The server offers no ACME challenge that is configured for this MD. The server offered 'dns-01 tls-alpn-01 http-01' and available for this MD are: 'tls-sni-01

I am new in the community and would like to use Let’s encrypt CA in my server.

My domain is:
stg.packit.dev

My configuration httpd file looks like:

DocumentRoot "/var/www/html"
ServerName stg.packit.dev

WSGISocketPrefix /var/lib/httpd/wsgi

WSGIDaemonProcess packit threads=5
WSGIProcessGroup packit

WSGIScriptAlias / /usr/share/packit/packit.wsgi

MDomain stg.packit.dev
MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
MDCertificateAuthority https://acme-staging.api.letsencrypt.org/directory
MDPortMap 443:8443
ServerAdmin user-cont-team@redhat.com

<VirtualHost *:8443>
    ErrorLog /dev/stderr
    TransferLog /dev/stdout
    LogLevel debug
    SSLEngine on
    ServerName stg.packit.dev
    Protocols h2 http/1.1
</VirtualHost>
<Location />
    WSGIProcessGroup packit
    WSGIApplicationGroup %{GLOBAL}

    Require all granted
</Location>

I receive this error in apache error log

[Tue Apr 23 13:21:01.765559 2019] [mpm_event:notice] [pid 1:tid 139884133178752] AH00489: Apache/2.4.39 (Fedora) OpenSSL/1.1.1 mod_wsgi/4.6.4 Python/2.7 configured -- resuming normal operations

[Tue Apr 23 13:21:01.765588 2019] [core:notice] [pid 1:tid 139884133178752] AH00094: Command line: 'httpd -D FOREGROUND'

[Tue Apr 23 13:21:05.156111 2019] [md:warn] [pid 31:tid 139884114093824] (22)Invalid argument: stg.packit.dev: the server offers no ACME challenge that is configured for this MD. The server offered 'dns-01 tls-alpn-01 http-01' and available for this MD are: 'tls-sni-01' (via [https://acme-staging.api.letsencrypt.org/acme/authz/C-TxUsk6cG1vFBHuvsq3IgvbipWLK9d83Uk-mAJPcG4 ](https://acme-staging.api.letsencrypt.org/acme/authz/C-TxUsk6cG1vFBHuvsq3IgvbipWLK9d83Uk-mAJPcG4)).

[Tue Apr 23 13:21:05.156188 2019] [md:error] [pid 31:tid 139884114093824] (22)Invalid argument: AH10056: processing stg.packit.dev

[Tue Apr 23 13:21:11.864970 2019] [md:warn] [pid 31:tid 139884114093824] (22)Invalid argument: stg.packit.dev: the server offers no ACME challenge that is configured for this MD. The server offered 'dns-01 tls-alpn-01 http-01' and available for this MD are: 'tls-sni-01' (via [https://acme-staging.api.letsencrypt.org/acme/authz/C-TxUsk6cG1vFBHuvsq3IgvbipWLK9d83Uk-mAJPcG4 ](https://acme-staging.api.letsencrypt.org/acme/authz/C-TxUsk6cG1vFBHuvsq3IgvbipWLK9d83Uk-mAJPcG4)).

[Tue Apr 23 13:21:11.865019 2019] [md:error] [pid 31:tid 139884114093824] (22)Invalid argument: AH10056: processing stg.packit.dev

[Tue Apr 23 13:21:23.762940 2019] [md:warn] [pid 31:tid 139884114093824] (22)Invalid argument: stg.packit.dev: the server offers no ACME challenge that is configured for this MD. The server offered 'dns-01 tls-alpn-01 http-01' and available for this MD are: 'tls-sni-01' (via [https://acme-staging.api.letsencrypt.org/acme/authz/C-TxUsk6cG1vFBHuvsq3IgvbipWLK9d83Uk-mAJPcG4 ](https://acme-staging.api.letsencrypt.org/acme/authz/C-TxUsk6cG1vFBHuvsq3IgvbipWLK9d83Uk-mAJPcG4)).

[Tue Apr 23 13:21:23.762991 2019] [md:error] [pid 31:tid 139884114093824] (22)Invalid argument: AH10056: processing stg.packit.dev

[Tue Apr 23 13:21:50.480849 2019] [md:warn] [pid 31:tid 139884114093824] (22)Invalid argument: stg.packit.dev: the server offers no ACME challenge that is configured for this MD. The server offered 'dns-01 tls-alpn-01 http-01' and available for this MD are: 'tls-sni-01' (via [https://acme-staging.api.letsencrypt.org/acme/authz/C-TxUsk6cG1vFBHuvsq3IgvbipWLK9d83Uk-mAJPcG4 ](https://acme-staging.api.letsencrypt.org/acme/authz/C-TxUsk6cG1vFBHuvsq3IgvbipWLK9d83Uk-mAJPcG4)).

