Triggering a challenge retry


#1

I am trying to figure out how to the the LetsEncrypt server to resend the challenge request.

My domain is:

testing.penforms.penrad.com

I ran this command:

Complete-ACMEChallenge dns1 -ChallengeType http-01 -Handler manual -force

It produced this output:

IdentifierPart : ACMESharp.Messages.IdentifierPart
IdentifierType : dns
Identifier : testing.penforms.penrad.com
Uri : https://acme-v01.api.letsencrypt.org/acme/authz/Nzhd1OSbttL0NwAbf0ClKhqnfuiJ6wXDXWS4xwyKHCA
Status : pending
Expires : 6/12/2018 5:32:47 PM
Challenges : {manual, manual}
Combinations : {0, 1}

My web server is (include version):

Kestrel

The operating system my web server runs on is (include version):

Windows 10

I can login to a root shell on my machine - YES


#2

I don’t use this.

But: The challenge

https://acme-v01.api.letsencrypt.org/acme/challenge/Nzhd1OSbttL0NwAbf0ClKhqnfuiJ6wXDXWS4xwyKHCA/4971797239

is invalid: “Timeout during connect (likely firewall problem)”.

Wenn fetching your url

testing.penforms.penrad.com/.well-known/acme-challenge/dTvsfhE3epTUE2em1hFF212qAdxCrNfsCj20oK9gvXk

manual, the http-status is 200. But the headers:

–

D:>download http://testing.penforms.penrad.com/.well-known/acme-challenge/dTvsfhE3epTUE2em1hFF212qAdxCrNfsCj20oK9gvXk -h
Content-Disposition: attachment; filename=dTvsfhE3epTUE2em1hFF212qAdxCrNfsCj20oK9gvXk; filename*=UTF-8’'dTvsfhE3epTUE2em1hFF212qAdxCrNfsCj20oK9gvXk
Content-Length: 87
Content-Type: text/plain
Date: Tue, 05 Jun 2018 20:27:39 GMT
Set-Cookie: NUSA_Guids=be4eb480-a8a7-4c01-bf67-4e2c8f7d8059%2F66bf3eb2-95de-42ce-a907-1109cb9ced8b; path=/
Server: Kestrel

Status: 200 OK

–

Your server adds a Content-Disposition attachment-Header with a Filename, so FireFox wants to download the file.

I don’t know if this is good when Letsencrypt checks your file. I would remove the Content-Disposition - Header if possible.


#3

I got a timeout on that site (resolved address 216.105.239.55) when trying to connect from two different locations. Could there be a firewall that blocks access to some IP address ranges?

Edit: It actually did connect but it took a very long time on the first connection, and then worked quickly on subsequent connections. Is it possible that there’s some kind of firewall or proxy that performs some kind of time-consuming check on hosts that connect to your site before allowing the connection to complete?


#4

Intermittent network issue sounds like it’s on the money. I don’t think Content-Disposition will affect Let’s Encrypt, since it doesn’t look for that header and doesn’t otherwise affect the response body. At least, Let’s Encrypt can connect to the server sometimes:

Challenge update failures for testing.penforms.penrad.com in order https://acme-staging-v02.api.letsencrypt.org/acme/order/5751349/1772981
acme: error code 403 “urn:ietf:params:acme:error:unauthorized”: The key authorization file from the server did not match this challenge [lvIDm50o6cDM2w6LGiJ4eijh_TW4p8agzXFf-65RXv0.49wknCPN_3HICrKF6BR-V-a-E_ipoaGro7D1Fju_2ec] != [dTvsfhE3epTUE2em1hFF212qAdxCrNfsCj20oK9gvXk.82563yWh0HmnK35FH2tUfRsCc7NP3doyWk89Q943qsc]

Maybe a reverse DNS lookup that gets cached? This also looks like a residential connection, which may have something to do with it.


#5

Thanks for both your replies.

The reason for the long timeout was I left a breakpoint in my code - SORRY! (LOL)

I also fixed the following:

Content-Disposition - gone.
Set-Cookie: HUSA_Guids… - gone

If anyone hits it now, it should immediately return. (No more breakpoints)


#6

Now there is no timeout. But:

http://testing.penforms.penrad.com/.well-known/acme-challenge/lvIDm50o6cDM2w6LGiJ4eijh_TW4p8agzXFf-65RXv0

shows

dTvsfhE3epTUE2em1hFF212qAdxCrNfsCj20oK9gvXk.82563yWh0HmnK35FH2tUfRsCc7NP3doyWk89Q943qsc

http://testing.penforms.penrad.com/.well-known/acme-challenge/lvIDm50o6cDM2w6LGiJ4eijh

shows the same

dTvsfhE3epTUE2em1hFF212qAdxCrNfsCj20oK9gvXk.82563yWh0HmnK35FH2tUfRsCc7NP3doyWk89Q943qsc

So I can remove characters and don’t get a 404-status, instead 200 and the same (wrong) content.

The filename must be the token, the content must be the token, a “.” and a JWK-Footprint of the account key.


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.