Renewing non-www version fails


#1

Hi,
We have a web site builder with thousands of websites.
We are using Greenlock-express.

When renewing SSL for a domain I succeed with the www version of the domain but get an error
for the non-www version.

for example www.mybooks.co.il worked fine.
mybooks.co.il fails.

I get - Error: authorizations were not fetched

Thanks!!!


#2

There’s almost no chance of us figuring out what’s wrong with your Greenlock integration unless you can post a runnable application that exhibits the problem.


#3

Hi @shlomi_st

I don't find a direct error. But checking your files, there are http status 200 where 404 are expected:

The last two - the file names are test names, so they don't exist. Checked with my own online tool https://check-your-website.server-daten.de/?q=mybooks.co.il

I don’t use this client. Are there more error messages or a protocol?


#4

Thanks for the reply.
When trying to create the certificate for https://www.mybooks.co.il I get the following errors:

[acme-v2.js] authorizations were not fetched:
{ type: 'urn:ietf:params:acme:error:malformed',
  detail: 'JWS verification error',
  status: 400 }
[acme-v2] handled(?) rejection as errback:
Error: authorizations were not fetched
    at /home/chderen/www/node_modules/acme-v2/node.js:588:31
    at


#5

You have one certificate created today.

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:www.mybooks.co.il&lu=cert_search

But why does your webserver send a 200 instead of a 404 when checking a non-existent file like

http://www.mybooks.co.il/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de

or

http://mybooks.co.il/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de

This is an error of your webserver. So Let's Encrypt tries to validate such a file and gets the wrong content, not the content expected.
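The point above, modelled as an added example that is not code from this thread or from Greenlock: an HTTP-01 challenge responder must answer 404 for unknown token names, so a validator (or a pre-flight probe with a made-up name, as the checker used above does) never receives a catch-all page as the "challenge content". Token and thumbprint values are constructed placeholders.

```javascript
// Added example (not the thread's or Greenlock's code). Pure functions so it
// runs offline: request path in, {status, body} out.
const ACME_PREFIX = '/.well-known/acme-challenge/';
const NOT_FOUND = { status: 404, body: 'not found' };

// token -> key authorization ("<token>.<JWK thumbprint>"), as an ACME client
// populates it at issuance time. Constructed sample data.
const CHALLENGES = new Map([
  ['Ab-12_token', 'Ab-12_token.constructed-thumbprint'],
]);

// Correct behaviour: serve a known token's key authorization verbatim,
// answer 404 for everything else.
function challengeHandler(path, challenges = CHALLENGES) {
  if (!path.startsWith(ACME_PREFIX)) return NOT_FOUND;
  const token = path.slice(ACME_PREFIX.length);
  // ACME tokens are base64url; refusing other characters also rejects
  // "../" style paths before any lookup happens.
  if (!/^[A-Za-z0-9_-]+$/.test(token)) return NOT_FOUND;
  const keyAuth = challenges.get(token);
  return keyAuth === undefined ? NOT_FOUND : { status: 200, body: keyAuth };
}

// The misconfiguration from the thread: a site builder that answers 200
// with its HTML shell for every path, including unknown challenge names.
function catchAllHandler() {
  return { status: 200, body: '<html><body>Site builder page</body></html>' };
}

// Pre-flight probe: request a name that cannot exist and classify the answer.
// Only 404 is correct; a 200 here means the validator would read the wrong
// content for a real token too.
function probeChallengePath(handler) {
  const res = handler(ACME_PREFIX + 'probe-name-that-does-not-exist');
  if (res.status === 404) return 'ok';
  if (res.status === 200) return 'catch-all';
  return 'unexpected-' + res.status;
}
```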


#6

That’s an unusual error. Let’s Encrypt thinks the ACME client is sending some sort of invalid request.

Are you running the latest version of greenlock-express?

It seems to support extensive debug logging, including HTTP requests and responses. I’m not sure how to turn it on, or if it’s on by default.

Can you enable it – if necessary – and post a full log of what happened?


#7

Thanks for the reply.
I will check it


#8

Hi,
We've fixed the 404 issue. Still, some of the domains without the www fail to create an SSL cert.
For example - https://boozers.beer.

Any idea?


#9

You have a certificate with the www-domainname, created today.

What’s the difference between your www- and your non-www version? (Server configuration)

www works, non-www has a SendFailure error.

But it’s not a https -> port 80 or http -> port 443 - error.


#10

Now checked with Ssllabs:

https://www.ssllabs.com/ssltest/analyze.html?d=boozers.beer&hideResults=on

Error: Failed to communicate with the secure server

Explanation:

Failed to communicate with the secure server - No secure protocol supported. Possibly this server only supports a draft version of TLS 1.3

So your SSL configuration of the non-www version looks broken.