Invalid response from

bblana · 2019-02-05 13:08:36 UTC

Hi, I have a probleme with my ACME-challenge, so I get no certificate. I tried with:

certbot --apache -d www.urlaub-norden-norddeich.de -d urlaub-norden-norddeich.de

I got the answer:

Performing the following challenges:
http-01 challenge for urlaub-norden-norddeich.de
http-01 challenge for www.urlaub-norden-norddeich.de
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.urlaub-norden-norddeich.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.urlaub-norden-norddeich.de/.well-known/acme-challenge/SKYHO6ndWmyjzWQumImvdin7n1N0CGsPAzF3MiIzGU4: “\n\n404 Not Found\n\n

Not Found

\n<p”

nslookups for both URL’s are OK.
What could be the reason for that answer?

Bernd

rg305 · 2019-02-05 14:16:17 UTC

The method used has placed the authentication challenge response token in an incorrect location.
Why?
That is hard to say. But something may have changed (even just slightly).
Or the certbot plugin was updated and now doesn’t understand your config precisely.

You could troubleshoot it better by adding more detail to the logs and uploading them here (if needed):

certbot -vvv --apache -d www.urlaub-norden-norddeich.de -d urlaub-norden-norddeich.de

Or you could try removing the --apache plugin and replace it with --webroot -w /your/site/root

rg305 · 2019-02-05 14:21:36 UTC

Sorry, I thought you were having trouble renewing a cert.
But I see now that is your first one.

The --apache plugin can’t “understand” where to put the response token.

bblana · 2019-02-05 15:46:05 UTC

why it works with
urlaub-norden-norddeich.de
, and not with www.urlaub-norden-norddeich.de ? By the first url I get an “status”: “valid”,

rg305 · 2019-02-05 17:34:34 UTC

I would have to see the entire config to understand why it works with one and not the other.

JuergenAuer · 2019-02-05 17:59:54 UTC

Hi @bblana

you have a curious configuration ( https://check-your-website.server-daten.de/?q=urlaub-norden-norddeich.de ):

Domainname	Http-Status	redirect	Sec.	G
• http://urlaub-norden-norddeich.de/
5.9.174.92	301	http://www.urlaub-norden-norddeich.de/	0.063	D

• http://www.urlaub-norden-norddeich.de/
5.9.174.92	200		0.046	H

• https://urlaub-norden-norddeich.de/
5.9.174.92	-4		0.080	W
SendFailure - The underlying connection was closed: An unexpected error occurred on a send. The handshake failed due to an unexpected packet format.

• https://www.urlaub-norden-norddeich.de/
5.9.174.92	-4		0.080	W
SendFailure - The underlying connection was closed: An unexpected error occurred on a send. The handshake failed due to an unexpected packet format.

• http://urlaub-norden-norddeich.de:443/
5.9.174.92	200		0.047	Q

• http://www.urlaub-norden-norddeich.de:443/
5.9.174.92	200		0.043	Q

• http://urlaub-norden-norddeich.de/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
5.9.174.92	301	http://www.urlaub-norden-norddeich.de/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de	0.057	D

• http://www.urlaub-norden-norddeich.de/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
5.9.174.92	404		0.043	A
Not Found

Your non-www is redirected to www, your port 443 sends http content, not https.

So it looks that Certbot doesn’t understand your configuration. I don’t understand why non-www works, but www fails.

Share your Apache config file. And share the output of

certbot --version

schoen · 2019-02-05 18:03:36 UTC

One thing that @joohoi has recently determined is that in many cases where --apache fails to satisfy the HTTP-01 challenge, there are multiple Apache virtualhosts with overlapping coverage (in the sense that they potentially refer to the same hosts or paths). In this case Certbot doesn’t know for sure which one to use for the challenge, and it guesses one, which may be wrong.

This is a likely explanation for most recent cases of 404 errors with --apache. The behavior will be changed in an upcoming release of Certbot so that all potentially relevant virtualhosts are modified to be capable of passing the challenge, but I would agree that it’s potentially a symptom of an ambiguous Apache configuration in which the existing virtualhosts weren’t entirely as intended.

bblana · 2019-02-06 10:39:44 UTC

Here is the output:

certbot --version
certbot 0.28.0
And there are the apache2.conf, ssl.conf and the urlaub-norden-norddeich.de.conf files. If you need more, please let me know.

Bernd

apache2.conf.txt (7.1 KB)
ssl.conf.txt (6.3 KB)
urlaub-norden-norddeich.de.conf.txt (582 Bytes)

JuergenAuer · 2019-02-06 15:33:20 UTC

In your log, there is your DocumentRoot /var/www/urlaub-norden-norddeich.de

So use that:

certbot run -a webroot -i apache -w /var/www/urlaub-norden-norddeich.de -d urlaub-norden-norddeich.de -d www.urlaub-norden-norddeich.de

bblana · 2019-02-06 15:47:55 UTC

I tried that, but it comes the same error.

Bernd

bblana · 2019-02-06 15:54:24 UTC

I made the check with urlaub-norden-norddeich.de/.well-known/acme-challenge/test, but in this case with https:// in front. Both URL’s shows a

success

JuergenAuer · 2019-02-06 15:56:51 UTC

http + non www works

http + www doesn’t work.

But you have

    ServerName www.urlaub-norden-norddeich.de
    ServerAlias urlaub-norden-norddeich.de

so both should use the same config.

So it looks that you have another VirtualHost which is used instead.

bblana · 2019-02-06 16:11:30 UTC

I switched all server names to:

ServerName urlaub-norden-norddeich.de

and Alias to:

ServerAlias www.urlaub-norden-norddeich.de
and now it works, I have the certifikates.
Thanks
Bernd

rg305 · 2019-02-07 00:12:40 UTC

I believe the conflict may have been caused by also using:
ServerName www.urlaub-norden-norddeich.de
in the apache2.conf file.

The actual ServerName serves no real purpose there.
You could just as easily replace it with the Internet IP address or localhost.