Parked domains http challenge verification support

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: oktalogin.happeosupport.com

I ran this command: We are trying to renew a certificate for our customer for this parked domain oktalogin.happeosupport.com using acme client. Http challenge was obtained but we see Let's Encrypt was not able to verify.

It produced this output: We see Let's Encrypt attempting to reach /.well-known/acme-challenge/{token} but failed with a 421 error so the certificate was not able to be renewed.

We're just wondering if Let's Encrypt supports verifying http challenges to parked domains or would Let's Encrypt block these requests?

The "421" is the reply from your domain server to Let's Encrypt. To satisfy the HTTP Challenge you must reply with the challenge token.

"Parked" means different things to different people. But, as long as the HTTP Challenge request is replied to properly you will get the cert.

If that is not possible anymore you could look at using the DNS Challenge

Doing a quick search:

• oktalogin.happeosupport.com looks to be CNAMED onto an Okta domain, and resolving to 2 Amazon IPs
• happeosupport.com looks to be parked at godaddy, but resolves to 2 other amazon IPs. (they migrated a bunch of their network to AWS a while back)

If you are with Okta, you should be able to fix the 421 error and get a cert for the oktalogin.happeosupport.com subdomain.

I don't think it would be possible to get a cert via HTTP-01 for happeosupport.com. That would require DNS-01, or the involvement of GoDaddy.

You can test the visibility of the challenge token before triggering the authorization attempt.

Those are two AWS Global Accelerator IPs. GoDaddy uses that service for their "Domain Forwarding" feature.

Normally, that has to be disabled and replaced with the public IP for the domain's server.

Oddly, this is the 3rd time today the issue with GoDaddy Domain Forwarding has come up

@jvanasco thanks for your reply. How can we check if the url was parked at godaddy?
the domain is owned by the customer and Okta uses lets encrypt to generate certificates for customer's domains and uses http challenge to verify the domain ownership.
Can Okta fix the issue or do we need to reach out to customer asking them to recategorize their domain?
When you say "happeosupport.com looks to be parked at godaddy" - can this cause the http challenge verifications requests to be blocked?

How can we check if the url was parked at godaddy?

So a few things here:

1- Visiting happeosupport.com (the registered domain) shows a godaddy page.
2- Running dig happeosupport.com shows the IP resolution
3- Popping the IPs into whois.arin.net shows the network allocation

Can Okta fix the issue or do we need to reach out to customer asking them to recategorize their domain?

oktalogin.happeosupport.com is hosted on the okta network. unless you have admin access to that machine, only okta will be able to answer a HTTP-01 challenge. you could conceivably run a DNS-01 challenge. The thing I don't understand here, is why you seem to be trying to get a certificate for that domain, as okta is handling it and they could/should conceivably handle all this automatically - and how do you expect to install the certificate on that machine?

can this cause the http challenge verifications requests to be blocked?

I don't see any evidence of challenges being blocked.

Challenges for happeosupport.com are being sent to the godaddy server that domain is hosted on.

Challenges for oktalogin.happeosupport.com are being sent to the okta server that subdomain is hosted on.

What machine / ip-address are you running the acme client on?

It is possible that Okta and/or Godaddy have their own network systems that consume all the inbound /.well-known/acme-challenge requests. Some SAAS/PAAS systems do that.

Pretty sure I've seen exactly that. I think GoDaddy were auto answering http challenges a while ago, which affected people who used domain forwarding.

I'd suggest delegating DNS challenges by pointing _acme-challenge.oktalogin.happeosupport.com as a CNAME to a corresponding TXT record in a DNS zone you control, then configure your acme client to use DNS domain validation and update that instead.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.