Invalid response

This works: http://oakcloud.se/.well-known/acme-challenge/hej
But not when trying to generate certification via certbot.

My domain is:
oakcloud.se

I ran this command:
sudo certbot certonly --apache

It produced this output:
IMPORTANT NOTES:

My web server is (include version):
Apache/2.4.29 (Ubuntu)
Ubuntu 18.04 LTS

I can login to a root shell on my machine

certbot 1.7.0

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:80 oakcloud.se (/etc/apache2/sites-enabled/vhosts.conf:4)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

When I visit http://oakcloud.se, I see:

Traffic to your server is being blocked by Cloudflare.

I think that includes the traffic that Let’s Encrypt uses to validate your server, which results in your Certbot error.

My reasoning is that an actual 404 produced by your Apache server leads the response body with:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

However, in your Certbot error, we see that the response body leads with exactly the HTML of the Cloudflare “access denied” page.

As such, I don't think this is a webroot error. Try reducing your Cloudflare WAF's sensitivity …

Hi @TomasSj

then you have found the correct webroot. So use it with the webroot parameter:

https://certbot.eff.org/docs/using.html

I'm enforcing HTTPS on everything but /.well-known/acme-challenge/*.
Hence the access denied. I suppose there's something else I'm missing in the setup of CloudFlare.
Removed HTTPS-rewrite, handle it by page rules after the well-known page rule.
Allowing HTTP traffic in the firewalls led to http://oakcloud.se/.well-known/acme-challenge/hej actually working.

Same response:
sudo certbot certonly --webroot -w /var/www/oakcloud.se/current/public -d oakcloud.se

Is there something else I’m missing?
Been at it for a week without progress. I have the exact same setup as 2 other domains (almost, missing something).

What’s the absolute path of your test file?

There’s a pretty straightforward way to prove that it’s the WAF’s fault.

In your access log, you should see 4 requests to /.well-known/acme-challenge/xxxxxxxxxxxxxxxx every time you try to issue the certificates using Certbot.

If you don’t see four requests (from user-agent Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)), it means they’re being blocked by Cloudflare.
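To make the four-request check above mechanical, here is an added Python script (not from the thread, and not part of Certbot) that scans Apache combined-format access log lines for http-01 requests carrying the Let's Encrypt validation user-agent and says, per challenge token, whether nothing arrived, requests arrived but were not served, or every vantage point got a 200. The log lines, tokens and client addresses are constructed.

```python
import re

# Constructed Apache "combined" log lines (not from the thread): four LE vantage points hit
# token A and get 404, four hit token B and get 200, plus two lines that must be ignored.
LE_UA = "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/80.0"
ACME_PREFIX = "/.well-known/acme-challenge/"

def _line(ip, path, status, ua):
    return f'{ip} - - [07/Sep/2020:10:02:27 +0000] "GET {path} HTTP/1.1" {status} 490 "-" "{ua}"'

SAMPLE_LOG = "\n".join(
    [_line(f"203.0.113.{n}", ACME_PREFIX + "tokenA", 404, LE_UA) for n in range(1, 5)]
    + [_line(f"198.51.100.{n}", ACME_PREFIX + "tokenB", 200, LE_UA) for n in range(1, 5)]
    + [_line("192.0.2.7", ACME_PREFIX + "hej", 200, BROWSER_UA),   # manual browser test
       _line("203.0.113.1", "/", 200, LE_UA)]                        # LE hit outside the path
)

# Apache combined log format: client, ident, user, [time], "request", status, bytes, "referer", "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def challenge_requests(log_text):
    """Return {token: [(client_ip, status), ...]} for every request to the http-01
    path that carried the Let's Encrypt validation user-agent."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or "Let's Encrypt validation server" not in m.group("ua"):
            continue
        if not m.group("path").startswith(ACME_PREFIX):
            continue
        token = m.group("path")[len(ACME_PREFIX):]
        hits.setdefault(token, []).append((m.group("ip"), int(m.group("status"))))
    return hits

def diagnose(token, hits, expected=4):
    """Map what the log shows for one certbot run (one token) onto the cases
    discussed above: nothing arrived, arrived but not served, or all good."""
    seen = hits.get(token, [])
    if not seen:
        return "blocked upstream: no validation requests reached Apache"
    statuses = sorted({status for _, status in seen})
    if statuses != [200]:
        return f"reached Apache but answered {statuses}: the file was not served from this webroot"
    if len(seen) < expected:
        return f"partial: only {len(seen)} of {expected} vantage points reached Apache"
    return f"ok: all {len(seen)} validation requests were served 200"
```

On a real server, feed it the contents of /var/log/apache2/access.log and the token certbot printed for that run; the number of vantage points Let's Encrypt uses may change, so adjust `expected` accordingly.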

/var/www/oakcloud.se/current/public/.well-known/acme-challenge/hej

I see them:

GET /.well-known/acme-challenge/HJ3F5UzvJzlOAfYwKoXGClXWi_XuQY_snkyhJuxf_tI HTTP/1.1" 404 490 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

That’s bizarre. For the record, I was the one who generated that certificate request with the challenge token HJ3F5UzvJzlOAfYwKoXGClXWi_XuQY_snkyhJuxf_tI.

On my side, the response was:

{
  "identifier": {
    "type": "dns",
    "value": "oakcloud.se"
  },
  "status": "invalid",
  "expires": "2020-09-14T10:02:27Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Invalid response from http://oakcloud.se/.well-known/acme-challenge/HJ3F5UzvJzlOAfYwKoXGClXWi_XuQY_snkyhJuxf_tI [2606:4700:20::681a:524]: \"\u003c!DOCTYPE html\u003e\\n\u003c!--[if lt IE 7]\u003e \u003chtml class=\\\"no-js ie6 oldie\\\" lang=\\\"en-US\\\"\u003e \u003c![endif]--\u003e\\n\u003c!--[if IE 7]\u003e    \u003chtml class=\\\"no-js \"",
        "status": 403
      },
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/107112657/FbvY2g",
      "token": "HJ3F5UzvJzlOAfYwKoXGClXWi_XuQY_snkyhJuxf_tI",
      "validationRecord": [
        {
          "url": "http://oakcloud.se/.well-known/acme-challenge/HJ3F5UzvJzlOAfYwKoXGClXWi_XuQY_snkyhJuxf_tI",
          "hostname": "oakcloud.se",
          "port": "80",
          "addressesResolved": [
            "104.26.5.36",
            "172.67.74.115",
            "104.26.4.36",
            "2606:4700:20::681a:524",
            "2606:4700:20::681a:424",
            "2606:4700:20::ac43:4a73"
          ],
          "addressUsed": "2606:4700:20::681a:524"
        }
      ]
    }
  ]
}

But pretty plainly, visiting that page on your server does not produce that HTML. I still think something’s up with Cloudflare.

What if you pause Cloudflare temporarily?
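As an added example (not from the thread), a small Python helper that reads an ACME authorization object like the one above and turns the http-01 error into a short verdict: which address answered, with what HTTP status, and whether the body was the expected key authorization or, as here, HTML from whatever sat in front of Apache. The authorization object is constructed with a placeholder domain, token and addresses.

```python
import json
import re

# Constructed authorization object in the shape of the one above; domain, token, URL and
# addresses are placeholders, and the body is a truncated "access denied" page like the quoted one.
SAMPLE_AUTHZ = json.dumps({
    "identifier": {"type": "dns", "value": "example.test"},
    "status": "invalid",
    "challenges": [{
        "type": "http-01", "status": "invalid", "token": "constructedToken",
        "error": {
            "type": "urn:ietf:params:acme:error:unauthorized", "status": 403,
            "detail": 'Invalid response from http://example.test/.well-known/'
                      'acme-challenge/constructedToken [2001:db8::1]: '
                      '"<!DOCTYPE html>\\n<!--[if lt IE 7]> <html class=\\"no-js ie6 oldie\\">"',
        },
        "validationRecord": [{"hostname": "example.test", "port": "80",
                              "addressesResolved": ["192.0.2.10", "2001:db8::1"],
                              "addressUsed": "2001:db8::1"}],
    }],
})

# Boulder's http-01 failure detail: 'Invalid response from <url> [<address>]: "<body>"'
DETAIL_RE = re.compile(r'^Invalid response from (?P<url>\S+) \[(?P<addr>[^\]]+)\]: "(?P<body>.*)"$', re.S)

def triage_http01(authz_json):
    """Summarise a failed http-01 authorization: which address answered, with what
    HTTP status, and whether the body was the token or something else entirely."""
    authz = json.loads(authz_json)
    chal = next(c for c in authz["challenges"] if c["type"] == "http-01")
    if chal["status"] != "invalid":
        return {"verdict": f"challenge status is {chal['status']}"}
    err, rec = chal["error"], chal["validationRecord"][-1]
    m = DETAIL_RE.match(err["detail"])
    body = m.group("body").lstrip() if m else ""
    if body.startswith(chal["token"]):
        # The key authorization is "<token>.<account thumbprint>", so the right file was served.
        verdict = "token served; failure is not at the web layer"
    elif body.startswith("<"):
        verdict = "HTML instead of the token: an intermediary (CDN/WAF) or another vhost answered"
    else:
        verdict = "unexpected body"
    return {
        "address_used": rec["addressUsed"],
        "address_in_dns": rec["addressUsed"] in rec["addressesResolved"],
        "http_status": err["status"],
        "acme_error": err["type"].rsplit(":", 1)[-1],
        "verdict": verdict,
    }
```

Compare `address_used` with the address your origin actually listens on: if it belongs to the CDN, the body in the error is the CDN's answer, not Apache's.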

Checking your validation file, you see a problem: https://check-your-website.server-daten.de/?q=oakcloud.se/.well-known/acme-challenge/hej#url-checks

The validation file is visible. But later there is a Cloudflare 403:

Forbidden
Visible Content: Please enable cookies. Error 1020 Ray ID: 5cefa931ccd1971e • 2020-09-07 10:14:06 UTC Access denied What happened? This website is using a security service to protect itself from online attacks. Cloudflare Ray ID: 5cefa931ccd1971e • Your IP : 85.215.2.227 • Performance & security by Cloudflare
Info: Html-Content with meta and/or script, may be a problem creating a Letsencrypt certificate using http-01 validation

Nice catch, both of you. @_az and @JuergenAuer
I had a typo in a fw rule, which led to the issue. I would never have solved this without your help.

THANK YOU!
