Renewal Issue Related To Prerouting redirect?


#1

My domain is:
moinmovement.net
www.moinmovement.net

I ran this command:

sudo certbot renew --dry-run

It produced this output:

Attempting to renew cert (moinmovement.net) from /etc/letsencrypt/renewal/moinmovement.net.conf produced an unexpected error: Failed authorization procedure. www.moinmovement.net (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.moinmovement.net/.well-known/acme-challenge/2DBrfjBqNEXqMcfKe4lCkX4rm8bnj9A2qqPOlLz6ZEU: "

Moin Movement League <link rel="styl", moinmovement.net (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://moinmovement.net/.well-known/acme-challenge/DKsHYgXpUFWTQ_WKpbi1-ULzygOLpHB0y0YAtBC9F8o: " Moin Movement League <link rel="styl". Skipping. All renewal attempts failed. The following certs could not be renewed: /etc/letsencrypt/live/moinmovement.net/fullchain.pem (failure)

** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/moinmovement.net/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version):
Express

The operating system my web server runs on is (include version):
Ubuntu 16.04.4

My hosting provider, if applicable, is:
Amazon Lightsail

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

Hello Let’s Encrypt community. This is my first time trying to renew a certificate and I am having some troubles. I am new to a lot of this and thought I might get some help here so I don’t mess anything up and cause myself more issue.

You can see from the error above invalid response. I think this is because I am redirecting all traffic from port 80 using PREROUTING iptables and so the response it is receiving a 301 redirect.

I placed a txt file @ www.moinmovement.net/.well-known/acme-challenge/test.txt to help with troubleshooting.

can someone help me think what my options are here? Thank you very much.


#2

Hi,

I think the options are relatively limited…

The easiest one is use an 301 redirect (upgrade to https), then exempt .well-known folders…

Thank you


#3

@stevenzhu, how do you know what the underlying problem is here?


#4

Hi Jookly

there is a strange thing:

D:\download http://www.moinmovement.net/.well-known/acme-challenge/test.txt -h
X-DNS-Prefetch-Control: off
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Download-Options: noopen
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Vary: Accept
Connection: keep-alive
Content-Length: 63
Content-Type: text/plain; charset=utf-8
Date: Fri, 10 Aug 2018 17:03:19 GMT
Location: https://www.moinmovement.net/

Status: 301 MovedPermanently

Your location is the root, not

https://www.moinmovement.net/.well-known/acme-challenge/test.txt

And if you have such a redirect. Test, if it works with a file without extension.


#5

There is a kind of funny issue here that makes this much harder to debug:

http://www.moinmovement.net/.well-known/acme-challenge/test.txt

redirects to

https://www.moinmovement.net/

which sends an HSTS header telling the browser that www.moinmovement.net should be accessed by HTTPS only. Therefore, if you try a second time in a browser, the browser itself rewrites the request to

https://www.moinmovement.net/.well-known/acme-challenge/test.txt

which works (giving the illusion that the test file is set up properly, when it’s not).

Conclusion 1: test with curl, not with a browser, in order to see the test file the way that the certificate authority will see it. Because of HSTS, the browser can show misleading results!

Conclusion 2: you need to fix the redirect so that instead of going to the top level of the site, it redirects to the same URL (http://www.moinmovement.net/example needs to redirect to https://www.moinmovement.net/example, not to https://www.moinmovement.net/, as it currently does).


#6

Thanks so much for taking a look at it everyone. What you are saying makes sense.

I think with these responses I can work through the issue now and both fix my redirect which sounds like I am doing incorrectly and in process be able to renew my certificate. Again I really appreciate the help. I didn’t know about letsencrypt until recently it is very awesome piece of software and service.

I am going to try these suggestions and ideas now if I have extra trouble I might be back here. Thanks again.


#7

Because when he connects to port 80, the redirection rule just removed all query strings except the domain name, then it turned to the root domain (on https) for login pages. (however, visiting https links directly works)

At least thats when i saw the site…
The redirection from http to https homepage seems to be removed.


#8

I wanted to thank everyone once more now that I resolved my issue. I am not certain if I totally fixed my redirect issue but at least for now I know how to renew my certificate :slight_smile: . Thanks thanks thanks!


#9

Now it looks good:

D:>download http://www.moinmovement.net/.well-known/acme-challenge/test.txt -h
X-DNS-Prefetch-Control: off
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Download-Options: noopen
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Connection: keep-alive
Accept-Ranges: bytes
Content-Length: 5
Cache-Control: public, max-age=0
Content-Type: text/plain; charset=UTF-8
Date: Fri, 10 Aug 2018 18:31:29 GMT
ETag: W/“5-16524b605a8”
Last-Modified: Fri, 10 Aug 2018 16:40:33 GMT

Status: 200 OK

The file under /.well-known/acme-challenge/ has no redirect.

D:>download http://www.moinmovement.net/ -h
X-DNS-Prefetch-Control: off
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Download-Options: noopen
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Connection: keep-alive
Content-Length: 0
Date: Fri, 10 Aug 2018 18:33:41 GMT
Location: https://moinmovement.net/

Status: 301 MovedPermanently

Your main page is redirected from http to https.

The only thing: This

Strict-Transport-Security: max-age=15552000; includeSubDomains

isn’t a http - header, only a https - header.


#10

According to the HSTS standard, HSTS has no effect when sent in an HTTP connection, only when sent in an HTTPS connection. This is meant to stop a malicious network from injecting false HSTS headers to persistently break sites that have no HTTPS support.


#11

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.