[Tue Apr 23 13:21:50.481101 2019] [md:error] [pid 31:tid 139884114093824] (22)Invalid argument: AH10056: processing stg.packit.dev

[Tue Apr 23 13:22:37.361498 2019] [md:warn] [pid 31:tid 139884114093824] (22)Invalid argument: stg.packit.dev: the server offers no ACME challenge that is configured for this MD. The server offered 'dns-01 tls-alpn-01 http-01' and available for this MD are: 'tls-sni-01' (via [https://acme-staging.api.letsencrypt.org/acme/authz/C-TxUsk6cG1vFBHuvsq3IgvbipWLK9d83Uk-mAJPcG4 ](https://acme-staging.api.letsencrypt.org/acme/authz/C-TxUsk6cG1vFBHuvsq3IgvbipWLK9d83Uk-mAJPcG4)).

Can you help me, what's wrong?

Hi @phracek, welcome to the community :wave:

Can you share what version of Apache you’re using? It looks like your configuration is based on Apache’s built-in mod_md ACME client.

I think the problem is that the version you’re using only supports TLS-SNI-01 challenges and those have been disabled since March 13th.

1 Like

Hi @cpu

my apache version is:
httpd -v
Server version: Apache/2.4.39 (Fedora)
Server built: Apr 2 2019 15:45:49

and mod_md ACME client used in apache is
https://koji.fedoraproject.org/koji/buildinfo?buildID=1252003
especially
https://koji.fedoraproject.org/koji/rpminfo?rpmID=17328439

It means, mod_md ACME client should not be used from apache source like: http://httpd.apache.org/download.cgi?

mod_md module is build from apache sources based on Fedora spec file
https://src.fedoraproject.org/rpms/httpd/blob/master/f/httpd.spec#_175

Assuming that the upstream version is

(my colleagues would remember correctly), it looks like it requires some manual configuration to support the current Let’s Encrypt service (since you’ll probably want to use TLS-ALPN-01). If my interpretation of that is correct, it may be premature to use mod_md in real systems unless you’re an Apache developer, since it may simply be too experimental.

@sydneyli, do you know the current status of mod_md and its packaging and compatibility situation?

it seems, like build-in mod_md from apache supports only ACMEv1 http://httpd.apache.org/docs/2.4/mod/mod_md.html reachable over http-01

I have changed apache configuration to listen on port 80 and receiving https://acme-staging.api.letsencrypt.org/acme/authz/R_gJ2PEYY9Rfru7TtRkawe_SGEnLLYBb28lXsXtsrlo
But don’t understand.
Current apache configuration is:

MDomain stg.packit.dev
MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
MDCertificateAuthority https://acme-staging.api.letsencrypt.org/directory
#MDCertificateAuthority https://acme-staging-v02.api.letsencrypt.org/directory
MDPortMap 443:8443 80:8080
MDCAChallenges tls-sni-01 http-01
MDRequireHttps permanent

<VirtualHost :8443>
ErrorLog /dev/stderr
TransferLog /dev/stdout
LogLevel debug
SSLEngine on
ServerName stg.packit.dev
Protocols h2 http/1.1
</VirtualHost>
<VirtualHost
:8080>
ErrorLog /dev/stderr
TransferLog /dev/stdout
LogLevel debug
ServerName stg.packit.dev
</VirtualHost>

Maybe it would help to remove tls-sni-01 from your configured MDCAChallenges? Like:

MDCAChallenges http-01

Sorry does not help. The webserver is running in container which exposes ports 8080 8443.

I assume it’s connected to reverse proxy’s 80 and 443?

Can you please explain it a bit more?
we have a domain packit.dev contains URL stg.packit.dev.
This url is only DNS name and original URL is in OpenShift.

I have a container which listens on ports 8080 and 8443.

Does it help for support and solution?

if I wget http://stg.packit.dev it will reach container’s (or whatever certbot running) web server?

Ideally https://stg.packit.dev -> OpenshiftURL -> container with webserver, not certbot, only mod_md built from apache sources.

If you are using reverses proxy, cert should generated from proxy.

-------- 원본 이메일 --------

발신: Petr Hracek via Let’s Encrypt Community Support letsencrypt@discoursemail.com

날짜: 19/4/25 오후 5:25 (GMT+09:00)

받은 사람: abnoeh@mail.com

제목: [Let’s Encrypt Community Support] [Help] The server offers no ACME challenge that is configured for this MD. The server offered ‘dns-01 tls-alpn-01 http-01’ and available for this MD are: 'tls-sni-01

phracek

    April 25

Ideally https://stg.packit.dev -> OpenshiftURL -> container with webserver, not certbot, only mod_md built from apache sources.

If you have your Apache running behind a port mapper (or reverse proxy), you need to tell mod_md on which port to expect the challenges. Look here for a description of the MDPortMap command.

The reported error says “I do not know where you expect http: or https: requests to come in, so I cannot select the challenge method to perform with Let’s Encrypt”.

If you do MDPortMap 80:8080 the http-01 challenge will be enabled and Apache will get you certificates.

(Note: mod_md only support ACMEv1 right now, so tls-alpn-01 is not available. That is correct.)

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.