dehydrated fails with "challenge is invalid" #272

Closed
opened 2025-12-29 01:20:46 +01:00 by adam · 9 comments

Originally created by @alavarre on GitHub (Jan 10, 2018).

Love this program and it has saved lots of pain in the past, but I seem to have broken it. How to reconnect it to apache2? Certbot works as far as certs, but doesn't fix apache:

Enabling PHP disables SSL. This is totally reproducible:

  1. disable php (5 or 7) in the server module configuration (for opensuse leap 42.2 that is yast), restart the server

  2. Run
    sudo certbot --authenticator webroot --webroot-path /srv/www/htdocs/<vhost> --installer apache

  3. Go to the vhost website. It correctly lists the contents of the <vhost> directory but does not execute .php files because of 1. above.

  4. Enable PHP in the server module configuration, restart the server

  5. Go to the vhost website. It throws
    ERR_SSL_PROTOCOL_ERROR

  6. Go to 1. above, loop.
    x.x.x.x.x.x.x.x
    Installed certbot-apache plugin, which has been deprecated to the crypto plugin...
    https://pypi.python.org/pypi/certbot-apache

Once done with that ran
sudo certbot --authenticator webroot --webroot-path /srv/www/htdocs/privustech --installer apache -d privustech.com
and it just worked...
So now we can read the site under https, but PHP still is not executing...
.........................
Running certbot results in a Qualys grade of "A" but
• Running dehydrated -c -x -f /etc/dehydrated/config fails with "challenge is invalid"
• Following the instructions:
https://github.com/lukas2511/dehydrated
+ config, domain.txt, and hook.sh are present and appear valid (although only the local line is uncommented)
+ I've set the staging CA and CA_TERMS in config to avoid running out of limits (and subsequently removed them...)
+ I've added the opensuse security repository but dehydrated-apache does not appear so is not installed (although this was not an issue before)
+ .well-known is copied to all the vhost sites
+ listen.conf includes both 80 and 443
-x-x-x-x-x-x-x-x-x-x-x-x-x-x
Everything has been working for almost a year; I run certbot on schedule regularly and life is good.

But I was using PHP5 and have a need for PHP7, so upgraded my system (opensuse Leap 42.2 using yast) to install PHP7 and remove PHP5. At which point the server stopped executing PHP: scripts were being downloaded instead of executed.

Much farkling about: reinstalled PHP5, removed PHP7, no joy. Finally said nuke it all (PHP, apache2) and reinstall, at which point PHP7 resumed functioning but SSL stopped working.

Ran
dehydrated -c -x -f /etc/dehydrated/config
which fails with this error.

The four vhosts are responding on port 80 but not on port 443.
:-(

I suspect there is an easy way to reset things, given how cool dehydrated is, but I haven't found it yet....

Thanks in advance, Andy

adam closed this issue 2025-12-29 01:20:46 +01:00

@alavarre commented on GitHub (Jan 10, 2018):

OBTW, using hyphens or equal signs (even just one) in this editor changes everything above it to bold!

Yikes!
:-)


@iphoting commented on GitHub (Jan 11, 2018):

LE has disabled cert generation for TLS method: https://community.letsencrypt.org/t/2018-01-09-issue-with-tls-sni-01-and-shared-hosting-infrastructure/49996


@alavarre commented on GitHub (Jan 11, 2018):

Thank you for your notification.

Tomorrow is another day, but for now this may explain why dehydrated fails, so I'll take a look tomorrow to changing the cert method from TLS to something else.

But in the meantime, I cannot understand why enabling PHP disables SSL... :-( maybe I need to change the server from opensuse to something more friendly like Mint, but that will be a major undertaking... :-(

Thanks again.


@lukas2511 commented on GitHub (Jan 11, 2018):

I'm really not sure what your problem is? Are you even using dehydrated? You are saying that you are using certbot? Also this seems more like an Apache problem in general than a dehydrated problem. Sorry but I'm closing this as I really don't think this has anything to do with this project.

Also @iphoting dehydrated never used tls-sni-01 verification, it was always using http-01 (default) and dns-01 verification.


@alavarre commented on GitHub (Jan 11, 2018):

Hi, thanks, yes I'm using dehydrated, but it isn't working, so I'm trying other things, including certbot.
I've gone back to your tutorial and gone through it all (the example command has -c and -f inverted).

It creates the CSR, the cert, the key and then fails with
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:acme:error:unauthorized",
    "detail": "Invalid response from http://privustech.com/.well-known/acme-challenge/lFNXf9Ked61zibv20YV9xBtGWd-nsXpIPGdWCITT8w0: \"\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\n\u003c!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\"\n \"http://www.w3.org/TR/xhtml1/D\"",
    "status": 403
  },

Thanks again.


@alavarre commented on GitHub (Jan 11, 2018):

I have created .well-known at the root of the website:
/srv/www/htdocs/
drwxr-xr-x 3 wwwrun www 4096 Jan 11 14:31 .well-known
it contains the acme-challenge subdirectory
drwxr-xr-x 2 wwwrun www 4096 Feb 7 2017 acme-challenge
which contains
-rw-r--r-- 1 wwwrun www 0 Feb 7 2017 m4g1C-t0k3n
so there is no obvious reason for the 403 error.
I also tried putting it at
/srv/www/.well-known
without success.


@txr13 commented on GitHub (Jan 11, 2018):

@alavarre The 403 error indicates the problem is in your Apache config. Have you followed the example given in https://github.com/lukas2511/dehydrated/blob/master/docs/wellknown.md ?

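A preflight for the http-01 path that the 403 above points at, as an added example (not dehydrated's own code): it drops a probe token into the WELLKNOWN directory, checks the on-disk permissions the listing earlier in the thread shows, and fetches the token over plain HTTP the way the CA would, so a permissions problem and an httpd refusal are told apart. The domain, directory and simulated httpd replies used in run_scenarios are constructed.

```python
import os
import secrets
import stat
import tempfile
import urllib.error
import urllib.request

def http_fetch(url):
    # Plain-HTTP GET returning (status, body), also for 4xx/5xx replies.
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

def world_readable(path):
    # wwwrun needs the 'other' read bit; a directory also needs the search bit.
    mode = os.stat(path).st_mode
    need = stat.S_IROTH | (stat.S_IXOTH if stat.S_ISDIR(mode) else 0)
    return (mode & need) == need

def check_wellknown(domain, wellknown, fetch=http_fetch):
    # Probe WELLKNOWN as the CA would; returns 'local-perms', 'http-<status>', 'mismatch' or 'ok'.
    token = secrets.token_urlsafe(32)          # same shape as an ACME token
    path = os.path.join(wellknown, token)
    with open(path, "w") as fh:
        fh.write(token)
    os.chmod(path, 0o644)   # the probe itself is readable; test the rest
    try:
        if not (world_readable(wellknown) and world_readable(path)):
            return "local-perms"   # ancestor directories need search bits too
        status, body = fetch(f"http://{domain}/.well-known/acme-challenge/{token}")
        if status != 200:
            # 403 plus an HTML body, as in the thread: httpd refused the request itself (Alias/Require)
            return f"http-{status}"
        if body.strip() != token.encode():
            return "mismatch"   # 200 but not our token: another vhost answered
        return "ok"
    finally:
        os.remove(path)

def run_scenarios():
    # Exercise the check against constructed httpd replies; no network needed.
    echo = lambda url: (200, url.rsplit("/", 1)[1].encode())
    with tempfile.TemporaryDirectory() as tmp:   # created with mode 0700
        private = check_wellknown("example.invalid", tmp, echo)
        os.chmod(tmp, 0o755)
        forbidden = check_wellknown("example.invalid", tmp, lambda u: (403, b"<html>"))
        served = check_wellknown("example.invalid", tmp, echo)
    return {"private-dir": private, "forbidden": forbidden, "served": served}
```

For a real host, call check_wellknown with the domain from domains.txt and the WELLKNOWN path from config; the default fetcher goes out over HTTP.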

@alavarre commented on GitHub (Jan 12, 2018):

OMG do I love backups. I had saved the site as /etc/apache2-160115 two years ago... So what the heck, it's broken anyhow, give it a shot: deleted /etc/apache2, copied the backup... BOOM. Done.
Ran certbot, it reinstalled all the certs, and we are up and running.
Closed... :-)
www.privustech.com

Thanks to all.


@alavarre commented on GitHub (Jan 14, 2018):

Just to put this completely to rest, problem solved, multiple causes. Hope this helps:
https://privustech.com/index.php/reconciling-php7-with-certbot-ssl-under-opensuse-leap-42-2-apache2/

Reference: starred/dehydrated#272