HTTP challenge is invalid #355

Closed
opened 2025-12-29 01:23:37 +01:00 by adam · 2 comments

Originally created by @Footur on GitHub (Jun 7, 2018).

I have a very similar issue to #465.

I checked if a file can be accessed via the URL http://example.net/.well-known/acme-challenge/test.html, and this works fine with curl.

When I want to renew the certificate, I always get the following error message:

```
# INFO: Using main config file /etc/dehydrated/config
Processing example.net with alternative names: www.example.net
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Jul 16 12:10:51 2018 GMT (Longer than 30 days). Skipping renew!
Processing example.net with alternative names: www.example.net
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 2 authorizations URLs from the CA
 + Handling authorization for example.net
 + Handling authorization for www.example.net
 + 2 pending challenge(s)
 + Deploying challenge tokens...
 + Responding to challenge for example.net authorization...
 + Cleaning challenge tokens...
 + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:unauthorized",
    "detail": "Invalid response from http://example.net/.well-known/acme-challenge/OwcyTl0EXL1AGp6FnvkRpou1MGH1Wg5JGHZPncQmx1s: \"\u003c?xml version=\"1.0\" encoding=\"utf-8\"?\u003e\n\u003c!DOCTYPE html\n    PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\"\n    \"http://www.w3.org\"",
    "status": 403
  },
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/712i8R9j9ks7iYe9EFyfg_NvMX9tLWpAElCfaROeEaQ/133781095",
  "token": "OwcyTl0EXL1AGp6FnvkRpou1MGH1Wg5JGHZPncQmx1s",
  "validationRecord": [
    {
      "url": "http://example.net/.well-known/acme-challenge/OwcyTl0EXL1AGp6FnvkRpou1MGH1Wg5JGHZPncQmx1s",
      "hostname": "example.net",
      "port": "80",
      "addressesResolved": [
        "203.0.113.123"
      ],
      "addressUsed": "203.0.113.123"
    },
    {
      "url": "https://www.example.net/.well-known/acme-challenge/OwcyTl0EXL1AGp6FnvkRpou1MGH1Wg5JGHZPncQmx1s",
      "hostname": "www.example.net",
      "port": "443",
      "addressesResolved": [
        "203.0.113.123"
      ],
      "addressUsed": "203.0.113.123"
    }
  ]
})
```

Do you have any more tips on how I can better debug this problem?

Here is my dehydrated config:

```
IP_VERSION=4
CA="https://acme-staging-v02.api.letsencrypt.org/directory"
WELLKNOWN="/srv/www/vhosts/dehydrated"
```

Here is my Apache vhost config:

```apache
<VirtualHost 203.0.113.123:80>
 ServerAlias example.net
 ServerAlias www.example.net

 ErrorLog /var/log/apache2/example.net-error_log
 CustomLog /var/log/apache2/example.net-access_log combined

 HostnameLookups Off
 UseCanonicalName Off
 ServerSignature Off
 TraceEnable Off

 # Redirect
 RewriteEngine On
 RewriteCond %{HTTP_HOST} !^www\. [NC]
 RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge [NC]
 RewriteRule ^(.*)$ https://www.%{HTTP_HOST}$1 [R=301,L]

 RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge [NC]
 RewriteCond %{HTTPS} off
 RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

 # Let's Encrypt
 Alias /.well-known/acme-challenge /srv/www/vhosts/dehydrated
 <Directory /srv/www/vhosts/dehydrated>
  Options None
  AllowOverride None

  <IfModule mod_authz_core.c>
   Require all granted
  </IfModule>
 </Directory>

</VirtualHost>
```

```apache
<VirtualHost 203.0.113.123:443>
 ServerAdmin webmaster@example.net
 ServerName www.example.net
 ServerAlias example.net
 DocumentRoot /srv/www/vhosts/example.net
 ErrorLog /var/log/apache2/www.example.net-ssl-error_log
 CustomLog /var/log/apache2/www.example.net-ssl-access_log combined
 HostnameLookups Off
 UseCanonicalName Off
 ServerSignature Off
 TraceEnable Off

 # Redirect
 RewriteEngine On
 RewriteCond %{HTTP_HOST} !^www\. [NC]
 RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge [NC]
 RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [R=301,L]

 SSLEngine on
 SSLCertificateFile /etc/dehydrated/certs/example.net/fullchain.pem
 SSLCertificateKeyFile /etc/dehydrated/certs/example.net/privkey.pem
 SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS
 SSLProtocol all -SSLv2 -SSLv3

 <Directory "/srv/www/vhosts/example.net">
  Options FollowSymLinks
  AllowOverride All
  Require all granted
 </Directory>

 # Let's Encrypt
 Alias /.well-known/acme-challenge /srv/www/vhosts/dehydrated
 <Directory /srv/www/vhosts/dehydrated>
  Options None
  AllowOverride None

  <IfModule mod_authz_core.c>
   Require all granted
  </IfModule>
 </Directory>

</VirtualHost>
```

OS:

```
lsb_release -a
LSB Version:	n/a
Distributor ID:	SUSE LINUX
Description:	SUSE Linux Enterprise Server 12 SP1
Release:	12.1
Codename:	n/a
```
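The validation record in the log above shows what the CA actually did: it fetched the token over plain HTTP on port 80, followed a redirect to https://www.example.net on port 443, and got a 403 with an HTML error page instead of the key authorization. The following script is an added example, not part of dehydrated or of the original report. It reproduces that walk hop by hop without following redirects blindly, and classifies each response the way a validator would (redirect that keeps the challenge path: follow it, but the target vhost must also serve the `WELLKNOWN` directory; redirect that drops the path, a 403, or a body that is not `<token>.<thumbprint>`: failure). The `fetch_once` helper does a live request; the constructed `BROKEN_SITE` and `FIXED_SITE` tables stand in for a server so the script also runs offline. The token is the one from the log; the thumbprint value is made up.

```python
"""Hop-by-hop checker for ACME HTTP-01 challenge delivery (added example)."""
import re
import urllib.error
import urllib.request

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# A key authorization is "<token>.<JWK thumbprint>", both base64url without padding.
KEYAUTHZ_RE = re.compile(r"^([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]+)\s*$")


def classify_response(status, headers, body, token):
    """Return (state, reason) for one hop; state is 'ok', 'follow' or 'fail'."""
    headers = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400:
        location = headers.get("location", "")
        if CHALLENGE_PREFIX + token in location:
            return ("follow", f"redirect keeps the challenge path -> {location}; "
                              "the target vhost must also serve WELLKNOWN")
        return ("fail", f"redirect drops the challenge path -> {location!r}; "
                        f"exclude {CHALLENGE_PREFIX} from the rewrite rules")
    if status == 403:
        return ("fail", "403 Forbidden: check the <Directory> for WELLKNOWN and the error_log")
    if status != 200:
        return ("fail", f"unexpected HTTP status {status}")
    m = KEYAUTHZ_RE.match(body)
    if not m or m.group(1) != token:
        return ("fail", f"body is not the key authorization for this token: {body.strip()[:40]!r}")
    return ("ok", "key authorization served")


def fetch_once(url, timeout=10):
    """Live fetch of a single hop; redirects are returned, not followed."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # makes urllib raise HTTPError for the 3xx instead of following

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers), e.read().decode("utf-8", "replace")


def check_challenge(url, token, fetch=fetch_once, max_hops=10):
    """Walk redirects like a validator; return (ok, [(url, status, reason), ...])."""
    hops = []
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        state, reason = classify_response(status, headers, body, token)
        hops.append((url, status, reason))
        if state != "follow":
            return state == "ok", hops
        url = {k.lower(): v for k, v in headers.items()}["location"]
    hops.append((url, None, "too many redirects"))
    return False, hops


# Constructed samples modelled on the validation record in the issue log.
TOKEN = "OwcyTl0EXL1AGp6FnvkRpou1MGH1Wg5JGHZPncQmx1s"
THUMB = "constructedThumbprint0000000000000000000000"  # made-up value
START_URL = f"http://example.net{CHALLENGE_PREFIX}{TOKEN}"
HTML_403 = '<?xml version="1.0" encoding="utf-8"?>\n<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN">'
BROKEN_SITE = {
    START_URL: (301, {"Location": f"https://www.example.net{CHALLENGE_PREFIX}{TOKEN}"}, ""),
    f"https://www.example.net{CHALLENGE_PREFIX}{TOKEN}": (403, {"Content-Type": "text/html"}, HTML_403),
}
FIXED_SITE = {START_URL: (200, {"Content-Type": "text/plain"}, f"{TOKEN}.{THUMB}\n")}


def fake_fetch(site):
    """Offline stand-in for fetch_once backed by a url -> (status, headers, body) table."""
    return lambda url: site.get(url, (404, {}, "not found"))


if __name__ == "__main__":
    for name, site in (("broken", BROKEN_SITE), ("fixed", FIXED_SITE)):
        ok, hops = check_challenge(START_URL, TOKEN, fetch=fake_fetch(site))
        print(f"{name}: {'OK' if ok else 'FAIL'}")
        for url, status, reason in hops:
            print(f"  {status} {url}\n      {reason}")
```

Against a live host, call `check_challenge("http://example.net/.well-known/acme-challenge/test.html", "test.html")` after placing a file containing `test.html.anything` in `WELLKNOWN`; a failure in the second hop, as in the broken sample, points at the vhost the redirect lands on rather than the one the request started at.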
adam closed this issue 2025-12-29 01:23:37 +01:00

@lukas2511 commented on GitHub (Jun 7, 2018):

Sorry, I can't really help you with that; this seems like a webserver misconfiguration to me. I'd recommend you take a look at your logfiles; maybe you'll see a reason for why it doesn't work in there. Closing this ticket because this is not a dehydrated issue.


@cpu commented on GitHub (Jun 7, 2018):

@Footur The Let's Encrypt [community forum](https://community.letsencrypt.org) would be happy to help you work through webserver configuration issues related to Let's Encrypt. Please open a new thread there in the help category and provide as much of the requested information as possible. Thanks!

@lukas2511 Please feel free to send this sort of troubleshooting to the forum!

Reference: starred/dehydrated#355