Issue renewing certificate


#1

Hi!
I'm trying to renew my certificate for s01.porttosuccess.com. Certbot never worked for me, so I tried the acme-tiny client, which did the job:
python acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /var/www/letsencrypt/ROOT/ > ./signed_chain.csr --disable-check

However on renewing I’m getting this error:

Verifying s01.porttosuccess.com
Traceback (most recent call last):
File "acme_tiny.py", line 198, in <module>
main(sys.argv[1:])
File "acme_tiny.py", line 194, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
File "acme_tiny.py", line 150, in get_crt
raise ValueError("Challenge did not pass for {0}: {1}".format(domain, authorization))
ValueError: Challenge did not pass for s01.porttosuccess.com: {u'status': u'invalid', u'challenges': [{u'status': u'invalid', u'validationRecord': [{u'url': u'http://s01.porttosuccess.com/.well-known/acme-challenge/Odnvmir_UpIFvdhfrxDNYaH6ErmAVtbYUAlXe3uK6ZY', u'hostname': u's01.porttosuccess.com', u'addressUsed': u'185.140.140.40', u'port': u'80', u'addressesResolved': [u'185.140.140.40']}, {u'url': u'https://s01.porttosuccess.com/.well-known/acme-challenge/Odnvmir_UpIFvdhfrxDNYaH6ErmAVtbYUAlXe3uK6ZY', u'hostname': u's01.porttosuccess.com', u'addressUsed': u'185.140.140.40', u'port': u'443', u'addressesResolved': [u'185.140.140.40']}, {u'url': u'https://s01.porttosuccess.com/', u'hostname': u's01.porttosuccess.com', u'addressUsed': u'185.140.140.40', u'port': u'443', u'addressesResolved': [u'185.140.140.40']}], u'url': u'https://acme-v02.api.letsencrypt.org/acme/challenge/owUcJnMHd1jryNz1yfJsJ8s69SVtVuW5Kx0aGZq9y4o/13109107164', u'token': u'Odnvmir_UpIFvdhfrxDNYaH6ErmAVtbYUAlXe3uK6ZY', u'error': {u'status': 403, u'type': u'urn:ietf:params:acme:error:unauthorized', u'detail': u'Invalid response from https://s01.porttosuccess.com/ [185.140.140.40]: "\r\n\r\n\r\nPTS - Login\r\n<meta charset=\"utf-8\" />\r\n<meta http-equiv=\"X-UA-Compatible\" conten"'}, u'type': u'http-01'}, {u'status': u'invalid', u'url': u'https://acme-v02.api.letsencrypt.org/acme/challenge/owUcJnMHd1jryNz1yfJsJ8s69SVtVuW5Kx0aGZq9y4o/13109107165', u'token': u'ZvWnJNGvcqwYun0cxu6Qaefg2z8X1GsezI1k5dFTN1U', u'type': u'tls-alpn-01'}, {u'status': u'invalid', u'url': u'https://acme-v02.api.letsencrypt.org/acme/challenge/owUcJnMHd1jryNz1yfJsJ8s69SVtVuW5Kx0aGZq9y4o/13109107166', u'token': u'tOKdXjS0qiRO1JGs2VbXJFRrqMJCwykdIuUwH1rXboY', u'type': u'dns-01'}], u'identifier': {u'type': u'dns', u'value': u's01.porttosuccess.com'}, u'expires': u'2019-03-08T05:44:15Z'}

Trying the link http://s01.porttosuccess.com/.well-known/acme-challenge/Odnvmir_UpIFvdhfrxDNYaH6ErmAVtbYUAlXe3uK6ZY works and takes me to the login page, so the response stated in the error is actually correct.

It's running on a virtual server with Oracle Linux 7.5, Java, Tomcat and nginx as a proxy.

I can provide more information if necessary.

Thanks in advance


#2

Well, how is your nginx set up?

Is it actually serving /.well-known/acme-challenge/ from /var/www/letsencrypt/ROOT ?


#3

Yes, at least it’s attempting to.

server {
    listen 443 ssl;
    server_name s01.porttosuccess.com porttosuccess.com;

    ssl_certificate ....
    ssl_certificate_key ...;
    ssl_session_timeout 5m;
    ssl_protocols ...;
    ssl_ciphers ...;
    ssl_session_cache ...;
    ssl_dhparam ...;
    ssl_prefer_server_ciphers on;

    location / {
            proxy_pass http://127.0.0.1:8080;

            ### Set headers ####
            proxy_set_header        Host            $host;
            proxy_set_header        X-Real-IP       $remote_addr;
            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header        X-Forwarded-Proto $scheme;
    }

}

server {
    listen 80;
    server_name s01.porttosuccess.com;

    location /.well-known/acme-challenge/ {
            alias /var/www/letsencrypt/ROOT/;
            try_files $uri =404;
    }

    location / {
            proxy_pass http://127.0.0.1:8080;

            ### Set headers ####
            proxy_set_header        Host            $host;
            proxy_set_header        X-Real-IP       $remote_addr;
            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header        X-Forwarded-Proto $scheme;
    }

    # server-level "return" runs in the rewrite phase, before any location is matched
    return 301 https://$server_name$request_uri;

}


#4

You need to hoist this into the location / { } block right above it, or else it overrides everything else.


#5

Like this?

server {
    listen 80;
    server_name s01.porttosuccess.com;

    location /.well-known/acme-challenge/ {
            alias /var/www/letsencrypt/ROOT/;
            try_files $uri =404;
    }

    location / {
            proxy_pass http://127.0.0.1:8080;

            ### Set headers ####
            proxy_set_header        Host            $host;
            proxy_set_header        X-Real-IP       $remote_addr;
            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header        X-Forwarded-Proto $scheme;

            # redirect only requests that did not match the challenge location
            return 301 https://$server_name$request_uri;
    }
}

Unfortunately it returns the same error.


#6

Do you know where this HTTP 302 redirect comes from?

$ curl -X GET -I http://s01.porttosuccess.com/.well-known/acme-challenge/
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.14.1
<snip>
Location: http://s01.porttosuccess.com/.well-known/acme-challenge/

According to your above configuration, there shouldn’t be any redirect.

I think it’s preventing your configuration from succeeding.
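The two diagnostic steps above (follow the challenge URL hop by hop the way the CA's validator does, then check that what comes back is the token file and not an application page) can be scripted. The following is an added example, not code from acme-tiny or from anyone in this thread; the domain s01.example.test, the token "tok", the key authorization "tok.thumb" and the login-page HTML are constructed placeholders. It reads the authorization object that acme-tiny dumps on failure and, separately, pre-flights an http-01 challenge so a stray nginx redirect shows up before the CA is asked:

```python
"""Added example (not part of acme-tiny or the thread): pre-flight an ACME
http-01 challenge and summarise a failed authorization object."""
import urllib.error
import urllib.request
from urllib.parse import urljoin

MAX_REDIRECTS = 10  # Let's Encrypt's validator follows at most 10 redirects


def urllib_fetch(url):
    """Fetch url WITHOUT following redirects: (status, Location header, body)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # make urllib raise HTTPError on 3xx instead of following
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, resp.headers.get("Location"), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location"), e.read().decode("utf-8", "replace")


def preflight_http01(domain, token, key_authorization, fetch=urllib_fetch):
    """Walk the challenge URL hop by hop and check the final body.

    Returns {"ok", "chain", "status", "body_prefix"}. "chain" lists every URL
    the validator would touch, so a server-level `return 301` in nginx shows
    up as extra hops that end somewhere other than the token file.
    """
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    chain = [url]
    status, location, body = fetch(url)
    hops = 0
    while 300 <= status < 400 and location and hops < MAX_REDIRECTS:
        url = urljoin(url, location)  # Location may be relative
        chain.append(url)
        hops += 1
        status, location, body = fetch(url)
    # A 200 is not enough: the body must be exactly "<token>.<thumbprint>";
    # a login page with a 200 proves nothing about control of the host.
    ok = status == 200 and body.strip() == key_authorization
    return {"ok": ok, "chain": chain, "status": status, "body_prefix": body[:60]}


def explain_authorization(authz):
    """One line per failed challenge in an ACME authorization dict."""
    lines = []
    for ch in authz.get("challenges", []):
        if ch.get("status") != "invalid":
            continue
        line = f"{ch['type']}: invalid"
        err = ch.get("error")
        if err:
            line += f" ({err.get('type')}): {err.get('detail', '')[:80]}"
        record = ch.get("validationRecord") or []
        if record:
            line += "; validator path: " + " -> ".join(r["url"] for r in record)
        lines.append(line)
    return lines


# Constructed sample with the same shape as the error in the thread (abridged).
SAMPLE_AUTHZ = {
    "status": "invalid",
    "identifier": {"type": "dns", "value": "s01.example.test"},
    "challenges": [
        {"type": "http-01", "status": "invalid", "token": "tok",
         "validationRecord": [
             {"url": "http://s01.example.test/.well-known/acme-challenge/tok", "port": "80"},
             {"url": "https://s01.example.test/.well-known/acme-challenge/tok", "port": "443"},
             {"url": "https://s01.example.test/", "port": "443"}],
         "error": {"status": 403, "type": "urn:ietf:params:acme:error:unauthorized",
                   "detail": "Invalid response from https://s01.example.test/: login page"}},
        {"type": "tls-alpn-01", "status": "invalid"},
        {"type": "dns-01", "status": "invalid"},
    ],
}


if __name__ == "__main__":
    for line in explain_authorization(SAMPLE_AUTHZ):
        print(line)
    # Live check (needs network and a file you placed in the challenge dir):
    # print(preflight_http01("s01.example.test", "tok", "tok.<thumbprint>"))
```

Run it with a real domain and token after copying the key authorization into the challenge directory; the `chain` field tells you immediately whether port 80 is answering the challenge itself or bouncing the validator to HTTPS and then to the application, which is exactly what the validationRecord in the original error shows.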


#7

Currently, there’s no redirect and when I wget the challenge file, I’m actually getting the token.

So, try again and I’m pretty sure it’ll succeed this time.


#8

Yes, I really had a wrong redirect in there and it worked now! Thanks so so much for your help!


#9

Don’t forget to match the names in both ports (80 & 443):


closed #10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.