Www subdomain gets cert but forum subdomain fails - discourse behind haproxy

geraldM · June 13, 2019, 11:58pm

My Discourse server is pretty obviously feeding its index.html to certbot but I can’t figure out why. The WWW subdomain with the same exact DNS entry has no issue.

My domain is: dallaskf.com (specifically referencing forum.dallaskf.com)

I ran this command: sudo certbot certonly --standalone -d dallaskf.com -d www.dallaskf.com -d forum.dallaskf.com --non-interactive --agree-tos --email postmaster@forum.dallaskf.com --http-01-port=8800

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for forum.dallaskf.com
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. forum.dallaskf.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://forum.dallaskf.com/.well-known/acme-challenge/5fVXU27dIMqrZ12b4uUcZYXyEzhtMEck6MSPF435HDY [76.201.5.146]: "\n<html lang=“en-US”>\n\n <meta charset=“utf-8”>\n DallasKF.com Rust\n <meta name=“description”

IMPORTANT NOTES:

The following errors were reported by the server:

Domain: forum.dallaskf.com
Type: unauthorized
Detail: Invalid response from
http://forum.dallaskf.com/.well-known/acme-challenge/5fVXU27dIMqrZ12b4uUcZYXyEzhtMEck6MSPF435HDY
[76.201.5.146]: "\n<html lang=“en-US”>\n\n
\n DallasKF.com Rust\n <meta name=\"description"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

My web server is (include version): Apache2 and Discourse behind haproxy. All latest stable

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is: homelab (namecheap DNS)

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0

geraldM · June 14, 2019, 12:04am

I think I fixed it by shutting down haproxy and running the check on port 80. Will try this and report back if it fails

_az · June 14, 2019, 1:07am

The required configuration to avoid shutting down haproxy is to proxy the ACME validation requests to the Certbot standalone server.

Add a backend for Certbot:

backend be_certbot
        mode http
        server s_certbot 127.0.0.1:8800

and direct requests to it in your port 80 frontend:

use_backend be_certbot if { path_beg /.well-known/acme-challenge/ }

system · July 14, 2019, 1:10am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.