Koozali.org: home of the SME Server

[SOLVED] dehydrated cron fails: "Challenge validation has failed"

Offline Michail Pappas

  • *
  • 339
  • +1/-0
I've successfully configured SME 10 to obtain a let's encrypt certificate, as per the wiki instructions. Yesterday (and today) I've got failure reports during attempts to renew the certificate (redacted, can PM the exact message):

Code: [Select]
# INFO: Using main config file /etc/dehydrated/config
Processing myhost.mydomain
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Feb 22 09:35:15 2022 GMT (Less than 30 days). Renewing!
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 1 authorizations URLs from the CA
 + Handling authorization for myhost.mydomain
 + 1 pending challenge(s)
 + Deploying challenge tokens...
 + Responding to challenge for myhost.mydomain authorization...
 + Cleaning challenge tokens...
 + Challenge validation has failed
ERROR: Challenge is invalid! (returned: invalid) (result: ["type"] "http-01"
["status"] "invalid"
["error","type"] "urn:ietf:params:acme:error:unauthorized"
["error","detail"] "Invalid response from http://myhost.mydomain/.well-known/acme-challenge/y2C3vJWm4-sTlcFOJgu4ZYJ-oNGvhBx6vMUUHL3jabM [my.ip.add.ress]: \"\u003c!DOCTYPE HTML PUBLIC \\\"-//IETF//DTD HTML 2.0//EN\\\"\u003e\\n\u003chtml\u003e\u003chead\u003e\\n\u003ctitle\u003e403 Forbidden\u003c/title\u003e\\n\u003c/head\u003e\u003cbody\u003e\\n\u003ch1\u003eForbidden\u003c/h1\u003e\\n\u003cp\""
["error","status"] 403
["error"] {"type":"urn:ietf:params:acme:error:unauthorized","detail":"Invalid response from http://myhost.mydomain/.well-known/acme-challenge/y2C3vJWm4-sTlcFOJgu4ZYJ-oNGvhBx6vMUUHL3jabM [my.ip.add.ress]: \"\u003c!DOCTYPE HTML PUBLIC \\\"-//IETF//DTD HTML 2.0//EN\\\"\u003e\\n\u003chtml\u003e\u003chead\u003e\\n\u003ctitle\u003e403 Forbidden\u003c/title\u003e\\n\u003c/head\u003e\u003cbody\u003e\\n\u003ch1\u003eForbidden\u003c/h1\u003e\\n\u003cp\"","status":403}
["url"] "https://acme-v02.api.letsencrypt.org/acme/chall-v3/71559634970/xNPwug"
["token"] "y2C3vJWm4-sTlcFOJgu4ZYJ-oNGvhBx6vMUUHL3jabM"
["validationRecord",0,"url"] "http://myhost.mydomain/.well-known/acme-challenge/y2C3vJWm4-sTlcFOJgu4ZYJ-oNGvhBx6vMUUHL3jabM"
["validationRecord",0,"hostname"] "myhost.mydomain"
["validationRecord",0,"port"] "80"
["validationRecord",0,"addressesResolved",0] "my.ip.add.ress"
["validationRecord",0,"addressesResolved"] ["my.ip.add.ress"]
["validationRecord",0,"addressUsed"] "my.ip.add.ress"
["validationRecord",0] {"url":"http://myhost.mydomain/.well-known/acme-challenge/y2C3vJWm4-sTlcFOJgu4ZYJ-oNGvhBx6vMUUHL3jabM","hostname":"myhost.mydomain","port":"80","addressesResolved":["my.ip.add.ress"],"addressUsed":"my.ip.add.ress"}
["validationRecord"] [{"url":"http://myhost.mydomain/.well-known/acme-challenge/y2C3vJWm4-sTlcFOJgu4ZYJ-oNGvhBx6vMUUHL3jabM","hostname":"myhost.mydomain","port":"80","addressesResolved":["my.ip.add.ress"],"addressUsed":"my.ip.add.ress"}]
["validated"] "2022-01-24T22:22:38Z")
Any idea on how to proceed from here?
« Last Edit: January 25, 2022, 12:34:17 PM by Michail Pappas »

Offline Michail Pappas

  • *
  • 339
  • +1/-0
Re: dehydrated cron fails: "Challenge validation has failed"
« Reply #1 on: January 25, 2022, 12:32:00 PM »
For whoever might have the same issue:

1) Please check the wiki entry at https://wiki.koozali.org/Letsencrypt#Challenge_fails_with_unauthorized_403_error

2) If your permissions are ok, then check if user www is in the group shared. To do that, issue a "id www" command. If the shared(500) group is not mentioned then in my case I had to edit /etc/group and /etc/gshadow to append www on the line corresponding to group shared. Worked fine after that.

Offline TerryF

  • grumpy old man
  • *
  • 1,821
  • +6/-0
Re: [SOLVED] dehydrated cron fails: "Challenge validation has failed"
« Reply #2 on: January 25, 2022, 08:48:06 PM »
winners :-)
--
qui scribit bis legit