Validation failed with final slash on keys

Hi,

I use Nginx as a reverse proxy to Apache, but serve static files directly from the Nginx side for better performance (root /var/www/example/docroot/;).
I noticed some issues with my webserver configuration when validation keys contain a final slash.

Domain: example.com
Type:   unauthorized
Detail: During secondary validation: Invalid response from
https://example.com/.well-known/acme-challenge/sH_jbMPHAsMuPqv3spOxJMCi6GU079R6eC5X-vBesZU/

If I retry the same certbot command and the validation key has no final slash, it works.
So when the key contains a final slash, validation fails; I guess it's looking for a non-existent physical directory.

Sometimes I have a lot of aliases to handle in the same certificate, and I have to retry the same command many times to validate all the DNS names.
And I have already exceeded the rate limits on the number of tries.

So it would be nice to have an option (a command argument?) to avoid the final slash in the validation key.

What do you think about that?

Best regards,


The validation key (known as the token in ACME) is guaranteed not to contain a forward slash (/). This is because it is restricted to the base64url alphabet, where forward slashes are replaced with underscores:

base64url = ALPHA / DIGIT / "-" / "_"

If I had to guess, I would say that in your case, your nginx server is creating a redirect from (HTTP, no forward slash):

http://example.com/.well-known/acme-challenge/sH_jbMPHAsMuPqv3spOxJMCi6GU079R6eC5X-vBesZU

to (HTTPS + the added forward slash)

https://example.com/.well-known/acme-challenge/sH_jbMPHAsMuPqv3spOxJMCi6GU079R6eC5X-vBesZU/

I would be looking through your access logs to confirm that a redirect is taking place, as well as looking for something in the nginx configuration that would cause the redirect to take precedence over a statically served file.

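The reply above suggests two checks: that the token cannot contain a slash because it is restricted to the base64url alphabet, and that the access logs should show whether the challenge request is being redirected. The following script is an added example, not code from the forum posters or from Let's Encrypt; it runs over a few constructed nginx "combined" format access-log lines (the token is the one quoted in the thread, the client addresses, timestamps and User-Agent are made up) and flags, per token, a redirect on the challenge request, a request path that carries a trailing slash the token cannot contain, and the absence of a plain 200 for the exact challenge path. Real deployments that use a custom log_format would need LOG_RE adjusted.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# nginx "combined" log format (the default access_log format). Assumption for
# this example: the server has not defined a custom log_format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# ACME HTTP-01 tokens are base64url without padding (RFC 8555), so a token can
# only contain these characters; in particular never '/' or '='.
TOKEN_RE = re.compile(r'^[A-Za-z0-9_-]+$')

# Constructed sample: first hit is redirected (301), the follow-up request has
# a trailing slash and 404s; a second token is served correctly with a 200.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2021:12:00:01 +0000] "GET /.well-known/acme-challenge/sH_jbMPHAsMuPqv3spOxJMCi6GU079R6eC5X-vBesZU HTTP/1.1" 301 169 "-" "constructed-acme-validator/1.0"
203.0.113.10 - - [10/Mar/2021:12:00:01 +0000] "GET /.well-known/acme-challenge/sH_jbMPHAsMuPqv3spOxJMCi6GU079R6eC5X-vBesZU/ HTTP/1.1" 404 153 "-" "constructed-acme-validator/1.0"
203.0.113.11 - - [10/Mar/2021:12:05:42 +0000] "GET /.well-known/acme-challenge/abcDEF123-_xyz HTTP/1.1" 200 87 "-" "constructed-acme-validator/1.0"
"""


@dataclass
class Hit:
    path: str
    status: int
    ua: str


def parse_line(line: str) -> Optional[Hit]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return Hit(m['path'], int(m['status']), m['ua'])


def split_challenge_path(path: str) -> Optional[Tuple[str, bool]]:
    """Return (token, had_trailing_slash) for a challenge path, else None."""
    if not path.startswith(CHALLENGE_PREFIX):
        return None
    rest = path[len(CHALLENGE_PREFIX):].split('?', 1)[0]  # drop any query string
    return rest.rstrip('/'), rest.endswith('/')


def analyze(lines: List[str]) -> Dict[str, List[str]]:
    """Group challenge requests by token and list what looks wrong for each."""
    per_token: Dict[str, List[Tuple[int, bool]]] = {}
    for line in lines:
        hit = parse_line(line)
        if hit is None:
            continue
        parsed = split_challenge_path(hit.path)
        if parsed is None:
            continue
        token, trailing = parsed
        per_token.setdefault(token, []).append((hit.status, trailing))

    report: Dict[str, List[str]] = {}
    for token, hits in per_token.items():
        findings = []
        if not TOKEN_RE.match(token):
            findings.append("token contains characters outside base64url")
        if any(300 <= status < 400 for status, _ in hits):
            findings.append("redirect issued for challenge request")
        if any(trailing for _, trailing in hits):
            findings.append("request path carried a trailing slash the token cannot contain")
        if not any(status == 200 and not trailing for status, trailing in hits):
            findings.append("no 200 served for the exact challenge path")
        report[token] = findings
    return report


def analyze_sample() -> Dict[str, List[str]]:
    """Run the analysis over the constructed sample log."""
    return analyze(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for token, findings in analyze_sample().items():
        print(token, "->", findings or ["ok"])
```

In practice, feed it the real access log (for example the lines from the port 80 server block) and look at the tokens that show a redirect but no exact-path 200; those are the requests to compare against the redirect rules in the nginx configuration.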

There is most definitely a redirect in place, as the Let's Encrypt validation server would never initiate a "probe" through HTTPS and the error message shows the https:// protocol. That can only happen if there's a redirect.


Oh! I see.

It makes sense, I indeed have a redirection from http to https.
I don't yet understand why I only have this problem sometimes and not every time.
I will investigate and let you know.

This is a very good track to follow!

Many thanks for your quick and relevant answer, guys!

