It produced this output:
5SH1d5GetURvg4wexDAtNMUjxWYMZk4q4K-IfgWWOuM.Gy2PF66rEjQusCGhKWHm2ddrBIp9vmikm38eyhOo57M
My web server is (include version):
CloudFront pointed to S3
The operating system my web server runs on is (include version):
CloudFront pointed to S3
My hosting provider, if applicable, is:
DNS zone is in Cloudflare, A records are pointed to CloudFront distribution with .well-known path backed by S3 bucket configured as a static website.
I can login to a root shell on my machine (yes or no, or I don’t know):
no
In CloudFront logs we can see the following:
2020-02-03 12:21:27 DEN50-C2 533 66.133.109.36 GET d1po0h3exnpx3a.cloudfront.net /.well-known/acme-challenge/5SH1d5GetURvg4wexDAtNMUjxWYMZk4q4K-IfgWWOuM 200 - Mozilla/5.0%20(compatible;%20Let’s%20Encrypt%20validation%20server;%20+https://www.letsencrypt.org) - - Miss tOLRS1HU5zYUOjtfDlY4JrRr019m6oWjrkhbp8820uckvYjIm9jTBw== magetest.cf http 263 0.104 - - - Miss HTTP/1.1 - - 27916 0.104 Miss text/plain 87 - -
Same log entry for curl:
2020-02-03 12:22:25 TXL52-C1 538 93.72.107.17 GET d1po0h3exnpx3a.cloudfront.net /.well-known/acme-challenge/5SH1d5GetURvg4wexDAtNMUjxWYMZk4q4K-IfgWWOuM 200 - curl/7.58.0 - - Miss sShFiNDpwEJTAFCRhYMhq0QxlffV7OoX8-0UU-0dJTDvoJZ9uVgbOg== magetest.cf http 145 0.105 - - - Miss HTTP/1.1 - - 57180 0.105 Miss text/plain 87 - -
If you are using CloudFront and S3 storage as your source, you should consider using ACM (AWS Certificate Manager) issued certificates. Uploading a Let’s Encrypt certificate to ACM (you’ll need to do that if you use CloudFront) every 2 months is painful, and ACM certificates serve better if you use CloudFront or ELB in AWS.
I understand this, but it would be exceptionally hard to use S3 + Cloudflare with certbot (you might need to spend a long time between putting the files in place and completing the challenge).
May I know why you want to use HTTP validation?
Based on your description and setup, you can easily use DNS validation for both Let's Encrypt and ACM.
Many programs allow you to use the Cloudflare API to issue the Let's Encrypt certificate. DNS validation for ACM is also easy since the DNS record is the same for every renewal (in ACM), which means you don't need to update DNS records at every renewal.
The problem is that we don’t actually have full control on DNS.
We’ve implemented a full lifecycle for issuing/renewing SSL certificates from LetsEncrypt via DNS01+HTTP01 challenges and further import to ACM. It worked fine for some time. I guess we’ve started facing the described HTTP verification issues after the ACMEv1 end of life.
The trouble is that LetsEncrypt actually hits CloudFront and receives a 200 status. Also, CloudFront shows connection closure. Still, the LetsEncrypt answer_challenge endpoint raises an error.
This info was obtained from CloudFront log entries:
2020-02-03 12:21:27 DEN50-C2 533 66.133.109.36 GET d1po0h3exnpx3a.cloudfront.net /.well-known/acme-challenge/5SH1d5GetURvg4wexDAtNMUjxWYMZk4q4K-IfgWWOuM 200 - Mozilla/5.0%20(compatible;%20Let’s%20Encrypt%20validation%20server;%20+https://www.letsencrypt.org) - - Miss tOLRS1HU5zYUOjtfDlY4JrRr019m6oWjrkhbp8820uckvYjIm9jTBw== magetest.cf http 263 0.104 - - - Miss HTTP/1.1 - - 27916 0.104 Miss text/plain 87 - -
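As an added diagnostic (not code from the thread), the following Python parses CloudFront standard access-log rows such as the two quoted above and checks, for each request to the challenge path, whether the token in the URL matches the key authorization, whether the edge answered 200, and whether the served content length equals the length of the key authorization (87 bytes here: a 43-character token, a dot and a 43-character account-key thumbprint). The sample rows and the key authorization are the ones posted in the thread; the column names follow the CloudFront standard log format.

```python
"""Added diagnostic, not code from the thread: parse CloudFront standard
access-log rows and check what was actually served on the HTTP-01 path."""
from urllib.parse import unquote

# Column order of the CloudFront standard (W3C extended) access log.
FIELDS = [
    "date", "time", "x-edge-location", "sc-bytes", "c-ip", "cs-method",
    "cs(Host)", "cs-uri-stem", "sc-status", "cs(Referer)", "cs(User-Agent)",
    "cs-uri-query", "cs(Cookie)", "x-edge-result-type", "x-edge-request-id",
    "x-host-header", "cs-protocol", "cs-bytes", "time-taken", "x-forwarded-for",
    "ssl-protocol", "ssl-cipher", "x-edge-response-result-type",
    "cs-protocol-version", "fle-status", "fle-encrypted-fields", "c-port",
    "time-to-first-byte", "x-edge-detailed-result-type", "sc-content-type",
    "sc-content-len", "sc-range-start", "sc-range-end",
]

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Key authorization quoted in the thread: <token>.<account-key-thumbprint>
KEY_AUTHORIZATION = ("5SH1d5GetURvg4wexDAtNMUjxWYMZk4q4K-IfgWWOuM"
                     ".Gy2PF66rEjQusCGhKWHm2ddrBIp9vmikm38eyhOo57M")

# The two log rows quoted in the thread (validation server, then curl).
SAMPLE_LOG = """\
2020-02-03 12:21:27 DEN50-C2 533 66.133.109.36 GET d1po0h3exnpx3a.cloudfront.net /.well-known/acme-challenge/5SH1d5GetURvg4wexDAtNMUjxWYMZk4q4K-IfgWWOuM 200 - Mozilla/5.0%20(compatible;%20Let’s%20Encrypt%20validation%20server;%20+https://www.letsencrypt.org) - - Miss tOLRS1HU5zYUOjtfDlY4JrRr019m6oWjrkhbp8820uckvYjIm9jTBw== magetest.cf http 263 0.104 - - - Miss HTTP/1.1 - - 27916 0.104 Miss text/plain 87 - -
2020-02-03 12:22:25 TXL52-C1 538 93.72.107.17 GET d1po0h3exnpx3a.cloudfront.net /.well-known/acme-challenge/5SH1d5GetURvg4wexDAtNMUjxWYMZk4q4K-IfgWWOuM 200 - curl/7.58.0 - - Miss sShFiNDpwEJTAFCRhYMhq0QxlffV7OoX8-0UU-0dJTDvoJZ9uVgbOg== magetest.cf http 145 0.105 - - - Miss HTTP/1.1 - - 57180 0.105 Miss text/plain 87 - -
"""


def parse_rows(log_text):
    """Yield one dict per data row.

    Real log files are tab-separated, but CloudFront percent-encodes
    whitespace inside fields (see the %20 in the user agent), so splitting
    on any whitespace also works on a copy pasted into a forum post.
    """
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):  # "#Version" / "#Fields" headers
            continue
        yield dict(zip(FIELDS, line.split()))


def check_challenge_rows(log_text, key_authorization):
    """Return one finding per request to the acme-challenge path."""
    token = key_authorization.split(".", 1)[0]
    findings = []
    for row in parse_rows(log_text):
        stem = row.get("cs-uri-stem", "")
        if not stem.startswith(CHALLENGE_PREFIX):
            continue
        ua = unquote(row.get("cs(User-Agent)", ""))
        finding = {
            "time": f'{row.get("date")} {row.get("time")}',
            "client": row.get("c-ip"),
            "from_validator": "letsencrypt.org" in ua.lower(),
            "token_matches": stem[len(CHALLENGE_PREFIX):] == token,
            "status_ok": row.get("sc-status") == "200",
            # The body must be exactly the key authorization, so the byte
            # count the edge reports is a cheap proxy for "right content".
            "length_ok": row.get("sc-content-len") == str(len(key_authorization)),
            "result_type": row.get("x-edge-result-type"),  # Miss = fetched from origin
        }
        finding["looks_correct"] = (finding["token_matches"]
                                    and finding["status_ok"]
                                    and finding["length_ok"])
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in check_challenge_rows(SAMPLE_LOG, KEY_AUTHORIZATION):
        print(f)
```

Both rows come out as correct, which is the point of the exercise: the edge served the validator exactly 87 bytes with a 200, so the log rules out a wrong or missing challenge file on the CloudFront path and leaves the propagation window and the CA side as the remaining suspects. Note that a single row only proves one validator vantage point saw the file; if the CA fetches from several locations, look for every row on the token's path, not just the first.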
I’m actually pretty clueless on this one. The only issue I would suspect is that your timeout (the time between deploy and propagation) isn’t long enough, so even if you’re seeing the response, some validation servers do not.
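An added pre-flight check for the propagation window discussed above (not code from the thread or from any ACME client): after uploading the challenge file, poll the exact URL the validator will fetch until the edge returns 200 with a body equal to the key authorization, and only then ask the CA to validate. The fetcher is injectable so the poll can be exercised offline against a simulated S3/CloudFront that serves NoSuchKey for a while; the domain and token below are placeholder values, and `answer_challenge` is a stand-in for whatever the real client calls.

```python
"""Added example, not from the thread: wait until the edge actually serves
the key authorization before telling the CA to validate HTTP-01."""
import time
import urllib.error
import urllib.request
from typing import Callable, List, Tuple

Fetcher = Callable[[str], Tuple[int, bytes]]


def http_fetch(url: str, timeout: float = 10.0) -> Tuple[int, bytes]:
    """Plain HTTP GET returning (status, body); 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "acme-preflight/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def challenge_url(domain: str, token: str) -> str:
    # HTTP-01 is always fetched over plain HTTP on port 80 of the domain itself.
    return f"http://{domain}/.well-known/acme-challenge/{token}"


def wait_until_served(fetch: Fetcher, url: str, key_authorization: str,
                      attempts: int = 12, delay: float = 5.0,
                      sleep: Callable[[float], None] = time.sleep) -> Tuple[bool, int]:
    """Poll until the URL returns 200 with exactly the key authorization.

    Returns (ok, tries). A trailing newline is tolerated because RFC 8555
    lets the server ignore whitespace after the body; anything else (an HTML
    error page, an old token, a 404) counts as "not ready yet".
    """
    expected = key_authorization.encode()
    for tries in range(1, attempts + 1):
        status, body = fetch(url)
        if status == 200 and body.rstrip(b"\r\n") == expected:
            return True, tries
        if tries < attempts:
            sleep(delay)
    return False, attempts


def fake_fetcher(responses: List[Tuple[int, bytes]]) -> Tuple[Fetcher, List[str]]:
    """Simulated origin: returns responses in order, repeating the last one forever."""
    calls: List[str] = []

    def fetch(url: str) -> Tuple[int, bytes]:
        calls.append(url)
        return responses[min(len(calls), len(responses)) - 1]

    return fetch, calls


def answer_challenge(url: str) -> str:
    """Placeholder for the ACME client's 'respond to challenge' call."""
    return f"would POST to the CA to validate {url}"


if __name__ == "__main__":
    # Constructed scenario: S3 object is not visible for two polls, then appears.
    key_auth = "placeholder-token.placeholder-thumbprint"
    url = challenge_url("example.test", "placeholder-token")
    fetch, _ = fake_fetcher([(404, b"NoSuchKey"), (404, b"NoSuchKey"),
                             (200, key_auth.encode() + b"\n")])
    ok, tries = wait_until_served(fetch, url, key_auth, delay=0, sleep=lambda _: None)
    print(answer_challenge(url) if ok else f"gave up after {tries} polls")
```

Two design points: the poll goes through the same public URL the CA uses, so it proves the edge (not just the S3 origin) is serving the file; and because CloudFront may cache an error response for a short time by default, upload the object first and only then start polling, or keep the error-caching TTL on the distribution low so an early 404 does not linger at the edge the validator happens to hit.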
Looks pretty weird, but today I’ve managed to get the cert.
I didn’t change the code, but another try resulted in “no DNS challenge” for the domain.
I’ve added DNS challenge ignore and got the cert via HTTP verification.
Looks like something has changed on the LetsEncrypt side.
Is there any changelog so we can validate code behavior change against it?