TLS-SNI-01 To HTTP-01

LucD · 2019-01-29 09:28:26 UTC

Hi,

I would need some help to renew a cert using HTTP-01.

Here is the message I received when running: sudo certbot renew --dry-run

The following errors were reported by the server:

Domain: intuineo002.pro
Type: unauthorized
Detail: Invalid response from
http://intuineo002.pro/.well-known/acme-challenge/dxoul7sYq-Qi5lL1…
[2001:41d0:401:3100::702d]: 404

My web server: Apache 2.4.18 on Ubuntu 16.04.3

I can login to a root shell on my machine and I use Webmin 1.900

certbot --version = 0.28

Thanks

JuergenAuer · 2019-01-29 10:01:01 UTC

Hi @LucD

you have an ipv6 Teredo tunneling address as your ip address ( https://check-your-website.server-daten.de/?q=intuineo002.pro ):

Host	T	IP-Address	is auth.	∑ Queries	∑ Timeout
intuineo002.pro	A	92.222.84.144	yes	1	0
	AAAA	2001:41d0:401:3100::702d	yes
www.intuineo002.pro	A	92.222.84.144	yes	1	0
	AAAA	2001:41d0:401:3100::702d	yes

–

Y	intuineo002.pro

	2001:41d0:401:3100::702d
	warning: Private ip address found: 2001:0000:0000:0000:0000:0000:0000:0000 to 2001:ffff:ffff:ffff:ffff:ffff:ffff:ffff: Teredo tunneling
Y	www.intuineo002.pro

	2001:41d0:401:3100::702d
	warning: Private ip address found: 2001:0000:0000:0000:0000:0000:0000:0000 to 2001:ffff:ffff:ffff:ffff:ffff:ffff:ffff: Teredo tunneling

Perhaps remove this ipv6, then try it again. Or check your vHosts, then find your DocumentRoot. Then use

certbot run -a webroot -i apache -w YourDocumentRoot -d intuineo002.pro -d www.intuineo002.pro

You have both dns entries - www and non-www. And http + www answers. But your certificate has only one domain name. So you should create one certificate with both domain names.

LucD · 2019-01-29 10:34:34 UTC

Thank you Juergen for your answer and all the provided information.

I didn’t know about all this…

I need IPV6 on this server so I have no option to remove it.

I’m going to try your cerbot command and will be back soon…

LucD · 2019-01-29 11:18:10 UTC

Unfortunately, I received the following error (from letsencryp.log)

2019-01-29 12:09:43,135:ERROR:certbot.log:An unexpected error occurred:
2019-01-29 12:13:25,830:DEBUG:certbot.main:certbot version: 0.28.0
2019-01-29 12:13:25,831:DEBUG:certbot.main:Arguments: [’-a’, ‘webroot’, ‘-i’, ‘apache’, ‘-w’, ‘/var/www/html’, ‘-d’, ‘intuineo002.pro’, ‘-d’, ‘www.intuineo002.pro’]
2019-01-29 12:13:25,831:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-01-29 12:13:25,847:DEBUG:certbot.log:Root logging level set at 20
2019-01-29 12:13:25,848:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-01-29 12:13:25,854:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer apache
2019-01-29 12:13:25,939:DEBUG:certbot_apache.configurator:Apache version is 2.4.18
2019-01-29 12:13:26,313:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_debian.DebianConfigurator object at 0x7fc8f85597f0>
Prep: True
2019-01-29 12:13:26,315:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7fc8f8559198>
Prep: True
2019-01-29 12:13:26,316:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7fc8f8559198> and installer <certbot_apache.override_debian.DebianConfigurator object at 0x7fc8f85597f0>
2019-01-29 12:13:26,316:INFO:certbot.plugins.selection:Plugins selected: Authenticator webroot, Installer apache
2019-01-29 12:13:26,320:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(uri=‘https://acme-v01.api.letsencrypt.org/acme/reg/22362322’, terms_of_service=‘https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf’, body=Registration(only_return_existing=None, contact=(‘mailto:tech@intuineo.fr’,), agreement=‘https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf’, key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7fc8f849fa20>)>), status=None, terms_of_service_agreed=None), new_authzr_uri=‘https://acme-v01.api.letsencrypt.org/acme/new-authz’), 29b050103c0efb16c2d50bc9b607ff4c, Meta(creation_dt=datetime.datetime(2017, 10, 7, 20, 51, 55, tzinfo=), creation_host=‘vps463490’))>
2019-01-29 12:13:26,322:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2019-01-29 12:13:26,325:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
2019-01-29 12:13:26,549:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 “GET /directory HTTP/1.1” 200 658
2019-01-29 12:13:26,550:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 658
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Tue, 29 Jan 2019 11:13:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 29 Jan 2019 11:13:26 GMT
Connection: keep-alive

