) port 80 (#2)
> GET /.well-known/acme-challenge/pO5-WLZBGEfJ2GhaqyWokrkfluLgvn3yy8tnirvCmjE HTTP/1.1
> Host: www.zerouk.me
> User-Agent: curl/7.49.0
> Accept: */*
> 
< HTTP/1.1 404 Not Found
(...)
osiris@desktop ~ $

It redirects to a whole other directory: Location: /OTcnZ/.well-known/acme-challenge/...

And for your .com domain, the redirect is to HTTPS, no matter what the request was:

osiris@desktop ~ $ curl -Lv http://www.zerouk.com/.well-known/acme-challenge/pO5-WLZBGEfJ2GhaqyWokrkfluLgvn3yy8tnirvCmjE
*   Trying 97.74.234.72...
* Connected to www.zerouk.com (97.74.234.72) port 80 (#0)
> GET /.well-known/acme-challenge/pO5-WLZBGEfJ2GhaqyWokrkfluLgvn3yy8tnirvCmjE HTTP/1.1
> Host: www.zerouk.com
> User-Agent: curl/7.49.0
> Accept: */*
> 
< HTTP/1.1 302 Moved Temporarily
< Date: Sat, 27 Oct 2018 16:38:48 GMT
< Server: Apache/2.4.18 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4
< X-Powered-By: PHP/5.5.32
< Location: https://zerouk.com/
< Cache-Control: max-age=31536000
< Expires: Sun, 27 Oct 2019 16:38:48 GMT
< Vary: User-Agent
< Connection: keep-alive
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
< 
* Connection #0 to host www.zerouk.com left intact
osiris@desktop ~ $ 

See that Location header? Without the /.well-known/acme-challenge/ part? Looks like a broken redirect. Your redirect location should also include the request path. Unless this is on purpose. If so, you should exclude the /.well-known/acme-challenge/ path from that redirect.


#4

Oops! My bad. I made a mistake in the virtualhost: it’s not www.zerouk.com but www.zerouk.me. Corrected it.
@mnordhoff sorry, just mixed up. I’m renting a server at soyoustart and I bought the domain name at godaddy.

I don’t know what you mean there. What should I do?

It just asked one question. This is what came out after the command, just before what I posted in the first message:

root@Zerouk:~# /opt/letsencrypt/letsencrypt-auto
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: zerouk.me
2: www.zerouk.me
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.zerouk.me
http-01 challenge for zerouk.me
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges

Should I have gone for zerouk.me only? www.zerouk.me is only a ServerAlias in the virtualhost.


#5

Still, zerouk.me and www.zerouk.me also point at a GoDaddy IP address. Not a So you Start server.

(Some?) GoDaddy sites use a web server that sends weird HTTP redirects, and blocks some requests. Yours is one of them. It interferes with Let’s Encrypt HTTP validation.


#6

So what should I do?


#7

Just thought about one thing. If I remove the forwarding of my domain in the godaddy manager and add the domain in the secondary DNS manager by soyoustart, would that resolve the problem?


#8

The tools you’re using expect the DNS records to be pointed directly at the web server, not at a GoDaddy forwarding service, so making this happen would be a useful first step.


#9

Thanks for your help. Since the problem seems to be godaddy I bought another domain from OVH. I made it with this one and it works perfectly. Will keep this one.
Again, thanks a lot for your time and help.