The server offers no ACME challenge that is configured for this MD. The server offered 'dns-01 tls-alpn-01 http-01' and available for this MD are: 'tls-sni-01'

I am new to the community and would like to use the Let's Encrypt CA on my server.

My domain is:
stg.packit.dev

My httpd configuration file looks like:

DocumentRoot "/var/www/html"
ServerName stg.packit.dev

WSGISocketPrefix /var/lib/httpd/wsgi

WSGIDaemonProcess packit threads=5
WSGIProcessGroup packit

WSGIScriptAlias / /usr/share/packit/packit.wsgi

MDomain stg.packit.dev
MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
MDCertificateAuthority https://acme-staging.api.letsencrypt.org/directory
MDPortMap 443:8443
ServerAdmin user-cont-team@redhat.com

<VirtualHost *:8443>
    ErrorLog /dev/stderr
    TransferLog /dev/stdout
    LogLevel debug
    SSLEngine on
    ServerName stg.packit.dev
    Protocols h2 http/1.1
</VirtualHost>
<Location />
    WSGIProcessGroup packit
    WSGIApplicationGroup %{GLOBAL}

    Require all granted
</Location>

I receive this error in the Apache error log:

[Tue Apr 23 13:21:01.765559 2019] [mpm_event:notice] [pid 1:tid 139884133178752] AH00489: Apache/2.4.39 (Fedora) OpenSSL/1.1.1 mod_wsgi/4.6.4 Python/2.7 configured -- resuming normal operations
[Tue Apr 23 13:21:01.765588 2019] [core:notice] [pid 1:tid 139884133178752] AH00094: Command line: 'httpd -D FOREGROUND'
[Tue Apr 23 13:21:05.156111 2019] [md:warn] [pid 31:tid 139884114093824] (22)Invalid argument: stg.packit.dev: the server offers no ACME challenge that is configured for this MD. The server offered 'dns-01 tls-alpn-01 http-01' and available for this MD are: 'tls-sni-01' (via https://acme-staging.api.letsencrypt.org/acme/authz/C-TxUsk6cG1vFBHuvsq3IgvbipWLK9d83Uk-mAJPcG4).
[Tue Apr 23 13:21:05.156188 2019] [md:error] [pid 31:tid 139884114093824] (22)Invalid argument: AH10056: processing stg.packit.dev
[Tue Apr 23 13:21:11.864970 2019] [md:warn] [pid 31:tid 139884114093824] (22)Invalid argument: stg.packit.dev: the server offers no ACME challenge that is configured for this MD. The server offered 'dns-01 tls-alpn-01 http-01' and available for this MD are: 'tls-sni-01' (via https://acme-staging.api.letsencrypt.org/acme/authz/C-TxUsk6cG1vFBHuvsq3IgvbipWLK9d83Uk-mAJPcG4).
[Tue Apr 23 13:21:11.865019 2019] [md:error] [pid 31:tid 139884114093824] (22)Invalid argument: AH10056: processing stg.packit.dev
[Tue Apr 23 13:21:23.762940 2019] [md:warn] [pid 31:tid 139884114093824] (22)Invalid argument: stg.packit.dev: the server offers no ACME challenge that is configured for this MD. The server offered 'dns-01 tls-alpn-01 http-01' and available for this MD are: 'tls-sni-01' (via https://acme-staging.api.letsencrypt.org/acme/authz/C-TxUsk6cG1vFBHuvsq3IgvbipWLK9d83Uk-mAJPcG4).
[Tue Apr 23 13:21:23.762991 2019] [md:error] [pid 31:tid 139884114093824] (22)Invalid argument: AH10056: processing stg.packit.dev
[Tue Apr 23 13:21:50.480849 2019] [md:warn] [pid 31:tid 139884114093824] (22)Invalid argument: stg.packit.dev: the server offers no ACME challenge that is configured for this MD. The server offered 'dns-01 tls-alpn-01 http-01' and available for this MD are: 'tls-sni-01' (via https://acme-staging.api.letsencrypt.org/acme/authz/C-TxUsk6cG1vFBHuvsq3IgvbipWLK9d83Uk-mAJPcG4).
[Tue Apr 23 13:21:50.481101 2019] [md:error] [pid 31:tid 139884114093824] (22)Invalid argument: AH10056: processing stg.packit.dev
[Tue Apr 23 13:22:37.361498 2019] [md:warn] [pid 31:tid 139884114093824] (22)Invalid argument: stg.packit.dev: the server offers no ACME challenge that is configured for this MD. The server offered 'dns-01 tls-alpn-01 http-01' and available for this MD are: 'tls-sni-01' (via https://acme-staging.api.letsencrypt.org/acme/authz/C-TxUsk6cG1vFBHuvsq3IgvbipWLK9d83Uk-mAJPcG4).

Can you help me, what's wrong?

Hi @phracek, welcome to the community :wave:

Can you share what version of Apache you’re using? It looks like your configuration is based on Apache’s built-in mod_md ACME client.

I think the problem is that the version you’re using only supports TLS-SNI-01 challenges and those have been disabled since March 13th.


Hi @cpu

My Apache version is:
httpd -v
Server version: Apache/2.4.39 (Fedora)
Server built: Apr 2 2019 15:45:49

and the mod_md ACME client used in Apache is
https://koji.fedoraproject.org/koji/buildinfo?buildID=1252003
specifically
https://koji.fedoraproject.org/koji/rpminfo?rpmID=17328439

Does that mean the mod_md ACME client should not be used from the Apache sources, like http://httpd.apache.org/download.cgi?

The mod_md module is built from the Apache sources based on the Fedora spec file
https://src.fedoraproject.org/rpms/httpd/blob/master/f/httpd.spec#_175

Assuming that the upstream version is

(my colleagues would remember correctly), it looks like it requires some manual configuration to support the current Let’s Encrypt service (since you’ll probably want to use TLS-ALPN-01). If my interpretation of that is correct, it may be premature to use mod_md in real systems unless you’re an Apache developer, since it may simply be too experimental.

@sydneyli, do you know the current status of mod_md and its packaging and compatibility situation?

It seems like the built-in mod_md from Apache supports only ACMEv1 (http://httpd.apache.org/docs/2.4/mod/mod_md.html), reachable over http-01.

I have changed the Apache configuration to listen on port 80 and am receiving https://acme-staging.api.letsencrypt.org/acme/authz/R_gJ2PEYY9Rfru7TtRkawe_SGEnLLYBb28lXsXtsrlo
But I don't understand it.
The current Apache configuration is:

MDomain stg.packit.dev
MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
MDCertificateAuthority https://acme-staging.api.letsencrypt.org/directory
#MDCertificateAuthority https://acme-staging-v02.api.letsencrypt.org/directory
MDPortMap 443:8443 80:8080
MDCAChallenges tls-sni-01 http-01
MDRequireHttps permanent

<VirtualHost *:8443>
    ErrorLog /dev/stderr
    TransferLog /dev/stdout
    LogLevel debug
    SSLEngine on
    ServerName stg.packit.dev
    Protocols h2 http/1.1
</VirtualHost>
<VirtualHost *:8080>
    ErrorLog /dev/stderr
    TransferLog /dev/stdout
    LogLevel debug
    ServerName stg.packit.dev
</VirtualHost>

Maybe it would help to remove tls-sni-01 from your configured MDCAChallenges? Like:

MDCAChallenges http-01

Sorry, it does not help. The web server is running in a container which exposes ports 8080 and 8443.

I assume it’s connected to reverse proxy’s 80 and 443?

Can you please explain it a bit more?
We have a domain packit.dev that contains the URL stg.packit.dev.
This URL is only a DNS name, and the original URL is in OpenShift.

I have a container which listens on ports 8080 and 8443.

Does this help with support and a solution?

If I wget http://stg.packit.dev, will it reach the container's (or whatever is running certbot) web server?

Ideally https://stg.packit.dev -> OpenshiftURL -> container with web server, not certbot, only mod_md built from the Apache sources.

If you are using a reverse proxy, the cert should be generated from the proxy.

-------- Original email --------

From: Petr Hracek via Let's Encrypt Community Support letsencrypt@discoursemail.com

Date: 19/4/25 5:25 PM (GMT+09:00)

To: abnoeh@mail.com

Subject: [Let's Encrypt Community Support] [Help] The server offers no ACME challenge that is configured for this MD. The server offered 'dns-01 tls-alpn-01 http-01' and available for this MD are: 'tls-sni-01'


If you have your Apache running behind a port mapper (or reverse proxy), you need to tell mod_md on which port to expect the challenges. Look here for a description of the MDPortMap command.

The reported error says “I do not know where you expect http: or https: requests to come in, so I cannot select the challenge method to perform with Let’s Encrypt”.

If you do MDPortMap 80:8080 the http-01 challenge will be enabled and Apache will get you certificates.

(Note: mod_md only supports ACMEv1 right now, so tls-alpn-01 is not available. That is correct.)

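As an added example (not configuration from the thread or from the mod_md documentation), the original MD block with the port map that produced the error, beside the form that follows the reply above: map public port 80 to the container's 8080 so mod_md knows where http: requests arrive, restrict the MD to http-01, and give the 8080 vhost the challenge responder needs. It assumes the reverse proxy in front forwards 80 -> 8080 and 443 -> 8443 and that the Listen directives are not set elsewhere; stg.packit.dev is the thread's own domain.

```apache
## Before: only 443 is mapped, so mod_md can only infer a TLS-based
## challenge. With this ACMEv1-only build that is tls-sni-01, which the
## Let's Encrypt server no longer offers, hence "no ACME challenge that
## is configured for this MD".
# MDomain stg.packit.dev
# MDCertificateAuthority https://acme-staging.api.letsencrypt.org/directory
# MDPortMap 443:8443

## After: public 80 arrives on 8080, public 443 on 8443 (assumed proxy
## mapping), and the MD is limited to the challenge the server offers
## and this build supports.
MDomain stg.packit.dev
MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
MDCertificateAuthority https://acme-staging.api.letsencrypt.org/directory
MDPortMap 80:8080 443:8443
MDCAChallenges http-01

# Assumed: the container's httpd must actually bind both mapped ports.
Listen 8080
Listen 8443

# Plain-HTTP vhost on the port mapped from 80: mod_md answers
# /.well-known/acme-challenge/ requests for this ServerName here.
<VirtualHost *:8080>
    ServerName stg.packit.dev
    ErrorLog /dev/stderr
    TransferLog /dev/stdout
</VirtualHost>

# TLS vhost on the port mapped from 443: mod_md supplies the certificate
# once it has been obtained.
<VirtualHost *:8443>
    ServerName stg.packit.dev
    SSLEngine on
    Protocols h2 http/1.1
    ErrorLog /dev/stderr
    TransferLog /dev/stdout
</VirtualHost>
```

Before expecting a certificate, confirm from outside the proxy that a request to http://stg.packit.dev/.well-known/acme-challenge/ shows up in the 8080 vhost's TransferLog; if it does not, the proxy mapping, not mod_md, is what still needs fixing.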
