Letsencrypt webroot verification follows http to https redirect for self-signed cert?

eva2000 · September 17, 2016, 12:39am

With my acmetool.sh integration I auto generate the nginx vhost and then use @Neilpang’s acme.sh to issue letsencrypt ssl cert via webroot authentication.

But one of the options i have is to generate nginx vhost with https default so i redirect http to https. But i generate a https vhost with self-signed ssl cert first as a placeholder and then when acme.sh gets letsencrypt ssl certificate, i swap out the self-signed ssl cert for letsencrypt ssl cert. If letsencrypt verification fails, it automatically falls back to the self-signed ssl placeholder certs.

This works fine for non-https default issuances. But seems i ran into problem for http to https default redirects. The acme.sh and letsencrypt are reporting failure to connect to domain and i suspect it’s because letsencrypt doesn’t see my placeholder https default self-signed cert as valid ?

== Info: Connection #0 to host domain.com left intact
== Info: Issue another request to this URL: 'https://domain.com/.well-known/acme-challenge/MP7ezQ6O3BO9CJjpeyQh_j_gTDeyXhOP7c3xBT9S5_o'
== Info: About to connect() to domain.com port 443 (#1)
== Info:   Trying IPADDRESS... == Info: connected
== Info: Connected to domain.com (IPADDRESS) port 443 (#1)
== Info: Initializing NSS with certpath: sql:/etc/pki/nssdb
== Info:   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
== Info: Certificate is signed by an untrusted issuer: 'CN=domain.com,OU=domain.com,O=domain.com,L=Los Angeles,ST=California,C=US'
== Info: NSS error -8172
== Info: Closing connection #1
== Info: Peer certificate cannot be authenticated with known CA certificates
== Info: Closing connection #0
[Sat Sep 17 00:16:22 UTC 2016] ret='60'
[Sat Sep 17 00:16:22 UTC 2016] Debugging, skip removing: /home/nginx/domains/domain.com/public/.well-known
[Sat Sep 17 00:16:22 UTC 2016] pid
LECHECK = 1

Neilpang · September 17, 2016, 12:58am

Hi.
I suggest you add a rewrite rule that the .well-known folder is not redirected.

eva2000 · September 17, 2016, 1:00am

Thanks @Neilpang but that would work for initial issuance but renewals would fail then for https defaults ? i am going to try just disabling https redirect until after verification

Neilpang · September 17, 2016, 1:04am

I think you should add a permanent rule to nginx conf, that .well-known folder never get redirected.

On other hand, if you want some preparation before renewing, you should try --pre–hook .

pfg · September 17, 2016, 1:21am

This looks like it’s caused by the client rather than the CA server. Let’s Encrypt will happily accept self-signed, expired or otherwise invalid certificates for HTTPS redirects when using http-01 as long as they’re not weird enough to cause Go’s X509 library to choke (and the cipher suite is compatible).

eva2000 · September 17, 2016, 1:26am

@pfg that’s good news that letsencrypt will accept self-signed ssl certs…

the problem for my end user seems to only occur if site domain is behind cloudflare though - actual user post at https://community.centminmod.com/posts/36339/ ? I thought webroot authentication wouldn’t have issues with cloudflare

@Neilpang thanks, here’s the actual full debug log of the end users run https://gist.github.com/dyrer/187f7ab5e7e9b5fea9cae5e165fecd42 for further clues

Neilpang · September 17, 2016, 1:38am

I read the log. Please ignore the last a few ssl connection error. It’s just for debugging. I may hide the them later. It’s useless to you.

eva2000 · September 17, 2016, 1:43am

ok good to know…

just noticed in the log curl error 60 reported, could it be due to system CA-bundle being out of date ? curl 60 error which is from https://curl.haxx.se/libcurl/c/libcurl-errors.html

[QUOTE]CURLE_SSL_CACERT (60)

Peer certificate cannot be authenticated with known CA certificates.[/QUOTE]

might need to add a check in my acmetool.sh for system ca-certificates updates available

or that is related to self-signed ssl cert curl’d

Neilpang · September 17, 2016, 1:44am

From the log, the ca server reported : could not connect to your server.

