Running Boulder Internally - DNS Configuration Means Certificates Aren't Issued

Hi, I've been trying to solve this problem myself but I have found little success :sweat:

I'm using Ubuntu trusty and Apache and can't get the response from my server.
I get this message after using: sudo ./certbot-auto certonly --agree-tos --renew-by-default -d bye.com --server http://172.17.0.1:4000/directory --webroot -w /var/www/bye.com/html/ (this is where I have bye.html)

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for bye.com
Using the webroot path /var/www/bye.com/html for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. bye.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://bye.com/.well-known/acme-challenge/xDpsMOU5N1lTkvIhgQeO1gWZQX7kOk-l7p683SiNI2w: 404 not found

IMPORTANT NOTES:

404 not found

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.


I have access to files I place in ./well-known/acme-challenge using curl from other machines and have those same directories with 755 permissions and chown myUser.
Any help is welcome :sob:

Hi @Chopi64,

How did you choose --server http://172.17.01.1:4000/directory? That does not sound like the correct location of the Let’s Encrypt CA.

Apart from that, if you create a file /var/www/bye.com/html/test.txt, can you see its contents at http://bye.com/test.txt? If so, if you create a file at /var/www/bye.com/html/.well-known/acme-challenge/test2.txt, can you see its contents at http://bye.com/.well-known/acme-challenge/test2.txt?

Thanks for the response @schoen!
I just tried to access test.txt and test2.txt at those locations and no problems visualizing the message. :relaxed:

About the --server http://172.17.0.1:4000/directory, I've got a copy of Boulder CA running in 172.17.0.4 that can be accessed through 172.17.0.1 so I decided to add it here instead of changing my /etc/hosts.
As far as I'm aware the problem shouldn't be in accessing the CA, as a tcpdump -i eth0 port 4000 in the CA VM returns me plenty of messages when launching ./certbot-auto from the other machine.
Btw, I have access to test.txt and test2.txt from 172.17.0.4 :confused: so I guess the problem is that somehow the CA cannot complete the challenge? :confused:

Since you’re running your own copy of Boulder, is it possible that something is misconfigured in Boulder that prevents it from verifying HTTP-01 challenges, or that the version of bye.com that it sees is not the same version that you intended?

If you just wanted to experiment without running into rate limits, you can also use the Let’s Encrypt staging CA with --staging.

Solved!! :grin:
I had forgotten to change the FAKE_DNS field in my Boulder server; certbot was doing all right.
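The two checks this thread turns on, as an added example that is not code from the thread, Certbot or Boulder: drop a token file under the webroot the way --webroot does, then fetch it the way the validator does, connecting to whatever address it resolves the name to (Boulder's FAKE_DNS value, or the real A record) while sending a Host header for the domain. The domain bye.com, the ephemeral ports and the temporary webroot are constructed stand-ins; the second server stands in for a host that FAKE_DNS points at but that does not serve the webroot.

```python
import functools
import http.server
import os
import secrets
import socketserver
import tempfile
import threading
import urllib.error
import urllib.request


def write_challenge(webroot, token, content):
    # Mirror what certbot --webroot does: place the token file under
    # <webroot>/.well-known/acme-challenge/<token>.
    path = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(path, exist_ok=True)
    with open(os.path.join(path, token), "w") as fh:
        fh.write(content)


def check_http01(domain, validator_ip, token, expected, port=80, timeout=5):
    """Fetch the challenge as a validator would: TCP to validator_ip (the
    address it resolves `domain` to), HTTP Host header set to `domain`.
    Returns (ok, detail) so the failure mode is visible."""
    url = f"http://{validator_ip}:{port}/.well-known/acme-challenge/{token}"
    req = urllib.request.Request(url, headers={"Host": domain})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode()
    except urllib.error.HTTPError as err:  # e.g. the 404 seen in the thread
        return False, f"HTTP {err.code}: {validator_ip} does not serve the webroot for {domain}"
    except OSError as err:
        return False, f"cannot connect to {validator_ip}:{port}: {err}"
    if body.strip() != expected:
        return False, "body mismatch: wrong vhost or stale token file"
    return True, "ok"


def serve_webroot(webroot):
    # Constructed stand-in for the Apache vhost: a static server on 127.0.0.1.
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=webroot)
    httpd = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd


def demo():
    """Returns (ok_when_validator_hits_the_right_host, ok_when_it_hits_the_wrong_host)."""
    webroot, wrong_host = tempfile.mkdtemp(), tempfile.mkdtemp()  # constructed webroots
    good_srv, wrong_srv = serve_webroot(webroot), serve_webroot(wrong_host)
    token, keyauth = secrets.token_urlsafe(32), "constructed-key-authorization"
    write_challenge(webroot, token, keyauth)
    right = check_http01("bye.com", "127.0.0.1", token, keyauth, port=good_srv.server_address[1])
    wrong = check_http01("bye.com", "127.0.0.1", token, keyauth, port=wrong_srv.server_address[1])
    good_srv.shutdown(); wrong_srv.shutdown()
    return right[0], wrong[0]
```

Run the check against the address in Boulder's FAKE_DNS (port 80) before invoking certbot; a 404 there, with the same file reachable by name, is exactly the mismatch this thread ended on.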

Hi @Chopi64

Congrats on getting it to work. In future it would be a good idea to state that you are using boulder internally up front so people don’t have to deduce it :smiley:

Andrei
