LE validation error if server has http2 on port 80

Hello,

I can’t validate the cert if the server is in Google infrastructure. A manual GET of the challenge works.

I got an error message:

ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:acme:error:connection",
    "detail": "Fetching http://xxxxxxx.com/.well-known/acme-challenge/Pqe0QEmmiTukUQTfvSrwvgZpltcZnN0hkFy-U7i0IX4: Error getting validation data",
    "status": 400
  },
  "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/qXBqOrQlZz1LdL7gROKLhwkldVGJBFETT7LZ3hP5goA/3297738636",
  "token": "Pqe0QEmmiTukUQTfvSrwvgZpltcZnN0hkFy-U7i0IX4",
  "keyAuthorization": "Pqe0QEmmiTukUQTfvSrwvgZpltcZnN0hkFy-U7i0IX4.DO6IvP4ptmSzQhJWpB3MVMgOhlWX0qrDalP-MP6ThgA",
  "validationRecord": [
    {
      "url": "http://xxxxxxx.com/.well-known/acme-challenge/Pqe0QEmmiTukUQTfvSrwvgZpltcZnN0hkFy-U7i0IX4",
      "hostname": "xxxxxxx.com",
      "port": "80",
      "addressesResolved": [
        "1.2.3.4"
      ],
      "addressUsed": "1.2.3.4",
      "addressesTried": []
    }
  ]
})

  • The problem is that I can’t see anything in access.log (I use Nginx). It looks like a broken connection somewhere between LE and the Google server.
  • The server has normal traffic on ports 80 and 443 (20 req/s).
  • I tried removing the http>https redirect, no effect (still nothing in the log).
  • The server in Google has a static external IP address which is the IP address in DNS (just for info).
  • I can get the challenge from browser/wget/curl (http://xxxxxxx.com/.well-known/acme-challenge/Pqe0QEmmiTukUQTfvSrwvgZpltcZnN0hkFy-U7i0IX4). I tried from different countries and regions. All requests appear in access.log.

Finally I tried changing the DNS record of the domain to a server outside Google (Linode.com hosting), with exactly the same configuration, and there it works!

So, my point of view is that LE has a problem connecting to servers in Google infrastructure (Google Cloud Platform).

Any idea?

Best regards,
Martin

I would ask you to provide your real domain name and IP address, but the https://acme-v01.api.letsencrypt.org/acme/challenge/ URL above actually reveals them. If it’s necessary, that can be redacted from your post, but it makes it difficult to help you.

In any case, I can’t access your site over HTTP either, either the ACME challenge URL or the homepage. It just delivers… 100 bytes of something I don’t recognize.

$ curl http://[redacted]/ | hd
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   114    0   114    0     0    525      0 --:--:-- --:--:-- --:--:--   525
00000000  00 00 12 04 00 00 00 00  00 00 03 00 00 00 80 00  |................|
00000010  04 00 01 00 00 00 05 00  ff ff ff 00 00 04 08 00  |................|
00000020  00 00 00 00 7f ff 00 00  00 00 08 07 00 00 00 00  |................|
00000030  00 00 00 00 00 00 00 00  01                       |.........|
00000039

Could that be raw HTTP/2? I’m not sure what it looks like on the wire, but it seems plausible?

HTTPS works, but HTTP-01 validation makes the initial connection over HTTP (though it will follow a redirect).

Looks like it:

$ nghttp http://<redacted>.com/
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.10.3</center>
</body>
</html>

Perhaps nginx is configured to serve h2 on port 80? (or h2c or whatever it's called)


Thanks for checking! I don’t think I have an HTTP HTTP/2 client installed. (I could fix that, of course…)

Yeah, that would be my guess.

@mates.dolda, what’s the Nginx configuration? In particular, does it have “listen 80 http2;” or similar?

By coincidence, someone else encountered this issue today, and @cpu filed a bug to improve the error message.


I confirm that the problem was a misconfiguration in nginx: listen 80 http2. I had http2 on another virtual nginx server. But setting one server to http2 in nginx affects all server configs; that was the reason why I didn’t see the bad config.

Finally, I rewrote the subject of this issue.

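As an added diagnostic that is not part of this thread: the script below decodes bytes like the hd output above as HTTP/2 frames, which is what an nginx plaintext listener configured with listen 80 http2 answers to a plain HTTP/1.1 request (a SETTINGS preface, a WINDOW_UPDATE, then GOAWAY with error code 1, PROTOCOL_ERROR). The sample bytes are transcribed from that dump; the function names are my own.

```python
import struct

# Constructed sample: the 57 bytes transcribed from the hd dump in the thread,
# i.e. what the misconfigured port-80 listener returned to a plaintext HTTP/1.1 GET.
SAMPLE_PORT80_RESPONSE = bytes.fromhex(
    "000012040000000000" "000300000080" "000400010000" "000500ffffff"  # SETTINGS
    "000004080000000000" "7fff0000"                                    # WINDOW_UPDATE
    "000008070000000000" "0000000000000001"                            # GOAWAY
)

# Frame types and settings identifiers as defined in RFC 7540.
FRAME_TYPES = {0: "DATA", 1: "HEADERS", 2: "PRIORITY", 3: "RST_STREAM", 4: "SETTINGS",
               5: "PUSH_PROMISE", 6: "PING", 7: "GOAWAY", 8: "WINDOW_UPDATE", 9: "CONTINUATION"}
SETTINGS_IDS = {1: "HEADER_TABLE_SIZE", 2: "ENABLE_PUSH", 3: "MAX_CONCURRENT_STREAMS",
                4: "INITIAL_WINDOW_SIZE", 5: "MAX_FRAME_SIZE", 6: "MAX_HEADER_LIST_SIZE"}

def parse_h2_frames(data):
    """Split raw bytes into (type, flags, stream_id, payload) tuples; [] if not clean HTTP/2 framing."""
    frames, pos = [], 0
    while pos + 9 <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")          # 24-bit payload length
        ftype, flags = data[pos + 3], data[pos + 4]
        stream = struct.unpack(">I", data[pos + 5:pos + 9])[0] & 0x7FFFFFFF  # drop reserved bit
        payload = data[pos + 9:pos + 9 + length]
        if len(payload) != length or ftype not in FRAME_TYPES:
            return []
        frames.append((FRAME_TYPES[ftype], flags, stream, payload))
        pos += 9 + length
    return frames if pos == len(data) else []

def describe_port80_response(data):
    """Classify a port-80 reply to an HTTP/1.1 request; an HTTP/2 server preface is SETTINGS on stream 0."""
    if data.startswith(b"HTTP/1."):
        return "http/1.x"
    frames = parse_h2_frames(data)
    if not frames or frames[0][0] != "SETTINGS" or frames[0][2] != 0:
        return "unknown"
    details = []
    for name, _flags, _stream, payload in frames:
        if name == "SETTINGS" and len(payload) % 6 == 0:
            for i in range(0, len(payload), 6):                    # each setting: 16-bit id, 32-bit value
                sid, val = struct.unpack(">HI", payload[i:i + 6])
                details.append(f"SETTINGS {SETTINGS_IDS.get(sid, sid)}={val}")
        elif name == "GOAWAY" and len(payload) >= 8:               # last stream id, then error code
            last, err = struct.unpack(">II", payload[:8])
            details.append(f"GOAWAY last_stream={last} error={err}")
        else:
            details.append(name)
    return "h2c: " + "; ".join(details)
```

A reply classified as h2c means an HTTP/1.1 client such as the Let's Encrypt validator never receives the challenge file; as confirmed above, the fix is to remove http2 from the port 80 listen directive, keeping in mind that the flag applies to every server block sharing that listen socket.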

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.