mirror of
https://github.com/dehydrated-io/dehydrated.git
synced 2026-01-11 22:30:44 +01:00
http-01, invalid, urn:acme:error:unauthorized, status 403 #183
Originally created by @tekbasse on GitHub (Jan 5, 2017).
What might be causing this error?
The diagnostics test provided in /docs/troubleshooting.md passes. See below.
The config file is using staging CA, per staging.md
Here is complete history of latest attempt:
```
[letsencrypt@or97 ~]$ bash dehydrated/dehydrated -c -f /home/letsencrypt/config
# INFO: Using main config file /home/letsencrypt/config
Processing or97.net
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:acme:error:unauthorized",
    "detail": "Invalid response from http://or97.net/.well-known/acme-challenge/VuYLOVM67NO_vVlYmbQYyBJcUVnNhEUhrIPS7auZjM8 [188.227.186.70]: 404",
    "status": 403
  },
  "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/ScDB3W7f9fcLmt_8s3waNELOY9sJ1QInzkR0nkEeKeI/19674597",
  "token": "VuYLOVM67NO_vVlYmbQYyBJcUVnNhEUhrIPS7auZjM8",
  "keyAuthorization": "VuYLOVM67NO_vVlYmbQYyBJcUVnNhEUhrIPS7auZjM8.SjR9lX0eFmmOyCAllb43DCesuKnhj7ocuE0buM6iZIY",
  "validationRecord": [
    {
      "url": "http://or97.net/.well-known/acme-challenge/VuYLOVM67NO_vVlYmbQYyBJcUVnNhEUhrIPS7auZjM8",
      "hostname": "or97.net",
      "port": "80",
      "addressesResolved": [
        "188.227.186.70"
      ],
      "addressUsed": "188.227.186.70"
    }
  ]
})
```
I created a replica file using the same user. Here's the results:
```
$ telnet or97.net 80
Trying 188.227.186.70...
Connected to or97.net.
Escape character is '^]'.
GET .well-known/acme-challenge/VuYLOVM67NO_vVlYmbQYyBJcUVnNhEUhrIPS7auZjM8 HTTP/1.1
Host: or97.net

HTTP/1.1 200 OK
Server: NaviServer/4.99.12
Date: Thu, 05 Jan 2017 04:21:30 GMT
Set-Cookie: ad_user_login=""; Expires=Fri, 01-Jan-1980 01:00:00 GMT; Path=/
Set-Cookie: ad_secure_token=""; Expires=Fri, 01-Jan-1980 01:00:00 GMT; Path=/; Secure
Set-Cookie: ad_user_login_secure=""; Expires=Fri, 01-Jan-1980 01:00:00 GMT; Path=/; Secure
Set-Cookie: ad_session_id="78360046%252c0%252c0%252c1483590090%2b%257b874%2b1483591290%2bD68F6CFD05A841A5AD4F1DBAEF4E4CD3BF33DDB1%257d"; Expires=Fri, 01-Jan-2035 01:00:00 GMT; Path=/; Discard; HttpOnly
Last-Modified: Thu, 05 Jan 2017 03:54:55 GMT
Content-Type: /
Accept-Ranges: bytes
Content-Length: 8
Connection: keep-alive

success
Connection closed by foreign host.
```
@tekbasse commented on GitHub (Jan 5, 2017):
server log shows a slight variation of the GET url from letsencrypt staging server than the one tested via telnet; i.e. a '/' prefix:
```
66.133.109.36 - - [05/Jan/2017:03:53:04 +0000] "GET /.well-known/acme-challenge/VuYLOVM67NO_vVlYmbQYyBJcUVnNhEUhrIPS7auZjM8 HTTP/1.1" 404 697 "" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" " 1483588384.020250 0.000284 0.000045 0.001559 0.000144"
```
However, all cases in the server log show the same GET url, and there doesn't seem to be a difference in the data returned via telnet on a retest with prefix '/'
@tekbasse commented on GitHub (Jan 5, 2017):
You'll notice the server log shows 404 for this case, but the log shows the server returns 200 for the test cases.
Is it possible this is a timing issue between dehydrated and letsencrypt? Is the script removing the file before it's checked, or is it possible the file is created and removed after it's checked?
@lukas2511 commented on GitHub (Jan 5, 2017):
This normally happens when WELLKNOWN isn't configured correctly, it should point directly to the directory you are serving under /.well-known/acme-challenge.
There also can't be a timing problem, the script creates the files before the checks and doesn't remove them until after everything is completed.
I'm closing this for now as it really just seems to be a configuration issue.
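
One way to check the mapping described in the comment above, as an added example that is not part of the thread or of dehydrated: write a probe file through `WELLKNOWN` and look for it under the path the web server maps to `/.well-known/acme-challenge`. The function name `check_wellknown` and its document-root argument are hypothetical, and the check assumes the server serves static files from that document root.

```shell
#!/bin/sh
# Added example, not dehydrated code. check_wellknown is a hypothetical helper.
#   $1 = WELLKNOWN value from the dehydrated config
#   $2 = document root the web server uses for the domain (assumption:
#        plain static file mapping, no rewrite rules in front of it)
# Returns 0 if a file written to WELLKNOWN is visible under
# <docroot>/.well-known/acme-challenge, 1 if it is not, 2-4 on setup errors.
check_wellknown() {
    wellknown=$1
    docroot=$2
    served="$docroot/.well-known/acme-challenge"

    [ -d "$wellknown" ] || { echo "WELLKNOWN is not a directory: $wellknown"; return 2; }
    [ -d "$served" ]    || { echo "missing under document root: $served"; return 3; }

    # Write a probe the same way a challenge token file would be written.
    # Testing through the filesystem follows symlinks and mounts, which a
    # string comparison of the two paths would miss.
    probe="probe-$$"
    printf 'probe %s\n' "$$" > "$wellknown/$probe" \
        || { echo "cannot write to $wellknown"; return 4; }

    if [ -f "$served/$probe" ] && cmp -s "$wellknown/$probe" "$served/$probe"; then
        echo "OK: $wellknown is served as /.well-known/acme-challenge"
        rc=0
    else
        echo "MISMATCH: files written to $wellknown do not appear in $served"
        rc=1
    fi

    rm -f "$wellknown/$probe"
    return $rc
}
```

A result of 1 means challenge files land somewhere other than the served directory, which the validation server sees as a 404 on `/.well-known/acme-challenge/<token>`.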
@tekbasse commented on GitHub (Jan 5, 2017):
You write: WELLKNOWN "should point directly to the directory you are serving under /.well-known/acme-challenge."
To be clear, I've tried pointing WELLKNOWN at different directories in the server's delivery tree, including one that doesn't send cookies with the content, but letsencrypt response is consistently a 404 error with reference to the server's root directory.
I know dehydrated is using other values from config; the evidence is in the lack of errors and the files returned in specified non-default locations.
Might value of WELLKNOWN get overwritten or lost somewhere?
dehydrated is supplied only 1 domain via domains.txt (no www.or97.net). Has this case been tested?
@tekbasse commented on GitHub (Jan 5, 2017):
btw:
```
$ bash --version
GNU bash, version 4.3.42(1)-release
$ uname -r
10.3-STABLE
```
@tekbasse commented on GitHub (Jan 5, 2017):
This seems conspicuously similar to issue #330 except producing a silent error later on. My understanding of bash is limited, but am investigating further.