Type: unauthorized Detail: Invalid response from

Dear Let's Encrypt:

Thank you kindly for your reply. You folks are a wonderful resource!

My domain is:
testmaps.camavision.com

I ran this command:
sudo certbot-auto certonly --webroot -w /pub/maps/html/ -d testmaps.camavision.com

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for testmaps.camavision.com
Using the webroot path /pub/maps/html for all unmatched domains.
Waiting for verification...
Challenge failed for domain testmaps.camavision.com
http-01 challenge for testmaps.camavision.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

My web server is (include version):
bash-5.0$ httpd -v
Server version: Apache/2.4.46 (Unix)
Server built: Aug 4 2020 17:22:48

The operating system my web server runs on is (include version):
bash-5.0$ cat /etc/slackware-version
Slackware 14.2+

My hosting provider, if applicable, is:
None.

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.36.0

According to my network guy, he has enabled port 443 forwarding via SonicWall.

bash-5.0$ nmap athena.camavision.com | grep 80
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-05 14:31 CST
80/tcp open http
bash-5.0$ nmap athena.camavision.com | grep 443
443/tcp open https

My apache config has the following:

bash-5.0$ grep -i listen /etc/httpd/httpd.conf
Listen 80
Listen 443

The VirtualHost directives in apache are similar to the following:

<VirtualHost *:80 *:443>
ServerName testmaps.camavision.com
ServerAlias maps.camavision.com map2.camavision.com
DocumentRoot "/pub/maps/html"
CustomLog "/var/log/httpd/access_log" common

# SSLEngine on
# SSLCertificateFile  /etc/letsencrypt/live/testmaps.camavision.com/cert.pem
# SSLCertificateKeyFile /etc/letsencrypt/live/testmaps.camavision.com/privkey.pem
# SSLCertificateChainFile /etc/letsencrypt/live/testmaps.camavision.com/chain.pem
...

I am planning to uncomment the directives above after I am successful in getting certbot to run.

It looks like "http" works okay:

bash-5.0$ wget --spider testmaps.camavision.com
Spider mode enabled. Check if remote file exists.
--2020-11-05 14:46:57-- http://testmaps.camavision.com/
Resolving testmaps.camavision.com (testmaps.camavision.com)... 192.168.10.14
Connecting to testmaps.camavision.com (testmaps.camavision.com)|192.168.10.14|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Remote file exists and could contain further links,
but recursion is disabled -- not retrieving.

It looks like there are some problems with https:

bash-5.0$ wget --spider https://testmaps.camavision.com
Spider mode enabled. Check if remote file exists.
--2020-11-05 14:47:18-- https://testmaps.camavision.com/
Resolving testmaps.camavision.com (testmaps.camavision.com)... 192.168.10.14
Connecting to testmaps.camavision.com (testmaps.camavision.com)|192.168.10.14|:443... connected.
OpenSSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number
Unable to establish SSL connection.

The version of openssl is fairly recent:

bash-5.0$ openssl version
OpenSSL 1.1.1g 21 Apr 2020

This server has never had any previous certificates. I have never had https running successfully on this server.


Hi @fredm

first step: Don't mix http and https in the same vHost definition.

Second: If your config doesn't work, what says

apachectl -S

Then you see your real used configuration.

Third: If webroot doesn't work, you use the wrong webroot or the vHost isn't used.

Create a test file in webroot/.well-known/acme-challenge (file name 1234), load that file via http://yourdomain/.well-known/acme-challenge/1234 (use curl or online tools to check that).

That must work -> you have your correct webroot.

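The webroot check described in the reply above, as an added example that is not code from the thread or from Certbot: a small POSIX shell script that writes a token file under `<webroot>/.well-known/acme-challenge/`, requests it over plain http and compares the body. The script name, the token format, the use of curl and the two positional arguments (webroot, hostname) are assumptions; the http-01 path and the fact that validation happens over port 80 are how the protocol works.

```shell
#!/bin/sh
# Added example, not code from the thread: prove that a webroot is the one
# Apache serves for a name before pointing certbot --webroot at it.
# Assumptions: curl is installed; the two positional arguments are the
# webroot and the hostname, e.g.
#   sh webroot-probe.sh /pub/maps/html testmaps.camavision.com

# Drop a token file into <webroot>/.well-known/acme-challenge/ and print
# its path. The token is time+pid based so a file left over from an earlier
# probe cannot give a false pass.
make_challenge_file() {
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    token="probe-$(date +%s)-$$"
    printf '%s' "$token" > "$dir/$token" || return 1
    printf '%s\n' "$dir/$token"
}

# The URL the CA's validators request for http-01: plain http, port 80,
# fixed path. Port 443 plays no part until after the certificate is issued.
challenge_url() {
    printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# Fetch the URL and compare the body byte-for-byte with the expected token.
# -L follows redirects because Let's Encrypt follows them too (an http->https
# rewrite, for instance); a redirect to a port that does not speak TLS yet
# fails here just as it fails for the CA.
check_served() {
    body=$(curl -sS -L --max-time 10 "$1" 2>/dev/null) || return 1
    [ "$body" = "$2" ]
}

# Show how this host resolves the name. The CA resolves it through public
# DNS; if the answer here is a private (RFC 1918) address such as
# 192.168.x.x, a passing probe from this machine says nothing about what
# the CA will reach.
show_resolution() {
    getent hosts "$1" 2>/dev/null || nslookup "$1" 2>/dev/null
}

if [ "$#" -eq 2 ]; then
    webroot=$1
    domain=$2
    path=$(make_challenge_file "$webroot") || { echo "cannot write under $webroot" >&2; exit 2; }
    token=$(basename "$path")
    url=$(challenge_url "$domain" "$token")
    echo "local resolution of $domain:"
    show_resolution "$domain"
    if check_served "$url" "$token"; then
        echo "OK: $url returned the token; $webroot is the right -w value"
    else
        echo "FAIL: $url did not return the token; wrong webroot, or this vhost is not the one answering" >&2
    fi
    rm -f "$path"
fi
```

Run it on the web server itself and, if possible, from a host outside the network as well: with the vhost above, a pass from inside combined with a fail from outside points at the DNS or port-forwarding layer rather than at Apache, which is exactly the distinction `apachectl -S` alone cannot make.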

Welcome to the Let's Encrypt Community, Fred :slightly_smiling_face:

I'm seeing this:
testmaps.camavision.com. 3599 IN CNAME imon.camavision.com.
imon.camavision.com. 3599 IN A 199.188.65.182

Are you running certbot on something that answers for 199.188.65.182:80?


There is a separate problem with imon.camavision.com.

That certificate does not include imon.camavision.com.



Additionally...

https://www.camavision.com has a TON of mixed content, which will cause the site to be flagged as insecure, resulting in no padlock appearing next to the address.

The following tool can be used to locate the mixed content:

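An added example, not the tool the reply above links to: a POSIX shell function that scans a saved copy of a page for mixed-content candidates. It flags only subresources the browser actually loads over http:// (scripts, stylesheets, images, frames, media, plugins, CSS `url()`), since a plain `<a href="http://...">` navigation link is not mixed content and would be a false positive. The function names, the file argument and the tag/attribute lists are assumptions.

```shell
#!/bin/sh
# Added example, not the tool referred to in the thread: list mixed-content
# candidates in a saved copy of a page, e.g. after
#   curl -sL https://www.camavision.com > page.html
# Only resources the browser loads over http:// count as mixed content;
# <a href="http://..."> links are navigation, not loads, and are excluded.
find_mixed_content() {
    q="'"
    tags='script|img|iframe|frame|link|source|video|audio|object|embed|track'
    attrs='src|href|data|srcset|poster'
    {
        # attribute on a resource-loading tag, e.g. <img src="http://...">
        grep -oiE "<($tags)[^>]*[[:space:]]($attrs)=[\"$q]?http://[^\"$q >]+" "$1" \
            | sed 's/.*http:\/\//http:\/\//'
        # CSS references, inline or in a saved stylesheet: url(http://...)
        grep -oiE "url\([\"$q]?http://[^\"$q)]+" "$1" \
            | sed 's/.*http:\/\//http:\/\//'
    } | sort -u
}

# Print the findings and return 1 when anything was found, so the check can
# gate a deploy or a cron job.
report_mixed_content() {
    found=$(find_mixed_content "$1")
    if [ -n "$found" ]; then
        printf 'mixed content in %s:\n%s\n' "$1" "$found"
        return 1
    fi
    echo "no mixed content found in $1"
}

if [ "$#" -eq 1 ]; then
    report_mixed_content "$1"
fi
```

This only sees what is in the static HTML and CSS you saved; resources injected by JavaScript at runtime need the browser's own console or a headless-browser crawl, which is why the padlock can still be missing on a page this scan reports as clean.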

I would strongly suggest that your IT/web team sit down and make some thorough decisions regarding the desired hierarchy and functionality.
