Redirect causes odd behaviour with certbot

My domain is: smhi.com, smhi.se, et.al.

My web server is (include version): Hitch-tls + Varnish + certbot

The operating system my web server runs on is (include version): RHEL7.7

I can login to a root shell on my machine (yes or no, or I don’t know): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.37.2

We have been running certbot for about a year without issue or change. Recently the certificate renewal has started to fail for one of the domains in the certificate.
We redirect the domain smhi.com to smhi.se/en and this causes a problem apparently. The thing that is odd in the log is the following:

{
  "identifier": {
    "type": "dns",
    "value": "smhi.com"
  },
  "status": "invalid",
  "expires": "2020-04-24T11:37:15Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Invalid response from http://www.smhi.se/en [2001:67c:274:1313::43]: \"\u003c!DOCTYPE html\u003e\n\u003chtml lang=\\\"en-US\\\"\u003e\n\u003chead\u003e\n\u003cmeta http-equiv=\\\"content-type\\\" content=\\\"text/html; charset=UTF-8\\\" /\u003e\n\u003cmeta name=\\\"rob\"",
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/4013528128/dNS-Xg",
      "token": "1fD1MDNO-07vaU90M2gONhJ__-UCj4YD_SLGhtXdAXk",
      "validationRecord": [
        {
          "url": "http://smhi.com/.well-known/acme-challenge/1fD1MDNO-07vaU90M2gONhJ__-UCj4YD_SLGhtXdAXk",
          "hostname": "smhi.com",
          "port": "80",
          "addressesResolved": [
            "62.116.130.8"
          ],
          "addressUsed": "62.116.130.8"
        },
        {
          "url": "http://www.smhi.se/en",
          "hostname": "www.smhi.se",
          "port": "80",
          "addressesResolved": [
            "91.192.30.117",
            "2001:67c:274:1313::43"
          ],
          "addressUsed": "2001:67c:274:1313::43"
        }
      ]
    }
  ]
}

For the domain smhi.com it produces two validation records, and because the post-redirect record does not include the challenge URL, the request is not diverted to certbot. I don't understand why the second validationRecord is needed, nor how it is constructed.

The validation record just reflects the redirect chain that your webserver sent to the validation server:

$ curl -X GET -I http://smhi.com/.well-known/acme-challenge/1fD1MDNO-07vaU90M2gONhJ__-UCj4YD_SLGhtXdAXk
HTTP/1.1 301 Moved Permanently
Date: Fri, 17 Apr 2020 11:51:40 GMT
Server: Apache
Location: http://www.smhi.se/en
Content-Length: 0
Content-Type: text/html; charset=UTF-8
X-Varnish: 55677824 56167095
Age: 268
Via: 1.1 varnish-v4
X-redirector: MTk4MzEyMjYK
Connection: keep-alive

I’m guessing that you need to exclude /.well-known/acme-challenge from whatever HTTP-to-HTTPS redirect rule you have added recently, because it prevents the Certbot challenge response from being served.

Hi @samdaoud

That's how the validation works.

If there is a redirect from http + /.well-known/acme-challenge/random-filename to another port (80 or 443) or another domain, Let's Encrypt follows that redirect.

That's very good if you want to use a centralized solution, if you use a load balancer, different servers, etc.

Solution:

  • Run certbot with webroot, so the destination is used (or)
  • Remove the redirect for http + /.well-known/acme-challenge/random-filename
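To make the two validationRecord entries in the log concrete, here is an added example (my own, not code from this thread, from certbot or from Let's Encrypt): it rebuilds the chain the validator records by following redirects from the challenge URL, and flags a chain whose last hop has left /.well-known/acme-challenge/, which is exactly the failure both replies above describe. The two responders are constructed stand-ins for the smhi.com setup before and after exempting the challenge path from the redirect, and MAX_REDIRECTS is an assumed cap, not a documented Let's Encrypt value.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
MAX_REDIRECTS = 10  # assumption: cap on hops, not a Let's Encrypt-documented value
REDIRECT_CODES = {301, 302, 303, 307, 308}

@dataclass
class Hop:
    url: str        # one validationRecord entry: what was fetched and what came back
    hostname: str
    port: str
    status: int
    location: Optional[str]

# A fetcher does ONE request without following redirects and returns
# (status, Location header or None); injected so this runs offline.
Fetcher = Callable[[str], Tuple[int, Optional[str]]]

def validation_chain(host: str, token: str, fetch: Fetcher) -> List[Hop]:
    """Walk the redirect chain from the challenge URL, as the validator does."""
    url = f"http://{host}{CHALLENGE_PREFIX}{token}"
    chain: List[Hop] = []
    for _ in range(MAX_REDIRECTS + 1):
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
        status, location = fetch(url)
        chain.append(Hop(url, parts.hostname, str(port), status, location))
        if status not in REDIRECT_CODES or not location:
            break
        url = urljoin(url, location)  # relative Location headers are resolved
    return chain

def challenge_lost(chain: List[Hop]) -> bool:
    """True when the last hop is no longer on the challenge path: the redirect
    swallowed the token, so the validator sees an ordinary page (here a 403)."""
    return not urlsplit(chain[-1].url).path.startswith(CHALLENGE_PREFIX)

# Constructed responders modelled on the thread's curl output (not real servers).
def broken_site(url: str) -> Tuple[int, Optional[str]]:
    if urlsplit(url).hostname == "smhi.com":   # redirects everything, token included
        return 301, "http://www.smhi.se/en"
    return 403, None  # the landing page: no token there, so an error

def fixed_site(url: str) -> Tuple[int, Optional[str]]:
    p = urlsplit(url)
    if p.hostname == "smhi.com" and not p.path.startswith(CHALLENGE_PREFIX):
        return 301, "http://www.smhi.se/en"  # same redirect, challenge path exempted
    return 200, None  # certbot (or the webroot file) answers here
```

Swapping a real single-request fetcher in for the stand-ins turns this into a pre-renewal check that reproduces the validator's view of your own redirect rules.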

Intriguing. I get an empty response when I curl that URL, as I should. The certbot handling happens before any redirects, so when certbot is not running I'm expecting an empty response. I'll have to examine why external requests are treated differently.

Thanks for the valuable insight
