Unable to perform http-01 challenge and create a certificate

My domain is: communithrive.com

I ran this command: https://acme-v02.api.letsencrypt.org/acme/order/1421692756/263707142897

It produced this output:

{
  "status": "invalid",
  "expires": "2024-05-01T13:55:26Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "communithrive.com"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/342475979137"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/1421692756/263707142897"
}

My web server is (include version): Azure App Service

The operating system my web server runs on is (include version): Windows

My hosting provider, if applicable, is: NameHero

I can login to a root shell on my machine (yes or no, or I don't know): I don't know

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The order when created through the API is invalid, and if I check the auth endpoint

https://acme-v02.api.letsencrypt.org/acme/authz-v3/342475979137

The error is:

urn:ietf:params:acme:error:unauthorized 40.88.135.152: Invalid response from https://communithrive.com/.well-known/acme-challenge/ZVG-RQk-m38Wlr2kRIEjvg26N4tl6luj-Bna0yluAFI: 400

But if I open the link it returns HTTPS 200 OK.

Let's Debug initially returned "All OK":

This is only an issue for the apex domain, for the www, the order was successfully created and the certificate was generated.

Currently, the certificate is generated manually through Azure for the apex domain.

Welcome to the community @ZKalon

Let's Debug recently had a change to help identify problems like this. Try re-running it and you'll see your server responds with an HTTP error 400 after you redirect the HTTP challenge to HTTPS.

But, the bigger problem I think is your DNS. Your registered domain points directly to a single IP but your www subdomain is proxied at Cloudflare and using their CDN. You actually CNAME your www subdomain to a much different domain. Using Cloudflare CDN for one name and not for the other is very unusual and is why the cert request process is so different for those names.

Can you explain more about how you want to use Cloudflare for these names?

dig +noall +answer A communithrive.com
communithrive.com.      300     IN      A       40.88.135.152
dig +noall +answer AAAA communithrive.com
(no AAAA record)

dig +noall +answer A www.communithrive.com
www.communithrive.com.  300     IN      CNAME   app.causemachine.com.
app.causemachine.com.   300     IN      A       172.67.70.185
app.causemachine.com.   300     IN      A       104.26.14.134
app.causemachine.com.   300     IN      A       104.26.15.134

dig +noall +answer AAAA www.communithrive.com
www.communithrive.com.  293     IN      CNAME   app.causemachine.com.
app.causemachine.com.   300     IN      AAAA    2606:4700:20::ac43:46b9
app.causemachine.com.   300     IN      AAAA    2606:4700:20::681a:e86
app.causemachine.com.   300     IN      AAAA    2606:4700:20::681a:f86


3 Likes

Thanks for the warm welcome and your assistance @MikeMcQ.

That is the setup of a site that we currently use, it is hosted on Azure with Cloudflare. When you register on that site you get assigned a built-in subdomain, but it gives you also the ability to register custom domains. You are instructed to add the required DNS records and once you add all required DNS records and those are validated, then your domain gets registered on Azure and on Cloudflare.

The A record points to Azure, and www is pointed to the Cloudflare fallback origin in order to utilize the Cloudflare custom hostnames feature.

The reason why the A record points to Azure is a Cloudflare plan limitation, and as a workaround the apex domain will always get redirected to www.

Cloudflare for SaaS with Apex Proxying:
This allows you to support apex domains even if your customers are using a DNS provider that does not allow a CNAME at the apex. This is available as an add-on for Enterprise plans. For more details, refer to Apex Proxying.

This is the reasoning behind the current setup.

For example, some other domains use the same setup, and the Let's Encrypt order was successfully created, and the certificate was successfully generated and uploaded.

Here is the other domain with the same DNS records that I used for test and on this one everything works:
cookiecode.online

On this domain, the order was without errors for both the apex and www domains, and on communithrive.com it worked for www and consistently failed for the apex domain.

1 Like

Ah, that sounds messy but I'll ignore that and focus just on the cert failure for your registered domain.

I'm not sure why your test domain would have worked or if it would work today. I see a similar pattern to the below for it.

Here's what is happening; maybe this helps you discover the cause.

You are using an HTTP Challenge for the registered domain and the Let's Encrypt server sends a challenge like below and gets redirected to HTTPS. Ideally you would respond to the challenge now rather than redirect but redirect is allowed.

(some headers removed for brevity)

curl -i http://communithrive.com/.well-known/acme-challenge/Test404
HTTP/1.1 302 Found
Server: Microsoft-IIS/10.0
Location: https://communithrive.com/.well-known/acme-challenge/Test404
X-Powered-By: ASP.NET

Following that redirect gets an HTTP error 400. With this test token I would expect 404. And, maybe with a valid token it wouldn't do that. But, the failure in your first post was also due to a 400 reply so I think this is still pertinent.

curl -i https://communithrive.com/.well-known/acme-challenge/Test404
HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET

Bad Request

Below is the detailed failure message from your cert request in your first post. You can see the 400 error there too.

"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "40.88.135.152: Invalid response from https://communithrive.com/.well-known/acme-challenge/ZVG-RQk-m38Wlr2kRIEjvg26N4tl6luj-Bna0yluAFI: 400",

2 Likes

Thanks, @MikeMcQ for all the help and your insight.

This at least steers me in the right direction. I will play with the configuration and see if resolving the issues that you pointed out results in success.

Thanks once again!

3 Likes

There's a little bit of information missing, namely which ACME client you are using; I suspect you are developing your own integration?

Keep in mind that most established Windows ACME clients used in conjunction with IIS run their own temporary HTTP challenge listener (via http.sys, listening for http://*/.well-known/acme-challenge/) instead of going via IIS. That's because by default IIS won't serve the extensionless text file you need at /.well-known/acme-challenge/<response>, and it needs a web.config setup that skips auth requirements and skips handlers for apps/content management systems, etc. (so that the real result can be served via the filesystem instead of some other handler trying to process it).

3 Likes
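The redirect-then-400 sequence MikeMcQ traced with curl, and the point webprofusion makes about the challenge directory having to hand back the exact extensionless token file, reduced to one self-contained script. This is added example code, not part of the thread and not Let's Encrypt's, Let's Debug's or any ACME client's own code. It stands up two local listeners on 127.0.0.1 in place of the site (plain HTTP on both sides, so it runs offline), assumes a redirect cap of 10 for the validator-style fetch, uses a constructed placeholder account key for the RFC 7638 thumbprint, and reuses the token from the first post only as a sample string.

```python
"""Local stand-in for the http-01 path debugged in this thread. Added example code,
not Let's Encrypt's, Let's Debug's or any ACME client's own. Origin() runs a listener
that 302-redirects everything (the HTTP side of the IIS site above) and one that serves
the challenge directory (standing in for HTTPS; plain HTTP so it runs offline) with a
'broken' switch answering 400. check_challenge() fetches like a validator, following up
to max_redirects hops (10 assumed). key_authorization() builds the RFC 8555 s.8.1 body."""
import base64
import hashlib
import http.client
import json
import threading
import urllib.parse
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

CHALLENGE_DIR = "/.well-known/acme-challenge/"


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members in lexicographic order with no
    whitespace, base64url without padding (EC and RSA member sets handled)."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return base64.urlsafe_b64encode(hashlib.sha256(canonical.encode()).digest()).rstrip(b"=").decode()


def key_authorization(token: str, jwk: dict) -> str:
    """Body the validator expects at the challenge URL: token '.' account-key thumbprint."""
    return f"{token}.{jwk_thumbprint(jwk)}"


class _Handler(BaseHTTPRequestHandler):
    def do_GET(self):  # per-listener settings live on self.server, set by Origin
        srv, token = self.server, self.path[len(CHALLENGE_DIR):]
        if srv.target_base:  # plain-HTTP listener: bounce everything, like the IIS site above
            self.send_response(302)
            self.send_header("Location", srv.target_base + self.path)
            self.end_headers()
        elif not self.path.startswith(CHALLENGE_DIR):
            self._reply(200, "site home")
        elif srv.broken:  # a handler that rejects the extensionless challenge file
            self._reply(400, "Bad Request")
        elif token in srv.responses:
            self._reply(200, srv.responses[token])
        else:
            self._reply(404, "Not Found")

    def _reply(self, code: int, body: str):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the local listeners silent
        pass


class Origin:
    """Two ephemeral-port listeners; http_base is the URL a validator would start from."""

    def __init__(self, responses: dict, broken: bool = False):
        self.https = ThreadingHTTPServer(("127.0.0.1", 0), _Handler)
        self.https.target_base, self.https.responses, self.https.broken = None, dict(responses), broken
        self.http = ThreadingHTTPServer(("127.0.0.1", 0), _Handler)
        self.http.target_base = f"http://127.0.0.1:{self.https.server_port}"
        for srv in (self.http, self.https):
            threading.Thread(target=srv.serve_forever, daemon=True).start()
        self.http_base = f"http://127.0.0.1:{self.http.server_port}"

    def close(self):
        for srv in (self.http, self.https):
            srv.shutdown()
            srv.server_close()


def check_challenge(base_url: str, token: str, expected: str, max_redirects: int = 10) -> dict:
    """Fetch the token URL like a validator: follow redirects up to the cap, record
    (url, status) per hop, compare the final body (trailing whitespace tolerated)."""
    url, hops = base_url + CHALLENGE_DIR + token, []
    for _ in range(max_redirects + 1):
        parts = urllib.parse.urlsplit(url)
        conn = http.client.HTTPConnection(parts.hostname, parts.port, timeout=5)  # plain HTTP only here
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        status, body, location = resp.status, resp.read().decode(errors="replace"), resp.getheader("Location")
        conn.close()
        hops.append((url, status))
        if 300 <= status < 400 and location:
            url = location
            continue
        return {"status": status, "hops": hops, "body_ok": status == 200 and body.strip() == expected}
    return {"status": None, "hops": hops, "body_ok": False}  # redirect loop or too many hops


if __name__ == "__main__":
    # Constructed account key: x/y are placeholders, not a real public key.
    jwk = {"kty": "EC", "crv": "P-256", "x": "placeholder-x", "y": "placeholder-y"}
    token = "ZVG-RQk-m38Wlr2kRIEjvg26N4tl6luj-Bna0yluAFI"  # token string from the first post
    origin = Origin({token: key_authorization(token, jwk)})
    for probe in (token, "Test404"):  # the real token and the probe used in the curl test above
        print(probe, check_challenge(origin.http_base, probe, key_authorization(token, jwk)))
    origin.close()
```

Run as a script it prints one line per probe: the real token ends at 200 with body_ok True after the 302 hop, the Test404 probe ends at 404, and constructing Origin(..., broken=True) reproduces the 400 final status that the authorization in the first post shows. check_challenge() speaks plain HTTP only, so it is a local harness for reasoning about the hops and the expected body, not a substitute for re-running Let's Debug against the live site.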