Lighttpd http-01 validation failures

Please fill out the fields below so we can help you better.

My domain is: natron.fr

I ran this command: letsencrypt-auto certonly --webroot -w /var/www/natron.fr -d natron.fr -d www.natron.fr -d downloads.natron.fr -d forum.natron.fr -d support.natron.fr

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for natron.fr
http-01 challenge for www.natron.fr
http-01 challenge for downloads.natron.fr
http-01 challenge for forum.natron.fr
http-01 challenge for support.natron.fr
Using the webroot path /var/www/natron.fr for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. forum.natron.fr (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://forum.natron.fr/.well-known/acme-challenge/QzLr7x8dKAXMZ3ugbysdQSd9iLgoFnhP6_ArV6jojic: "

Natron forum <meta name="description" conten"

IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: forum.natron.fr
Type: unauthorized
Detail: Invalid response from
http://forum.natron.fr/.well-known/acme-challenge/QzLr7x8dKAXMZ3ugbysdQSd9iLgoFnhP6_ArV6jojic:
"

Natron forum <meta name="description" conten"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

My web server is (include version): lighttpd/1.4.45 (ssl)

The operating system my web server runs on is (include version): centos 6.4

My hosting provider, if applicable, is: ovh

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): I use a shell

With the –staging command line parameter, I get a successful output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for natron.fr
http-01 challenge for www.natron.fr
http-01 challenge for downloads.natron.fr
http-01 challenge for forum.natron.fr
http-01 challenge for support.natron.fr
Using the webroot path /var/www/natron.fr for all unmatched domains.
Waiting for verification…
Cleaning up challenges

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/natron.fr/fullchain.pem. Your cert will
    expire on 2017-10-08. To obtain a new or tweaked version of this
    certificate in the future, simply run letsencrypt-auto again. To
    non-interactively renew all of your certificates, run
    "letsencrypt-auto renew"

In my lighttpd.conf configuration of the server, I explicitly allowed the server to give access to the well-known directory:

$HTTP["url"] =~ "^/.well-known/" {
    server.document-root = "/var/www/natron.fr/.well-known/"
    alias.url = ( "/.well-known/" => "/var/www/natron.fr/.well-known/" )
    dir-listing.activate = "enable"
}

Does anybody has any idea on what’s going on when I remove the --staging flag ?

It looks to me like your account had previously validated the domains in question in the staging environment. Those validations have a lifetime in which they will be reused without performing additional challenges if your account asks to issue for the same names. The current lifetime for valid authorizations is 30 days. I suspect this is hiding a validation failure from you (because no validation is being done in staging).

You can test this theory by creating a new account in the staging environment and trying again. I suspect that will fail the same way as prod because there won’t be cached authorizations to reuse and the full validation process will occur.

Looking at this failure it appears the Let’s Encrypt server connected to 176.31.174.181 and received back an HTML document instead of the ACME challenge response that was expected. I’m not familiar with LightHTTP but I will update the title of the thread to emphasize this problem and hopefully someone with more experience can help guide you.

I checked some of the other recent validation failures for “forum.natron.fr” and the most recent is showing a different failure:

dial tcp 176.31.174.181:80: getsockopt: connection refused

I’m not able to reach this address from my test machine either.

Hopefully this gives you some places to start! Good luck!

If each of these sites has different content, which is likely, then each one probably has a different webroot. In that case you need to specify the correct webroot for each site.

You can do this by adding an additional -w option before each -d. For example, if the forum content is served from /var/www/forum.natron.fr or something, you could add -w /var/www/forum.natron.fr before the -d forum.natron.fr.

If the web server is configured to redirect all requests to a web application rather than serving files from the filesystem, you need to make an exception to that redirection so that files under /.well-known/acme-challenge can be served from a directory in the filesystem instead of by communicating with web application software.

1 Like

Thank you @cpu and @schoen for you quick reply!

forum.natron.fr is indeed a redirection to a discourse instance (on the same server).

But it should not matter, because I explicitly requested lighted to serve from /var/www/natron.fr/.well-known/
for any url request containing /.well-known/

I switched to the --standalone version to make it work for now, I’ll investigate more on the webroot method when I get time

Thank you again for your time

That does seem like the right approach. When you have more time, maybe you could check by making sample text files and then accessing them from a browser.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.