Hello,
I can't validate a cert if the server is in Google infrastructure. A manual GET of the challenge works.
I got an error message:
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:acme:error:connection",
    "detail": "Fetching xxxxx.com Error getting validation data",
    "status": 400
  },
  "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/qXBqOrQlZz1LdL7gROKLhwkldVGJBFETT7LZ3hP5goA/3297738636",
  "token": "Pqe0QEmmiTukUQTfvSrwvgZpltcZnN0hkFy-U7i0IX4",
  "keyAuthorization": "Pqe0QEmmiTukUQTfvSrwvgZpltcZnN0hkFy-U7i0IX4.DO6IvP4ptmSzQhJWpB3MVMgOhlWX0qrDalP-MP6ThgA",
  "validationRecord": [
    {
      "url": "xxxxx.com",
      "hostname": "xxxxxxx.com",
      "port": "80",
      "addressesResolved": [
        "1.2.3.4"
      ],
      "addressUsed": "1.2.3.4",
      "addressesTried":
    }
  ]
})
The problem is that I can't see anything in access.log (I use Nginx). It looks like a broken connection somewhere between LE and the Google server.
The server has normal traffic on ports 80 and 443 (20 req/s).
I tried removing the http>https redirect, no effect (still nothing in the log).
The server in Google has a static external IP address, which is the IP address in DNS (just for info).
I can get the challenge from browser/wget/curl (xxxxx.com). I tried from different countries and regions. All requests are in access.log.
Finally I tried to change the DNS record of the domain to a server outside Google (Linode.com hosting), with exactly the same configuration - and there it works!
So, my point of view is that LE has a problem connecting to servers in Google infrastructure (Google Cloud Platform).
Any idea?
Best regards,
Martin
I would ask you to provide your real domain name and IP address, but the https://acme-v01.api.letsencrypt.org/acme/challenge/ URL above actually reveals them. If it’s necessary, that can be redacted from your post, but it makes it difficult to help you.
In any case, I can't access your site over HTTP either, either the ACME challenge URL or the homepage. It just delivers… 100 bytes of something I don't recognize.
$ curl http://[redacted]/ | hd
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   114    0   114    0     0    525      0 --:--:-- --:--:-- --:--:--   525
00000000  00 00 12 04 00 00 00 00  00 00 03 00 00 00 80 00  |................|
00000010  04 00 01 00 00 00 05 00  ff ff ff 00 00 04 08 00  |................|
00000020  00 00 00 00 7f ff 00 00  00 00 08 07 00 00 00 00  |................|
00000030  00 00 00 00 00 00 00 00  01                       |.........|
00000039
Could that be raw HTTP/2? I’m not sure what it looks like on the wire, but it seems plausible?
HTTPS works, but HTTP-01 validation makes the initial connection over HTTP (though it will follow a redirect).
Looks like it:
$ nghttp http://<redacted>.com/
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.10.3</center>
</body>
</html>
Perhaps nginx is configured to serve h2 on port 80? (or h2c or whatever it's called)
1 Like
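To make the guess in the two replies above concrete: the bytes in the hexdump decode cleanly as HTTP/2 frames. The following is an added example, not code posted by anyone in this thread. It embeds the 57 bytes from the hexdump as a constructed sample, decodes them with a small RFC 7540 frame parser, and classifies what a port-80 listener sends back to a plain HTTP/1.1 GET, so an operator can check a server before asking the CA to validate it. The probe function, its timeout and the challenge path it requests are illustrative assumptions.

```python
"""
Decode the raw HTTP/2 frames an h2-only listener returns to an HTTP/1.1 client,
and classify a port-80 reply as HTTP/1.x or raw HTTP/2.

Added example (not from the thread). SAMPLE_RESPONSE is reconstructed from the
hexdump posted above; parsing runs fully offline.
"""
import struct

# Frame type codes and settings identifiers from RFC 7540 sections 6 and 7.
FRAME_TYPES = {
    0x0: "DATA", 0x1: "HEADERS", 0x2: "PRIORITY", 0x3: "RST_STREAM",
    0x4: "SETTINGS", 0x5: "PUSH_PROMISE", 0x6: "PING", 0x7: "GOAWAY",
    0x8: "WINDOW_UPDATE", 0x9: "CONTINUATION",
}
SETTINGS_IDS = {
    0x1: "HEADER_TABLE_SIZE", 0x2: "ENABLE_PUSH", 0x3: "MAX_CONCURRENT_STREAMS",
    0x4: "INITIAL_WINDOW_SIZE", 0x5: "MAX_FRAME_SIZE", 0x6: "MAX_HEADER_LIST_SIZE",
}
ERROR_CODES = {0x0: "NO_ERROR", 0x1: "PROTOCOL_ERROR", 0x2: "INTERNAL_ERROR"}

# The 57 bytes from the `curl | hd` output above (constructed sample input).
SAMPLE_RESPONSE = bytes.fromhex(
    "000012040000000000"                      # SETTINGS header: len 18, type 4, stream 0
    "000300000080" "000400010000" "000500ffffff"  # three (id, value) settings
    "000004080000000000" "7fff0000"           # WINDOW_UPDATE: increment 0x7fff0000
    "000008070000000000" "0000000000000001"   # GOAWAY: last stream 0, PROTOCOL_ERROR
)


def parse_frames(data):
    """Split bytes into HTTP/2 frames (RFC 7540 section 4.1).

    Returns a list of dicts with the decoded 9-byte header and, for SETTINGS,
    WINDOW_UPDATE and GOAWAY, the decoded payload. A trailing partial frame is
    reported as a 'TRUNCATED' pseudo-frame instead of raising.
    """
    frames = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 9:
            frames.append({"type": "TRUNCATED", "length": len(data) - pos})
            break
        # 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id (top bit reserved)
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        stream_id = struct.unpack(">I", data[pos + 5:pos + 9])[0] & 0x7FFFFFFF
        payload = data[pos + 9:pos + 9 + length]
        if len(payload) < length:
            frames.append({"type": "TRUNCATED", "length": len(data) - pos})
            break
        frame = {"type": FRAME_TYPES.get(ftype, f"UNKNOWN_{ftype:#x}"),
                 "flags": flags, "stream_id": stream_id, "length": length}
        if frame["type"] == "SETTINGS":
            # Payload is a sequence of 16-bit identifier + 32-bit value pairs.
            frame["settings"] = {
                SETTINGS_IDS.get(sid, f"UNKNOWN_{sid:#x}"): val
                for sid, val in (struct.unpack(">HI", payload[i:i + 6])
                                 for i in range(0, len(payload) - len(payload) % 6, 6))
            }
        elif frame["type"] == "WINDOW_UPDATE" and length == 4:
            frame["increment"] = struct.unpack(">I", payload)[0] & 0x7FFFFFFF
        elif frame["type"] == "GOAWAY" and length >= 8:
            last, code = struct.unpack(">II", payload[:8])
            frame["last_stream_id"] = last & 0x7FFFFFFF
            frame["error"] = ERROR_CODES.get(code, f"UNKNOWN_{code:#x}")
        frames.append(frame)
        pos += 9 + length
    return frames


def classify_response(data):
    """Classify the first bytes a server sends back to a plain HTTP/1.1 GET.

    An HTTP/1.x server answers with a status line. An h2-only listener answers
    with a SETTINGS frame on stream 0 and, because it never received the client
    connection preface, typically a GOAWAY carrying PROTOCOL_ERROR.
    """
    if data.startswith(b"HTTP/1."):
        return "http/1.x"
    frames = parse_frames(data)
    if frames and frames[0]["type"] == "SETTINGS" and frames[0]["stream_id"] == 0:
        return "http/2-frames"
    return "unknown"


def probe_port80(host, port=80, timeout=5.0):
    """Send a minimal HTTP/1.1 GET for an (assumed) ACME challenge path and
    classify the reply. Needs network access; nothing below calls it."""
    import socket
    req = (f"GET /.well-known/acme-challenge/probe HTTP/1.1\r\nHost: {host}\r\n"
           "Connection: close\r\n\r\n").encode()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(req)
        return classify_response(sock.recv(4096))


if __name__ == "__main__":
    for frame in parse_frames(SAMPLE_RESPONSE):
        print(frame)
    print(classify_response(SAMPLE_RESPONSE))
```

Run against the sample, the parser yields SETTINGS (MAX_CONCURRENT_STREAMS 128, INITIAL_WINDOW_SIZE 65536, MAX_FRAME_SIZE 16777215), a WINDOW_UPDATE, and a GOAWAY with PROTOCOL_ERROR: exactly what a server speaking HTTP/2 over cleartext does when the peer's first bytes are an HTTP/1.1 request line rather than the h2 connection preface. The validator never gets a status line, so nginx logs nothing for the request and the CA reports a connection error.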
Thanks for checking! I don't think I have an HTTP/2 client installed. (I could fix that, of course...)
Yeah, that would be my guess.
@mates.dolda , what's the Nginx configuration? In particular, does it have "listen 80 http2;" or similar?
By coincidence, someone else encountered this issue today, and @cpu filed a bug to improve the error message.
Presently when an HTTP-01 challenge request from the VA encounters an HTTP/2 server on port 80 (a misconfiguration, but one that...
2 Likes
I confirm that the problem was a misconfiguration in nginx: listen 80 http2. I had http2 on another virtual nginx server. But setting one server to http2 in nginx affects all server configs; that was the reason why I didn't see the bad config.
Finally, I rewrote the subject of this issue.
2 Likes
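The misconfiguration confirmed above, as an added example rather than the poster's actual configuration: in nginx the "http2" flag on a "listen" directive is a property of the listening socket, so enabling it in one server block for port 80 makes every server block on that port, including the one that serves the challenge files, expect HTTP/2 only. Server names and paths are placeholders.

```nginx
# BEFORE: one virtual host enables http2 on the cleartext port. Because the
# flag applies to the *:80 socket, the second server block inherits it and an
# HTTP/1.1 GET from the ACME validator is answered with raw HTTP/2 frames.
server {
    listen 80 http2;                                  # the culprit
    server_name other.example.com;                    # placeholder name
    location / { return 301 https://$host$request_uri; }
}

server {
    listen 80;                                        # same socket, so h2 applies here too
    server_name www.example.com;                      # domain being validated (placeholder)
    location /.well-known/acme-challenge/ { root /var/www/letsencrypt; }  # placeholder path
    location / { return 301 https://$host$request_uri; }
}

# AFTER: port 80 stays HTTP/1.1 for every name; HTTP/2 is enabled only on
# port 443, where TLS ALPN lets clients negotiate it safely.
server {
    listen 80;
    server_name other.example.com www.example.com;
    location /.well-known/acme-challenge/ { root /var/www/letsencrypt; }
    location / { return 301 https://$host$request_uri; }
}

server {
    listen 443 ssl http2;
    server_name www.example.com;
    ssl_certificate     /etc/letsencrypt/live/www.example.com/fullchain.pem;  # placeholder
    ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;    # placeholder
    # remaining TLS and site settings
}
```

Because the flag is per socket, check every included file rather than only the vhost for the domain being validated (for example with "grep -rn 'listen.*http2' /etc/nginx/"), then run "nginx -t" and reload before retrying the challenge.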
system closed this topic on March 3, 2018, 4:56pm: This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.