Manual certificate problem

My domain is: diliver.all.net

I ran this command:

PER the manual:
If you’d like to obtain a certificate running certbot on a machine other than your target webserver or perform the steps for domain validation yourself, you can use the manual plugin. While hidden from the UI, you can use the plugin to obtain a certificate by specifying certonly and --manual on the command line. This requires you to copy and paste commands into another terminal session, which may be on a different computer.

The manual plugin can use either the http or the dns challenge. You can use the --preferred-challenges option to choose the challenge of your preference.

The http challenge will ask you to place a file with a specific name and specific content in the /.well-known/acme-challenge/ directory directly in the top-level directory (“web root”) containing the files served by your webserver. In essence it’s the same as the webroot plugin, but not automated.
======================= ACTUAL TRANSCRIPT:
It produced this output:

=======================

certbot certonly --manual

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter ‘c’
to cancel): diliver.all.net
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for diliver.all.net


NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you’re running certbot in manual mode on a machine that is not
your server, please ensure you’re okay with that.

Are you OK with your IP being logged?


(Y)es/(N)o: Y


Create a file containing just this data:

hpeEqjxEwt0Sz0ytcGb7326oJEKwZ1szbC09bJLBzaE.KISF3d6LBdw-L_Z8ejIPrIWHfFjEUwI5AkzyAXgtrz4

And make it available on your web server at this URL:

http://diliver.all.net/.well-known/acme-challenge/hpeEqjxEwt0Sz0ytcGb7326oJEKwZ1szbC09bJLBzaE


Press Enter to Continue
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. diliver.all.net (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://diliver.all.net/.well-known/acme-challenge/hpeEqjxEwt0Sz0ytcGb7326oJEKwZ1szbC09bJLBzaE: Error getting validation data

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: diliver.all.net
    Type: connection
    Detail: Fetching
    http://diliver.all.net/.well-known/acme-challenge/hpeEqjxEwt0Sz0ytcGb7326oJEKwZ1szbC09bJLBzaE:
    Error getting validation data

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

======================= WHEN I PULL FROM THE WEB SERVER USING A BROWSER USING THE URL IDENTIFIED:

hpeEqjxEwt0Sz0ytcGb7326oJEKwZ1szbC09bJLBzaE.KISF3d6LBdw-L_Z8ejIPrIWHfFjEUwI5AkzyAXgtrz4

======================= WHEN I LOOK AT THE SOURCE IT IS IDENTICAL

Note there is no newline after the hyphen - it’s just an appearance from the form

Looks exactly right to me

My web server is (include version): A custom Web server - no name

The operating system my web server runs on is (include version): Linux - many variants

My hosting provider, if applicable, is: AWS - it’s a normal server instance

I can login to a root shell on my machine (yes or no, or I don’t know): Indeed. And if I stop my server, run the certbot where it provides the server, it works - then I restart my server and the SSL certificate works.

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

certbot --version
certbot 0.31.0

Hi @fcmanalyt.com

I see another answer ( https://check-your-website.server-daten.de/?q=diliver.all.net ):

Domainname Http-Status redirect Sec. G
http://diliver.all.net/
3.15.69.53 -11 0.260 S
ServerProtocolViolation - The server committed a protocol violation. Section=ResponseStatusLine
https://diliver.all.net/
3.15.69.53 -11 0.810 S
ServerProtocolViolation - The server committed a protocol violation. Section=ResponseStatusLine
http://diliver.all.net/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
3.15.69.53 -11 0.264 S
ServerProtocolViolation - The server committed a protocol violation. Section=ResponseStatusLine
Visible Content:

So that's bad.

Checking your URL manually, I get a bad message:

<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
	<TITLE>Bad URL</TITLE><meta http-equiv="Content-Style-Type" content="text/css">
	<link rel="icon" href="favico.gif" type="image/gif">
	<link type="text/css" rel="stylesheet" href="/style.css">
	</HEAD><body> <!script src="/include.js" type="text/javascript"> <!/script><center><font size=1><b>(Portions Pat. Pend. and TRADE SECRET) Hi there GET@82.119.1.133:56670 (running Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0 on diliver.all.net)! Bad URL</b></font></center><h1> Please don't try that kind of thing (/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de ) here. </h1>
<center><font size=1><b>Brought to you by all.net from TestBed</b></font></center></body></HTML>

Is that a spam bot detection? What's TestBed? Perhaps you should remove something.

Thanks. Of course it works on all Web servers and not so much manual tries like this because it looks for the protocol elements of the servers. I will add the manual functionality back in - and get lots more spam bots of course… FC

Now testing with:

telnet diliver.all.net 80
Trying 3.15.69.53…
Connected to diliver.all.net.
Escape character is ‘^]’.
GET /.well-known/acme-challenge/hpeEqjxEwt0Sz0ytcGb7326oJEKwZ1szbC09bJLBzaE HTTP/1.1
HOST: diliver.all.net

hpeEqjxEwt0Sz0ytcGb7326oJEKwZ1szbC09bJLBzaE.KISF3d6LBdw-L_Z8ejIPrIWHfFjEUwI5AkzyAXgtrz4
Connection closed by foreign host.
========================== THIS SHOULD WORK - YES?

However:
The Web Browser and the manual versions both work.
BUT

certbot certonly --manual

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter ‘c’
to cancel): diliver.all.net
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for diliver.all.net


NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you’re running certbot in manual mode on a machine that is not
your server, please ensure you’re okay with that.

Are you OK with your IP being logged?


(Y)es/(N)o: y


Create a file containing just this data:

lkCz9HQWy9CeraSX4QyhBIa6YN30xD4IlGmi69wrr5A.KISF3d6LBdw-L_Z8ejIPrIWHfFjEUwI5AkzyAXgtrz4

And make it available on your web server at this URL:

http://diliver.all.net/.well-known/acme-challenge/lkCz9HQWy9CeraSX4QyhBIa6YN30xD4IlGmi69wrr5A


Press Enter to Continue
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. diliver.all.net (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://diliver.all.net/.well-known/acme-challenge/lkCz9HQWy9CeraSX4QyhBIa6YN30xD4IlGmi69wrr5A: Error getting validation data

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: diliver.all.net
    Type: connection
    Detail: Fetching
    http://diliver.all.net/.well-known/acme-challenge/lkCz9HQWy9CeraSX4QyhBIa6YN30xD4IlGmi69wrr5A:
    Error getting validation data

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

There is the same error - https://check-your-website.server-daten.de/?q=diliver.all.net

Domainname Http-Status redirect Sec. G
http://diliver.all.net/
3.15.69.53 -11 0.270 S
ServerProtocolViolation - The server committed a protocol violation. Section=ResponseStatusLine
https://diliver.all.net/
3.15.69.53 -11 0.530 S
ServerProtocolViolation - The server committed a protocol violation. Section=ResponseStatusLine
http://diliver.all.net/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
3.15.69.53 -11 0.267 S
ServerProtocolViolation - The server committed a protocol violation. Section=ResponseStatusLine

Your server sends a buggy answer.

That’s not very informative.
Can you tell what this “buggy answer” is?
I don't see anything that fails manually, or from Web browsers.
I should also note that the request is itself a violation of the protocol as it requests with protocol 1.1, not HTTP/1.1
As far as I am aware, the proper syntax for a request requires the protocol name then a / then the version and subversion…
Just saying… nobody’s perfect.

FC

The raw answer doesn't have a correct http format. So the online tool can't find a regular http status, instead there is a connection error -> negative value.

Browsers accept a lot of errors.

That's a normal HTTP/1.1 request. If your webserver sees another query, that may be part of the problem. Some spam detection systems (sample) send headers back with an included Char(0) or Char(1).

Browsers accept that; programs or bots crash.

I am having problems understanding you.
The specification says to return exactly what the byte sequence provided is.
Are you saying I need to add before the string and after the string?
Or am I supposed to return some other stuff? Like this?
HTTP/1.1 200 OK
Date: Sun, 09 Jun 2019 18:33:24 GMT
Server: Apache
Last-Modified: Mon, 17 Oct 2016 18:34:52 GMT
ETag: “a5e256a-5b-53f13d4eb5c31-gzip”
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 97
Keep-Alive: timeout=5
Connection: Keep-Alive


Bingo!
I just added HTTP/1.1 200 OK to the beginning of the response and it worked fine...
Seems like an unnecessary restriction - but now that I know what it wants I will provide automation so the certbot will run...


You create the HTTP response manually? Then you may have some errors.

Checking your server offline there is the same error the online tool reports:

Error (1): Der Server hat eine Protokollverletzung ausgeführt.. Section=ResponseStatusLine
ServerProtocolViolation

Your answer isn't a correct http answer.

PS:

HTTP/1.1 200 OK
Server: Apache/1.3.29 (Unix) PHP/4.3.4
Content-Length: 123456
Content-Language: de
Connection: close
Content-Type: text/html

then two Returns (NChar 13 + NChar 10) must follow, then the content of the file.

As a heads up, only the first line (with two sets of CRLF) is required for Let's Encrypt.
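The two replies above describe the shape a valid http-01 answer must have: a status line, optional headers, a blank line (CRLF CRLF), then the key authorization as the body. The following is an added example, not code from this thread or from the poster's server; it is a small Python responder that answers the ACME challenge path with a well-formed response and a checker that tells a bare body (what the custom server originally sent, and what the check-your-website tool flagged as a status-line protocol violation) apart from a correct reply. The token, thumbprint and function names are constructed placeholders, and the local socket round trip stands in for the telnet test shown earlier in the thread.

```python
import re
import socket
import threading
from typing import Dict, Optional, Tuple

# Constructed sample values; the real tokens from the thread are not reused.
TOKEN = "EXAMPLE-TOKEN-placeholder"
KEY_AUTH = TOKEN + ".EXAMPLE-THUMBPRINT-placeholder"
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# ACME tokens are base64url characters only; anything else is refused, which
# also keeps '/', '..' and similar out of the lookup.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")
# RFC 7230 status line: HTTP-version SP 3-digit code [SP reason] CRLF
STATUS_LINE_RE = re.compile(rb"^HTTP/\d\.\d (\d{3})[^\r\n]*\r\n")


def classify_response(raw: bytes) -> Tuple[Optional[int], bytes]:
    """Split a raw HTTP reply into (status code, body).

    (None, raw) means there is no status line at all: a browser may still
    render the bytes, a strict client (the ACME validator, .NET) will not."""
    m = STATUS_LINE_RE.match(raw)
    if m is None:
        return None, raw
    head_end = raw.find(b"\r\n\r\n")
    body = b"" if head_end == -1 else raw[head_end + 4:]
    return int(m.group(1)), body


def build_buggy_response(key_auth: str) -> bytes:
    """What the thread's custom server sent: only the key authorization."""
    return key_auth.encode("ascii")


def build_challenge_response(key_auth: str) -> bytes:
    """Status line, minimal headers, blank line, then the key authorization."""
    body = key_auth.encode("ascii")
    head = (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/plain\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: close\r\n"
        "\r\n"
    )
    return head.encode("ascii") + body


def build_error_response(code: int, reason: str) -> bytes:
    return (f"HTTP/1.1 {code} {reason}\r\nContent-Length: 0\r\n"
            "Connection: close\r\n\r\n").encode("ascii")


def handle_request(request: bytes, challenges: Dict[str, str]) -> bytes:
    """Answer one raw request: 200 only for GET/HEAD of a registered token
    under the ACME prefix; every other case still gets a proper status line."""
    request_line = request.split(b"\n", 1)[0].rstrip(b"\r").decode("latin-1")
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return build_error_response(400, "Bad Request")
    method, target = parts[0], parts[1]
    if method not in ("GET", "HEAD") or not target.startswith(CHALLENGE_PREFIX):
        return build_error_response(404, "Not Found")
    token = target[len(CHALLENGE_PREFIX):]
    if not TOKEN_RE.match(token) or token not in challenges:
        return build_error_response(404, "Not Found")
    response = build_challenge_response(challenges[token])
    if method == "HEAD":  # headers only, no body
        response = response[: response.find(b"\r\n\r\n") + 4]
    return response


def serve_one_request(challenges: Dict[str, str],
                      host: str = "127.0.0.1") -> Tuple[int, threading.Thread]:
    """Bind an ephemeral local port and answer exactly one request in the
    background; returns the port so a client can connect."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(5)
            data = b""
            while b"\r\n\r\n" not in data and b"\n\n" not in data:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                data += chunk
            conn.sendall(handle_request(data, challenges))
        srv.close()

    thread = threading.Thread(target=run, daemon=True)
    thread.start()
    return port, thread


def fetch_raw(host: str, port: int, path: str) -> bytes:
    """Send one HTTP/1.1 GET and return the raw reply, like the telnet check."""
    request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(request.encode("ascii"))
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


if __name__ == "__main__":
    port, thread = serve_one_request({TOKEN: KEY_AUTH})
    raw = fetch_raw("127.0.0.1", port, CHALLENGE_PREFIX + TOKEN)
    thread.join(5)
    print(classify_response(raw))                             # (200, key auth)
    print(classify_response(build_buggy_response(KEY_AUTH)))  # (None, bare body)
```

Run it against a real deployment by pointing `fetch_raw` at port 80 of the host being validated; if `classify_response` returns `None` as the status code, the reply has no status line and the ACME validator will report exactly the connection error seen in the thread even though a browser shows the token.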

Now your header is correct:

D:\temp>download http://diliver.all.net/.well-known/acme-challenge/hpeEqjxEwt0Sz0ytcGb7326oJEKwZ1szbC09bJLBzaE -h

Status: 200 OK

That’s standard .NET-code. So a server shouldn’t produce such error messages.
