Invalid response

Hi! I’ve been struggling getting a certificate for my website. I run sudo certbot --apache, and it returns invalid response. From what I understand, my website doesn't find the challenges sent by certbot, so it returns a 404. I made a test adding a directory in apache, and it could retrieve the files in there. Also, when I check apache’s access logs, it sometimes shows certbot requests, but most of the time it doesn't, while the output it shows is from my website.

My domain is: datlas.io

I ran this command: sudo certbot --apache

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: datlas.io
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for datlas.io
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. datlas.io (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://datlas.io/.well-known/acme-challenge/IZcYUED5ryRJvfk5o0CIv51IOBXLfqGsxx4NABa0yus [184.168.131.241]: "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\"\n   \"http://www.w3.org/TR/html4/strict.dtd\">\n<html>\n\n<head>\n  <title>Datlas</ti"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: datlas.io
   Type:   unauthorized
   Detail: Invalid response from
   http://datlas.io/.well-known/acme-challenge/IZcYUED5ryRJvfk5o0CIv51IOBXLfqGsxx4NABa0yus
   [184.168.131.241]: "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML
   4.01//EN\"\n
   \"http://www.w3.org/TR/html4/strict.dtd\">\n<html>\n\n<head>\n
   <title>Datlas</ti"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): Apache/2.4.29

The operating system my web server runs on is (include version): Ubuntu 18.04.2 LTS

My hosting provider, if applicable, is: GoDaddy

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

Here’s my apache config, in case you need it:

<VirtualHost *:80>
        ServerName datlas.io
        ServerAdmin tecnologias@datlas.mx
        DocumentRoot /home/ubuntu/backend

        <Directory /home/ubuntu/backend>
                Options Indexes FollowSymLinks Includes ExecCGI
                AllowOverride All
                Require all granted
                Allow from all
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        Alias /static /home/ubuntu/backend/static

        <Directory /home/ubuntu/backend/static>
                Require all granted
        </Directory>

        <Directory /home/ubuntu/backend/mysite>
                <Files wsgi.py>
                        Require all granted
                </Files>
        </Directory>
        WSGIDaemonProcess myproject python-path=/home/ubuntu/backend:/home/ubuntu/backend/venv/lib/python3.6/site-packages
        WSGIProcessGroup myproject
        WSGIScriptAlias / /home/ubuntu/backend/mysite/wsgi.py

        SetEnv DJANGO_SETTINGS_MODULE ${DJANGO_SETTINGS_MODULE}
        SetEnv SECRET_KEY ${SECRET_KEY}
        SetEnv Debug ${Debug}
        SetEnv Name ${Name}
        SetEnv RDS_DB_NAME ${RDS_DB_NAME}
        SetEnv RDS_HOSTNAME ${RDS_HOSTNAME}
        SetEnv RDS_PASSWORD ${RDS_PASSWORD}
        SetEnv RDS_PORT ${RDS_PORT}
        SetEnv RDS_USERNAME ${RDS_USERNAME}
</VirtualHost>

Lastly, here’s what I added to test if apache could retrieve files, which worked:
Alias "/.well-known" "/.well-known"
<Directory /.well-known>
Require all granted
</Directory>

Hi @alifelan

there is already a check of your domain - ~6 hours old - https://check-your-website.server-daten.de/?q=datlas.io

There you see the problem.

Your ip configuration:

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| datlas.io | A | 184.168.131.241 Scottsdale/Arizona/United States (US) - GoDaddy.com, LLC Hostname: ip-184-168-131-241.ip.secureserver.net | yes | 2 | 0 |
| | AAAA | | yes | | |
| www.datlas.io | C | datlas.io | yes | 1 | 0 |
| | A | 184.168.131.241 Scottsdale/Arizona/United States (US) - GoDaddy.com, LLC Hostname: ip-184-168-131-241.ip.secureserver.net | yes | | |

That's a GoDaddy ip.secureserver.net ip address.

And the result: Checking http + /.well-known/acme-challenge/random-filename - there is an http status 200, not the expected result http status 404 - Not Found.

With a frameset:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Datlas</title>
<meta name="description" content="Transformando datos en decisiones inteligentes">
<meta name="keywords" content="Datlas, inteligencia, datos, analytics, Mexico">
</head>
<frameset rows="100%,*" border="0">
<frame src="http://ec2-3-16-56-10.us-east-2.compute.amazonaws.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de" frameborder="0" />
</frameset>
</html>

You have to use the ip of ec2-3-16-56-10.us-east-2.compute.amazonaws.com directly in your dns A entry.

Such a "frame redirect" doesn't work with Letsencrypt, because Letsencrypt checks the wrong server.

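The failure mode described above (the forwarding host answers 200 with HTML that frames the real origin, so the ACME server never sees the token) can be recognised from the response alone. The following is an added example, not part of this thread or of Certbot; the sample body is constructed to mirror the frameset quoted above, and `diagnose_challenge_response` is a hypothetical helper:

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: what a "forwarding with masking" service returns for
# every path, including /.well-known/acme-challenge/<token>. Hostnames are
# the ones discussed in this thread.
SAMPLE_FRAMESET = (
    '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">'
    '<html><head><title>Datlas</title></head>'
    '<frameset rows="100%,*" border="0">'
    '<frame src="http://ec2-3-16-56-10.us-east-2.compute.amazonaws.com'
    '/.well-known/acme-challenge/random-filename" frameborder="0" />'
    '</frameset></html>'
)


class FrameSrcParser(HTMLParser):
    """Collect the src attribute of every <frame>/<iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.frame_srcs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("frame", "iframe"):
            for name, value in attrs:
                if name == "src" and value:
                    self.frame_srcs.append(value)


def diagnose_challenge_response(requested_host, status, body, expected=None):
    """Classify the reply to GET /.well-known/acme-challenge/<token>.

    Returns (verdict, detail). The ACME server only reads the literal body
    served by the host the A record points at; HTML that merely frames the
    real origin is an "Invalid response" whatever the framed page contains.
    """
    if status == 404:
        return "not-found", "host reached, token not served (expected for a random token)"
    if status != 200:
        return "unexpected", f"HTTP {status}"
    if expected is not None and body.strip() == expected:
        return "ok", "body is exactly the key authorization"
    parser = FrameSrcParser()
    parser.feed(body)
    for src in parser.frame_srcs:
        origin = urlparse(src).hostname
        if origin and origin.lower() != requested_host.lower():
            # The A record points at a forwarder; this is the real origin.
            return "frame-forwarding", origin
    return "unexpected", "HTTP 200 with a body that is not the key authorization"
```

A "frame-forwarding" verdict means the DNS A record must point at the returned origin host directly, as the reply above says; the forwarder itself can never pass http-01.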

It took me some time to understand it, but it makes sense. My ec2 server responds with a 404, while the GoDaddy one returns a 200 with a framed 404. As far as I know, letsencrypt doesn't allow aws ec2 urls because they are ephemeral. I was completely lost on why that was happening. If you have an idea to help me, I’ll gladly take it, but I’ll dive into it. Thanks a lot!!

That's correct, but that's only a problem if you create a certificate with ec2-3-16-56-10.us-east-2.compute.amazonaws.com as domain name.

Not if your datlas.mx has the ip of ec2-3-16-56-10.us-east-2.compute.amazonaws.com.

And now your basic configuration is ok.

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| datlas.mx | A | 13.59.136.187 Dublin/Ohio/United States (US) - Amazon.com, Inc. Hostname: ec2-13-59-136-187.us-east-2.compute.amazonaws.com | yes | 1 | 0 |
| | AAAA | | yes | | |
| www.datlas.mx | A | 13.59.136.187 Dublin/Ohio/United States (US) - Amazon.com, Inc. Hostname: ec2-13-59-136-187.us-east-2.compute.amazonaws.com | yes | 1 | 0 |
| | AAAA | | yes | | |

One host with (may be) a lot of different domains.

So create a certificate with both domain names:

certbot -d datlas.mx -d www.datlas.mx

Now I got it. I'm a new developer at the startup, so I've been working with deploying our new page to datlas.io, and datlas.mx has a letsencrypt certificate so I went with the same option. Turns out datlas.mx (or at least I understand from the table) is on amazon, while datlas.io is on GoDaddy, and GoDaddy frames the redirect. I'll have to talk with my boss for that, but thanks Juergen! You took me out of my two-day problem
