Invalid response using certbot in Ubuntu


#1

My domain is: zen02.newnet.cf

I ran this command:

It produced this output: sudo certbot certonly -n --agree-tos --register-unsafely-without-email --standalone -d zen02.nwenet.cf

My web server is (include version): no web server

The operating system my web server runs on is (include version): ubuntu 16

My hosting provider, if applicable, is: huaweicloud

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): SecureCRT


#2

Thank you! I am here to ask for help.
I used a digital certificate for the first time, and now I have a problem and I don’t know how to solve it.
I registered two domain names, zen01.newnet.cf and zen02.newnet.cf, which resolve to two IP addresses: 114.115.136.61 and 114.116.69.45. They are two cloud servers located in mainland China. The servers do not run an http service.
I use the following command to get the certificate:

sudo certbot certonly -n --agree-tos --register-unsafely-without-email --standalone -d zen02.newnet.cf

And on September 16th, the certificate was obtained successfully. But then getting the certificate for ‘zen02.newnet.cf’ always fails. Even if the domain name is resolved to a server that has already succeeded, it fails. See the error message:

zenops@zen02:~$ sudo certbot certonly -n --agree-tos --register-unsafely-without-email --standalone -d zen02.newnet.cf
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for zen.newnet.cf
Waiting for verification...

Exception happened during processing of request from ('::ffff:66.133.109.36', 53236, 0, 0)
Traceback (most recent call last):
  File "/usr/lib/python3.5/socketserver.py", line 313, in _handle_request_noblock
    self.process_request(request, client_address)
  File "/usr/lib/python3.5/socketserver.py", line 341, in process_request
    self.finish_request(request, client_address)
  File "/usr/lib/python3.5/socketserver.py", line 354, in finish_request
    self.RequestHandlerClass(request, client_address, self)
  File "/usr/lib/python3/dist-packages/acme/standalone.py", line 206, in __init__
    BaseHTTPServer.BaseHTTPRequestHandler.__init__(self, *args, **kwargs)
  File "/usr/lib/python3.5/socketserver.py", line 681, in __init__
    self.handle()
  File "/usr/lib/python3/dist-packages/acme/standalone.py", line 215, in handle
    BaseHTTPServer.BaseHTTPRequestHandler.handle(self)
  File "/usr/lib/python3.5/http/server.py", line 422, in handle
    self.handle_one_request()
  File "/usr/lib/python3.5/http/server.py", line 410, in handle_one_request
    method()
  File "/usr/lib/python3/dist-packages/acme/standalone.py", line 221, in do_GET
    self.handle_simple_http_resource()
  File "/usr/lib/python3/dist-packages/acme/standalone.py", line 246, in handle_simple_http_resource
    self.end_headers()
  File "/usr/lib/python3.5/http/server.py", line 524, in end_headers
    self.flush_headers()
  File "/usr/lib/python3.5/http/server.py", line 528, in flush_headers
    self.wfile.write(b"".join(self._headers_buffer))
  File "/usr/lib/python3.5/socket.py", line 593, in write
    return self._sock.send(b)
ConnectionResetError: [Errno 104] Connection reset by peer

Cleaning up challenges
Failed authorization procedure. zen02.newnet.cf (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://zen02.newnet.cf/.well-known/acme-challenge/L2rMm_426Z31acyJXzPzN5QA-Wb9znjLqZz1qV9b108:
q%!(EXTRA string=


body{background-color:#FFFFFF}</sty)

IMPORTANT NOTES:


#3

Hi @weixw

If you want to use http-01 validation, your server must have port 80 (http) open. But http is closed, so this cannot work.

I see you have a certificate for zen01.newnet.cf, created 2018-09-16.

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:zen01.newnet.cf&lu=cert_search

But I see two different IP addresses:

D:\temp>nslookup zen01.newnet.cf.
Name:    zen01.newnet.cf
Address:  114.115.136.61

D:\temp>nslookup zen02.newnet.cf.
Name:    zen02.newnet.cf
Address:  114.116.69.45

Perhaps you can use dns-01 validation.


#4

There is an ambiguity about whether @weixw meant that the server doesn’t normally listen on port 80, or that the server isn’t allowed to listen on port 80. In the first case, that isn’t a problem because --standalone will listen on port 80 for you. In the second case, it is a problem because the inbound connections on port 80 from the CA won’t succeed.

Some Chinese ISPs restrict inbound connections on web ports by default because of government licensing regulations about the ability to run web sites. If this is so and your use of port 80 is being restricted, then @JuergenAuer’s reply is exactly right. You would have to use the DNS challenge method instead.
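The distinction schoen draws (port 80 merely idle versus port 80 filtered upstream) can be settled from outside before asking the CA again: an http-01 validator simply fetches http://DOMAIN/.well-known/acme-challenge/TOKEN over port 80 and expects the body to be exactly the key authorization (RFC 8555 section 8.3). The following pre-flight checker is an added example, not code from this thread, from certbot or from Let's Encrypt; the function names, the `http01-preflight` user agent and the classification labels are my own, and it assumes the token file is being served by whatever currently listens on port 80 (or that it is run from an outside vantage point while the standalone server is waiting). The useful part is that it distinguishes "nothing listening" from "something else answered with an HTML page", which is what a provider-side block looks like to the validator.

```python
import urllib.error
import urllib.request
from typing import Tuple

# Path an ACME validator fetches for http-01 (RFC 8555 section 8.3).
WELL_KNOWN = "/.well-known/acme-challenge/"


def classify_http01_response(status: int, body: bytes, key_authorization: str) -> str:
    """Classify what an ACME validator would make of a challenge response.

    Returns one of (labels are this example's own, not ACME error codes):
      "ok"           200 and the body is exactly the key authorization
      "unreachable"  no HTTP response at all (status 0 from fetch_challenge)
      "not-found"    404: port 80 is reachable, but nothing serves the challenge path
      "intercepted"  an HTML page answered instead of the token (a filter, proxy
                     or default page sits in front of the host)
      "mismatch"     something else answered (another host, stale content)
    """
    if status == 0:
        return "unreachable"
    text = body.strip()  # validators tolerate trailing whitespace
    if status == 200 and text == key_authorization.encode("ascii"):
        return "ok"
    if status == 404:
        return "not-found"
    head = text[:512].lower()
    if b"<!doctype" in head or b"<html" in head or b"<style" in head:
        return "intercepted"
    return "mismatch"


def fetch_challenge(domain: str, token: str, timeout: float = 10.0) -> Tuple[int, bytes]:
    """Fetch the challenge URL over plain HTTP on port 80, as an external validator does.

    Returns (status, body); status 0 means no HTTP response could be obtained.
    """
    url = "http://" + domain + WELL_KNOWN + token
    req = urllib.request.Request(url, headers={"User-Agent": "http01-preflight"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:  # 4xx/5xx responses still carry a body
        return err.code, err.read()
    except (urllib.error.URLError, OSError):  # refused, timed out, DNS failure
        return 0, b""


def preflight(domain: str, token: str, key_authorization: str) -> str:
    """Run the fetch and the classification together."""
    status, body = fetch_challenge(domain, token)
    return classify_http01_response(status, body, key_authorization)


if __name__ == "__main__":
    import sys
    # usage: python3 http01_preflight.py DOMAIN TOKEN TOKEN.THUMBPRINT
    # (hypothetical file name; the three arguments are placeholders you supply)
    print(preflight(sys.argv[1], sys.argv[2], sys.argv[3]))
```

Run from a host outside the provider's network, "unreachable" points at a firewall or a missing listener, "not-found" means port 80 is open but the token is not served, and "intercepted" means a page was substituted in transit, in which case no amount of local configuration will make http-01 pass and dns-01 is the way out.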


#5

Thank you for your answer!
Yes, the server does not have an http (apache) daemon, but the server firewall allows access to port 80.
I will change the domain name and try again.


#6

I tested several domain names. They all failed in the same way.


#7

How did you create this

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:zen01.newnet.cf&lu=cert_search

certificate with zen01.newnet.cf - created 2018-09-16?

Doesn’t the same work with other domains?


#8

Yes, the same operation.
I guess it may be that the service provider prohibits access to all unfiled domains.
However, the successful one may be because the service provider fell asleep for a little while. :smile:
After the Mid-Autumn Festival, I will ask the service provider.
Because when I installed Apache, the result of visiting the site was as follows:

After I changed the port to 90 and accessed it by IP address:


#9

Is there a link to an English version?

An older post had a similar picture. There may be a special permission required (political, not IT).


#10

I start up Apache now.
You can access the site to compare it in different ways:

http://znode01.newnet.cf.
or
http://114.116.69.45

It may be only in Chinese; you can use Google to translate it into English.


#11

Yep - now I can read it.

Tips: The site is temporarily unavailable

Dear users, Hello:

Sorry, this site is temporarily unavailable and may be caused by the following reasons:
Reason one

Your website has not been filed. According to the “Administrative Measures for the Recording of Non-Operating Internet Information Services”, the website needs to be archived and accessed. The Ministry of Industry and Information Technology records the enquiry point to enter.
Reason two

The content of the website does not match the filing information or the filing information is inaccurate; according to the “Administrative Measures for the Recording of Non-operating Internet Information Services”, the content of the website needs to be consistent with the filing information, and the filing information needs to be true and effective. It is recommended that the webmaster modify the website information as soon as possible.
This page is the default prompt page. If the above problems exist on the website, please handle it in time. Please contact your service provider for website registration.

So if this is a public website, you have to fulfill these requirements.


#12

However, you can still get a certificate from Let’s Encrypt without registering with the government: you can use the DNS-01 challenge method, which involves creating DNS TXT records instead of creating a file on your web site. Ideally, your DNS provider would support an API which lets your client application create these records from software.

I guess it will be difficult to subsequently host the web site within China without complying with the registration law. :cry:
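The TXT record schoen describes is fully determined by two values the client already has: the challenge token and the JWK thumbprint of the ACME account key. The acme.sh debug log later in this thread prints both (the keyauthorization and txt lines). The following is an added example, not code from this thread, from certbot or from acme.sh: it computes the record name and value as RFC 8555 section 8.4 specifies (base64url of the SHA-256 of the key authorization, without padding) and checks a resolver's answer against it, so you can confirm the record is visible before the CA asks. Function names and the sample token/thumbprint in the main block are mine.

```python
import base64
import hashlib
from typing import Iterable


def key_authorization(token: str, thumbprint: str) -> str:
    """token + "." + base64url JWK thumbprint of the account key (RFC 8555 section 8.1)."""
    return token + "." + thumbprint


def dns01_txt_value(key_auth: str) -> str:
    """TXT record data for dns-01: base64url(SHA-256(key authorization)) with the
    '=' padding removed (RFC 8555 section 8.4). A 32-byte digest gives 43 characters."""
    digest = hashlib.sha256(key_auth.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def txt_record_name(domain: str) -> str:
    """The name the CA queries: _acme-challenge. prefixed to the identifier."""
    return "_acme-challenge." + domain.rstrip(".")


def record_present(published: Iterable[str], expected: str) -> bool:
    """Check TXT strings as a resolver returns them (for example the lines printed by
    `dig +short TXT _acme-challenge.example.com`) for the expected value. Resolver
    output usually wraps each string in double quotes, so those are stripped first."""
    return any(line.strip().strip('"') == expected for line in published)


if __name__ == "__main__":
    # Constructed values for illustration; in practice token and thumbprint come from
    # the ACME challenge object or the client's debug log.
    sample_token = "example-token"
    sample_thumbprint = "example-thumbprint"
    ka = key_authorization(sample_token, sample_thumbprint)
    print(txt_record_name("example.com"), "IN TXT", dns01_txt_value(ka))
```

Because the value is a hash of the key authorization, it changes with every new challenge, so a record left over from an earlier attempt will never satisfy a new one; also note that the CA resolves the name through the public DNS, so what matters is the answer an outside resolver returns after the provider's propagation delay, not what the provider's API reports immediately.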


#13

Thank you!
How do I do it? For example, how do I install the DNS plugin ‘certbot-dns-cloudxns’? Do I need to install Docker first? It feels a bit complicated.


#14

Who is your DNS provider?

Right now only some methods of installing Certbot include DNS plugins. If yours doesn’t, you can use the Docker method or you can try using acme.sh instead of Certbot.


#15

I have installed ‘certbot’ before.
I changed DNS provider to the ‘cloudxns’ for DNS-01 now.


#16

Hello,

You need to complete the website ICP filing (备案) before you can validate with http-01… otherwise Alibaba Cloud, or any cloud that follows Chinese regulations, will intercept the request.

Otherwise, please use dns-01 for validation.

@schoen @JuergenAuer the issue is… China blocks almost every site that’s hosted on a mainland server (without a proper ICP license); the OP currently does not have an ICP license for his domain name… and indeed the site was blocked (and replaced with the default ugly error page).

Thanks


#17

Thanks.
Now, using the DNS-01 method, the following error occurs again:

zenops@hwsafe03:~$ sudo .acme.sh/acme.sh --issue --dns dns_cx -d zen02.newnet.cf --debug
[Sun Sep 23 17:03:17 CST 2018] Lets find script dir.
[Sun Sep 23 17:03:17 CST 2018] SCRIPT='.acme.sh/acme.sh'
[Sun Sep 23 17:03:17 CST 2018] _script='/home/zenops/.acme.sh/acme.sh'
[Sun Sep 23 17:03:17 CST 2018] _script_home='/home/zenops/.acme.sh'
[Sun Sep 23 17:03:17 CST 2018] Using default home:/home/zenops/.acme.sh
[Sun Sep 23 17:03:17 CST 2018] Using config home:/home/zenops/.acme.sh


v2.8.0
[Sun Sep 23 17:03:17 CST 2018] _main_domain='zen02.newnet.cf'
[Sun Sep 23 17:03:17 CST 2018] _alt_domains='no'
[Sun Sep 23 17:03:17 CST 2018] Using config home:/home/zenops/.acme.sh
[Sun Sep 23 17:03:17 CST 2018] ACME_DIRECTORY='https://acme-v01.api.letsencrypt.org/directory'
[Sun Sep 23 17:03:17 CST 2018] DOMAIN_PATH='/home/zenops/.acme.sh/zen02.newnet.cf'
[Sun Sep 23 17:03:17 CST 2018] Using ACME_DIRECTORY: https://acme-v01.api.letsencrypt.org/directory
[Sun Sep 23 17:03:17 CST 2018] _init api for server: https://acme-v01.api.letsencrypt.org/directory
[Sun Sep 23 17:03:17 CST 2018] GET
[Sun Sep 23 17:03:17 CST 2018] url='https://acme-v01.api.letsencrypt.org/directory'
[Sun Sep 23 17:03:17 CST 2018] timeout=
[Sun Sep 23 17:03:17 CST 2018] _CURL='curl -L --silent --dump-header /home/zenops/.acme.sh/http.header -g '
[Sun Sep 23 17:03:18 CST 2018] ret='0'
[Sun Sep 23 17:03:18 CST 2018] ACME_KEY_CHANGE='https://acme-v01.api.letsencrypt.org/acme/key-change'
[Sun Sep 23 17:03:18 CST 2018] ACME_NEW_AUTHZ='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Sun Sep 23 17:03:18 CST 2018] ACME_NEW_ORDER='https://acme-v01.api.letsencrypt.org/acme/new-cert'
[Sun Sep 23 17:03:18 CST 2018] ACME_NEW_ACCOUNT='https://acme-v01.api.letsencrypt.org/acme/new-reg'
[Sun Sep 23 17:03:18 CST 2018] ACME_REVOKE_CERT='https://acme-v01.api.letsencrypt.org/acme/revoke-cert'
[Sun Sep 23 17:03:18 CST 2018] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
[Sun Sep 23 17:03:18 CST 2018] ACME_NEW_NONCE
[Sun Sep 23 17:03:18 CST 2018] ACME_VERSION
[Sun Sep 23 17:03:18 CST 2018] _on_before_issue
[Sun Sep 23 17:03:18 CST 2018] _chk_main_domain='zen02.newnet.cf'
[Sun Sep 23 17:03:18 CST 2018] _chk_alt_domains
[Sun Sep 23 17:03:18 CST 2018] Le_LocalAddress
[Sun Sep 23 17:03:18 CST 2018] d='zen02.newnet.cf'
[Sun Sep 23 17:03:18 CST 2018] Check for domain='zen02.newnet.cf'
[Sun Sep 23 17:03:18 CST 2018] _currentRoot='dns_cx'
[Sun Sep 23 17:03:18 CST 2018] d
[Sun Sep 23 17:03:18 CST 2018] config file is empty, can not read CA_KEY_HASH
[Sun Sep 23 17:03:18 CST 2018] Using config home:/home/zenops/.acme.sh
[Sun Sep 23 17:03:18 CST 2018] ACME_DIRECTORY='https://acme-v01.api.letsencrypt.org/directory'
[Sun Sep 23 17:03:18 CST 2018] _init api for server: https://acme-v01.api.letsencrypt.org/directory
[Sun Sep 23 17:03:18 CST 2018] Use default length 2048
[Sun Sep 23 17:03:18 CST 2018] length='2048'
[Sun Sep 23 17:03:18 CST 2018] Using config home:/home/zenops/.acme.sh
[Sun Sep 23 17:03:18 CST 2018] ACME_DIRECTORY='https://acme-v01.api.letsencrypt.org/directory'
[Sun Sep 23 17:03:18 CST 2018] Use length 2048
[Sun Sep 23 17:03:18 CST 2018] Using RSA: 2048
[Sun Sep 23 17:03:19 CST 2018] RSA key
[Sun Sep 23 17:03:19 CST 2018] Registering account
[Sun Sep 23 17:03:19 CST 2018] url='https://acme-v01.api.letsencrypt.org/acme/new-reg'
[Sun Sep 23 17:03:19 CST 2018] payload='{"resource": "new-reg", "terms-of-service-agreed": true, "agreement": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"}'
[Sun Sep 23 17:03:19 CST 2018] GET
[Sun Sep 23 17:03:19 CST 2018] url='https://acme-v01.api.letsencrypt.org/directory'
[Sun Sep 23 17:03:19 CST 2018] timeout=
[Sun Sep 23 17:03:19 CST 2018] _CURL='curl -L --silent --dump-header /home/zenops/.acme.sh/http.header -g '
[Sun Sep 23 17:03:19 CST 2018] ret='0'
[Sun Sep 23 17:03:19 CST 2018] POST
[Sun Sep 23 17:03:19 CST 2018] _post_url='https://acme-v01.api.letsencrypt.org/acme/new-reg'
[Sun Sep 23 17:03:19 CST 2018] _CURL='curl -L --silent --dump-header /home/zenops/.acme.sh/http.header -g '
[Sun Sep 23 17:03:21 CST 2018] _ret='0'
[Sun Sep 23 17:03:21 CST 2018] code='201'
[Sun Sep 23 17:03:21 CST 2018] Registered
[Sun Sep 23 17:03:21 CST 2018] _accUri='https://acme-v01.api.letsencrypt.org/acme/reg/42608138'
[Sun Sep 23 17:03:21 CST 2018] Calc CA_KEY_HASH='CTrTJLe4fri71yZuIbE4zNkzc8qc2nLBeszAjEYR0H4='
[Sun Sep 23 17:03:21 CST 2018] ACCOUNT_THUMBPRINT='3XBwyNz5JzZgDMnfqAWw97tVCJeQTzDPIbPlSbyKXyg'
[Sun Sep 23 17:03:21 CST 2018] Read key length:
[Sun Sep 23 17:03:21 CST 2018] Creating domain key
[Sun Sep 23 17:03:21 CST 2018] Use DEFAULT_DOMAIN_KEY_LENGTH=2048
[Sun Sep 23 17:03:21 CST 2018] Using config home:/home/zenops/.acme.sh
[Sun Sep 23 17:03:21 CST 2018] ACME_DIRECTORY='https://acme-v01.api.letsencrypt.org/directory'
[Sun Sep 23 17:03:21 CST 2018] Use length 2048
[Sun Sep 23 17:03:21 CST 2018] Using RSA: 2048
[Sun Sep 23 17:03:21 CST 2018] The domain key is here: /home/zenops/.acme.sh/zen02.newnet.cf/zen02.newnet.cf.key
[Sun Sep 23 17:03:21 CST 2018] _createcsr
[Sun Sep 23 17:03:21 CST 2018] Single domain='zen02.newnet.cf'
[Sun Sep 23 17:03:21 CST 2018] Getting domain auth token for each domain
[Sun Sep 23 17:03:21 CST 2018] d='zen02.newnet.cf'
[Sun Sep 23 17:03:21 CST 2018] Getting webroot for domain='zen02.newnet.cf'
[Sun Sep 23 17:03:21 CST 2018] _w='dns_cx'
[Sun Sep 23 17:03:21 CST 2018] _currentRoot='dns_cx'
[Sun Sep 23 17:03:21 CST 2018] Getting new-authz for domain='zen02.newnet.cf'
[Sun Sep 23 17:03:21 CST 2018] _init api for server: https://acme-v01.api.letsencrypt.org/directory
[Sun Sep 23 17:03:21 CST 2018] Try new-authz for the 0 time.
[Sun Sep 23 17:03:21 CST 2018] url='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Sun Sep 23 17:03:21 CST 2018] payload='{"resource": "new-authz", "identifier": {"type": "dns", "value": "zen02.newnet.cf"}}'
[Sun Sep 23 17:03:21 CST 2018] POST
[Sun Sep 23 17:03:21 CST 2018] _post_url='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Sun Sep 23 17:03:21 CST 2018] _CURL='curl -L --silent --dump-header /home/zenops/.acme.sh/http.header -g '
[Sun Sep 23 17:03:22 CST 2018] _ret='0'
[Sun Sep 23 17:03:22 CST 2018] code='201'
[Sun Sep 23 17:03:22 CST 2018] The new-authz request is ok.
[Sun Sep 23 17:03:22 CST 2018] entry='"type":"dns-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/-sc7GfkC6A3nQ0KnOgaLi9HB4GWSwhkYLLFerQduZLE/7597565311","token":"NFQ0yw0jKRwCmDfUdqc5O-cUWlGy16QyxXx3WHYDXTo"'
[Sun Sep 23 17:03:22 CST 2018] token='NFQ0yw0jKRwCmDfUdqc5O-cUWlGy16QyxXx3WHYDXTo'
[Sun Sep 23 17:03:22 CST 2018] uri='https://acme-v01.api.letsencrypt.org/acme/challenge/-sc7GfkC6A3nQ0KnOgaLi9HB4GWSwhkYLLFerQduZLE/7597565311'
[Sun Sep 23 17:03:22 CST 2018] keyauthorization='NFQ0yw0jKRwCmDfUdqc5O-cUWlGy16QyxXx3WHYDXTo.3XBwyNz5JzZgDMnfqAWw97tVCJeQTzDPIbPlSbyKXyg'
[Sun Sep 23 17:03:22 CST 2018] dvlist='zen02.newnet.cf#NFQ0yw0jKRwCmDfUdqc5O-cUWlGy16QyxXx3WHYDXTo.3XBwyNz5JzZgDMnfqAWw97tVCJeQTzDPIbPlSbyKXyg#https://acme-v01.api.letsencrypt.org/acme/challenge/-sc7GfkC6A3nQ0KnOgaLi9HB4GWSwhkYLLFerQduZLE/7597565311#dns-01#dns_cx'
[Sun Sep 23 17:03:22 CST 2018] d
[Sun Sep 23 17:03:22 CST 2018] vlist='zen02.newnet.cf#NFQ0yw0jKRwCmDfUdqc5O-cUWlGy16QyxXx3WHYDXTo.3XBwyNz5JzZgDMnfqAWw97tVCJeQTzDPIbPlSbyKXyg#https://acme-v01.api.letsencrypt.org/acme/challenge/-sc7GfkC6A3nQ0KnOgaLi9HB4GWSwhkYLLFerQduZLE/7597565311#dns-01#dns_cx,'
[Sun Sep 23 17:03:22 CST 2018] d='zen02.newnet.cf'
[Sun Sep 23 17:03:22 CST 2018] _d_alias
[Sun Sep 23 17:03:22 CST 2018] txtdomain='_acme-challenge.zen02.newnet.cf'
[Sun Sep 23 17:03:22 CST 2018] txt='OSSJ6IqI3PqjsestIpyIWApGySirKQQbOJIeQK-4jSw'
[Sun Sep 23 17:03:22 CST 2018] d_api='/home/zenops/.acme.sh/dnsapi/dns_cx.sh'
[Sun Sep 23 17:03:22 CST 2018] Found domain api file: /home/zenops/.acme.sh/dnsapi/dns_cx.sh
[Sun Sep 23 17:03:22 CST 2018] First detect the root zone
[Sun Sep 23 17:03:22 CST 2018] ep='domain'
[Sun Sep 23 17:03:22 CST 2018] url='https://www.cloudxns.net/api2/domain'
[Sun Sep 23 17:03:22 CST 2018] cdate='2018-09-23 09:03:22 UTC'
[Sun Sep 23 17:03:22 CST 2018] data
'ttps://www.cloudxns.net/api2/domain2018-09-23 09:03:22 UTCaefa8233b182092f
[Sun Sep 23 17:03:22 CST 2018] hmac='ed875caedbca31b2912fabddd7a853d0'
[Sun Sep 23 17:03:22 CST 2018] GET
[Sun Sep 23 17:03:22 CST 2018] url='https://www.cloudxns.net/api2/domain'
[Sun Sep 23 17:03:22 CST 2018] timeout=
[Sun Sep 23 17:03:23 CST 2018] _CURL='curl -L --silent --dump-header /home/zenops/.acme.sh/http.header -g '
[Sun Sep 23 17:03:23 CST 2018] ret='0'
[Sun Sep 23 17:03:23 CST 2018] invalid domain
[Sun Sep 23 17:03:23 CST 2018] Error add txt for domain:_acme-challenge.zen02.newnet.cf
[Sun Sep 23 17:03:23 CST 2018] pid
[Sun Sep 23 17:03:23 CST 2018] No need to restore nginx, skip.
[Sun Sep 23 17:03:23 CST 2018] _clearupdns
[Sun Sep 23 17:03:23 CST 2018] skip dns.
[Sun Sep 23 17:03:23 CST 2018] _on_issue_err
[Sun Sep 23 17:03:23 CST 2018] Please add '--debug' or '--log' to check more details.
[Sun Sep 23 17:03:23 CST 2018] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
[Sun Sep 23 17:03:23 CST 2018] url='https://acme-v01.api.letsencrypt.org/acme/challenge/-sc7GfkC6A3nQ0KnOgaLi9HB4GWSwhkYLLFerQduZLE/7597565311'
[Sun Sep 23 17:03:23 CST 2018] payload='{"resource": "challenge", "keyAuthorization": "NFQ0yw0jKRwCmDfUdqc5O-cUWlGy16QyxXx3WHYDXTo.3XBwyNz5JzZgDMnfqAWw97tVCJeQTzDPIbPlSbyKXyg"}'
[Sun Sep 23 17:03:23 CST 2018] POST
[Sun Sep 23 17:03:23 CST 2018] _post_url='https://acme-v01.api.letsencrypt.org/acme/challenge/-sc7GfkC6A3nQ0KnOgaLi9HB4GWSwhkYLLFerQduZLE/7597565311'
[Sun Sep 23 17:03:23 CST 2018] _CURL='curl -L --silent --dump-header /home/zenops/.acme.sh/http.header -g '
[Sun Sep 23 17:03:24 CST 2018] _ret='0'
[Sun Sep 23 17:03:24 CST 2018] code='202'
[Sun Sep 23 17:03:24 CST 2018] Diagnosis versions:
openssl:openssl
OpenSSL 1.0.2g 1 Mar 2016
apache:
apache doesn't exists.
nginx:
nginx doesn't exists.
socat:


#18

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.