Urn:acme:error:unauthorized Invalid response from http://visitboi.co.nz/.well-known/acme-challenge/ [solved]


#1

Please fill out the fields below so we can help you better.

My domain is: visitboi.co.nz

I ran this command:

root@apache2:/opt/dehydrated# ./dehydrated -c -d visitboi.co.nz -t http-01 -f ./dehydrated.conf

(https://github.com/lukas2511/dehydrated)

It produced this output:

root@apache2:/opt/dehydrated# ./dehydrated -c -d visitboi.co.nz -t http-01 -f ./dehydrated.conf 
# INFO: Using main config file ./dehydrated.conf
Processing visitboi.co.nz
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Mar 15 22:48:00 2017 GMT (Less than 30 days). Renewing!
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting challenge for visitboi.co.nz...
 + Responding to challenge for visitboi.co.nz...
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:acme:error:unauthorized",
    "detail": "Invalid response from http://visitboi.co.nz/.well-known/acme-challenge/h6H0F3yJc4S5AjcMO4f_nvAMAT2A-3eN-MHF_j9OJOc: \"\u003chtml\u003e\r\n\u003chead\u003e\u003ctitle\u003e404 Not Found\u003c/title\u003e\u003c/head\u003e\r\n\u003cbody bgcolor=\"white\"\u003e\r\n\u003ccenter\u003e\u003ch1\u003e404 Not Found\u003c/h1\u003e\u003c/center\u003e\r\n\u003chr\u003e\u003ccenter\u003e\"",
    "status": 403
  },
  "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/OJNwO5DjzFVYrJvoZz5SBWbH6LPqWneatif-b29Svas/784571932",
  "token": "h6H0F3yJc4S5AjcMO4f_nvAMAT2A-3eN-MHF_j9OJOc",
  "keyAuthorization": "h6H0F3yJc4S5AjcMO4f_nvAMAT2A-3eN-MHF_j9OJOc.rkmNKQ3kRyJAbSgHMSQ9fHpmrPx-1QrVNYcMJPr89vw",
  "validationRecord": [
    {
      "url": "http://visitboi.co.nz/.well-known/acme-challenge/h6H0F3yJc4S5AjcMO4f_nvAMAT2A-3eN-MHF_j9OJOc",
      "hostname": "visitboi.co.nz",
      "port": "80",
      "addressesResolved": [
        "52.65.73.113"
      ],
      "addressUsed": "52.65.73.113"
    }
  ]
})

My operating system is (include version): Ubuntu 16.04

My web server is (include version): nginx version: nginx/1.10.0 (Ubuntu)

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): yes, am doing this as root

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

Not using control panel

My nginx config file:

server {
        listen         80;
        server_name    visitboi.co.nz;
#        return         301 https://www.visitboi.co.nz$request_uri;

        location ^~ /.well-known/acme-challenge/ {
                default_type "text/plain";
                root         /opt/dehydrated;
        }


}
server {
        listen 443 ssl http2;
        server_name    visitboi.co.nz;
#        return         301 https://www.visitboi.co.nz$request_uri;

        location ^~ /.well-known/acme-challenge/ {
                default_type "text/plain";
                root         /opt/dehydrated;
        }
        ssl_certificate_key /etc/nginx/ssl/visitboi.co.nz.pem;
        ssl_certificate /etc/nginx/ssl/visitboi.co.nz.fullchain.crt;
}

I have placed a test.txt file into /opt/dehydrated/.well-known/acme-challenge/test.txt and tested here

https://www.webpagetest.org/result/170312_RJ_E81/1/details/#waterfall_view_step1

(I can’t keep this running though due to redirect to www.visitboi.co.nz required)

Thanks for any help.


#2

your issue seems to be that file is not found

before using the verification make sure that the file is openable (at the location) and that the context is type application/text

https://letsencrypt.github.io/acme-spec/#rfc.section.7.1

review the challenges in the ACME documentation

Andrei


#3

What does dehydrated.conf say? What does Nginx’s error.log say?

I’m not sure, but try using “alias /opt/dehydrated/;” instead of “root /opt/dehydrated;”;

The redirect isn’t a problem. For one thing, Let’s Encrypt will follow any redirects, so it will work as long as the ultimate destination serves the correct file. For another, you don’t have to redirect everything. For example:

location / {
    return 301 https://www.visitboi.co.nz$request_uri;
}
location /.well-known/acme-challenge/ {
    alias /opt/dehydrated/;
}

#4

Thanks for your help, it was a combination of

  • trying different locations for the challenge file, assuming that /var/www/dehydrated is the default.

(It needed to be /var/www/dehydrated/.well-known/acme-challenge for the specific configuration

  • being confused by having to comment out redirect (thanks mnordhoff, using location for redirect helped a lot)

  • alias seems tidier

Thanks for all responses.


#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.