It might be a connection problem.

Neilpang · September 17, 2016, 1:45am

No. just ignore the ssl error.
It nothing to do with this issue.

eva2000 · September 17, 2016, 1:45am

yeah that’s what i suspect though there’s not much more details on why

user says issue only happens behind cloudflare

Neilpang · September 17, 2016, 1:47am

I’m not at home now, I could have a try in a few hours when I get home.

pfg · September 17, 2016, 1:50am

I did some testing and I’m pretty sure that - based on the error details - this is unrelated to the redirect and rather a general connectivity error on port 80. The log contains this:

[Sat Sep 17 00:16:22 UTC 2016] original='{
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:acme:error:connection",
    "detail": "Could not connect to armysafety.info",
    "status": 400
  },
  "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/5qI-SyoNDNvO5e4H6M-nN7ogN1IBDNYmQujekSSkrnU/266452464",
  "token": "MP7ezQ6O3BO9CJjpeyQh_j_gTDeyXhOP7c3xBT9S5_o",
  "keyAuthorization": "MP7ezQ6O3BO9CJjpeyQh_j_gTDeyXhOP7c3xBT9S5_o.2ynN5DtCYMsYQVKhquXhdTOF928k2D4m80WFqUN1J7U",
  "validationRecord": [
    {
      "url": "http://armysafety.info/.well-known/acme-challenge/MP7ezQ6O3BO9CJjpeyQh_j_gTDeyXhOP7c3xBT9S5_o",
      "hostname": "armysafety.info",
      "port": "80",
      "addressesResolved": [
        "104.27.133.137",
        "104.27.132.137"
      ],
      "addressUsed": "104.27.133.137"
    }
  ]
}'

Note the port being 80.

This is the log output when Let’s Encrypt fails to follow a HTTPS redirect to a non-functioning HTTPS server (I’m simply not listening on port 443):

    "validationRecord": [
        {
          "url": "http://debug.le.pf.vc/.well-known/acme-challenge/oR7jNUh2xk5E4nXKM_8VAtj374_MakE8M-M-1ivZV2c",
          "hostname": "debug.le.pf.vc",
          "port": "80",
          "addressesResolved": [
            "146.185.148.60"
          ],
          "addressUsed": "146.185.148.60"
        },
        {
          "url": "https://debug.le.pf.vc/.well-known/acme-challenge/oR7jNUh2xk5E4nXKM_8VAtj374_MakE8M-M-1ivZV2c",
          "hostname": "debug.le.pf.vc",
          "port": "443",
          "addressesResolved": [
            "146.185.148.60"
          ],
          "addressUsed": "146.185.148.60"
        }
      ]
```
Note the second validation record mentioning port 443.

Not entirely sure why the connection to CloudFlare is failing. Maybe some weird page rule (or something similar)?

FWIW, I can report that I've been using webroot (including a HTTPS redirect) on a CloudFlare-enabled domain successfully for quite some time.

eva2000 · September 17, 2016, 1:54am

cheers @pfg thanks for the confirmation and insight - could be something in my nginx vhost setups that are generated too

system · October 17, 2016, 1:55am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Certbot - HTTP Challenge with NGINX and HTTP to HTTPS Redirects Help	4	4937	June 21, 2017
[Webroot] Only performs http-01 challenge which doesn't follow HTTP redirects to HTTPS site Help	28	22823	December 16, 2015
First run on server with http to https automatic redirection with nginx Server	19	4960	July 15, 2017
Generate cert for Node apps through Nginx reverse proxy? Server	6	3941	December 22, 2015
Letsencrypt Webroot Authentication Tested on Beta invited/whitelisted domain Issuance Tech	6	16231	December 2, 2015

Letsencrypt webroot verification follows http to https redirect for self-signed cert?

Related topics