Tls-sni-01 challenge failing

Hello guys,

I am trying to install https:// access on a Debian stretch on a Raspberry Pi3. I am under apache. I am not linux illiterate, but not far from it :slight_smile:

I read other similar topics, and it could be that I have also one of these issues; but I cannot sort it out. I am not using Ipv6, I have access to my domain using 443 port.

I am graded A on ssllabs when asking for a SSL report.

So below what I tried and what happens:

sudo /opt/letsencrypt/letsencrypt-auto --apache -d rstadel.freeboxos.fr

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for rstadel.freeboxos.fr
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. rstadel.freeboxos.fr (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 1fe182487d36a01e012c934ab5159f2b.61cef5cc05c4531d24aab4f11ab56f40.acme.invalid from [2a01:e35:2e53:5110::1]:443. Received 2 certificate(s), first certificate had names "rstadel.freeboxos.fr"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: rstadel.freeboxos.fr
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   1fe182487d36a01e012c934ab5159f2b.61cef5cc05c4531d24aab4f11ab56f40.acme.invalid
   from [2a01:e35:2e53:5110::1]:443. Received 2 certificate(s), first
   certificate had names "rstadel.freeboxos.fr"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

Hi @RaGE,

I don't really understand the problem: your site https://rstadel.freeboxos.fr is already using a Let's Encrypt certificate.

These are the still valid certificates issued by Let's Encrypt:

CRT ID     DOMAIN (CN)           VALID FROM             VALID TO               EXPIRES IN  SANs
236755983  rstadel.freeboxos.fr  2017-Oct-21 13:55 UTC  2018-Jan-19 13:55 UTC  89 days     rstadel.freeboxos.fr
193235751  rstadel.freeboxos.fr  2017-Aug-18 11:15 UTC  2017-Nov-16 11:15 UTC  25 days     rstadel.freeboxos.fr

And this is the cert your web server (nginx) is returning:

echo | openssl s_client -connect rstadel.freeboxos.fr:443 -servername rstadel.freeboxos.fr 2>/dev/null | openssl x509 -noout -text | grep -E '(Issuer:|Not After|DNS:)'
        Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
            Not After : Jan 19 13:55:35 2018 GMT
                DNS:rstadel.freeboxos.fr

So, you said you are using Apache, but the web server which is answering right now is nginx, so I suppose it is the FreeBox answering the requests for your site because you have not forwarded port 443 from the router to your RPi3.

Well, yes, you are ;), the FreeBox router is answering to requests to your IPv4 (82.229.53.17) and IPv6 (2a01:e35:2e53:5110::1) addresses for domain rstadel.freeboxos.fr

$ curl -IkL6 https://rstadel.freeboxos.fr/
HTTP/1.1 302 Found
Server: nginx
Date: Sun, 22 Oct 2017 09:02:06 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Connection: keep-alive
Location: /login.php
Expires: Sun, 22 Oct 2017 09:02:05 GMT
Cache-Control: no-cache
Cache-Control: must-revalidate,no-store

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 22 Oct 2017 09:02:06 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Expires: Sun, 22 Oct 2017 09:02:05 GMT
Cache-Control: no-cache
Cache-Control: must-revalidate,no-store

$ curl -IkL4 https://rstadel.freeboxos.fr/
HTTP/1.1 302 Found
Server: nginx
Date: Sun, 22 Oct 2017 09:02:19 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Connection: keep-alive
Location: /login.php
Expires: Sun, 22 Oct 2017 09:02:18 GMT
Cache-Control: no-cache
Cache-Control: must-revalidate,no-store

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 22 Oct 2017 09:02:19 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Expires: Sun, 22 Oct 2017 09:02:18 GMT
Cache-Control: no-cache
Cache-Control: must-revalidate,no-store

Keep in mind that Let's Encrypt will prefer IPv6 over IPv4, so it will try to validate your domain using your IPv6 address... there should be no problem, your router is answering requests to this IP, but if you need to port forward port 443 to your RPi3, keep in mind that you should port forward this port for IPv4 and IPv6 requests.

Cheers,
sahsanu
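As an added illustration of why the error above occurs (this is not code from the thread, from Certbot or from Let's Encrypt's validation server), the script below derives the `<hex>.<hex>.acme.invalid` name that the validator requests via SNI from a challenge token and the account key, and models the check that rejected the FreeBox's own certificate. The JWK, token and SAN lists are constructed; the key authorization and name derivation follow the published tls-sni-01 and http-01 challenge definitions (RFC 7638 thumbprint, SHA-256 of the key authorization split into two 32-hex-character labels).

```python
"""Added example: how the ACME tls-sni-01 validation name is derived and why a
certificate from the wrong TLS endpoint fails the check. All keys, tokens and
SAN lists in this file are constructed for illustration."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE/ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of an RSA public JWK: SHA-256 over the canonical
    JSON of only the required members (e, kty, n), sorted, no whitespace.
    Optional members such as kid or alg must not influence the result."""
    required = {"e": jwk["e"], "kty": jwk["kty"], "n": jwk["n"]}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token.thumbprint: proves the challenge response came from the account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def tls_sni_01_name(token: str, jwk: dict) -> str:
    """The SAN the validator asks for through SNI on port 443:
    Z = lowercase hex SHA-256 of the key authorization,
    name = Z[0:32].Z[32:64].acme.invalid."""
    z = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).hexdigest()
    return f"{z[:32]}.{z[32:]}.acme.invalid"


def http_01_path(token: str) -> str:
    """For comparison, the webroot (http-01) challenge serves the key
    authorization at this path over plain HTTP on port 80."""
    return f"/.well-known/acme-challenge/{token}"


def diagnose(requested: str, received_names: list) -> str:
    """Model the CA's decision: the first certificate presented for the
    acme.invalid SNI must carry exactly that name. A production certificate
    for the real hostname means another device terminated the TLS session."""
    if requested in received_names:
        return "ok: validation certificate presented"
    return ("mismatch: TLS endpoint answered with names %s instead of %s; "
            "a device in front of the target host is terminating TLS"
            % (received_names, requested))


if __name__ == "__main__":
    # Constructed account key and token (not a real RSA modulus).
    jwk = {"kty": "RSA", "e": "AQAB", "n": "constructed-not-a-real-modulus"}
    token = "constructed-token"
    print("key authorization:", key_authorization(token, jwk))
    print("tls-sni-01 SNI name:", tls_sni_01_name(token, jwk))
    print("http-01 path:", http_01_path(token))
    # The situation from the error message: the name the validator requested
    # versus the names on the certificate the router's nginx actually served.
    requested = ("1fe182487d36a01e012c934ab5159f2b."
                 "61cef5cc05c4531d24aab4f11ab56f40.acme.invalid")
    print(diagnose(requested, ["rstadel.freeboxos.fr"]))
```

The practical check this models is the `openssl s_client -servername` command earlier in the thread: run it with the `.acme.invalid` name from the error as the `-servername` value while Certbot is waiting, and whichever certificate comes back identifies the device that really terminates TLS on port 443.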

Ok thanks, this is valuable information.

My problem is the following:
rstadel.freeboxos.fr is the domain name given by my provider. Behind it I have a router (well, to be precise, that’s the “box” over which we guys over here get “home access to the internet”), which I can access over port 443 and https; that is the letsencrypt certificate you have found, I suppose. On this router I have a Pi3, that I would like to access also using https, and that is the connection that is failing, and for which I need a certificate. The letsencrypt certificate you have spotted is the one automatically provided by my internet provider for the router; the one I am trying to create is for accessing my raspberry Pi. I hope I am clear. It could also be that this does not make sense, since I am quite new to this stuff, but that is what I understood so far.

@RaGE, yes, makes sense but to reach your RPi3 from internet you need to configure your freebox to port forward requests to external port 443 to your internal ip and internal port (the one used by RPi3).

If you only want to access your RPi3 internally you could:

1.- Use the webroot validation challenge. It uses port 80, so maybe it is easy for you to port forward port 80 from your freebox to your RPi3 (I’ve no idea what the possible configurations allowed by freebox are).

2.- Copy the cert and key already used by your freebox to your RPi3. I don’t know if this is easy or even possible, but it could be a pain to do this manually every 60 days.

3.- Use your own self-signed certificate.

4.- You could also use the DNS-01 challenge, which doesn’t involve requests from Let’s Encrypt to your server, only to the DNS server, but I doubt that you would be able to create TXT records for your sub domain as it is managed by freebox. An alternative is to use your own domain where you are able to modify DNS records (there are cheap ones out there and even free domains), but this option will involve much work.

5.- Sure there are other possibilities.

As I said, if you want to access your RPi3 externally (from the internet) then you need to configure your freebox to port forward requests to your RPi3; it could be the best option in your case.

Cheers,
sahsanu
