Manual: I have a problem with the requests, not sure from where

My domain is:

sipistoverdi.viewdns.net

It produced this output:

My web server is (include version):
I created my own web server. It is configured ONLY for my service. The whole service is written in Python.
So, I'd say that my service's version is sipistoverdi 1.5.
The operating system my web server runs on is (include version):
Windows 10 Home Edition.
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
No.
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No. I haven't made it yet. I'm still working on it.
The version of my client is: certbot 1.24.0

Also, I'm using that command: certbot certonly --manual -d sipistoverdi.viewdns.net --rsa-key-size 4096 --debug --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36 -O" --debug

(I'm having a problem with the user-agents that are being sent BY the actual client).
Also, I'm using HTTP/1.1, which is synchronous. Is that the problem, though?
I've also made the same request with curl in order to see, at a debug level, what's really going on with my actual service:
D:\>curl -v http://sipistoverdi.viewdns.net/.well-known/acme-challenge/Qi9c-pXnyR6YDL87pAGIcqa1f8tTPruJFtoCOlrub24 -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36 -O" --trace-time -D debug.txt
22:28:32.717372 * Trying 85.130.21.168:80...
22:28:32.728123 * Connected to sipistoverdi.viewdns.net (85.130.21.168) port 80 (#0)
22:28:32.737732 > GET /.well-known/acme-challenge/Qi9c-pXnyR6YDL87pAGIcqa1f8tTPruJFtoCOlrub24 HTTP/1.1
22:28:32.737732 > Host: sipistoverdi.viewdns.net
22:28:32.737732 > User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36 -O
22:28:32.737732 > Accept: */*
22:28:32.737732 >
22:28:32.777145 * Mark bundle as not supporting multiuse
22:28:32.782699 < HTTP/1.1 200 OK
22:28:32.786826 < Location: /.well-known/acme-challenge/Qi9c-pXnyR6YDL87pAGIcqa1f8tTPruJFtoCOlrub24
22:28:32.795117 < Content-Type: text/plain
22:28:32.799834 < X-Frame-Options: ALLOW-FROM http://sipistoverdi.viewdns.net
22:28:32.807027 < Vary: Sec-Fetch-Dest, Sec-Fetch-Site
22:28:32.812467 < Pragma: no-cache
22:28:32.816681 < Expires: Wed, 02 Feb 2000 00:00:00 GMT
22:28:32.822333 < Date: Fri, 6 May 2022 22:28:32 GMT
22:28:32.827637 < Server: sipistoverdi
22:28:32.831941 < X-ua-compatible: IE=edge
22:28:32.836064 < Viewport-Width, Width0
22:28:32.840994 < Connection: close
22:28:32.844653 <
Qi9c-pXnyR6YDL87pAGIcqa1f8tTPruJFtoCOlrub24.blablablathethumbprint
22:28:32.848622 * Closing connection 0

And that's the output of CERTBOT.
certbot certonly --manual -d sipistoverdi.viewdns.net --rsa-key-size 4096 --debug --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36 -O" --debug
Saving debug log to C:\Certbot\log\letsencrypt.log
Requesting a certificate for sipistoverdi.viewdns.net


Create a file containing just this data:

Qi9c-pXnyR6YDL87pAGIcqa1f8tTPruJFtoCOlrub24.blablablathethumbprint

And make it available on your web server at this URL:

http://sipistoverdi.viewdns.net/.well-known/acme-challenge/Qi9c-pXnyR6YDL87pAGIcqa1f8tTPruJFtoCOlrub24


Press Enter to Continue

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: sipistoverdi.viewdns.net
Type: connection
Detail: 85.130.21.168: Fetching Just a moment. . . Error getting validation data

Hint: The Certificate Authority failed to verify the manually created challenge files. Ensure that you created these in the correct location.

Exiting abnormally:
Traceback (most recent call last):
File "runpy.py", line 197, in _run_module_as_main
File "runpy.py", line 87, in _run_code
File "C:\Program Files (x86)\Certbot\bin\certbot.exe\__main__.py", line 29, in <module>
sys.exit(main())
File "C:\Program Files (x86)\Certbot\pkgs\certbot\main.py", line 19, in main
return internal_main.main(cli_args)
File "C:\Program Files (x86)\Certbot\pkgs\certbot_internal\main.py", line 1679, in main
return config.func(config, plugins)
File "C:\Program Files (x86)\Certbot\pkgs\certbot_internal\main.py", line 1538, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File "C:\Program Files (x86)\Certbot\pkgs\certbot_internal\main.py", line 139, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "C:\Program Files (x86)\Certbot\pkgs\certbot_internal\client.py", line 513, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File "C:\Program Files (x86)\Certbot\pkgs\certbot_internal\client.py", line 441, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "C:\Program Files (x86)\Certbot\pkgs\certbot_internal\client.py", line 493, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
File "C:\Program Files (x86)\Certbot\pkgs\certbot_internal\auth_handler.py", line 106, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "C:\Program Files (x86)\Certbot\pkgs\certbot_internal\auth_handler.py", line 206, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.


First, you cannot control the user-agent used by the Let's Encrypt server to your server. The --user-agent you set with certbot only sets the user-agent sent from certbot to the Let's Encrypt server. And, you should not change that anyway so best to remove that option.

Since you wrote your own server you should be able to see the user-agent sent to you by the LE Server. I assume you are trying to limit inbound requests. But, allowing requests for the /.well-known/acme-challenge/ path should do well enough if that's your purpose.

You need to process the requests as they arrive from LE Server. You currently respond to valid requests with an empty reply. And, if you try to reject too much it makes it difficult for us to help.


Thank you!

That was the problem, though...
So, on each client's request my service sends a response, an empty one. For many clients (like curl, which I've already fixed, and others) the response is empty. I should fix it.


I don't quite understand but maybe this will help:

The ACME client (in this case certbot) starts the cert request and then signals the Let's Encrypt Server (the ACME server).

The LE Server will then make multiple requests to your server to validate you control that domain name. You need to respond correctly to each request. Currently there are 4 requests from various parts of the world (this can change).

You should also let through similar acme-challenge requests (regardless of user-agent). We often use various tools to help people with problems. You want our test cases to respond the same as the Let's Encrypt server requests. One example tool is the Let's Debug site.

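The two replies above boil down to one rule for the HTTP-01 challenge: any GET for /.well-known/acme-challenge/<token> must get a 200 with the key authorization as the body, no matter which User-Agent sent it, because the validation servers (and helper tools like Let's Debug) send their own. The responder below is an added example written for this thread; it is not the poster's sipistoverdi server and not code from certbot. It keeps the token-to-key-authorization mapping in a hypothetical in-memory dict (the thumbprint value is the placeholder from the post), binds to 127.0.0.1 on an ephemeral port, and the demo fetches the token with several User-Agents to show that each gets the same answer. Only the token pattern is used to decide the response; the User-Agent is logged and otherwise ignored.

```python
"""Minimal HTTP-01 challenge responder (added example, not the poster's server)."""
import re
import sys
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Hypothetical store: token -> key authorization ("<token>.<account thumbprint>").
# certbot --manual prints both values; the thumbprint used in the demo is the
# placeholder from the original post, not a real one.
CHALLENGES = {}

# ACME tokens are base64url without padding. Anchoring the whole path and
# allowing only that alphabet rules out "..", slashes and query tricks.
TOKEN_RE = re.compile(r"^/\.well-known/acme-challenge/([A-Za-z0-9_-]+)$")


def challenge_token(path):
    """Return the token if path is a well-formed challenge URL, else None."""
    m = TOKEN_RE.match(path)
    return m.group(1) if m else None


class AcmeHandler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"

    def _send(self, status, body):
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        token = challenge_token(self.path)
        if token is not None and token in CHALLENGES:
            # Same body for every client: the validator compares it byte-for-byte.
            self._send(200, CHALLENGES[token].encode("ascii"))
        else:
            self._send(404, b"not found\n")

    def log_message(self, fmt, *args):
        # Log the User-Agent so you can see what the validators send, but never
        # branch on it.
        sys.stderr.write("%s %s UA=%r\n" % (self.address_string(), fmt % args,
                                            self.headers.get("User-Agent")))


def start_server(port=0):
    """Start the responder on 127.0.0.1 and return (server, bound_port)."""
    srv = ThreadingHTTPServer(("127.0.0.1", port), AcmeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def fetch(url, user_agent):
    """GET url with the given User-Agent; return (status, body_text)."""
    req = Request(url, headers={"User-Agent": user_agent})
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as e:
        return e.code, e.read().decode()


def demo():
    """Serve one token, fetch it with several User-Agents, return the results."""
    token = "Qi9c-pXnyR6YDL87pAGIcqa1f8tTPruJFtoCOlrub24"
    CHALLENGES[token] = token + ".blablablathethumbprint"  # placeholder thumbprint
    srv, port = start_server()
    base = "http://127.0.0.1:%d" % port
    # Constructed User-Agent strings: a curl client, a browser-like string and an
    # approximation of what a CA validation server might send.
    agents = [
        "curl/7.83.0",
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
        "Mozilla/5.0 (compatible; ACME validation server; +https://example.invalid)",
    ]
    try:
        good = [fetch(base + "/.well-known/acme-challenge/" + token, ua) for ua in agents]
        unknown = fetch(base + "/.well-known/acme-challenge/nosuchtoken", agents[0])
        return {"good": good, "unknown": unknown}
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(demo())
```

The 404 for an unknown token is deliberate: if the responder returned 200 with an empty or unrelated body (as the poster's server did for some clients), the validator would still fail, only with a less informative error. A real deployment would bind to 0.0.0.0:80 and be populated with the token and key authorization that certbot prints.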