Problem validating domain (TLD app)


#1

In the new TLD * .app it is not possible to access http, there is only https: // due to google HSTS.

How to solve this?

CMD: certbot --authenticator standalone --installer apache -d mydomain.app -d www.mydomain.app --pre-hook "service apache2 stop" --post-hook "service apache2 start"


<p", bolao.app (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from **http://mydomain.app/.well-known/acme-challenge/jb8fsTfnjo5SZhZNQKOsvzPkNvTcvABvfb08kduuy2o:** "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.mydomain.app
   Type:   unauthorized
   Detail: Invalid response from
   http://www.mydomain.app/.well-known/acme-challenge/FzvCH-DIYPs5_9fHbFHgb70pMqjcWzQ3jxor6LV4gl0:
   "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
   <html><head>
   <title>404 Not Found</title>
   </head><body>
   <h1>Not Found</h1>
   <p"

Cannot renew certs when redirecting http to https
#2

Hi @mobtexapp,

I’ve split your post to a new one.

LE doesn’t care whether your site uses STS Header or not, also, keep in mind that .app HSTS is preloaded in some browsers but as I said, LE doesn’t care.

Seems your domain is bolao.app, if that is the case your problem is the IPv6 address configured for your domain (LE prefers IPv6 over IPv4 and your domain is advertising AAAA records so LE will try to validate it using this IPv6 address).

Trying to access your site using IPv6 we see it is using an Apache Server 2.2.22 and it returns nothing:

$ curl -6ikL www.bolao.app
HTTP/1.1 200 OK
Date: Sat, 12 May 2018 13:42:18 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.45-0+deb7u11
Vary: Accept-Encoding
Content-Length: 0
Content-Type: text/html

Using IPv4 your site answers correctly with your site and the Apache server is 2.4.10:

$ curl -4ikL www.bolao.app
HTTP/1.1 200 OK
Date: Sat, 12 May 2018 13:43:21 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: kohanasession=gtj0k2qu28sm8s51ccr7lksm14; expires=Sat, 12-May-2018 15:43:21 GMT; Max-Age=7200; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: kohanasession=gtj0k2qu28sm8s51ccr7lksm14; expires=Sat, 12-May-2018 15:43:21 GMT; Max-Age=7200; path=/
Set-Cookie: kohanasession_data=c2Vzc2lvbl9pZHxzOjI2OiJndGowazJxdTI4c204czUxY2NyN2xrc20xNCI7dG90YWxfaGl0c3xpOjE7X2tmX2ZsYXNoX3xhOjA6e311c2VyX2FnZW50fHM6MTE6ImN1cmwvNy41Mi4xIjtpcF9hZGRyZXNzfHM6MTM6IjE0NC43Ni43MS4yNDgiO2xhc3RfYWN0aXZpdHl8aToxNTI2MTMyNjAxO2NvdW50ZXJ8czo1OiIxMTUzMSI7; expires=Sat, 12-May-2018 15:43:21 GMT; Max-Age=7200; path=/
Vary: Accept-Encoding
Content-Length: 2169
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="pt-br">
    <head>
        <meta charset="utf-8">
        <meta http-equiv="X-UA-Compatible" content="IE=edge">
[...]

So seems your IPv6 address is not pointing to the same server… you need to fix your IPv6 issues or remove the AAAA records for your domains.

Why not use apache as authenticator too?. If you use apache as authenticator there is no need to stop/start your current Apache web server to issue the certificate.

Cheers,
sahsanu


#3

Thank you!
It had done that, but linode.com’s dns took a long time


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.