Koozali.org: home of the SME Server

letsencrypt challenge not completing

umbi
Re: letsencrypt challenge not completing
« Reply #15 on: April 22, 2021, 09:07:30 PM »
ok, I got a big log file....

masking sensitive data takes a few minutes...

umbi
Re: letsencrypt challenge not completing
« Reply #16 on: April 22, 2021, 09:26:42 PM »
Jean-Philippe

the logfile is bigger than 20k characters... I sent it to you via the forum's mail function
« Last Edit: April 22, 2021, 09:29:41 PM by umbi »

Jean-Philippe Pialasse (aka Unnilennium), http://smeserver.pialasse.com
Re: letsencrypt challenge not completing
« Reply #17 on: April 22, 2021, 10:07:01 PM »
from what I have received (the beginning is missing)
you did not use the test staging but the v2
CA=https://acme-v02.api.letsencrypt.org/directory


you successfully registered

    + echo '+ Registering account key with ACME server...'
    + echo '+ Fetching account ID...'
    + echo '+ Done!'
    + Done!
    + exit 0

so you now have an active account and you just have to do the following (yes, I want you in root's home)

    cd
    /usr/bin/dehydrated -c

just to check

    ll /root/config

and

    whereis dehydrated

umbi
Re: letsencrypt challenge not completing
« Reply #18 on: April 22, 2021, 10:28:44 PM »
Hi Jean-Philippe

    cd
    /usr/bin/dehydrated -c

gives me this:

"type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:unauthorized",
    "detail": "Invalid response from http://de*-ver*.ch/.well-known/acme-challenge/GaM1p7****************xNo9K_y_9U7Onw [81.6.*.*]: \"\u003c!DOCTYPE HTML PUBLIC \\\"-//IETF//DTD HTML 2.0//EN\\\"\u003e\\n\u003chtml\u003e\u003chead\u003e\\n\u003ctitle\u003e403 Forbidden\u003c/title\u003e\\n\u003c/head\u003e\u003cbody\u003e\\n\u003ch1\u003eForbidden\u003c/h1\u003e\\n\u003cp\"",
    "status": 403
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/125*****39/xYL8Ig",
  "token": "GaM1p7********************xNo9K_y_9U7Onw",
  "validationRecord": [
    {
      "url": "http://de*-ver*.ch/.well-known/acme-challenge/GaM1p**************_y_9U7Onw",
      "hostname": "de*-ver*.ch",
      "port": "80",
      "addressesResolved": [
        "81.6.*.*"
      ],
      "addressUsed": "81.6.*.*"
    }
  ],
  "validated": "2021-04-22T20:20:19Z"
})
[root@g-server ~]#


it looks like now the problem is with the domains and not with the hosts...

my fear is that they block me if I make many tries

-------

    ll /root/config

**** not existing ****
--------

-server ~]# whereis dehydrated
dehydrated: /usr/bin/dehydrated /etc/dehydrated /usr/local/bin/dehydrated


thank you very very much - I guess we are getting nearer to the solution...

Jean-Philippe Pialasse
Re: letsencrypt challenge not completing
« Reply #19 on: April 22, 2021, 10:43:03 PM »
Quote: 403 Forbidden

that is why

Quote: "addressUsed": "81.6.*.*"

I guess you checked this is really your IP

Quote: "Invalid response from http://de*-ver*.ch/.well-known/acme-challenge/GaM1p7****************xNo9K_y_9U7Onw [81.6.*.*]

is your ibay configured to force SSL connections?
is the Primary ibay configured to force SSL connections (if the domain is not linked to the Primary ibay)?

you have to allow non-SSL connections on the /.well-known/acme-challenge path, meaning you need to disable forced SSL connections on the Primary ibay. If an important site is there I suggest moving it to another ibay.


Finally, is the ibay password protected?

umbi
Re: letsencrypt challenge not completing
« Reply #20 on: April 22, 2021, 10:56:19 PM »
Hi Jean-Philippe

I'm really grateful for your help.

- the master domain of the server points to "primary i-bay" and was SSL forced; now I have it disabled,
  but in .htaccess there is a rewrite rule that goes to https. I think this should not be a problem.

- the primary directory is not password protected.

Should I better go to test mode to retry with etc/dehydrated -c ?
I'm scared that I'll reach the retry limits...

umbi
« Last Edit: April 22, 2021, 11:11:46 PM by umbi »

Jean-Philippe Pialasse
Re: letsencrypt challenge not completing
« Reply #21 on: April 22, 2021, 11:21:38 PM »
the classic test is as follows

    echo "pk" > /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge/testme

then try to reach
http://myserver.ch/.well-known/acme-challenge/testme

from the internet. Your phone on LTE might be your friend there.

when you get correct access you can proceed and delete the test file

    rm /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge/testme

https redirection should not be a problem according to the Let's Encrypt website...
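The manual test in this reply, and the 403 diagnosis in Reply #19, can be scripted. The following is an added example, not code from the thread, from dehydrated or from SME Server: it writes a random token under the webroot, fetches it over plain http (following redirects, as the Let's Encrypt validator does), removes the file again and classifies the answer into the causes discussed above. The webroot path and the hostname in the usage lines are assumptions; /.well-known/acme-challenge/ is the location the http-01 challenge uses.

```python
"""Preflight check for the ACME http-01 challenge path.

Added example, not code from the thread, from dehydrated or from SME
Server: it automates the manual test (write a token file into the
webroot, fetch it over plain http, compare) and classifies the failures
seen in this thread. The webroot and hostname are assumptions.
"""
import os
import secrets
import urllib.error
import urllib.request
from dataclasses import dataclass

CHALLENGE_DIR = ".well-known/acme-challenge"


@dataclass
class Verdict:
    ok: bool
    reason: str


def default_fetch(url):
    """GET url, following redirects as the ACME validator does; return (status, body)."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def classify(status, body, token):
    """Map the HTTP answer to the cause a server admin should look at."""
    if status == 403:
        return Verdict(False, "403 Forbidden: the web server blocks the path "
                              "(forced SSL, password-protected ibay or an .htaccess rule)")
    if status == 404:
        return Verdict(False, "404 Not Found: the request landed in a webroot that does not "
                              "hold the file (domain mapped to another ibay)")
    if status != 200:
        return Verdict(False, f"unexpected HTTP status {status}")
    if body.strip() != token:
        return Verdict(False, "200 but wrong body: an index or error page is served "
                              "instead of the token file")
    return Verdict(True, "token served correctly over http")


def preflight(hostname, webroot, fetch=default_fetch):
    """Write a random token below webroot, fetch it via http://hostname/..., remove it."""
    token = secrets.token_urlsafe(32)
    challenge_path = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(challenge_path, exist_ok=True)
    token_file = os.path.join(challenge_path, token)
    with open(token_file, "w", encoding="utf-8") as fh:
        fh.write(token)
    try:
        status, body = fetch(f"http://{hostname}/{CHALLENGE_DIR}/{token}")
    finally:
        os.remove(token_file)  # never leave test files behind in the webroot
    return classify(status, body, token)


if __name__ == "__main__":
    # Assumed SME Server layout from the thread: the Primary ibay webroot.
    verdict = preflight("myserver.ch", "/home/e-smith/files/ibays/Primary/html")
    print("OK" if verdict.ok else "FAIL", "-", verdict.reason)
```

Run it on the server itself and the fetch only proves that the hostname maps to the right ibay and that nothing returns 403; to prove reachability from the internet, copy the token URL it requests and open it from a device outside the LAN, as suggested above. The `fetch` parameter exists so the check can be exercised without a network.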

umbi
Re: letsencrypt challenge not completing
« Reply #22 on: April 22, 2021, 11:53:50 PM »
Sorry for the late answer - I had to bring my son to bed :-)

ok, first I pointed the server main domain to "primary i-bay" and it did not work. Auth. cert. error.
then I pointed the server main domain to another i-bay and it results in:

Forbidden

You don't have permission to access /.well-known/acme-challenge/testme on this server, because the file is not there - but it's best to point to primary, isn't it?

 db accounts show Primary
Primary=ibay
    AllowOverride=All
    CgiBin=enabled
    FollowSymLinks=enabled
    Group=shared
    Modifiable=no
    Name=Primary i-bay
    PasswordSet=no
    Passwordable=no
    PublicAccess=global
    Removable=no
    SSL=enabled
    UserAccess=wr-*-rd-group

I did:

    db accounts setprop Primary SSL disabled
    [root@g-server ~]# signal-event console-save

and now it is accessible...

I await your OK to retry

    cd
    /usr/bin/dehydrated -c

in test mode or in enabled mode?

Umbi

« Last Edit: April 23, 2021, 12:24:35 AM by umbi »

Jean-Philippe Pialasse
Re: letsencrypt challenge not completing
« Reply #23 on: April 23, 2021, 12:22:37 AM »
again, I said SSL should be disabled on primary,
or have an efficient redirection to https set for the well-known.
as soon as the robot hits a 403 it will fail
« Last Edit: April 23, 2021, 12:25:10 AM by Jean-Philippe Pialasse »

umbi
Re: letsencrypt challenge not completing
« Reply #24 on: April 23, 2021, 12:29:12 AM »
no no, I did

    db accounts setprop Primary SSL disabled
    [root@g-server ~]# signal-event console-save

and your file is accessible under http:// without problems.

my question is only: should I go to test mode for requesting the certificate, or should I run dehydrated -c in production mode?

umbi
Re: letsencrypt challenge not completing
« Reply #25 on: April 23, 2021, 12:46:26 AM »
I tried to get the certificate but failed again :-(

+ Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:dns",
    "detail": "Fetching http://www.g-server.domain.ch/.well-known/acme-challenge/uOwts6q_******_KrK-jBU: DNS problem: NXDOMAIN looking up A for www.g-server.domain.ch - check that a DNS record exists for this domain",
    "status": 400
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/125*****865/_vV3Vw",
  "token": "uOwts6q_yF*******J1oNB_KrK-jBU",
  "validationRecord": [
    {
      "url": "http://g-server.domain.ch/.well-known/acme-challenge/uOwts6q_yFo8u*****NB_KrK-jBU",
      "hostname": "g-server.domain.ch",
      "port": "80",
      "addressesResolved": [
        "81.6.*.*"
      ],
      "addressUsed": "81.6.*.*"
    }
  ],
  "validated": "2021-04-22T22:33:51Z"
})
[root@gserver ~]#

-----

why is it now trying to fetch from "http://www.g-server.domain.ch" with "www"?
Maybe caused by the .htaccess that forces www in primary?

I cannot create an A record on my DNS service now, because the e-mail for the validation login is not working because of the certificate trouble on the server.

I can't get any mails at the moment.

Thank you in advance for your help.

Umbi
« Last Edit: April 23, 2021, 12:53:11 AM by umbi »

Jean-Philippe Pialasse
Re: letsencrypt challenge not completing
« Reply #26 on: April 23, 2021, 01:12:22 AM »
I started by asking you to check the content of domains.txt. It will fetch all of them.

please review the content and follow the wiki page to disable the hosts (www, mail...) and domains that you do not have actively pointing to your IP
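Reviewing domains.txt by hand is error-prone, since every name on a line is validated and a single NXDOMAIN (the www.g-server.domain.ch case above) or a name pointing to another address fails the whole certificate. The following is an added example, not code from the thread, from dehydrated or from the SME Server letsencrypt contrib: it parses dehydrated's domains.txt format (one certificate per line, CN first, then SANs, '#' comments, optional '> alias' suffix), resolves each name and reports the ones that do not resolve or do not point at the server's public IP. The sample file, the DNS answers and all addresses are constructed; /etc/dehydrated/domains.txt as the default path is an assumption.

```python
"""Audit a dehydrated domains.txt before running `dehydrated -c`.

Added example; not from the thread, from dehydrated or from the SME Server
letsencrypt contrib. The resolver is injectable so the audit can be run
offline against constructed DNS data (see SAMPLE_DNS below).
"""
import socket
import sys
from dataclasses import dataclass, field


@dataclass
class LineReport:
    lineno: int
    names: list
    missing: list = field(default_factory=list)    # no A record (NXDOMAIN)
    elsewhere: dict = field(default_factory=dict)  # name -> addresses that are not ours

    @property
    def ok(self):
        return not self.missing and not self.elsewhere


def parse_domains_txt(text):
    """Return [(lineno, [names]), ...] per certificate line; comments and '> alias' stripped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].split(">", 1)[0].strip()
        if line:
            entries.append((lineno, line.split()))
    return entries


def resolve_a(name):
    """IPv4 addresses for name, [] when it does not resolve."""
    try:
        infos = socket.getaddrinfo(name, 80, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def audit(text, public_ip, resolve=resolve_a):
    """One LineReport per certificate line in text."""
    reports = []
    for lineno, names in parse_domains_txt(text):
        report = LineReport(lineno, names)
        for name in names:
            addrs = resolve(name)
            if not addrs:
                report.missing.append(name)
            elif public_ip not in addrs:
                report.elsewhere[name] = addrs
        reports.append(report)
    return reports


def summary(reports):
    """Human-readable lines, one per problem; empty when every name validates."""
    lines = []
    for r in reports:
        for name in r.missing:
            lines.append(f"line {r.lineno}: {name} has no A record; disable this host before retrying")
        for name, addrs in r.elsewhere.items():
            lines.append(f"line {r.lineno}: {name} points to {', '.join(addrs)}, not to this server")
    return lines


# Constructed sample mirroring the thread: the www host was never created in DNS.
SAMPLE_DOMAINS_TXT = """\
# one certificate per line, CN first
g-server.domain.ch www.g-server.domain.ch mail.g-server.domain.ch
domain.ch www.domain.ch > domain-ch
old.domain.ch
"""
SAMPLE_DNS = {  # constructed answers, documentation address ranges
    "g-server.domain.ch": ["192.0.2.10"],
    "mail.g-server.domain.ch": ["192.0.2.10"],
    "domain.ch": ["192.0.2.10"],
    "www.domain.ch": ["192.0.2.10"],
    "old.domain.ch": ["198.51.100.7"],  # moved to another provider, never removed
}

if __name__ == "__main__":
    # Usage: python audit_domains.py <public-ip> [/etc/dehydrated/domains.txt]
    public_ip = sys.argv[1]
    path = sys.argv[2] if len(sys.argv) > 2 else "/etc/dehydrated/domains.txt"  # assumed default
    with open(path, encoding="utf-8") as fh:
        problems = summary(audit(fh.read(), public_ip))
    print("\n".join(problems) if problems else "all names resolve to this server")
```

On SME Server domains.txt is generated from the configuration database, so the names it reports are the hosts and domains to disable through the contrib's settings as the wiki page describes, rather than lines to delete from the file by hand.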

umbi
Re: letsencrypt challenge not completing
« Reply #27 on: April 23, 2021, 01:24:38 AM »
thank you

I did it and www.g-server.domain.ch is not listed in domains.txt

it tries to fetch something here:

    "type": "urn:ietf:params:acme:error:dns",
        "detail": "Fetching http://www.g-server.domain.ch/.well-known/acme-challenge/uOwts6q_

why? I never put that double host in the server.... - without email access I cannot log in to the DNS service to add the "A" record www.g-server.domain.ch

I'm lost...

Jean-Philippe Pialasse
Re: letsencrypt challenge not completing
« Reply #28 on: April 23, 2021, 01:42:15 AM »
without the full picture and just an isolated error it is hard to help. I am not reading crystal balls ;)

does your .htaccess have a redirection to www? I would wonder why, if your DNS is not pointing to the server. But I am still rather inclined to think that the domain is really the one verified.

as long as you keep on giving partial output and obfuscate all domains, as this is a DNS / redirection issue, we cannot help you more.

finally, you can access your server for mail using a self-signed SSL certificate. You just need to accept it.

umbi
Re: letsencrypt challenge not completing
« Reply #29 on: April 23, 2021, 01:52:09 AM »
Hi Jean-Philippe

Thank you for answering me at this hour - I'm now 24h at work...

Of course

g-server.domain.ch points to my server
www.domain.ch points to my server

but not www.g-server.domain.ch
I can't understand why it says that it needs an "A" record in DNS for www.g-server.domain.ch

I have now deleted the .htaccess entry which redirects domain.ch -> www.domain.ch, because it might be that
it redirects g-server.domain.ch to www.g-server.domain.ch and that may cause the error 400.

In the past I never changed anything. It is unclear to me why I have to change all these settings in the primary i-bay.

If you find a crystal ball, please send me one too :-)