My domain is: envisual.eu
We've got a Plesk server running several dozen domains, many of which use Let's Encrypt via the Plesk integration. However, when we added the above domain and tried to set up the usual cert, we got the following error:
Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/4839859361.
Details:
Type: urn:ietf:params:acme:error:connection
Status: 400
Detail: Fetching http://www.envisual.eu/.well-known/acme-challenge/73y6RW6zvZ-3Qz0787YBqY2LfQxaNmI37Kpj-J-ErTc: Error getting validation data
Looking at the site's access_log I saw the following:
18.196.96.172 - - [27/May/2020:09:24:58 +0200] "GET /.well-known/acme-challenge/73y6RW6zvZ-3Qz0787YBqY2LfQxaNmI37Kpj-J-ErTc HTTP/1.1" 301 639 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
52.15.254.228 - - [27/May/2020:09:24:58 +0200] "GET /.well-known/acme-challenge/73y6RW6zvZ-3Qz0787YBqY2LfQxaNmI37Kpj-J-ErTc HTTP/1.1" 301 639 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
66.133.109.36 - - [27/May/2020:09:24:58 +0200] "GET /.well-known/acme-challenge/73y6RW6zvZ-3Qz0787YBqY2LfQxaNmI37Kpj-J-ErTc HTTP/1.1" 301 639 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
34.209.232.166 - - [27/May/2020:09:24:58 +0200] "GET /.well-known/acme-challenge/73y6RW6zvZ-3Qz0787YBqY2LfQxaNmI37Kpj-J-ErTc HTTP/1.1" 301 639 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
The '301' code indicates that it sent a redirect, so I fired up tcpdump/wireshark to see what it was redirecting to and it seemed to be redirecting to itself:
GET /.well-known/acme-challenge/IzNuEvCUckHes7evHcwUVgn2WBPZ0c0XXCRySrNsA1k HTTP/1.1
Host: envisual.eu
User-Agent: Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)
Accept: */*
Accept-Encoding: gzip
Connection: close

HTTP/1.1 301 Moved Permanently
Date: Wed, 27 May 2020 07:30:17 GMT
Server: Apache
Location: http://www.envisual.eu/.well-known/acme-challenge/IzNuEvCUckHes7evHcwUVgn2WBPZ0c0XXCRySrNsA1k
Content-Length: 362
Connection: close
Content-Type: text/html; charset=iso-8859-1
Even deleting the entire contents of the site didn't change the behavior; other sites on the same server work fine.
What's even more confounding is that attempting a manual download of the challenge using wget yields the file just fine, even if I set the certbot values as user-agent string:
89.20.64.133 - - [27/May/2020:09:37:08 +0200] "GET /.well-known/acme-challenge/73y6RW6zvZ-3Qz0787YBqY2LfQxaNmI37Kpj-J-ErTc HTTP/1.1" 200 353 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
83.162.2.112 - - [27/May/2020:09:37:42 +0200] "GET /.well-known/acme-challenge/73y6RW6zvZ-3Qz0787YBqY2LfQxaNmI37Kpj-J-ErTc HTTP/1.1" 200 353 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
I'm completely out of ideas at this point. If there's anything anyone thinks I could have overlooked, I'd love to hear it.
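
Added example, not part of the original post: a small Python check that compares the Host header and path of a captured request with the Location header of the redirect it received, and reports which host the validation server's follow-up request will go to. The function names are hypothetical, and the sample input is the capture from the post with some headers trimmed.

```python
from urllib.parse import urlsplit

TOKEN = "/.well-known/acme-challenge/IzNuEvCUckHes7evHcwUVgn2WBPZ0c0XXCRySrNsA1k"
# Sample input: request and response heads copied (trimmed) from the capture in the post.
CAPTURE = (
    f"GET {TOKEN} HTTP/1.1\r\n"
    "Host: envisual.eu\r\n"
    "Connection: close\r\n"
    "\r\n"
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Server: Apache\r\n"
    f"Location: http://www.envisual.eu{TOKEN}\r\n"
    "Connection: close\r\n"
    "\r\n"
)


def parse_head(block):
    """Split one HTTP message head into (start line, lower-cased header dict)."""
    lines = block.strip().split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def classify_redirect(capture):
    """Compare the requested host/path with the Location the server answered with."""
    request, response = capture.split("\r\n\r\n", 1)
    req_line, req_headers = parse_head(request)
    resp_line, resp_headers = parse_head(response)
    status = int(resp_line.split()[1])
    req_host = req_headers["host"].split(":")[0].lower()
    result = {"status": status, "request_host": req_host, "next_host": None}
    if status not in (301, 302, 303, 307, 308):
        return {**result, "kind": "not-a-redirect"}
    target = urlsplit(resp_headers["location"])
    # A relative Location has no host; it stays on the requested host.
    result["next_host"] = target.hostname or req_host
    if result["next_host"] != req_host:
        kind = "host-change"        # e.g. bare domain -> www
    elif target.scheme == "https":
        kind = "scheme-upgrade"     # http -> https on the same name
    elif target.path == req_line.split()[1]:
        kind = "self-redirect"      # same scheme, host and path: a loop
    else:
        kind = "path-change"
    return {**result, "kind": kind}


if __name__ == "__main__":
    print(classify_redirect(CAPTURE))
```

The Let's Encrypt validation server follows HTTP redirects, so the request to watch next is the one addressed to the host reported in `next_host`.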