Unable to validate challenge

Help
1

My domain is:

home.skywayskase.com

I ran this command:

bash ./dehydrated --domain home.skywayskase.com --cron

It produced this output:

Processing home.skywayskase.com
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Aug 31 07:26:56 2018 GMT (Less than 30 days). Renewing!
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 1 authorizations URLs from the CA
 + Handling authorization for home.skywayskase.com
 + 1 pending challenge(s)
 + Deploying challenge tokens...
 + Responding to challenge for home.skywayskase.com authorization...
 + Cleaning challenge tokens...
 + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:connection",
    "detail": "Fetching https://home.skywayskase.com/.well-known/acme-challenge/kZX_tYz3pn1CiQNEllKJLfFcaR7AxDchOR24NcBw848: Error getting validation data",
    "status": 400
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/3eHuPgwLAfH2f8DZDyyOp58mxcTjW5dvTvF02E3I9us/7038525351",
  "token": "kZX_tYz3pn1CiQNEllKJLfFcaR7AxDchOR24NcBw848",
  "validationRecord": [
    {
      "url": "http://home.skywayskase.com/.well-known/acme-challenge/kZX_tYz3pn1CiQNEllKJLfFcaR7AxDchOR24NcBw848",
      "hostname": "home.skywayskase.com",
      "port": "80",
      "addressesResolved": [
        "73.254.229.249"
      ],
      "addressUsed": "73.254.229.249"
    },
    {
      "url": "https://home.skywayskase.com/.well-known/acme-challenge/kZX_tYz3pn1CiQNEllKJLfFcaR7AxDchOR24NcBw848",
      "hostname": "home.skywayskase.com",
      "port": "443",
      "addressesResolved": [
        "73.254.229.249"
      ],
      "addressUsed": "73.254.229.249"
    }
  ]
})

My web server is (include version):

nginx/1.12.2

The operating system my web server runs on is (include version):

Asuswrt-merlin 384.5

I can login to a root shell on my machine (yes or no, or I don't know):

Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

No

Additional Info:

I've been using let's encrypt for a few years now. I'm pretty sure I'm following the same steps that have worked for me in the past. I can't think of anything that's changed in my environment in the last 3 months.

2

Where does dehydrated put the challenge token? I.e., what does it use for the webroot path? Is it possible to run dehydrated in ‘verbose’ mode?

3

I believe it uses /opt/share/nginx/html/.well-known/acme-challenge
I initially set it up using the directions outlined here: Using Let's Encrypt · Entware/Entware-ng Wiki · GitHub

How would I do that? I tried adding a --verbose to the command but that didn't seem to do it.

4

Hi @skywayskase

please create a file 123456789 and save it there. Then check, if you can load this file via

http://home.skywayskase.com/.well-known/acme-challenge/123456789
5

I’ve actually already done that with a file “test.txt” and loaded it via

https://home.skywayskase.com/.well-known/acme-challenge/test.txt

Which load just fine (feel free to test yourself).

6

Your file works. So your directory should be correct.

Do you have that:

location ^~ /.well-known {
	allow all;
}

But I can fetch your file, so this shouldn't be a problem. Remove the extension .txt, the file to validate has no extension.

One thing I don't understand.

Checking via

there is the "normal" error (http - status 404 from your server)

acme: error code 403 "urn:ietf:params:acme:error:unauthorized": Invalid response from Welcome to our server

because this test can't create a file on your webserver.

But you have the error

"type": "urn:ietf:params:acme:error:connection",
    "detail": "Fetching https://home.skywayskase.com/.well-known/acme-challenge/kZX_tYz3pn1CiQNEllKJLfFcaR7AxDchOR24NcBw848: Error getting validation data",
    "status": 400

"error:connection": May be a temporary error. Did you test it again?

7

Oh, there is a problem. Using my own tool download.exe:

D:>download Welcome to our server -h
Only SslPolicyErrors.RemoteCertificateChainErrors found
SSL error: RemoteCertificateChainErrors
Error (1): Der Server hat eine Protokollverletzung ausgeführt.. Section=ResponseHeader Detail=Auf CR muss LF folgen
ServerProtocolViolation

The certificate error isn't the problem, Letsencrypt ignores that. But http headers must have two line-ends: Character 13 and Character 10 (CR + LF).

Perhaps this is the reason the Letsencrypt validator can't load your file.

8

Yep, there is the definition:

The request/status line and headers must all end with <CR><LF>

And the empty line between the header lines and the content must also have only <CR><LF>

9

So, I think I understand a little more about issue, but I’m still not sure what (file?) I need to change to get this working again… Or, why it has worked in the past and it’s just now not working correctly this renewal.

10

It’s not a problem of the files, it’s a problem, that your webserver sends a wrong header.

I use the download.exe to test, which headers are sent. Normally, that works. But this (simple) .NET-tool doesn’t understand your header.

Same with your start page https://home.skywayskase.com/

http://www.webconfs.com/http-header-check.php shows nothing, has problem to read your page.

says: URL may be Incorrect or the Server denied access to this test!

11

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.