Hi,
I'm seeking assistance with an issue concerning contact between LetsEncrypt and the .well-known/acme-challenge directory on Primary ibays.
Whenever I attempt to request a certificate for my host, port 80 appears to be blocked.
ERROR: Challenge is invalid! (returned: invalid) (result: ["type"] "http-01"
["status"] "invalid"
["error","type"] "urn:ietf:params:acme:error:unauthorized"
["error","detail"] "3x.4x.1xx.1xx: Invalid response from http://xxx.xxx.xx/.well-known/acme-challenge/L1X7e-Bk6RTNzU1PRZUbw15Fah4Ngqb5q3pLz4pjfiU: 403"
["error","status"] 403
["error"] {"type":"urn:ietf:params:acme:error:unauthorized","detail":"3x.4x.1xx.1xx: Invalid response from http://xxx.xxx.xx/.well-known/acme-challenge/L1X7e-Bk6RTNzU1PRZUbw15Fah4Ngqb5q3pLz4pjfiU: 403","status":403}
["url"] "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/7777081114/NfinGQ"
["token"] "L1X7e-Bk6RTNzU1PRZUbw15Fah4Ngqb5q3pLz4pjfiU"
Here is the error raised by the HTTPD server:
[Thu Aug 17 09:35:38.214890 2023] [mpm_prefork:notice] [pid 13378] AH00170: caught SIGWINCH, shutting down gracefully
[Thu Aug 17 09:35:40.009089 2023] [ssl:warn] [pid 6944] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Thu Aug 17 09:35:40.029888 2023] [ssl:warn] [pid 6944] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Thu Aug 17 09:35:40.034853 2023] [mpm_prefork:notice] [pid 6944] AH00163: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips configured -- resuming normal operations
[Thu Aug 17 09:35:40.034889 2023] [core:notice] [pid 6944] AH00094: Command line: '/usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -D FOREGROUND'
[Thu Aug 17 09:36:03.711764 2023] [ssl:error] [pid 6945] [client 3.144.158.189:27056] AH02219: access to /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge/L1X7e-Bk6RTNzU1PRZUbw15Fah4Ngqb5q3pLz4pjfiU failed, reason: SSL connection required
[Thu Aug 17 09:36:03.797689 2023] [ssl:error] [pid 6946] [client 54.214.208.145:34820] AH02219: access to /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge/L1X7e-Bk6RTNzU1PRZUbw15Fah4Ngqb5q3pLz4pjfiU failed, reason: SSL connection required
[Thu Aug 17 09:36:04.108604 2023] [ssl:error] [pid 6948] [client 23.178.112.106:10592] AH02219: access to /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge/L1X7e-Bk6RTNzU1PRZUbw15Fah4Ngqb5q3pLz4pjfiU failed, reason: SSL connection required
The directory in question is set to require HTTPS, yet it seems to be unreachable via HTTP. Although the .well-known/acme-challenge directory exists, the expected file isn't being created.
I suspect there might be issues with port 80 being blocked and potential misconfiguration of permissions within these directories that might prevent LetsEncrypt from creating the necessary file. (The 80 port is authorized on the password
The permissions for the acme-challenge and .well-known directories appear to be correct:
drwxrwsr-x 2 apache shared 4096 [Date Redacted] acme-challenge/
drwxrwsr-x 3 apache shared [Date Redacted] .well-known/
I'm unsure of how to temporarily allow access to the Primary ibays on the http port, but I believe it might resolve the issue.
Regards
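
An added example, not part of the original post: a small Python triage script that scans Apache 2.4 error-log lines of the kind quoted above for AH02219 refusals on ACME challenge paths and groups them by http-01 token, so the 403 reported by the CA can be matched to the reason the server logged. The function name, sample path, token and client addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache 2.4 error-log layout: [time] [module:level] [pid N] [client ip:port] AHnnnnn: message
LINE_RE = re.compile(
    r"^\[(?P<time>[^\]]+)\] \[(?P<module>\w+):(?P<level>\w+)\] \[pid \d+\] "
    r"(?:\[client (?P<ip>[0-9a-fA-F.:]+):\d+\] )?(?P<code>AH\d{5}): (?P<msg>.*)$"
)
# The path component after .well-known/acme-challenge/ is the http-01 token.
TOKEN_RE = re.compile(r"/\.well-known/acme-challenge/(?P<token>[A-Za-z0-9_-]+)")

# Constructed sample lines (documentation-range client addresses, made-up token).
SAMPLE_LOG = [
    "[Thu Aug 17 09:35:40.034853 2023] [mpm_prefork:notice] [pid 6944] "
    "AH00163: Apache/2.4.6 (CentOS) configured -- resuming normal operations",
    "[Thu Aug 17 09:36:03.711764 2023] [ssl:error] [pid 6945] [client 192.0.2.10:27056] "
    "AH02219: access to /srv/www/html/.well-known/acme-challenge/EXAMPLE-token_123 "
    "failed, reason: SSL connection required",
    "[Thu Aug 17 09:36:03.797689 2023] [ssl:error] [pid 6946] [client 198.51.100.7:34820] "
    "AH02219: access to /srv/www/html/.well-known/acme-challenge/EXAMPLE-token_123 "
    "failed, reason: SSL connection required",
    "[Thu Aug 17 09:36:05.000000 2023] [ssl:error] [pid 6947] [client 192.0.2.10:27060] "
    "AH02219: access to /srv/www/html/private/index.html failed, reason: SSL connection required",
]

def acme_refusals(lines):
    """Return {token: {"reason": str, "clients": [ip, ...]}} for AH02219 lines on ACME paths."""
    found = defaultdict(lambda: {"reason": None, "clients": []})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group("code") != "AH02219":
            continue  # not an SSL-requirement access refusal
        t = TOKEN_RE.search(m.group("msg"))
        if not t:
            continue  # refusal on a path unrelated to the ACME challenge
        entry = found[t.group("token")]
        entry["reason"] = m.group("msg").rsplit("reason: ", 1)[-1]
        entry["clients"].append(m.group("ip"))
    return dict(found)

if __name__ == "__main__":
    for token, info in acme_refusals(SAMPLE_LOG).items():
        print(f"{token}: {len(info['clients'])} refused request(s), reason: {info['reason']}")
```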