mirror of
https://github.com/dehydrated-io/dehydrated.git
synced 2026-01-11 22:30:44 +01:00
Challenge validation has failed (apache reverse proxy) #392
Originally created by @sdblanchet on GitHub (Dec 26, 2018).
Hi
I'm trying to get a certificate for one of my sites and getting nowhere.
Some background information: my network structure is, as stated, behind a (CentOS 7.5) Apache reverse proxy, but it is also reached through a dyndns redirection!!! My ISP is blocking port 80. In the past I was redirecting everything to port 8080 and it was working well. Now, because everything is going https, I wanted to get letsencrypt certificates, but because of port 80 being blocked and not having access to the DNS records I was hoping for tls_alpn-01.
I have set up the dehydrated stuff in /etc/dehydrated, created the hook.sh script from your example, created the domains.txt file for a single site and the config file with the required _USER, _GROUP, IP_VERSION, CA as staging, CHALLENGETYPE=tls-alpn-01, CONFIG_D=/etc/dehydrated/config, CERTDIR/$BASEDIR/certs, ALPNCERTDIR=$BASEDIR/alpn-certs, WELLKNOWN=/var/www/html/dehydrated/, RENEW_DELAY=60, KEY_ALGO=rsa. The hook.sh file was also modified to reflect my configuration, with certs pointing to my self-signed certificates and httpd replacing nginx.
As root I ran
./dehydrated --register --accept-terms -f config/config
and then
./dehydrated -c -f config/config
with the following results:
./dehydrated --register --accept-terms -f config/config
INFO: Using main config file config/config
./dehydrated -c -f config/config
INFO: Using main config file config/config
Processing www.cloud.sdbl.homelinux.net
ERROR: Challenge is invalid! (returned: invalid) (result: {
"type": "tls-alpn-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge",
"status": 403
},
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/0ukP1YqdR8nHWg39bPi-FmX7XzToodg2CYBhyfqgObc/213663690",
"token": "EYSgysjiytJxAGKGGWZ_pHIsSjrRotDT08O7hmoamYw",
"validationRecord": [
{
"hostname": "www.cloud.sdbl.homelinux.net",
"port": "443",
"addressesResolved": [
"70.83.210.222"
],
"addressUsed": "70.83.210.222"
}
]
})
I have some questions:
1- Where should tls-responder.py be running in my current configuration?
on the proxy server or on the cloud server
2- Where should the /var/www/html/dehydrated directory be created?
on the proxy server or on the cloud server
3- Because of the dyndns redirection, am I using the proper URL,
cloud.sdbl.homelinux.net (IP is set up here) or sdblcloud.webhop.net?
Anyway, just hoping you can help me some.
Sylvain
@lukas2511 commented on GitHub (Dec 27, 2018):
For this you'll need a "web"-server (it could actually be a standalone TLS server) with TLS-ALPN support.
You can think of TLS-ALPN like a new kind of network protocol "port" where you have multiple services running on a normal TCP port, identified by name.
acme-tls requests have to be redirected to the tls-responder, everything else (like h2 for http2 iirc) to your normal webserver. I have no idea if this works with just Apache, but you could install nginx as a proxy server in front of your apache server, just for handling TLS-ALPN.
The html/dehydrated directory is completely ignored for TLS-ALPN verification, it just has to exist so the initial config checks will work. Could just as well be /tmp for a TLS-ALPN-only setup.
Since this is not really an issue I'm closing this ticket. Feel free to ask questions anyway, I'll still get the notifications.
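The ALPN-based demultiplexing described in the reply above, as an added illustration that is not part of this issue or of dehydrated's own code: a small Python parser pulls the ALPN list out of a TLS ClientHello and picks a backend the way a front proxy (for example nginx's ssl_preread) would, sending acme-tls/1 to the tls-responder and anything else to the normal web server. A ClientHello that never offers acme-tls/1 is exactly the case that ends in the "Cannot negotiate ALPN protocol" error shown in the issue. The responder and web server addresses are assumed placeholders, and build_client_hello only constructs test input.

```python
import struct

ACME_ALPN = b"acme-tls/1"
RESPONDER = "127.0.0.1:10443"   # assumed address of the dehydrated tls-responder
WEBSERVER = "127.0.0.1:8443"    # assumed address of the Apache reverse proxy

def build_client_hello(alpn_protocols):
    """Constructed minimal TLS ClientHello record carrying only an ALPN extension (test input)."""
    alpn_list = b"".join(bytes([len(p)]) + p for p in alpn_protocols)
    alpn_ext = struct.pack("!HHH", 16, len(alpn_list) + 2, len(alpn_list)) + alpn_list
    body = (b"\x03\x03" + b"\x00" * 32      # legacy version + client random
            + b"\x00"                        # empty session id
            + b"\x00\x02\x13\x01"            # one cipher suite (TLS_AES_128_GCM_SHA256)
            + b"\x01\x00"                    # compression methods: null only
            + struct.pack("!H", len(alpn_ext)) + alpn_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def alpn_protocols(record):
    """Return the ALPN protocol names offered in a ClientHello record ([] if none)."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    handshake = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not handshake or handshake[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]
    pos = 2 + 32                                            # version + random
    pos += 1 + body[pos]                                    # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher suites
    pos += 1 + body[pos]                                    # compression methods
    if pos + 2 > len(body):
        return []                                           # no extensions at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == 16:                                     # application_layer_protocol_negotiation
            names, i = [], 2
            while i < len(data):
                n = data[i]
                names.append(data[i + 1:i + 1 + n])
                i += 1 + n
            return names
    return []

def choose_backend(record):
    """Route the connection by ALPN: acme-tls/1 to the responder, everything else to the web server."""
    return RESPONDER if ACME_ALPN in alpn_protocols(record) else WEBSERVER
```

The same decision in production is taken by the front proxy before the TLS handshake completes, so the responder and Apache each terminate TLS themselves; a CA validator whose ClientHello offers acme-tls/1 must land on the responder, never on Apache.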