Verify error:Invalid response

#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
gscatter.wali.pro

I ran this command:
acme.sh --issue -d gscatter.wali.pro --webroot /www/gscatter.wali.pro/

It produced this output:

[Fri Mar  1 12:27:38 CST 2019] Single domain='gscatter.wali.pro'
[Fri Mar  1 12:27:38 CST 2019] Getting domain auth token for each domain
[Fri Mar  1 12:27:38 CST 2019] Getting webroot for domain='gscatter.wali.pro'
[Fri Mar  1 12:27:38 CST 2019] Getting new-authz for domain='gscatter.wali.pro'
[Fri Mar  1 12:27:39 CST 2019] The new-authz request is ok.
[Fri Mar  1 12:27:40 CST 2019] Verifying: gscatter.wali.pro
[Fri Mar  1 12:27:43 CST 2019] gscatter.wali.pro:Verify error:Invalid response from http://gscatter.wali.pro/.well-known/acme-challenge/OFK9diJu-tQ7iYwvhi1CsYgppQ1vDFGDehCBeyHK1Nc [47.75.77.57]: 
[Fri Mar  1 12:27:43 CST 2019] Please add '--debug' or '--log' to check more details.
[Fri Mar  1 12:27:43 CST 2019] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh

My web server is (include version):
Nginx1.14.1 \ Python Django

The operating system my web server runs on is (include version):
Centos 64

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

nginx config

server {
        listen       80;
        server_name  gscatter.wali.pro;

        location /.well-known/acme-challenge/ {
                alias /www/gscatter.wali.pro/;
        }
}

#2

Change this to root and reload nginx.
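
The difference between the alias directive in the first post and the root directive suggested in this reply, as an added example that is not part of the original thread: it models which file nginx looks up for a challenge URL under each directive and compares that with where acme.sh --webroot writes the token. The function names, temporary directory and token are constructed for illustration, and only the path lookup is modelled, not file permissions.

```shell
#!/bin/sh
# Added example (not from the thread): path lookup only, permissions are not modelled.
PREFIX='/.well-known/acme-challenge/'

# nginx_path MODE DIR URI: file nginx opens for URI inside `location $PREFIX { MODE DIR; }`
nginx_path() {
    mode=$1 dir=$2 uri=$3
    case $mode in
        # root: DIR + the full URI (trailing slash on DIR normalised here)
        root)  printf '%s%s\n' "${dir%/}" "$uri" ;;
        # alias: DIR replaces the matched location prefix
        alias) printf '%s%s\n' "$dir" "${uri#"$PREFIX"}" ;;
        *)     return 2 ;;
    esac
}

# acme_path WEBROOT TOKEN: file acme.sh --webroot writes (wellknown_path in the debug log)
acme_path() {
    printf '%s/.well-known/acme-challenge/%s\n' "${1%/}" "$2"
}

# served MODE DIR WEBROOT TOKEN: write the token file as acme.sh would, then report
# 200 if nginx's lookup path hits that file and 404 if it does not.
served() {
    target=$(acme_path "$3" "$4")
    mkdir -p "${target%/*}" || return 1
    printf 'constructed-key-authorization' > "$target"
    if [ -f "$(nginx_path "$1" "$2" "$PREFIX$4")" ]; then echo 200; else echo 404; fi
}

demo() {
    tmp=$(mktemp -d) || return 1
    webroot="$tmp/www/gscatter.wali.pro/"   # temp stand-in for the thread's webroot
    token='CONSTRUCTED_TOKEN'               # constructed sample, not a real challenge
    echo "alias $webroot -> $(served alias "$webroot" "$webroot" "$token")"
    echo "root  $webroot -> $(served root  "$webroot" "$webroot" "$token")"
    rm -rf "$tmp"
}
demo
```

With alias pointing at the webroot, nginx looks for the token directly in the webroot, while acme.sh has written it two directories deeper under .well-known/acme-challenge/; with root the two paths coincide.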

#3

Thank you for your reply.

input command:

acme.sh  --issue  -d gscatter.wali.pro  --webroot /root/www/gscatter.wali.pro/ --debug --log

output log:

[Fri Mar  1 12:40:23 CST 2019] Single domain='gscatter.wali.pro'
[Fri Mar  1 12:40:23 CST 2019] Getting domain auth token for each domain
[Fri Mar  1 12:40:23 CST 2019] Getting webroot for domain='gscatter.wali.pro'
[Fri Mar  1 12:40:23 CST 2019] Getting new-authz for domain='gscatter.wali.pro'
[Fri Mar  1 12:40:24 CST 2019] The new-authz request is ok.
[Fri Mar  1 12:40:24 CST 2019] Verifying: gscatter.wali.pro
[Fri Mar  1 12:40:27 CST 2019] gscatter.wali.pro:Verify error:Invalid response from http://gscatter.wali.pro/.well-known/acme-challenge/eQ2Km3tfxR7pAo4ehjm3zHZgZFKjRKLd7zUmU0A4rHQ [47.75.77.57]: 
[Fri Mar  1 12:40:27 CST 2019] Please add '--debug' or '--log' to check more details.
[Fri Mar  1 12:40:27 CST 2019] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
[root@bepal-kuangji .acme.sh]# acme.sh  --issue  -d gscatter.wali.pro  --webroot /root/www/gscatter.wali.pro/ --debug --log
[Fri Mar  1 12:46:20 CST 2019] Lets find script dir.
[Fri Mar  1 12:46:20 CST 2019] _SCRIPT_='/root/.acme.sh/acme.sh'
[Fri Mar  1 12:46:20 CST 2019] _script='/root/.acme.sh/acme.sh'
[Fri Mar  1 12:46:20 CST 2019] _script_home='/root/.acme.sh'
[Fri Mar  1 12:46:20 CST 2019] Using default home:/root/.acme.sh
[Fri Mar  1 12:46:20 CST 2019] Using config home:/root/.acme.sh
https://github.com/Neilpang/acme.sh
v2.8.1
[Fri Mar  1 12:46:20 CST 2019] _main_domain='gscatter.wali.pro'
[Fri Mar  1 12:46:20 CST 2019] _alt_domains='no'
[Fri Mar  1 12:46:20 CST 2019] Using config home:/root/.acme.sh
[Fri Mar  1 12:46:20 CST 2019] ACME_DIRECTORY='https://acme-v01.api.letsencrypt.org/directory'
[Fri Mar  1 12:46:20 CST 2019] DOMAIN_PATH='/root/.acme.sh/gscatter.wali.pro'
[Fri Mar  1 12:46:20 CST 2019] Using ACME_DIRECTORY: https://acme-v01.api.letsencrypt.org/directory
[Fri Mar  1 12:46:20 CST 2019] _init api for server: https://acme-v01.api.letsencrypt.org/directory
[Fri Mar  1 12:46:20 CST 2019] GET
[Fri Mar  1 12:46:20 CST 2019] url='https://acme-v01.api.letsencrypt.org/directory'
[Fri Mar  1 12:46:20 CST 2019] timeout=
[Fri Mar  1 12:46:21 CST 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  -g '
[Fri Mar  1 12:46:21 CST 2019] ret='0'
[Fri Mar  1 12:46:21 CST 2019] ACME_KEY_CHANGE='https://acme-v01.api.letsencrypt.org/acme/key-change'
[Fri Mar  1 12:46:21 CST 2019] ACME_NEW_AUTHZ='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Fri Mar  1 12:46:21 CST 2019] ACME_NEW_ORDER='https://acme-v01.api.letsencrypt.org/acme/new-cert'
[Fri Mar  1 12:46:21 CST 2019] ACME_NEW_ACCOUNT='https://acme-v01.api.letsencrypt.org/acme/new-reg'
[Fri Mar  1 12:46:21 CST 2019] ACME_REVOKE_CERT='https://acme-v01.api.letsencrypt.org/acme/revoke-cert'
[Fri Mar  1 12:46:21 CST 2019] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
[Fri Mar  1 12:46:21 CST 2019] ACME_NEW_NONCE
[Fri Mar  1 12:46:21 CST 2019] ACME_VERSION
[Fri Mar  1 12:46:21 CST 2019] Le_NextRenewTime
[Fri Mar  1 12:46:21 CST 2019] _on_before_issue
[Fri Mar  1 12:46:21 CST 2019] _chk_main_domain='gscatter.wali.pro'
[Fri Mar  1 12:46:21 CST 2019] _chk_alt_domains
[Fri Mar  1 12:46:21 CST 2019] Le_LocalAddress
[Fri Mar  1 12:46:21 CST 2019] d='gscatter.wali.pro'
[Fri Mar  1 12:46:21 CST 2019] Check for domain='gscatter.wali.pro'
[Fri Mar  1 12:46:21 CST 2019] _currentRoot='/root/www/gscatter.wali.pro/'
[Fri Mar  1 12:46:21 CST 2019] d
[Fri Mar  1 12:46:21 CST 2019] _saved_account_key_hash is not changed, skip register account.
[Fri Mar  1 12:46:21 CST 2019] Read key length:
[Fri Mar  1 12:46:21 CST 2019] _createcsr
[Fri Mar  1 12:46:21 CST 2019] Single domain='gscatter.wali.pro'
[Fri Mar  1 12:46:21 CST 2019] Getting domain auth token for each domain
[Fri Mar  1 12:46:21 CST 2019] d='gscatter.wali.pro'
[Fri Mar  1 12:46:21 CST 2019] Getting webroot for domain='gscatter.wali.pro'
[Fri Mar  1 12:46:21 CST 2019] _w='/root/www/gscatter.wali.pro/'
[Fri Mar  1 12:46:21 CST 2019] _currentRoot='/root/www/gscatter.wali.pro/'
[Fri Mar  1 12:46:21 CST 2019] Getting new-authz for domain='gscatter.wali.pro'
[Fri Mar  1 12:46:21 CST 2019] _init api for server: https://acme-v01.api.letsencrypt.org/directory
[Fri Mar  1 12:46:21 CST 2019] Try new-authz for the 0 time.
[Fri Mar  1 12:46:21 CST 2019] url='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Fri Mar  1 12:46:21 CST 2019] payload='{"resource": "new-authz", "identifier": {"type": "dns", "value": "gscatter.wali.pro"}}'
[Fri Mar  1 12:46:21 CST 2019] RSA key
[Fri Mar  1 12:46:21 CST 2019] GET
[Fri Mar  1 12:46:21 CST 2019] url='https://acme-v01.api.letsencrypt.org/directory'
[Fri Mar  1 12:46:21 CST 2019] timeout=
[Fri Mar  1 12:46:21 CST 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  -g '
[Fri Mar  1 12:46:22 CST 2019] ret='0'
[Fri Mar  1 12:46:22 CST 2019] POST
[Fri Mar  1 12:46:22 CST 2019] _post_url='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Fri Mar  1 12:46:22 CST 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  -g '
[Fri Mar  1 12:46:22 CST 2019] _ret='0'
[Fri Mar  1 12:46:22 CST 2019] code='201'
[Fri Mar  1 12:46:22 CST 2019] The new-authz request is ok.
[Fri Mar  1 12:46:22 CST 2019] entry='"type":"http-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/rNVXvTyJ79oey2zld9ne2yi8j7GmvA6T2H-_yZIEqTo/13107543768","token":"EFi7joOjoAvdjufu4RXkDrk8HNescYeZW7YUHzmZDSk"'
[Fri Mar  1 12:46:22 CST 2019] token='EFi7joOjoAvdjufu4RXkDrk8HNescYeZW7YUHzmZDSk'
[Fri Mar  1 12:46:22 CST 2019] uri='https://acme-v01.api.letsencrypt.org/acme/challenge/rNVXvTyJ79oey2zld9ne2yi8j7GmvA6T2H-_yZIEqTo/13107543768'
[Fri Mar  1 12:46:22 CST 2019] keyauthorization='EFi7joOjoAvdjufu4RXkDrk8HNescYeZW7YUHzmZDSk.KoX93o8hFThwttANXjp3GpSre0bNxBnmDIasyUvtF5o'
[Fri Mar  1 12:46:22 CST 2019] dvlist='gscatter.wali.pro#EFi7joOjoAvdjufu4RXkDrk8HNescYeZW7YUHzmZDSk.KoX93o8hFThwttANXjp3GpSre0bNxBnmDIasyUvtF5o#https://acme-v01.api.letsencrypt.org/acme/challenge/rNVXvTyJ79oey2zld9ne2yi8j7GmvA6T2H-_yZIEqTo/13107543768#http-01#/root/www/gscatter.wali.pro/'
[Fri Mar  1 12:46:22 CST 2019] d
[Fri Mar  1 12:46:22 CST 2019] vlist='gscatter.wali.pro#EFi7joOjoAvdjufu4RXkDrk8HNescYeZW7YUHzmZDSk.KoX93o8hFThwttANXjp3GpSre0bNxBnmDIasyUvtF5o#https://acme-v01.api.letsencrypt.org/acme/challenge/rNVXvTyJ79oey2zld9ne2yi8j7GmvA6T2H-_yZIEqTo/13107543768#http-01#/root/www/gscatter.wali.pro/,'
[Fri Mar  1 12:46:23 CST 2019] d='gscatter.wali.pro'
[Fri Mar  1 12:46:23 CST 2019] ok, let's start to verify
[Fri Mar  1 12:46:23 CST 2019] Verifying: gscatter.wali.pro
[Fri Mar  1 12:46:23 CST 2019] d='gscatter.wali.pro'
[Fri Mar  1 12:46:23 CST 2019] keyauthorization='EFi7joOjoAvdjufu4RXkDrk8HNescYeZW7YUHzmZDSk.KoX93o8hFThwttANXjp3GpSre0bNxBnmDIasyUvtF5o'
[Fri Mar  1 12:46:23 CST 2019] uri='https://acme-v01.api.letsencrypt.org/acme/challenge/rNVXvTyJ79oey2zld9ne2yi8j7GmvA6T2H-_yZIEqTo/13107543768'
[Fri Mar  1 12:46:23 CST 2019] _currentRoot='/root/www/gscatter.wali.pro/'
[Fri Mar  1 12:46:23 CST 2019] wellknown_path='/root/www/gscatter.wali.pro//.well-known/acme-challenge'
[Fri Mar  1 12:46:23 CST 2019] writing token:EFi7joOjoAvdjufu4RXkDrk8HNescYeZW7YUHzmZDSk to /root/www/gscatter.wali.pro//.well-known/acme-challenge/EFi7joOjoAvdjufu4RXkDrk8HNescYeZW7YUHzmZDSk
[Fri Mar  1 12:46:23 CST 2019] Changing owner/group of .well-known to root:root
[Fri Mar  1 12:46:23 CST 2019] url='https://acme-v01.api.letsencrypt.org/acme/challenge/rNVXvTyJ79oey2zld9ne2yi8j7GmvA6T2H-_yZIEqTo/13107543768'
[Fri Mar  1 12:46:23 CST 2019] payload='{"resource": "challenge", "type": "http-01", "keyAuthorization": "EFi7joOjoAvdjufu4RXkDrk8HNescYeZW7YUHzmZDSk.KoX93o8hFThwttANXjp3GpSre0bNxBnmDIasyUvtF5o"}'
[Fri Mar  1 12:46:23 CST 2019] POST
[Fri Mar  1 12:46:23 CST 2019] _post_url='https://acme-v01.api.letsencrypt.org/acme/challenge/rNVXvTyJ79oey2zld9ne2yi8j7GmvA6T2H-_yZIEqTo/13107543768'
[Fri Mar  1 12:46:23 CST 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  -g '
[Fri Mar  1 12:46:23 CST 2019] _ret='0'
[Fri Mar  1 12:46:23 CST 2019] code='202'
[Fri Mar  1 12:46:23 CST 2019] sleep 2 secs to verify
[Fri Mar  1 12:46:26 CST 2019] checking
[Fri Mar  1 12:46:26 CST 2019] GET
[Fri Mar  1 12:46:26 CST 2019] url='https://acme-v01.api.letsencrypt.org/acme/challenge/rNVXvTyJ79oey2zld9ne2yi8j7GmvA6T2H-_yZIEqTo/13107543768'
[Fri Mar  1 12:46:26 CST 2019] timeout=
[Fri Mar  1 12:46:26 CST 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  -g '
[Fri Mar  1 12:46:26 CST 2019] ret='0'
[Fri Mar  1 12:46:26 CST 2019] gscatter.wali.pro:Verify error:Invalid response from http://gscatter.wali.pro/.well-known/acme-challenge/EFi7joOjoAvdjufu4RXkDrk8HNescYeZW7YUHzmZDSk [47.75.77.57]: 
[Fri Mar  1 12:46:26 CST 2019] Debug: get token url.
[Fri Mar  1 12:46:26 CST 2019] GET
[Fri Mar  1 12:46:26 CST 2019] url='http://gscatter.wali.pro/.well-known/acme-challenge/EFi7joOjoAvdjufu4RXkDrk8HNescYeZW7YUHzmZDSk'
[Fri Mar  1 12:46:26 CST 2019] timeout=1
[Fri Mar  1 12:46:26 CST 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  -g  --connect-timeout 1'
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx</center>
</body>
</html>
[Fri Mar  1 12:46:26 CST 2019] ret='0'
[Fri Mar  1 12:46:26 CST 2019] Debugging, skip removing: /root/www/gscatter.wali.pro//.well-known
[Fri Mar  1 12:46:26 CST 2019] pid
[Fri Mar  1 12:46:26 CST 2019] No need to restore nginx, skip.
[Fri Mar  1 12:46:26 CST 2019] _clearupdns
[Fri Mar  1 12:46:26 CST 2019] dns_entries
[Fri Mar  1 12:46:26 CST 2019] skip dns.
[Fri Mar  1 12:46:26 CST 2019] _on_issue_err
[Fri Mar  1 12:46:26 CST 2019] Please check log file for more details: /root/.acme.sh/acme.sh.log
[Fri Mar  1 12:46:26 CST 2019] url='https://acme-v01.api.letsencrypt.org/acme/challenge/rNVXvTyJ79oey2zld9ne2yi8j7GmvA6T2H-_yZIEqTo/13107543768'
[Fri Mar  1 12:46:26 CST 2019] payload='{"resource": "challenge", "type": "", "keyAuthorization": "EFi7joOjoAvdjufu4RXkDrk8HNescYeZW7YUHzmZDSk.KoX93o8hFThwttANXjp3GpSre0bNxBnmDIasyUvtF5o"}'
[Fri Mar  1 12:46:26 CST 2019] POST
[Fri Mar  1 12:46:26 CST 2019] _post_url='https://acme-v01.api.letsencrypt.org/acme/challenge/rNVXvTyJ79oey2zld9ne2yi8j7GmvA6T2H-_yZIEqTo/13107543768'
[Fri Mar  1 12:46:26 CST 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  -g '
[Fri Mar  1 12:46:27 CST 2019] _ret='0'
[Fri Mar  1 12:46:27 CST 2019] code='400'
[Fri Mar  1 12:46:27 CST 2019] socat doesn't exists.
[Fri Mar  1 12:46:27 CST 2019] Diagnosis versions: 
openssl:openssl
OpenSSL 1.0.2k-fips  26 Jan 2017
apache:
apache doesn't exists.
nginx:
nginx version: nginx/1.14.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC) 
built with OpenSSL 1.0.2o  27 Mar 2018
TLS SNI support enabled
configure arguments: --user=www --group=www --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_v2_module --with-http_gzip_static_module --with-http_sub_module --with-stream --with-stream_ssl_module --with-openssl=/root/lnmp1.5/src/openssl-1.0.2o
socat:

#5

It seems I have found the reason; could it be related to the configuration of nginx?

server {
        listen       80;
        server_name  gscatter.wali.pro;

        location /.well-known/acme-challenge/ {
                alias /root/www/gscatter.wali.pro/;
        }
}
server {
        listen       80;
        server_name  gscatter.wali.pro;

        location / {
                alias /root/www/gscatter.wali.pro/;
        }
}

#6

This damn prompt again!

new-authz error: {
  "type": "urn:acme:error:rateLimited",
  "detail": "Error creating new authz :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/",
  "status": 429
}

It’s a nightmare for a rookie

#7

You can use --test to use the staging server while testing; this will keep you from running into rate limits.

I don’t know where your 403 is coming from. It seems that you have some other configuration that you are omitting to include that might be causing it.

As a general hint, you might try using stateless mode: https://github.com/Neilpang/acme.sh/wiki/Stateless-Mode

It would avoid all sorts of pains with webroots like you are currently experiencing.

#8

Thank you for solving my problem!
