Problem updating ACME TLS-SNI-01 to alternative validation method


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
www.kreator.ch

I ran this command:
certbot-auto --apache certonly

It produced this output:

Domain: www.kreator.ch
Type: unauthorized

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
My web server is (include version):
Apache 2.4.0 Tomcat/7.0.56
The operating system my web server runs on is (include version):
Debian GNU/Linux 8.9 (jessie)
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
N/A
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.30.2


#2

What was the error message?


#3

Failed authorization procedure. www.kreator.ch (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.kreator.ch/.well-known/acme-challenge/ZNG1IwZmlZg-AwWX5-2ofQ4X6gaRPY_C0umd7vSm4VM: “Apache Tomcat/7.0.56 (Debian) - Error report<!--H1 {font-family:Tahoma,Arial,sans-serif;color:”

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.kreator.ch
    Type: unauthorized
    Detail: Invalid response from
    http://www.kreator.ch/.well-known/acme-challenge/ZNG1IwZmlZg-AwWX5-2ofQ4X6gaRPY_C0umd7vSm4VM:
    “Apache Tomcat/7.0.56 (Debian) - Error
    report<!--H1
    {font-family:Tahoma,Arial,sans-serif;color:”

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.


#4

Hi mnordhoff,
Shall I provide the letsencrypt.log file?
Regards


#5

Further information:

The renewal process seems to be using the old certbot version.
The file www.kreator.ch.conf in /etc/letsencrypt/renewal indicates Version = 0.10.2

I must be missing something.


#6

But you already use http-01 validation, so it’s not too big a problem.

Can you find the DocumentRoot of your http port 80 vHost? Check your vHost definition; the DocumentRoot should be defined there.

Your main config looks ok; checking /.well-known/acme-challenge/unknown-file returns an http status 404, that’s good.

So use

certbot run -a webroot -i apache -w YourDocumentRoot -d www.kreator.ch -d kreator.ch

to split authentication and installation.


#7

Can you kindly clarify how to find out what validation method is used by my Certbot installation? I did not install Certbot on our server.

I think Letsencrypt has left its users partly hanging here, with no pointer to figuring out if anything at all needs to be done, and incomplete instructions in case something needs to be done. Having said that, Letsencrypt/Certbot looks like a great idea, but important changes like this need better support for the users.


#8

Check your config file and your last log.

/var/log/letsencrypt/letsencrypt.log

There you can find your validation method.


#9

Hi Juergen,
Thanks a lot for your support.
My DocumentRoot is /var/www/kreator.ch/public_html
So I executed the command:
certbot run -a webroot -i apache -w /var/www/kreator.ch/public_html -d www.kreator.ch -d kreator.ch
And received the same error message as with certbot-auto --apache certonly
Failed authorization procedure. kreator.ch (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://kreator.ch/.well-known/acme-challenge/jDFXP2qz5-9qbesIaGqK4BXSvARQ7HKq9OYwUxQ4SyQ: “Apache Tomcat/7.0.56 (Debian) - Error report<!--H1 {font-family:Tahoma,Arial,sans-serif;color:”, www.kreator.ch (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.kreator.ch/.well-known/acme-challenge/UrBIhRsCf_dRBNYNdqAYMBaSSHAv6DvXRX4L9_yE_mE: “Apache Tomcat/7.0.56 (Debian) - Error report<!--H1 {font-family:Tahoma,Arial,sans-serif;color:”

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: kreator.ch
    Type: unauthorized

Kind regards


#10

I see a completely different result ( https://check-your-website.server-daten.de/?q=kreator.ch ):

You see: there are redirects http -> https. This is ok, Letsencrypt follows redirects and the redirects are ok (they add the complete path and filename). But your log says that Letsencrypt tries to load the http version, so Letsencrypt doesn’t get a redirect.

Why?

And the Server is always:

Server: Apache/2.4.10 (Debian)

not

Apache Tomcat/7.0.56 (Debian)

So it looks like there are different servers running and answering.


#11

Hello Jurgen,
Thanks again.
My (only) server is Apache/2.4.10
apachectl -V
root@vserv2200.swisslink.ch:/etc/letsencrypt# apachectl -V
Server version: Apache/2.4.10 (Debian)
Server built: Jul 18 2017 18:32:16
Server’s Module Magic Number: 20120211:37
Server loaded: APR 1.5.1, APR-UTIL 1.5.4
Compiled using: APR 1.5.1, APR-UTIL 1.5.4
Architecture: 64-bit
etc…
“Apache Tomcat/7.0.56 (Debian)” was a copy/paste mistake, sorry about that.

Where should I go to find out why Letsencrypt tries to load the http version?

Regards


#12

I don’t understand that. Your earlier protocol:

There, http is checked.

I see you have rechecked your domain ( https://check-your-website.server-daten.de/?q=kreator.ch ). But again correct redirects, then a 404.

So to test:

Create the subfolders

/var/www/kreator.ch/public_html/.well-known/acme-challenge

and place a file there (file name 1234), then try to load this file with your browser:

http://kreator.ch/.well-known/acme-challenge/1234

If that works, we know this is your correct webroot.

PS: Using an offline download tool I see the same: a (correct) redirect to https.

PS: Are your http- and your https-DocumentRoot the same?


#13

I do not have the folder .well-known/acme-challenge.
Shall I create it manually?

Regards


#14

Yes, create the subfolders.


#15

Folders created.
What shall I do next?


#16

I misunderstood the initial indications, sorry.
I copied there 1234.html and tried:
https://kreator.ch/public_html/.well-known/acme-challenge/1234.html
https://kreator.ch/.well-known/acme-challenge/1234.htm
Both gave error 404.
I tried as well:
http://kreator.ch/public_html/.well-known/acme-challenge/1234.html
http://kreator.ch/.well-known/acme-challenge/1234.html
They are redirected to https and error 404.


#17

This is the only relevant address. But remove the file extension .html; Certbot creates a file without an extension.

So if you can’t load this address in your browser, your webroot / DocumentRoot is wrong.

Or you have additional internal redirects, so the location /.well-known/acme-challenge uses another directory, not the DocumentRoot.
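The webroot probe that Juergen describes in #12 and #17 (a file without extension under .well-known/acme-challenge in the DocumentRoot, fetched over plain http so that any redirect to https is followed exactly as the CA follows it), as an added shell script that is not from the thread and not part of Certbot. It stages a token with a constructed name, fetches it, removes it again and compares the served body with what was staged; the fetcher is a pluggable function so the comparison logic can also be exercised without network access. The hostname and webroot are assumptions supplied by the operator on the command line; `example.invalid` and the token names are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: probe whether a webroot is the one
# that answers http-01 requests for a host. Arguments are assumptions supplied
# by the operator: HOST (e.g. kreator.ch) and WEBROOT (the DocumentRoot).

ACME_DIR=".well-known/acme-challenge"

# stage_token WEBROOT TOKEN CONTENT
# Creates the challenge directory and writes CONTENT to the token file
# (no extension, exactly as certbot does). Prints the file's path.
stage_token() {
    webroot=$1; token=$2; content=$3
    mkdir -p "$webroot/$ACME_DIR"
    printf '%s' "$content" > "$webroot/$ACME_DIR/$token"
    printf '%s\n' "$webroot/$ACME_DIR/$token"
}

# fetch_token HOST TOKEN
# Fetches the token over plain http, following redirects (Let's Encrypt does
# the same, so an http -> https redirect is fine as long as the path survives).
fetch_token() {
    curl -sSL --max-redirs 10 "http://$1/$ACME_DIR/$2"
}

# show_redirect_chain HOST TOKEN
# Prints the status line, Location and Server header of every hop, which shows
# whether a different server (e.g. Tomcat instead of Apache) answers the path.
show_redirect_chain() {
    curl -sSIL --max-redirs 10 "http://$1/$ACME_DIR/$2" \
        | grep -Ei '^(HTTP/|Location:|Server:)'
}

# verify_token HOST WEBROOT [FETCHER]
# Stages a probe token, fetches it with FETCHER (default: fetch_token), cleans
# up and returns 0 only if the served body equals what was staged.
verify_token() {
    host=$1; webroot=$2; fetcher=${3:-fetch_token}
    token="probe-$$-$(date +%s)"           # constructed name, not a real ACME token
    expected="$token.acme-webroot-check"   # constructed body
    stage_token "$webroot" "$token" "$expected" >/dev/null
    got=$("$fetcher" "$host" "$token") || got=""
    rm -f "$webroot/$ACME_DIR/$token"
    if [ "$got" = "$expected" ]; then
        echo "OK: $host serves $ACME_DIR from $webroot"
        return 0
    fi
    echo "FAIL: $host did not serve the staged token from $webroot"
    echo "      got: $(printf '%s' "$got" | head -c 120)"
    return 1
}

# Usage: sh webroot-probe.sh HOST WEBROOT
if [ $# -ge 2 ]; then
    show_redirect_chain "$1" "probe-$$"
    verify_token "$1" "$2"
fi
```

A mismatch with a body that starts with an error page (as in the thread, a Tomcat error report instead of the token) means the request reached a handler other than the static file in this DocumentRoot, so the next thing to inspect is which vHost and which handler own that path, not the DNS record the certbot hint points at.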


#18

Hi Juergen,

Thanks for your help, but I’m lost.

My vhost config is:

<VirtualHost *:80>
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.

    ServerAdmin mathias.zajaczkowski@ubik.ch
    ServerName kreator.ch
    # stackoverflow.com/questions/4083221/how-to-redirect-all-http-requests-to-https/21798882#21798882
    Redirect / https://www.kreator.ch
    ServerAlias kreator.ch
    DocumentRoot /var/www/kreator.ch/public_html

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf

    RewriteEngine on
    RewriteCond %{SERVER_NAME} =kreator.ch
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
    JkMount /* ajp13_worker
</VirtualHost>

Is there anything obviously wrong with it?

I can give you access to my server. You’ll probably find the problem losing less time than responding to my emails.

Regards


#19

You have a redirect to https (which is ok).

But then you have to check the DocumentRoot of your https vHost, because your https vHost sends the validation file.
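A static check for the two questions Juergen raises in #12 and #19 (is the http DocumentRoot the same as the https one, and does the vHost that answers actually serve the challenge path from disk), as an added shell script that is not from the thread. It lists the DocumentRoot per vHost port and flags a `JkMount /*` that has no matching `JkUnMount` for `/.well-known/acme-challenge/*`: with that mapping in place, mod_jk hands every request path, including the challenge URL, to the Tomcat worker instead of serving the file from the DocumentRoot, and the client then receives Tomcat's error page rather than the token. The embedded sample config is constructed for the example; its `:443` vHost is an assumption, since the thread only shows the `:80` one.

```shell
#!/bin/sh
# Added example, not from the thread: static checks on an Apache vhost file
# for the two things that decide where an http-01 request ends up.

# vhost_document_roots CONF
# Prints "PORT DOCUMENTROOT" for each <VirtualHost> in CONF.
vhost_document_roots() {
    awk '
        /^[[:space:]]*<VirtualHost/ { port=$0; sub(/.*:/, "", port); sub(/>.*/, "", port) }
        /^[[:space:]]*DocumentRoot[[:space:]]/ { print port, $2 }
    ' "$1"
}

# document_roots_match CONF
# Returns 0 when every vhost in CONF uses the same DocumentRoot.
document_roots_match() {
    n=$(vhost_document_roots "$1" | awk '{print $2}' | sort -u | awk 'END { print NR }')
    [ "$n" -eq 1 ]
}

# challenge_shadowed_by_jk CONF
# Returns 0 when CONF maps every path to a mod_jk worker (JkMount /*) without
# excluding the ACME challenge path (JkUnMount /.well-known/acme-challenge/*).
# The check is file-wide, so read it per vhost if the file defines several.
challenge_shadowed_by_jk() {
    grep -Eq '^[[:space:]]*JkMount[[:space:]]+/\*' "$1" || return 1
    grep -Eq '^[[:space:]]*JkUnMount[[:space:]]+/\.well-known/acme-challenge/\*' "$1" && return 1
    return 0
}

# report CONF
# Human-readable summary of both checks.
report() {
    echo "DocumentRoot per vhost:"
    vhost_document_roots "$1" | sed 's/^/  /'
    if document_roots_match "$1"; then
        echo "http and https vhosts use the same DocumentRoot"
    else
        echo "WARNING: http and https vhosts use different DocumentRoots"
    fi
    if challenge_shadowed_by_jk "$1"; then
        echo "WARNING: JkMount /* sends /.well-known/acme-challenge/ to Tomcat;"
        echo "         add: JkUnMount /.well-known/acme-challenge/* <worker>"
    else
        echo "challenge path is not shadowed by mod_jk"
    fi
}

# Constructed sample mirroring the :80 vhost from the thread plus an assumed :443 one.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
<VirtualHost *:80>
    ServerName kreator.ch
    Redirect / https://www.kreator.ch
    DocumentRoot /var/www/kreator.ch/public_html
    JkMount /* ajp13_worker
</VirtualHost>
<VirtualHost *:443>
    ServerName www.kreator.ch
    DocumentRoot /var/www/kreator.ch/public_html
    JkMount /* ajp13_worker
</VirtualHost>
EOF

report "$SAMPLE_CONF"
rm -f "$SAMPLE_CONF"
```

Run it against the real files under /etc/apache2/sites-enabled/ one at a time; the interesting one is the https vHost, which is the one that finally answers after the redirect.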


#20

How do I check DocumentRoot?
Can the problem be that I have Tomcat7 running too?
It used to work.