.well-known attached to domain name, slash missing


#1

Hello,

I am trying to renew my certificate for multiple domains. The strange behaviour happens for all of them, so I will just write about one of them: finplay.sk
I tried renew subcommand (certbot renew), but the same happens when creating certificate with certonly subcommand:

certbot certonly --webroot -w /var/www/html/finplay/public -d finplay.sk

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for finplay.sk
Using the webroot path /var/www/html/finplay/public for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. finplay.sk (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://finplay.sk.well-known/acme-challenge/Qw2enxtK0uOHfLmg77h9QBDyxPqFJRW0qa7A_tWubZ8: Error getting validation data

IMPORTANT NOTES:

You can see that the attempted address is https://finplay.sk.well-known. If this address is tested it obviusly can’t be reached. However it is generated automatically, I don’t know of any configuration rule, that would anyhow control address generation.
I am a bit hopeless here, because my certs need to be renewed.

If I try adding slash to domain name like this:
certbot certonly --webroot -w /var/www/html/finplay/public -d finplay.sk/
it produces error:
Obtaining a new certificate
An unexpected error occurred:
The request message was malformed :: Error creating new authz :: Invalid character in DNS name
Please see the logfiles in /var/log/letsencrypt for more details.

My web server is (include version): Apache/2.4.25

The operating system my web server runs on is (include version):
(uname output) Debian 3.16.43-2+deb8u3 (2017-08-15) x86_64 GNU/Linux
runs in docker container

Just a note, this worked 90 days ago, when certs were created. Maybe also cron renew job was failing due this this error.

Thanks for every idea


#2

Hi @delavei

checking your website via https://check-your-website.server-daten.de/?q=finplay.sk - you see the problem:


Domainname Http-Status redirect Sec. G
http://finplay.sk/
80.211.223.107 301 https://finplay.sk 0.076 A
http://www.finplay.sk/
80.211.223.107 301 https://finplay.sk 0.080 E
https://finplay.sk 200 5.437 N
Certificate error: RemoteCertificateChainErrors
https://finplay.sk/
80.211.223.107 200 5.700 N
Certificate error: RemoteCertificateChainErrors
https://www.finplay.sk/
80.211.223.107 200 5.493 N
Certificate error: RemoteCertificateChainErrors
http://finplay.sk/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
80.211.223.107 301 https://finplay.sk.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 0.077 A
http://www.finplay.sk/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
80.211.223.107 301 https://finplay.sk.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 0.077 E
https://finplay.sk.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de -1 0.014 R
NameResolutionFailure - The remote name could not be resolved: ‘finplay.sk.well-known’

Your redirects don’t add a slash. This isn’t a problem redirecting your root. But redirecting the subdirectory /.well-known/acme-challenge the slash is missing.

So the result is the not existing domain finplay.sk.well-known.

So check your redirect rules. There is a missing slash between your server-name and your path.


#3

Now it’s fixed, no redirect to a not existing domain.

And there is a new Letsencrypt certificate :wink: :sunny:


#4

Hello,

you were right about wrong redirect rule, thank you very much. Didn’t occur to me that anything in Apache configuration might have been wrong. I added slash to redirect rule from http to https in virtual host config in Apache and certificate renewal started to work.

Thanks again for pointing me in the right direction.