Unexplained Error 400 in Retrieving Validation Data

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: dr-xml.totalflood.com

I ran this command:

/usr/local/bin/le.pl --key le.account.key --csr dr-xml.totalflood.com.csr --csr-key dr-xml.totalflood.com.key --crt dr-xml.totalflood.com.crt --domains "dr-xml.totalflood.com" --path /var/www/lighttpd/.well-known/acme-challenge --renew 30 --issue-code 100 --debug

It produced this output:

2023/10/06 07:40:59 [ Crypt::LE client v0.39 started. ]
2023/10/06 07:40:59 Loading an account key from le.account.key
2023/10/06 07:40:59 Account key loaded.
2023/10/06 07:40:59 Loading a CSR from dr-xml.totalflood.com.csr
2023/10/06 07:40:59 Loaded domain names from CSR: dr-xml.totalflood.com
2023/10/06 07:40:59 CSR loaded.
2023/10/06 07:40:59 CSR key loaded
2023/10/06 07:40:59 Checking certificate for expiration (local file).
2023/10/06 07:40:59 Expiration threshold set at 30 days, the certificate expires in 28 days - will be renewing.
2023/10/06 07:40:59 Connecting to https://acme-staging-v02.api.letsencrypt.org/directory
2023/10/06 07:41:00 Connecting to https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce
2023/10/06 07:41:00 Directory loaded successfully.
2023/10/06 07:41:00 Registering the account key
2023/10/06 07:41:00 Connecting to https://acme-staging-v02.api.letsencrypt.org/acme/new-acct
2023/10/06 07:41:00 Key is already registered, reg path: https://acme-staging-v02.api.letsencrypt.org/acme/acct/44380708.
2023/10/06 07:41:00 Connecting to https://acme-staging-v02.api.letsencrypt.org/acme/acct/44380708
2023/10/06 07:41:00 Account ID: 44380708
2023/10/06 07:41:00 Registration success: TOS change status - 0, new registration flag - 0.
2023/10/06 07:41:00 The key is already registered. ID: 44380708
2023/10/06 07:41:00 TOS has NOT been changed, no need to accept again.
2023/10/06 07:41:00 Connecting to https://acme-staging-v02.api.letsencrypt.org/acme/new-order
2023/10/06 07:41:00 Connecting to https://acme-staging-v02.api.letsencrypt.org/acme/finalize/44380708/11409563844
2023/10/06 07:41:00 Could not finalize an order.
2023/10/06 07:41:00 Requesting challenge.
2023/10/06 07:41:00 Connecting to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/8710099194
2023/10/06 07:41:00 Received challenges for dr-xml.totalflood.com.
2023/10/06 07:41:00 Requested challenges for 1 domain(s).
2023/10/06 07:41:00 Successfully saved a challenge file '/var/www/lighttpd/.well-known/acme-challenge/WLLJqB3LBsWzxKcbUpQWwF4tEpxYIrnhlCg_yTyuSXQ' for domain 'dr-xml.totalflood.com'
2023/10/06 07:41:00 Accepted challenges for 1 domain(s).
2023/10/06 07:41:00 Connecting to https://acme-staging-v02.api.letsencrypt.org/directory
2023/10/06 07:41:00 Connecting to https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce
2023/10/06 07:41:00 Directory loaded successfully.
2023/10/06 07:41:00 Connecting to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/8710099194/Cnfv2g
2023/10/06 07:41:00 Connecting to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/8710099194/Cnfv2g
2023/10/06 07:41:03 Connecting to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/8710099194/Cnfv2g
2023/10/06 07:41:03 Domain verification results for 'dr-xml.totalflood.com': error. 198.204.113.121: Fetching https://dr-xml.totalflood.com/.well-known/acme-challenge/WLLJqB3LBsWzxKcbUpQWwF4tEpxYIrnhlCg_yTyuSXQ: Error getting validation data
2023/10/06 07:41:03 You can now delete the '/var/www/lighttpd/.well-known/acme-challenge/WLLJqB3LBsWzxKcbUpQWwF4tEpxYIrnhlCg_yTyuSXQ' file.
2023/10/06 07:41:03 Domain dr-xml.totalflood.com has failed verification (status code 200).
2023/10/06 07:41:03 All verifications failed
2023/10/06 07:41:03 All verifications failed

My web server is (include version): haproxy 2.4.2-553dee3 + lighttpd 1.4.67

The operating system my web server runs on is (include version): Oracle Linux Server release 8.8

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Not using certbot


I checked the URL where, if I understand correctly, I should be able to find the error:

$ curl https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/8710099194/Cnfv2g

Which returned:

{
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:connection",
    "detail": "198.204.113.121: Fetching https://dr-xml.totalflood.com/.well-known/acme-challenge/WLLJqB3LBsWzxKcbUpQWwF4tEpxYIrnhlCg_yTyuSXQ: Error getting validation data",
    "status": 400 <----!!!
  },
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/8710099194/Cnfv2g",
  "token": "WLLJqB3LBsWzxKcbUpQWwF4tEpxYIrnhlCg_yTyuSXQ",
  "validationRecord": [
    {
      "url": "http://dr-xml.totalflood.com/.well-known/acme-challenge/WLLJqB3LBsWzxKcbUpQWwF4tEpxYIrnhlCg_yTyuSXQ",
      "hostname": "dr-xml.totalflood.com",
      "port": "80",
      "addressesResolved": [
        "198.204.113.121"
      ],
      "addressUsed": "198.204.113.121"
    },
    {
      "url": "https://dr-xml.totalflood.com/.well-known/acme-challenge/WLLJqB3LBsWzxKcbUpQWwF4tEpxYIrnhlCg_yTyuSXQ",
      "hostname": "dr-xml.totalflood.com",
      "port": "443",
      "addressesResolved": [
        "198.204.113.121"
      ],
      "addressUsed": "198.204.113.121"
    }
  ],
  "validated": "2023-10-06T14:41:00Z"
}

The status 400 is puzzling to me since haproxy and lighttpd report no errors at all:

Oct 6 07:41:01 localhost haproxy[698694]: 66.133.109.36:38125 [06/Oct/2023:07:41:01.696] fe-dr-totalflood.com~ be-letsencrypt/localhost 0/0/30 303 -- 1/1/0/0/0 0/0

127.0.0.1 dr-xml.totalflood.com - [06/Oct/2023:07:41:01 -0700] "GET /.well-known/acme-challenge/WLLJqB3LBsWzxKcbUpQWwF4tEpxYIrnhlCg_yTyuSXQ HTTP/1.1" 200 87 "http://dr-xml.totalflood.com/.well-known/acme-challenge/WLLJqB3LBsWzxKcbUpQWwF4tEpxYIrnhlCg_yTyuSXQ" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

I checked from servers in different parts of the US and was able to retrieve the validation data fine. For example, from a server in Atlanta:

$ curl https://dr-xml.totalflood.com/.well-known/acme-challenge/WLLJqB3LBsWzxKcbUpQWwF4tEpxYIrnhlCg_yTyuSXQ;echo

WLLJqB3LBsWzxKcbUpQWwF4tEpxYIrnhlCg_yTyuSXQ.ELoStPhDAW1vih3w7kb2dDO6bdNDOvfp0kkfJ4M2BWo

I am at a loss to understand why this site is failing now. So far LetsEncrypt and Crypt::LE have worked for months at this site, about two years on other corporate nodes and close to four years on my personal sites.

I must agree: It is hard to understand exactly why this fails.
The HTTP request gets redirected to HTTPS.
And the HTTPS request is shown to return the expected code.

:confused:


My curls work fine too, but Let's Debug points out a possible issue


Sigh...

Looks like a malformed set-cookie in the header. Caused by an old syntax in haproxy.cfg -- mea culpa. I removed the line and LetsEncrypt works correctly now.

Thanks for the help and that URL.

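The thread's puzzle (an HTTP 200 with the right body in the origin logs, yet "Error getting validation data" from the validator) and its resolution (a malformed Set-Cookie header emitted by haproxy) both come down to what a strict HTTP client sees beyond the status line. Note that the `"status": 400` in the challenge's error object is the status of the ACME problem document itself, not the status the origin server returned. Below is an added check, not part of this thread or of Crypt::LE, that examines a fetched challenge response the way a strict validator would: expected status, the body compared against the key authorization (`token.thumbprint`), and every `Set-Cookie` value tested against the RFC 6265 grammar (cookie-name must be a token, cookie-value must consist of cookie-octets, no stray `;`, no control characters). The token and key-authorization body are the ones shown in the thread; the two HTTP responses and the `SERVERID` cookie are constructed samples, and the assumption that the remote validator's parser is stricter than a local curl is exactly the situation the thread describes.

```python
import re
from typing import Dict, List

# Character classes from RFC 6265 section 4.1.1: cookie-name is an RFC 2616 token,
# cookie-value is a run of cookie-octets (no space, comma, ';', '\\' or '"'),
# and no part of the header may contain a CTL character.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_COOKIE_OCTET_RE = re.compile(r"^[\x21\x23-\x2b\x2d-\x3a\x3c-\x5b\x5d-\x7e]*$")
_CTL_RE = re.compile(r"[\x00-\x1f\x7f]")
_FLAG_ATTRS = ("secure", "httponly")


def set_cookie_problems(header_value: str) -> List[str]:
    """Return the RFC 6265 syntax problems in one Set-Cookie value (empty list = well-formed)."""
    problems: List[str] = []
    if _CTL_RE.search(header_value):
        problems.append("control character in Set-Cookie header")
    pair, *attrs = header_value.split(";")
    if "=" not in pair:
        problems.append(f"cookie-pair {pair!r} has no '='")
        return problems
    name, _, value = pair.partition("=")
    if not _TOKEN_RE.match(name):
        problems.append(f"cookie-name {name!r} is not a token")
    # A quoted value is allowed; the quotes themselves are not cookie-octets.
    if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
        value = value[1:-1]
    if not _COOKIE_OCTET_RE.match(value):
        problems.append(f"cookie-value {value!r} contains a character outside RFC 6265 cookie-octet")
    for raw in attrs:
        av = raw.strip()
        if not av:
            problems.append("empty attribute (stray ';')")
            continue
        key = av.split("=", 1)[0].strip().lower()
        if key in _FLAG_ATTRS and "=" in av:
            problems.append(f"flag attribute {key!r} must not carry a value")
    return problems


def check_http01_response(status: int, headers: Dict[str, List[str]], body: bytes,
                          token: str, thumbprint: str) -> List[str]:
    """Check a fetched http-01 challenge response: status, key authorization body, header syntax.

    headers maps lower-cased header names to the list of values received.
    """
    findings: List[str] = []
    if status != 200:
        findings.append(f"HTTP status {status}, expected 200")
    expected = f"{token}.{thumbprint}".encode()
    if body.strip() != expected:
        findings.append("body is not the expected key authorization (token.thumbprint)")
    for value in headers.get("set-cookie", []):
        for problem in set_cookie_problems(value):
            findings.append(f"Set-Cookie {value!r}: {problem}")
    return findings


# Token and key authorization as shown in the thread's curl output.
TOKEN = "WLLJqB3LBsWzxKcbUpQWwF4tEpxYIrnhlCg_yTyuSXQ"
THUMBPRINT = "ELoStPhDAW1vih3w7kb2dDO6bdNDOvfp0kkfJ4M2BWo"
BODY = f"{TOKEN}.{THUMBPRINT}\n".encode()

# Constructed responses (not captured from the thread): a clean one, and one whose
# cookie-value contains a space, which RFC 6265 forbids and a strict parser rejects.
GOOD_HEADERS = {"set-cookie": ["SERVERID=node1; path=/; HttpOnly"]}
BAD_HEADERS = {"set-cookie": ["SERVERID=node 1; path=/; HttpOnly"]}

if __name__ == "__main__":
    for label, hdrs in (("clean", GOOD_HEADERS), ("malformed", BAD_HEADERS)):
        findings = check_http01_response(200, hdrs, BODY, TOKEN, THUMBPRINT)
        print(label, "->", findings or "no problems found")
```

Run this against the headers your proxy actually sends (for example the output of `curl -sI` on the challenge URL, following the HTTP to HTTPS redirect) rather than against the constructed samples; a 200 with a perfect body still fails validation if any header on the way is something a strict client refuses to parse.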
