Howdy brainstrust
I have a server where the primary website is external to the SME, and the host entry is configured as such in the server manager.
When I run the commands to implement Let's Encrypt I get the "Challenge is invalid!" error. When I check external access to the SME Server using http (which is how dehydrated does it), all paths fail, including the root path.
Server manager works fine using http or https from the LAN or WAN (https only from a nominated specific IP).
So, some detail:
The script I run, based on the howto page:
#! /bin/bash
set -x
clear
# Base settings
Internet_Domain=<Domain1>
config setprop letsencrypt ACCEPT_TERMS yes status test API 2
config setprop letsencrypt configure none
# Foreach of your domains you want SSL do the following
db domains setprop $Internet_Domain letsencryptSSLcert disabled
# Foreach of your hosts (subdomains) you want SSL do the following
db hosts setprop www.$Internet_Domain letsencryptSSLcert disabled
db hosts setprop wpad.$Internet_Domain letsencryptSSLcert disabled
db hosts setprop proxy.$Internet_Domain letsencryptSSLcert disabled
db hosts setprop ftp.$Internet_Domain letsencryptSSLcert disabled
db hosts setprop mail.$Internet_Domain letsencryptSSLcert enabled
db hosts setprop gateway.$Internet_Domain letsencryptSSLcert enabled
signal-event console-save
# Make sure Apache subfolder perms are correct for Dehydrated check
namei --modes /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge
chown root:root /home/e-smith/files/ibays/Primary
chmod 0755 /home/e-smith/files/ibays/Primary
chown admin:shared /home/e-smith/files/ibays/Primary/html
chmod 2750 /home/e-smith/files/ibays/Primary/html
dehydrated -c
The output I get when it runs:
[root@gateway ~]# ./lets_encrypt_setup.sh
+ clear
+ Internet_Domain=<domain1>
+ config setprop letsencrypt ACCEPT_TERMS yes status test API 2
+ config setprop letsencrypt configure none
+ db domains setprop $Internet_Domain letsencryptSSLcert disabled
+ db hosts setprop www.$Internet_Domain letsencryptSSLcert disabled
+ db hosts setprop wpad.$Internet_Domain letsencryptSSLcert disabled
+ db hosts setprop proxy.$Internet_Domain letsencryptSSLcert disabled
+ db hosts setprop ftp.$Internet_Domain letsencryptSSLcert disabled
+ db hosts setprop mail.$Internet_Domain letsencryptSSLcert enabled
+ db hosts setprop gateway.$Internet_Domain letsencryptSSLcert enabled
+ signal-event console-save
+ namei --modes /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge
f: /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge
dr-xr-xr-x /
drwxr-xr-x home
drwxr-xr-x e-smith
drwxr-xr-x files
drwxr-xr-x ibays
drwxr-xr-x Primary
drwxr-s--- html
drwxrwsr-x .well-known
drwxrwsr-x acme-challenge
+ chown root:root /home/e-smith/files/ibays/Primary
+ chmod 0755 /home/e-smith/files/ibays/Primary
+ chown admin:shared /home/e-smith/files/ibays/Primary/html
+ chmod 2750 /home/e-smith/files/ibays/Primary/html
+ dehydrated -c
# INFO: Using main config file /etc/dehydrated/config
Processing gateway.<domain1> with alternative names: mail.<domain1>
+ Signing domains...
+ Generating private key...
+ Generating signing request...
+ Requesting new certificate order from CA...
+ Received 2 authorizations URLs from the CA
+ Handling authorization for gateway.<domain1>
+ Handling authorization for mail.<domain1>
+ 2 pending challenge(s)
+ Deploying challenge tokens...
+ Responding to challenge for gateway.<domain1> authorization...
+ Cleaning challenge tokens...
+ Challenge validation has failed
ERROR: Challenge is invalid! (returned: invalid) (result: ["type"] "http-01"
["status"] "invalid"
["error","type"] "urn:ietf:params:acme:error:unauthorized"
["error","detail"] "Invalid response from
http://gateway.<domain1>/.well-known/acme-challenge/LuEbZqOy0ZIPQleeTYuwoMzCW0oHOPQDJNAB6il-m8c [xx.xx.xx.xx]: \"\u003c!DOCTYPE HTML PUBLIC \\\"-//IETF//DTD HTML 2.0//EN\\\"\u003e\\n\u003chtml\u003e\u003chead\u003e\\n\u003ctitle\u003e403 Forbidden\u003c/title\u003e\\n\u003c/head\u003e\u003cbody\u003e\\n\u003ch1\u003eForbidden\u003c/h1\u003e\\n\u003cp\""
["error","status"] 403
["error"] {"type":"urn:ietf:params:acme:error:unauthorized","detail":"Invalid response from
http://gateway.<domain1>/.well-known/acme-challenge/LuEbZqOy0ZIPQleeTYuwoMzCW0oHOPQDJNAB6il-m8c [xx.xx.xx.xx]: \"\u003c!DOCTYPE HTML PUBLIC \\\"-//IETF//DTD HTML 2.0//EN\\\"\u003e\\n\u003chtml\u003e\u003chead\u003e\\n\u003ctitle\u003e403 Forbidden\u003c/title\u003e\\n\u003c/head\u003e\u003cbody\u003e\\n\u003ch1\u003eForbidden\u003c/h1\u003e\\n\u003cp\"","status":403}
["url"] "
https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/1234416688/BLIc7w"
["token"] "LuEbZqOy0ZIPQleeTYuwoMzCW0oHOPQDJNAB6il-m8c"
["validationRecord",0,"url"] "
http://gateway.<domain1>/.well-known/acme-challenge/LuEbZqOy0ZIPQleeTYuwoMzCW0oHOPQDJNAB6il-m8c"
["validationRecord",0,"hostname"] "gateway.<domain1>"
["validationRecord",0,"port"] "80"
["validationRecord",0,"addressesResolved",0] "xx.xx.xx.xx"
["validationRecord",0,"addressesResolved"] ["xx.xx.xx.xx"]
["validationRecord",0,"addressUsed"] "xx.xx.xx.xx"
["validationRecord",0] {"url":"
http://gateway.<domain1>/.well-known/acme-challenge/LuEbZqOy0ZIPQleeTYuwoMzCW0oHOPQDJNAB6il-m8c","hostname":"gateway.<domain1>","port":"80","addressesResolved":["xx.xx.xx.xx"],"addressUsed":"xx.xx.xx.xx"}
["validationRecord"] [{"url":"
http://gateway.<domain1>/.well-known/acme-challenge/LuEbZqOy0ZIPQleeTYuwoMzCW0oHOPQDJNAB6il-m8c","hostname":"gateway.<domain1>","port":"80","addressesResolved":["xx.xx.xx.xx"],"addressUsed":"xx.xx.xx.xx"}]
["validated"] "2021-12-22T12:49:32Z")
So, is this issue to do with the www redirect, as I suspect, or something else I'm missing?
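The 403 above is the CA reporting what it got back from port 80, which could be a permissions problem on the path namei lists (the html directory is group-only, drwxr-s---) or a redirect landing somewhere that does not serve the token. The script below is an added diagnostic that is not part of the original post, SME Server or dehydrated: it drops a throwaway token under the webroot, fetches it over plain HTTP the way the CA does (without following redirects, so they show up in the diagnosis), and lists every path component lacking o+x so the web server user's access can be reasoned about. It assumes curl and GNU coreutils stat are installed and that the caller can write to the webroot; the hostname and webroot are passed as arguments (the webroot in the usage line is the one from the post).

```shell
#!/bin/bash
# Added http-01 webroot probe (not from the original post, SME Server or
# dehydrated). Assumes curl and GNU stat; run as a user that may write to
# the webroot. Usage:
#   ./acme_probe.sh gateway.example.com /home/e-smith/files/ibays/Primary/html

# classify_result CODE BODY TOKEN REDIRECT_URL
# Maps one HTTP result to a one-line diagnosis. Needs no network, so it can
# be exercised on its own.
classify_result() {
    local code="$1" body="$2" token="$3" redirect="$4"
    case "$code" in
        200)
            if [ "$body" = "$token" ]; then
                echo "OK: challenge path served the token"
            else
                echo "MISMATCH: HTTP 200 but the body is not the token (another vhost or DocumentRoot answered)"
            fi ;;
        301|302|307|308)
            echo "REDIRECT: HTTP $code to ${redirect:-<none>} (the target must serve the same token)" ;;
        403)
            echo "FORBIDDEN: HTTP 403 (directory modes, web server group membership, or a deny/Require rule on the path)" ;;
        404)
            echo "NOTFOUND: HTTP 404 (token not under the DocumentRoot that answered)" ;;
        000)
            echo "UNREACHABLE: no HTTP response on port 80 (DNS, firewall or port forwarding)" ;;
        *)
            echo "UNEXPECTED: HTTP $code" ;;
    esac
}

# path_components_without_other_x DIR
# Prints every directory on the way to DIR whose "other" bits lack execute
# (search) permission. A web server user that is not in that directory's
# group needs o+x on each component to reach files below it, so these are
# the candidates to check against the server's group setup.
path_components_without_other_x() {
    local dir="$1" p="" part mode last
    local IFS='/'
    for part in $dir; do
        [ -n "$part" ] || continue
        p="$p/$part"
        [ -d "$p" ] || continue
        mode=$(stat -c '%a' "$p")                 # e.g. 2750 (setgid dir)
        last=$(printf '%s' "$mode" | tail -c 1)   # the "other" digit
        case "$last" in
            1|3|5|7) ;;                                 # o+x present
            *) printf '%s (mode %s)\n' "$p" "$mode" ;;  # o+x missing
        esac
    done
    return 0
}

# check_challenge_path HOST WEBROOT
# Writes a throwaway token, fetches it like the CA would (plain HTTP on
# port 80, redirects not followed), removes it, and prints the diagnosis.
check_challenge_path() {
    local host="$1" webroot="$2" dir token out body status code redirect
    dir="$webroot/.well-known/acme-challenge"
    token="probe-$(date +%s)-$$"
    mkdir -p "$dir"
    printf '%s' "$token" > "$dir/$token"
    # -w appends "<code> <redirect_url>" on its own line after the body;
    # curl still prints it (code 000) when the connection fails.
    out=$(curl -sS --max-time 15 -o - -w '\n%{http_code} %{redirect_url}' \
              "http://$host/.well-known/acme-challenge/$token" 2>/dev/null) || true
    rm -f "$dir/$token"
    body=$(printf '%s\n' "$out" | sed '$d')
    status=$(printf '%s\n' "$out" | tail -n 1)
    code=${status%% *}
    redirect=${status#* }
    [ "$redirect" = "$status" ] && redirect=""
    classify_result "$code" "$body" "$token" "$redirect"
}

if [ "$#" -eq 2 ]; then
    echo "Path components without o+x on the way to $2/.well-known/acme-challenge:"
    path_components_without_other_x "$2/.well-known/acme-challenge"
    check_challenge_path "$1" "$2"
fi
```

A REDIRECT result points at the www redirect suspected in the post; a FORBIDDEN result with no redirect points at the directory modes or a rule on the path instead. The o+x list is informational: a component that is group-only (like the html directory above) is only a problem if the web server user is not a member of that group.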