{
“keyChange”: “https://acme-v02.api.letsencrypt.org/acme/key-change”,
“meta”: {
“caaIdentities”: [
“letsencrypt.org”
],
“termsOfService”: “https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf”,
“website”: “https://letsencrypt.org”
},
“newAccount”: “https://acme-v02.api.letsencrypt.org/acme/new-acct”,
“newNonce”: “https://acme-v02.api.letsencrypt.org/acme/new-nonce”,
“newOrder”: “https://acme-v02.api.letsencrypt.org/acme/new-order”,
“revokeCert”: “https://acme-v02.api.letsencrypt.org/acme/revoke-cert”,
“skehR9wD_cU”: “Adding random entries to the directory”
}
2019-01-29 12:13:26,554:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File “/usr/bin/certbot”, line 11, in
load_entry_point(‘certbot==0.28.0’, ‘console_scripts’, ‘certbot’)()
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 1340, in main
return config.func(config, plugins)
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 1089, in run
should_get_cert, lineage = _find_cert(config, domains, certname)
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 286, in _find_cert
action, lineage = _find_lineage_for_domains_and_certname(config, domains, certname)
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 313, in _find_lineage_for_domains_and_certname
return _find_lineage_for_domains(config, domains)
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 266, in _find_lineage_for_domains
return _handle_subset_cert_request(config, domains, subset_names_cert)
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 163, in _handle_subset_cert_request
force_interactive=True):
File “/usr/lib/python3/dist-packages/certbot/display/util.py”, line 218, in yesno
no=_parens_around_char(no_label)))
File “/usr/lib/python3/dist-packages/certbot/display/util.py”, line 85, in input_with_timeout
raise EOFError
EOFError
2019-01-29 12:13:26,556:ERROR:certbot.log:An unexpected error occurred:

JuergenAuer · 2019-01-29 11:23:52 UTC

force_interactive = True - your Certbot want’s an input.

But there is no input, so it’s a timeout.

LucD · 2019-01-29 11:34:23 UTC

Yes but the script is so fast I don’t have any chance to press a key…

More seriously, I’m running the script via webmin console and this is (may be) related (the script is not waiting for input and exits right away).

I will try to run it with plain ssl/putty and let you know

LucD · 2019-01-29 11:50:32 UTC

Running the script with putty solved the problem.

I just need to check the next letsencrypt renewal deadline now!

Thanks Jeurgen for your help

Cheers

rg305 · 2019-01-29 17:33:14 UTC

You don’t have to remove IPv6 from the server; Only remove it from the global DNS zone.
If that is not possible, then I don’t think you will be able to use HTTP validation.
Maybe DNS validation can work for your case.

JuergenAuer · 2019-01-29 17:53:52 UTC

He has already created a new certificate.

CN=intuineo002.pro
	29.01.2019
	29.04.2019
	intuineo002.pro, www.intuineo002.pro - 2 entries

So Letsencrypt accepts these Teredo tunneling addresses.

rg305 · 2019-01-29 17:55:38 UTC

Accepts it? Like it actually uses it?
Or it just ignores it (and falls back to any other available address - like the IPv4 address in this case)?

JuergenAuer · 2019-01-29 17:58:12 UTC

The ipv6 Teredo is there:

Host	T	IP-Address	is auth.	∑ Queries	∑ Timeout
intuineo002.pro	A	92.222.84.144	yes	1	0
	AAAA	2001:41d0:401:3100::702d	yes
www.intuineo002.pro	A	92.222.84.144	yes	1	0
	AAAA	2001:41d0:401:3100::702d	yes

And the Topic uses this address.

Now the file was ok -> new certificate.

rg305 · 2019-01-29 18:02:24 UTC

OK, the confusion is that this is actually a normal IPv6 address (assigned to OVH France).
See: https://apps.db.ripe.net/db-web-ui/#/lookup?source=ripe&key=2001:41d0::/32&type=inet6num

So this is incorrect assumption:

JuergenAuer · 2019-01-29 18:05:33 UTC

It isn’t a normal IPv6 address, it’s a Teredo tunneling address. So as I know, it should be used as client address (sample: mobile clients), that may change. Not as a static server address.

rg305 · 2019-01-29 18:08:11 UTC

How do you know this?

rg305 · 2019-01-29 18:10:16 UTC

From: https://en.wikipedia.org/wiki/Teredo_tunneling#IPv6_addressing
Bits 0 to 31 hold the Teredo prefix (2001::/32).

That doesn’t cover: 2001:40d0::
Only 2001:0000::

JuergenAuer · 2019-01-29 18:17:08 UTC

Yep, thanks, it’s my error.

There

2001::/32 2001:: 2001::ffff:ffff:ffff:ffff:ffff:ffff

is a ::, not

2001::/32 2001:: 2001:ffff:ffff:ffff:ffff:ffff:ffff:ffff

So all with 2001:0000: as start is a Teredo address. Must fix it.