[SOLVED] Could not connect to http://schoner.hanse.de/.well-known/acme-challenge/sEWE-


#1

I have an Apache 2.4 host with about 15 VHosts. All but one hostnames work fine, but schoner.hanse.de is being rejected with the error below. Since it’s the same host, and all names are CNAMEs for schoner.hanse.de, I’m at a loss what the issue might be. If I put a file into the acme-challenge dir manually, I can retrieve it without issue: http://schoner.hanse.de/.well-known/acme-challenge//foo

 - The following errors were reported by the server:

   Domain: schoner.hanse.de
   Type:   connection
   Detail: Could not connect to http://schoner.hanse.de/.well-known/acme-challenge/sEWE-U180leuXxB-OG3NRq4lwaLGVaVD_zbwOfVBcBY

2016-02-28 11:03:10,569:DEBUG:letsencrypt.cli:Root logging level set at 30
2016-02-28 11:03:10,571:INFO:letsencrypt.cli:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2016-02-28 11:03:10,571:DEBUG:letsencrypt.cli:letsencrypt version: 0.4.0
2016-02-28 11:03:10,571:DEBUG:letsencrypt.cli:Arguments: ['-a', 'webroot', '-w', '/usr/local/www/letsencrypt', '-d', 'www.hanse.de', '-d', 'ftp.hanse.de', '-d', 'lists.hanse.de', '-d', 'schoner.hanse.de', '-d', 'www.astloch.hanse.de', '-d', 'www.baty.hanse.de', '-d', 'www.dda.hanse.de', '-d', 'www.eagle.hanse.de', '-d', 'www.filterhh.hanse.de', '-d', 'www.floppysheep.hanse.de', '-d', 'www.fusebox.hanse.de', '-d', 'www.mcshh.hanse.de', '-d', 'www.minerva.hanse.de', '-d', 'www.ranahh.hanse.de', '-d', 'www.samhh.hanse.de', '-d', 'www.signal.hanse.de', '-d', 'www.transit.hanse.de', '-d', 'www.wavehh.hanse.de']
2016-02-28 11:03:10,572:DEBUG:letsencrypt.cli:Discovered plugins: PluginsRegistry(PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2016-02-28 11:03:10,578:DEBUG:letsencrypt.cli:Requested authenticator webroot and installer None
2016-02-28 11:03:10,584:DEBUG:letsencrypt.plugins.webroot:Creating root challenges validation dir at /usr/local/www/letsencrypt/.well-known/acme-challenge

2016-02-28 11:03:15,275:DEBUG:letsencrypt.client:CSR: CSR(file='/usr/local/etc/letsencrypt/csr/0005_csr-letsencrypt.pem', data='0\x82\x03\xed0\x82\x02\xd5\x02\x01\x000\x171\x150\x13\x06\x03U\x04\x03\x0c\x0cwww.hanse.de0\x82\x01"0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\n\x02\x82\x01\x01\x00\x94\xf2,\xdf5\xfb\xec\x95~c4\x9f#\xf9i\xe9y,\xa3\x86\xa4;yw!\xa2C\xcd\xf4\xb2\xff\xd0\xd2\xe0D\xbb\xdfUo\x03\xb8\xc4C\x13jB\xc6\x1f(.KX\n<\xf1\xa4\xf1\xed3\t\xe1\xe8\xbc:TD\t\x90\xeeeA\xb3\xd7\xdaJ\x96\x98\x91z\x9d\x98\x10=G\x1b\xee\xb2\x10\xd4\x1c\xc7u\xa3jV\xbf{4\x86\xf5\x7f\xa7\xe5t:\xa8X\x1a\xbdC\xdew\xaah\x9e^\x99\xc9"\x1e\xf3\xf2\xdfX\xb9\xf6’\xa3\x1ec-P\x96l\xbeVF\x1f%\xef\x06\xcfeH\xbeq\x8b1\xb1\x1e\xd1\x0e\xfd\x8d\xfd\xdfX\xfb\xbfE\xa5\x1e\xb7\x0fd\xda\xa3a\x86S\xdf\x18\xb6\xcf\rE\xb1(\xba\x8bN\x1cW\xfb\xa5\x1eI\x94 \xd8%\x91\xb4p\x1d^\xd3\xb0r;\xed\x80-\xdcs\xcd1\x08\x16^\x94\xeb\x86\x88S\xb7bD\x9foy\xab*\xce\x92\xaba\xd4\x16(A\xb9N\xb3\xf6\xf33\x1f(oz4W\xb7\xcf}\x00*\:\xc5\x11\xff\xd4i\x02\x03\x01\x00\x01\xa0\x82\x01\x8f0\x82\x01\x8b\x06\t*\x86H\x86\xf7\r\x01\t\x0e1\x82\x01|0\x82\x01x0\x82\x01t\x06\x03U\x1d\x11\x04\x82\x01k0\x82\x01g\x82\x0cwww.hanse.de\x82\x0cftp.hanse.de\x82\x0elists.hanse.de\x82\x10schoner.hanse.de\x82\x14www.astloch.hanse.de\x82\x11www.baty.hanse.de\x82\x10www.dda.hanse.de\x82\x12www.eagle.hanse.de\x82\x15www.filterhh.hanse.de\x82\x18www.floppysheep.hanse.de\x82\x14www.fusebox.hanse.de\x82\x12www.mcshh.hanse.de\x82\x14www.minerva.hanse.de\x82\x13www.ranahh.hanse.de\x82\x12www.samhh.hanse.de\x82\x13www.signal.hanse.de\x82\x14www.transit.hanse.de\x82\x13www.wavehh.hanse.de0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x86\xd4\xd0\xae\x82\xaa\x9bl"D\xee\xb9kW\x1a\xd6/H\xb5di1 XI\xd5|\xa2\x1b\xee\xac"\xc8a\xcc+\xd3#\x01\xc5\xfeN\xb2\x1b\xcd\xc8\x8d\x12]\xe8)K\x8c:\x94U5\x8b\xe4:\xddJR\x0c\xe6\xa6\xa4\x8e\x8b$\x06\x9e\x91\xbb\x05\x84\xc8\xa4z#\xd4\xc1vv\xf1\xec\xa3~C\xc0sU\xc9\x1f\x06\xaf\xc4\x02\xe4_\x91j\x96\xf7\xa9~\xa5\x9dU,\x01\x18\x13]\xea\xe9 \xc3\x93\xea\xd5\xa4+\xb7\x97\x1a\xee\xc8|\xd06\xb2\xa1\x90)\x81e:\xf2\xe5\xab65@*\x9c\xebH\x06\xe2\x85pw I>\xe1h\x87\xe7Q\x01\xeb\xae%9\xbd\xa1,\x02\x91N\xc2\xcf\xe6fEL|{w\x18("\xb6\x80\xe3L\xb4k\xb1;\x86\x9cZzM\xec\xc9\xe9\x12\x8a\x9c\r\x90\xea\xf3n\x12!\xd4\xa3\xc7\xb5\xc38})\xab\xa1\xb7Vx\xc0\x840[\xd8I3\xd2\xb8\x85,\xa7\xc2\xbff\xff\xc5E\xc2\xbb\x80\x0f\xea#9\xc1\xd1\x94H\xc3\xde)\xb4', form='der'), domains: ['www.hanse.de', 'ftp.hanse.de', 'lists.hanse.de', 'schoner.hanse.de', 'www.astloch.hanse.de', 'www.baty.hanse.de', 'www.dda.hanse.de', 'www.eagle.hanse.de', 'www.filterhh.hanse.de', 'www.floppysheep.hanse.de', 'www.fusebox.hanse.de', 'www.mcshh.hanse.de', 'www.minerva.hanse.de', 'www.ranahh.hanse.de', 'www.samhh.hanse.de', 'www.signal.hanse.de', 'www.transit.hanse.de', 'www.wavehh.hanse.de']

2016-02-28 11:03:30,777:DEBUG:acme.challenges:dns-01 was not recognized, full message: {u'status': u'pending', u'token': u'I2DdMTZj2CBrLIyvAl2KvnVu1HPJHQ2vu_Chpm49MKk', u'type': u'dns-01', u'uri': u'https://acme-v01.api.letsencrypt.org/acme/challenge/rNVZY4aKsu2viZS9UnGryi8-qME_ivqJIMn_iHMcpik/20363227'}
2016-02-28 11:03:30,778:INFO:letsencrypt.reporter:Reporting to user: The following errors were reported by the server:

Domain: schoner.hanse.de
Type:   connection
Detail: Could not connect to http://schoner.hanse.de/.well-known/acme-challenge/sEWE-U180leuXxB-OG3NRq4lwaLGVaVD_zbwOfVBcBY

To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.

2016-02-28 11:03:30,781:DEBUG:letsencrypt.plugins.webroot:Removing /usr/local/www/letsencrypt/.well-known/acme-challenge/2B74YGh8_DtAeTWTGrpE0qeUkZTi7fIS1umHNCfMibM
2016-02-28 11:03:30,781:DEBUG:letsencrypt.plugins.webroot:Removing /usr/local/www/letsencrypt/.well-known/acme-challenge/andMYeNTWzXhCB3kTsiXTiJFKgUdGHRG2CJ6gys_JWI
2016-02-28 11:03:30,783:DEBUG:letsencrypt.cli:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/bin/letsencrypt", line 9, in <module>
    load_entry_point('letsencrypt==0.4.0', 'console_scripts', 'letsencrypt')()
  File "/usr/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 1987, in main
    return config.func(config, plugins)
  File "/usr/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 707, in obtain_cert
    _, action = _auth_from_domains(le_client, config, domains, lineage)
  File "/usr/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 458, in _auth_from_domains
    new_certr, new_chain, new_key, _ = le_client.obtain_certificate(domains)
  File "/usr/local/lib/python2.7/site-packages/letsencrypt/client.py", line 252, in obtain_certificate
    return self.obtain_certificate_from_csr(domains, csr) + (key, csr)
  File "/usr/local/lib/python2.7/site-packages/letsencrypt/client.py", line 225, in obtain_certificate_from_csr
    authzr = self.auth_handler.get_authorizations(domains)
  File "/usr/local/lib/python2.7/site-packages/letsencrypt/auth_handler.py", line 84, in get_authorizations
    self._respond(cont_resp, dv_resp, best_effort)
  File "/usr/local/lib/python2.7/site-packages/letsencrypt/auth_handler.py", line 142, in _respond
    self._poll_challenges(chall_update, best_effort)
  File "/usr/local/lib/python2.7/site-packages/letsencrypt/auth_handler.py", line 204, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. schoner.hanse.de (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to http://schoner.hanse.de/.well-known/acme-challenge/sEWE-U180leuXxB-OG3NRq4lwaLGVaVD_zbwOfVBcBY

#2

Could you try using the exact same filename that failed, i.e. sEWE-U180leuXxB-OG3NRq4lwaLGVaVD_zbwOfVBcBY?

A common issue is overzealous .htaccess files with redirects that accidentally match some part of the challenge URL. I noticed the failing challenge file contains a hyphen, while the others don't - maybe that's the reason this one doesn't work.


#3

Hello @stb,

The difference between schoner.hanse.de and www.hanse.de (and the other domains that are just working fine) is that you have a temporary redirect (302) in http://schoner.hanse.de/.well-known/acme-challenge/foo

curl -i http://schoner.hanse.de/.well-known/acme-challenge/foo
HTTP/1.1 302 Found
Date: Sun, 28 Feb 2016 12:08:55 GMT
Server: Apache/2.4.18 (FreeBSD) OpenSSL/0.9.8zh-freebsd
Last-Modified: Sun, 28 Feb 2016 09:57:55 GMT
ETag: "1d-52cd190f4d3c3"
Accept-Ranges: bytes
Content-Length: 29

Sun Feb 28 09:57:55 UTC 2016

And www.hanse.de doesn’t return a redirect.

curl -i http://www.hanse.de/.well-known/acme-challenge/foo
HTTP/1.1 200 OK
Date: Sun, 28 Feb 2016 12:11:48 GMT
Server: Apache/2.4.18 (FreeBSD) OpenSSL/0.9.8zh-freebsd
Last-Modified: Sun, 28 Feb 2016 09:57:55 GMT
ETag: "1d-52cd190f4d3c3"
Accept-Ranges: bytes
Content-Length: 29

Sun Feb 28 09:57:55 UTC 2016

As far as I know, Let's Encrypt follows redirects (at least permanent redirects (301); I don't know whether it follows temporary redirects (302)).

It's worth checking this issue on your Apache server.

Cheers,
sahsanu
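The check in the post above (fetch a known file under /.well-known/acme-challenge/ through each hostname with curl, and compare the status lines rather than trusting a browser) generalises into a pre-flight script for a multi-vhost host. The script below is an added example, not code from Let's Encrypt or from anyone in this thread. It assumes the webroot passed as -w to the client (the thread's /usr/local/www/letsencrypt), fetches over plain HTTP with no -L so a redirect is reported instead of silently followed, and uses a test token containing a hyphen, since real tokens are base64url and may contain one. The two sample responses are constructed from the curl transcripts in the post; the Location header in the 302 sample is an assumption, because the post's 302 was shown without one. The --live flag and the classify_headers / probe_challenge_path names are mine.

```shell
#!/bin/sh
# Pre-flight check for http-01 challenge paths on a multi-vhost Apache host.
# Added example for this thread, not code from Let's Encrypt or from any poster.
#
#   classify_headers     - reads the headers `curl -i` / `curl -D -` print and reports
#                          the status, whether it is a redirect, and the redirect target
#   probe_challenge_path - drops a hyphenated test token into the webroot's
#                          .well-known/acme-challenge/ directory, fetches it through
#                          every name the certificate is for, and classifies each answer
#
# By default only the constructed samples are classified; the live probe needs curl
# and write access to the webroot and is opt-in via --live.

# classify_headers RAW_HEADERS -> "STATUS VERDICT [LOCATION]" or "no-response"
classify_headers() {
    printf '%s\n' "$1" | tr -d '\r' | awk '
        NR == 1 && substr($1, 1, 5) == "HTTP/" { status = $2 }
        tolower($1) == "location:"             { loc = $2 }
        END {
            if (status == "") { print "no-response"; exit }
            if (status ~ /^2/)      verdict = "ok"
            else if (status ~ /^3/) verdict = "redirect"   # validation moves to the target
            else                    verdict = "error"
            if (loc != "") printf "%s %s %s\n", status, verdict, loc
            else           printf "%s %s\n", status, verdict
        }'
}

# probe_challenge_path WEBROOT DOMAIN... -> one classified line per domain
# WEBROOT is the -w argument given to the client (/usr/local/www/letsencrypt in the thread).
probe_challenge_path() {
    webroot=$1; shift
    dir="$webroot/.well-known/acme-challenge"
    # Real tokens are base64url and often contain '-'; a rewrite rule that trips on
    # hyphens (post #2's hunch) shows up here as a redirect or error.
    token="preflight-$(date +%s)"
    mkdir -p "$dir" && printf 'preflight\n' > "$dir/$token" || return 1
    for d in "$@"; do
        # Plain HTTP, no -L: show the redirect itself instead of following it.
        hdrs=$(curl -sS -o /dev/null -D - "http://$d/.well-known/acme-challenge/$token" 2>/dev/null || true)
        printf '%-28s %s\n' "$d" "$(classify_headers "$hdrs")"
    done
    rm -f "$dir/$token"
}

# Constructed sample responses, modelled on the two curl transcripts in the thread.
# The Location header below is an assumption: the thread's 302 was shown without one.
SAMPLE_OK='HTTP/1.1 200 OK
Date: Sun, 28 Feb 2016 12:11:48 GMT
Server: Apache/2.4.18 (FreeBSD) OpenSSL/0.9.8zh-freebsd
Content-Length: 29'

SAMPLE_REDIRECT='HTTP/1.1 302 Found
Date: Sun, 28 Feb 2016 12:08:55 GMT
Server: Apache/2.4.18 (FreeBSD) OpenSSL/0.9.8zh-freebsd
Location: https://schoner.hanse.de/
Content-Length: 29'

if [ "$1" = "--live" ]; then
    shift
    probe_challenge_path "$@"   # e.g. --live /usr/local/www/letsencrypt www.hanse.de schoner.hanse.de
else
    printf '%-28s %s\n' "www.hanse.de"     "$(classify_headers "$SAMPLE_OK")"
    printf '%-28s %s\n' "schoner.hanse.de" "$(classify_headers "$SAMPLE_REDIRECT")"
fi
```

Run it with --live and the webroot plus every -d name before invoking the client; any line that is not "200 ok" is a vhost whose configuration differs from the others for this path. A redirect is worth inspecting even when the validator would follow it, because whatever the redirect target serves is then what gets validated, and the target may not expose the webroot directory at all.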


#4

Thank you, I should have seen that myself. I was only testing with a browser, and there I didn’t see the redirect.