SNAPT.NET - Error Validating Certification


#1

I am using a snapt.net server and they have a module that has integrated Let’s Encrypt.

The process is to add a domain that you would like an SSL for, then download and install this SSL to a location on the server, then click verify. All of this has been done properly, as I can browse the token. But on validation, the process fails with this error:

Error: Please check http://calc.opencollect.com/.well-known/acme-challenge/Pfep8C2leHfNQZYaEx66BAA5P1lc8YR7Qtz77xfBszU - token not available -

Now my server is configured to redirect all traffic http to https - could this be the issue? If you browse http://calc.opencollect.com/.well-known/acme-challenge/Pfep8C2leHfNQZYaEx66BAA5P1lc8YR7Qtz77xfBszU it redirects to https://calc.opencollect.com/.well-known/acme-challenge/Pfep8C2leHfNQZYaEx66BAA5P1lc8YR7Qtz77xfBszU and downloads fine???


#2

Visiting that URL gives me a 403 rather than the challenge token:

curl -v https://calc.opencollect.com/.well-known/acme-challenge/Pfep8C2leHfNQZYaEx66BAA5P1lc8YR7Qtz77xfBszU
*   Trying 45.33.123.94...
* Connected to calc.opencollect.com (45.33.123.94) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_RC4_128_SHA
* Server certificate: *.opencollect.com
* Server certificate: Go Daddy Secure Certificate Authority - G2
* Server certificate: Go Daddy Root Certificate Authority - G2
> GET /.well-known/acme-challenge/Pfep8C2leHfNQZYaEx66BAA5P1lc8YR7Qtz77xfBszU HTTP/1.1
> Host: calc.opencollect.com
> User-Agent: curl/7.43.0
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Server: nginx
< Date: Tue, 08 Nov 2016 21:40:43 GMT
< Content-Type: text/html
< Content-Length: 162
< Connection: keep-alive
<
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx</center>
</body>
</html>

Do you have access rules based on IPs or something like that? You’d have to add an exception for /.well-known/acme-challenge/* in that case - Let’s Encrypt’s validation process requires that the validation file is publicly browseable.


#3

Now I feel like a bonehead - yes, I also only allow whitelisted IP addresses to access the services. Is there an IP or range that you are aware of to whitelist for the Let's Encrypt service?


#4

The assumption for validation requests should be that they could come from any IP address, as these may be sent from multiple geographic regions and possibly even through something like Tor in the future. In other words, you’d want to make /.well-known/acme-challenge/* available for everyone.

If that’s a concern, the dns-01 challenge type might be a better fit for you, as it doesn’t rely on exposing any ports to the internet. This requires that you have a way to dynamically add TXT records to your domain (and your ACME client, which I assume comes bundled with snapt.net, will need to have support for this challenge type as well).
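The server header in post #2 is nginx, so here is what the advice in posts #2 and #4 looks like as an nginx configuration. This is an added example, not the thread's own configuration and not anything generated by Snapt's Let's Encrypt module; the whitelist range 203.0.113.0/24 (a documentation prefix), the webroot /var/www/acme, the application root and the certificate paths are all assumptions. The whitelist that produced the 403 lived on the HTTPS server, since the plain-HTTP request was redirected there, so the exception has to exist on the redirect target as well as on port 80.

```nginx
# Added example (not from the thread or from Snapt). Assumed values:
# 203.0.113.0/24 office range, /var/www/acme webroot, /var/www/app app root,
# certificate paths under /etc/ssl/opencollect/.

# Port 80: keep the http -> https redirect the poster already has, but
# serve the challenge directory directly, so the validator never has to
# follow the redirect or pass the whitelist.
server {
    listen 80;
    server_name calc.opencollect.com;

    # ^~ is a prefix match that stops regex location evaluation, so no
    # other location in this server block can shadow the token files.
    location ^~ /.well-known/acme-challenge/ {
        allow all;               # validator may arrive from any IP
        default_type text/plain;
        root /var/www/acme;      # token at /var/www/acme/.well-known/acme-challenge/<token>
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: the whitelist stays, but the same exception is repeated.
# The validator follows redirects, so a whitelist that covers the redirect
# target is exactly what produced the 403 in post #2.
server {
    listen 443 ssl;
    server_name calc.opencollect.com;
    ssl_certificate     /etc/ssl/opencollect/fullchain.pem;   # assumed path
    ssl_certificate_key /etc/ssl/opencollect/privkey.pem;     # assumed path

    # Access rules in a location replace (not extend) the server-level
    # rules, so "allow all" here overrides the deny below for this prefix.
    location ^~ /.well-known/acme-challenge/ {
        allow all;
        default_type text/plain;
        root /var/www/acme;
    }

    # Everything else: only the whitelisted range.
    allow 203.0.113.0/24;
    deny  all;

    location / {
        root /var/www/app;       # assumed application root
    }
}
```

After reloading, check from an address that is not on the whitelist (a phone on mobile data is enough) that `curl -i http://calc.opencollect.com/.well-known/acme-challenge/<token>` returns 200 with the token body, and that the same path over https does too; any 403 on either means the validator will see it as well. Note that `allow all` on the challenge path exposes only the token files the ACME client writes there, which is by design: the token is the proof of control and is useless to anyone who does not also hold the account key.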


#5

Thank you very much…

