Invalid response from wellknown request while it's working actually

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
masterway.cc

I ran this command:
certbot certonly --dry-run --installer=nginx -d masterway.cc

It produced this output:

[iZ2318zhx0tZ]/tmp # certbot certonly --dry-run --installer=nginx -d masterway.cc
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Nginx Web Server plugin (nginx)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 3
Plugins selected: Authenticator webroot, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for masterway.cc
Input the webroot for masterway.cc: (Enter 'c' to cancel): /var/www/letsencrypt/
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. masterway.cc (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://masterway.cc/.well-known/acme-challenge/E9Wl2Dm0_5JFPGuDY0OH8KkCo02olzwG0kSFFKLMVIQ [114.55.53.118]: "<html>\n<head>\n<meta http-equiv=\"Content-Type\" content=\"textml;charset=UTF-8\" />\n   <style>body{background-color:#FFFFFF}</style>"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: masterway.cc
   Type:   unauthorized
   Detail: Invalid response from
   http://masterway.cc/.well-known/acme-challenge/E9Wl2Dm0_5JFPGuDY0OH8KkCo02olzwG0kSFFKLMVIQ
   [114.55.53.118]: "<html>\n<head>\n<meta http-equiv=\"Content-Type\"
   content=\"textml;charset=UTF-8\" />\n
   <style>body{background-color:#FFFFFF}</style>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version):
nginx/1.8.1

The operating system my web server runs on is (include version):
Ubuntu 14.04

My hosting provider, if applicable, is:
aliyun

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0

Detail:
I have tried all following ways, and no luck,
1: Nginx Web Server plugin (nginx)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)

actually, all I want is to renew the cert, and btw I can get data from the .wellknown like:

wget --no-check-certificate http://masterway.cc/.well-known/acme-challenge/hello.html

is there anything I have missed or any steps needed to be taken? any information is appreciated.

Hi @huangtao

checking your domain there is a http status 403 - Forbidden ( https://check-your-website.server-daten.de/?q=masterway.cc ):

Domainname Http-Status redirect Sec. G
http://masterway.cc/
114.55.53.118 403 0.470 M
Forbidden
http://www.masterway.cc/
114.55.53.118 403 0.467 M
Forbidden
https://masterway.cc/
114.55.53.118 200 2.410 N
Certificate error: RemoteCertificateChainErrors
https://www.masterway.cc/
114.55.53.118 502 2.426 N
Bad Gateway
Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors
http://masterway.cc/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
114.55.53.118 403 0.436 M
Forbidden
Visible Content:
http://www.masterway.cc/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
114.55.53.118 403 0.436 M
Forbidden

But checking your test page

and the own check

http://masterway.cc/.well-known/acme-challenge/unknown-file

manual there is a blocking result:


    该网站暂时无法访问

    尊敬的用户,您好

    很抱歉,该网站暂时无法访问,可能由以下原因导致:

    原因一:未备案或未接入;根据《非经营性互联网信息服务备案管理办法》,网站需要完成备案或接入。

    原因二:网站内容与备案信息不符或备案信息不准确;根据《非经营性互联网信息服务备案管理办法》,网站内容需要与备案信息一致,且备案信息需真实有效。建议网站管理员尽快修改网站信息。

    点此进入备案管理平台

The english version:


A Kindly Reminder

    The website is unable to access for the moment

    Sorry, the website is unable to access for the moment. According to the filing 
requirements of China's Ministry of Industry and Information Technology (MIIT), 
the website is accessible only if the ICP information is accurate and the 
ICP license is filed.Please contact the person in charge of the 
website for assisstance.

    Click here to get more details about ICP Filing.

Something you have to do before your website works.

You may use dns-01 validation, then you don’t need a running webserver.

1 Like

Thanks @JuergenAuer, I am busy on it.

Now, due to the paper-work-need reason, I actually want, now ,all my https would pass lets encrypt check or just ignore it and give out the blocking result to user, Is there any way I can do that?

By now, I have delete some letsencrypt files by

 certbot delete --cert-name masterway.cc

And restore my Nginx configure file to normal http, still got failed by CA check, is there some thing I should do with letsencrypt-side files?

Make a backup of your config files.

Then remove all symbolic links in /sites-enabled. Then restart your nginx.

I see only this A Kindly Reminder - text

PS: Sorry - remove only all symbolic links to https configurations. Not all.

1 Like

Thanks @JuergenAuer, for your reply, we have get cert succesfully renewed using dns-challenge as you advised, simple and effectively, and what a great work you guys have done on letsencrypt, thanks again, sincerely。

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.