.well-known attached to domain name, slash missing


#1

Hello,

I am trying to renew my certificate for multiple domains. The strange behaviour happens for all of them, so I will just write about one of them: finplay.sk
I tried renew subcommand (certbot renew), but the same happens when creating certificate with certonly subcommand:

certbot certonly --webroot -w /var/www/html/finplay/public -d finplay.sk

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for finplay.sk
Using the webroot path /var/www/html/finplay/public for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. finplay.sk (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://finplay.sk.well-known/acme-challenge/Qw2enxtK0uOHfLmg77h9QBDyxPqFJRW0qa7A_tWubZ8: Error getting validation data

IMPORTANT NOTES:

You can see that the attempted address is https://finplay.sk.well-known. If this address is tested it obviously can’t be reached. However, it is generated automatically; I don’t know of any configuration rule that would control address generation in any way.
I am a bit hopeless here, because my certs need to be renewed.

If I try adding slash to domain name like this:
certbot certonly --webroot -w /var/www/html/finplay/public -d finplay.sk/
it produces error:
Obtaining a new certificate
An unexpected error occurred:
The request message was malformed :: Error creating new authz :: Invalid character in DNS name
Please see the logfiles in /var/log/letsencrypt for more details.

My web server is (include version): Apache/2.4.25

The operating system my web server runs on is (include version):
(uname output) Debian 3.16.43-2+deb8u3 (2017-08-15) x86_64 GNU/Linux
runs in docker container

Just a note, this worked 90 days ago, when the certs were created. Maybe the cron renew job was also failing due to this error.

Thanks for every idea


#2

Hi @delavei

checking your website via https://check-your-website.server-daten.de/?q=finplay.sk - you see the problem:


Domainname Http-Status redirect Sec. G
http://finplay.sk/
80.211.223.107 301 https://finplay.sk 0.076 A
http://www.finplay.sk/
80.211.223.107 301 https://finplay.sk 0.080 E
https://finplay.sk 200 5.437 N
Certificate error: RemoteCertificateChainErrors
https://finplay.sk/
80.211.223.107 200 5.700 N
Certificate error: RemoteCertificateChainErrors
https://www.finplay.sk/
80.211.223.107 200 5.493 N
Certificate error: RemoteCertificateChainErrors
http://finplay.sk/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
80.211.223.107 301 https://finplay.sk.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 0.077 A
http://www.finplay.sk/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
80.211.223.107 301 https://finplay.sk.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 0.077 E
https://finplay.sk.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de -1 0.014 R
NameResolutionFailure - The remote name could not be resolved: ‘finplay.sk.well-known’

Your redirects don’t add a slash. This isn’t a problem when redirecting your root, but when redirecting the subdirectory /.well-known/acme-challenge the slash is missing.

So the result is the non-existent domain finplay.sk.well-known.

So check your redirect rules. There is a missing slash between your server-name and your path.


#3

Now it’s fixed, no redirect to a non-existent domain.

And there is a new Letsencrypt certificate :wink: :sunny:


#4

Hello,

you were right about the wrong redirect rule, thank you very much. It didn’t occur to me that anything in the Apache configuration might have been wrong. I added a slash to the redirect rule from http to https in the virtual host config in Apache and certificate renewal started to work.

Thanks again for pointing me in the right direction.
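As an added example that is not part of the thread, the following Python script models how Apache's mod_alias `Redirect URL-path URL-target` appends the remainder of the request path verbatim to the target, which is what turns `/.well-known/acme-challenge/…` into the bogus host `finplay.sk.well-known` when the target lacks a trailing slash. The function names, the constructed token and the `challenge_redirect_ok` check are my own; the prefix-append semantics are those documented for `Redirect`.

```python
from typing import Optional
from urllib.parse import urlsplit


def apache_redirect(url_path: str, url_target: str, request_path: str) -> Optional[str]:
    """Model of mod_alias `Redirect URL-path URL-target` (hypothetical helper).

    If the request path starts with URL-path, the remaining part of the
    request path is appended verbatim to URL-target; otherwise no redirect.
    """
    if not request_path.startswith(url_path):
        return None
    return url_target + request_path[len(url_path):]


def challenge_redirect_ok(location: str, expected_host: str) -> bool:
    """Operator-side check: a redirected ACME challenge URL must still point
    at the expected host and keep /.well-known/acme-challenge/ as its path."""
    parts = urlsplit(location)
    return (
        parts.hostname == expected_host
        and parts.path.startswith("/.well-known/acme-challenge/")
    )


# Constructed sample token, not a real ACME challenge token.
TOKEN = "constructed-sample-token"
CHALLENGE_PATH = f"/.well-known/acme-challenge/{TOKEN}"

# The rule from the thread: no trailing slash on the target, so the remainder
# ".well-known/..." is glued directly onto the host name.
BROKEN_TARGET = "https://finplay.sk"
# The corrected rule: trailing slash keeps host and path separated.
FIXED_TARGET = "https://finplay.sk/"


if __name__ == "__main__":
    for target in (BROKEN_TARGET, FIXED_TARGET):
        for path in ("/", CHALLENGE_PATH):
            loc = apache_redirect("/", target, path)
            ok = challenge_redirect_ok(loc, "finplay.sk") if loc else False
            print(f"Redirect / {target:<20} {path} -> {loc}  challenge_ok={ok}")
```

The root redirect looks identical for both targets, which is why the site appeared to work while only the challenge URL broke.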

