Strange response from Challenge Validation (403) #405

Closed
opened 2025-12-29 01:24:29 +01:00 by adam · 9 comments

Originally created by @jillian1701 on GitHub (Mar 6, 2019).

Hello. I'm trying to set up dehydrated and I'm getting a strange Challenge Validation error:

```
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "tls-alpn-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:unauthorized",
    "detail": "Incorrect validation certificate for tls-alpn-01 challenge. Requested mysitename.us from x.x.x.x:443. Received 1 certificate(s), first certificate had names \"kubuntu\"",
    "status": 403
  },
```

I'm unsure why it returns "Kubuntu". I do run kubuntu, so it seems logical to assume I've set something up incorrectly. However, this was all working using CertBot.

Any ideas what might be going wrong?

adam closed this issue 2025-12-29 01:24:29 +01:00
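
The error in the opening post reports which certificate the validator received on port 443. The following is an added example (not code from the thread or from dehydrated) that inspects such a certificate locally against the two RFC 8737 requirements for tls-alpn-01: the domain must appear as a SAN dNSName, and the acmeIdentifier extension must be present. The function names and return codes are this example's own, and it assumes the `openssl` command-line tool is installed.

```shell
# Added example: function names and return codes are hypothetical choices.

# Fetch the certificate a server presents when the client offers the
# acme-tls/1 ALPN protocol with SNI set to the domain being validated.
fetch_alpn_cert() {  # usage: fetch_alpn_cert HOST DOMAIN > cert.pem
    openssl s_client -connect "$1:443" -servername "$2" -alpn acme-tls/1 \
        </dev/null 2>/dev/null | openssl x509 -outform PEM
}

# Check a PEM certificate against the two tls-alpn-01 requirements.
# Returns 0 = both present, 1 = domain is not among the SAN dNSNames,
#         2 = acmeIdentifier extension missing, 3 = unreadable certificate.
check_alpn_cert() {  # usage: check_alpn_cert CERT.pem DOMAIN
    cac_text=$(openssl x509 -in "$1" -noout -text) || return 3
    # The SAN values sit on the line after the extension heading.
    cac_sans=$(printf '%s\n' "$cac_text" |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr -d ' ' | tr ',' '\n')
    printf '%s\n' "$cac_sans" | grep -Fxq "DNS:$2" || return 1
    # Depending on the OpenSSL build the extension is printed by name or
    # as the dotted OID 1.3.6.1.5.5.7.1.31, so accept either form.
    printf '%s\n' "$cac_text" |
        grep -Eq 'ACME Identifier|acmeIdentifier|1\.3\.6\.1\.5\.5\.7\.1\.31' ||
        return 2
    return 0
}

# Constructed sample input: a throwaway self-signed certificate, by default
# named only after the machine ("kubuntu" in the error message above).
make_sample_cert() {  # usage: make_sample_cert OUTDIR CN [SAN_DOMAIN]
    if [ -n "${3:-}" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
            -keyout "$1/key.pem" -out "$1/cert.pem" \
            -addext "subjectAltName=DNS:$3" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
            -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
    fi
}
```

While a challenge is pending and the responder is listening, `fetch_alpn_cert x.x.x.x mysitename.us > cert.pem` followed by `check_alpn_cert cert.pem mysitename.us` shows whether the responder is serving a challenge certificate or some unrelated one.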

@txr13 commented on GitHub (Mar 6, 2019):

Are you sure you want to be using the tls-alpn-01 challenge type? This requires a very particular and uncommon configuration to validate, and it's very infrequently seen.


@jillian1701 commented on GitHub (Mar 6, 2019):

@txr13 My ISP blocks port 80 entirely, there is no way to open it up. I'm under the impression that tls-alpn-01 is my only option?


@txr13 commented on GitHub (Mar 6, 2019):

You have two options, in this case: dns-01 and tls-alpn-01. While I'm more familiar with dns-01 challenges (and they also permit wildcard validations), that requires additional configuration as well, so it may not be optimal for your use case either.

I've never used tls-alpn-01, but I can (somewhat) read the code involved. Can you provide more information on your configuration (particularly what you have set as `ALPNCERTDIR`, what responder you're using, and the responder's configuration)?


@jillian1701 commented on GitHub (Mar 6, 2019):

Yes!! Thank you @txr13! It was ALPNCERTDIR. I still had that set as the default, which was what I needed to change. All is working well now. You're the best!

PS - I'm using the instructions found [here](https://medium.com/@decrocksam/deploying-lets-encrypt-certificates-using-tls-alpn-01-https-18b9b1e05edf), so I'm using alpn-responder.py as a responder.

@txr13 commented on GitHub (Mar 6, 2019):

I thought you might be using that source for instructions. While I would change some of those instructions if I had been the one writing it, and while it really doesn't explain how dehydrated does what it does (or why the various options are important), it seems serviceable enough. Glad you got it working!

I'll just leave you with a couple of thoughts for future: be aware that installing dehydrated using those instructions will not keep the script updated automatically. As bugs are fixed, or as the ACME standard evolves, you may eventually find that your script no longer functions correctly. Also, if you're ever asked to provide the version number, the built-in version command will give a result which doesn't make sense. (It will say that you're using "git-master-after-0.6.2", but with a git revision of "unknown".) There will be no way to identify exactly which revision you're using, and it will consequently be more difficult to troubleshoot things for you, if you run into a bug in the script itself.


@jillian1701 commented on GitHub (Mar 6, 2019):

Thanks again, @txr13! Is there a more appropriate set of instructions with a more robust explanation that I could use?

Likewise, is there a better method of installing dehydrated? I do plan to automate this process using a script of some sort. First up was getting things running again! :)


@txr13 commented on GitHub (Mar 7, 2019):

For installation, I would recommend one of two different methods, depending on your needs.

The first option is to simply install from the Ubuntu "universe" repository. I don't know what version you're using, but I can see that Bionic (18.04) is using 0.6.1 (with an additional patch cherry-picked from the 0.6.2 release). Cosmic (18.10) is on 0.6.2 directly. Installing dehydrated from the Ubuntu package repository means that the script will automatically update as the package is updated in future, but won't be bleeding-edge--you'd need to wait for updates to be released by Debian, and then pulled in by Ubuntu. Even so, this is the route I would suggest for most non-technical users. (But in your case, you need tls-alpn-01 support, which isn't present in 0.6.2, so won't be available in any Ubuntu package yet.)

The second option is to install dehydrated by using git to clone the GitHub repository. Full instructions for doing so are probably out of scope for this particular issue, but going this route means that you get the absolute latest version of dehydrated and all its documentation. It does not automatically update on its own, but you can update it at any time by pulling in any new changes from GitHub, including any bug fixes that get patched.

In truth, I would highly recommend looking through the GitHub repository anyway. There's a lot of documentation available (see https://github.com/lukas2511/dehydrated/tree/master/docs). I would also go through the README (https://github.com/lukas2511/dehydrated/blob/master/README.md), particularly the Usage section. (For example, while the Medium post uses the `-f config` parameter when executing `dehydrated`, that parameter isn't actually needed, assuming you don't have another config file present in a higher-priority location.)


@jillian1701 commented on GitHub (Mar 7, 2019):

Thank you for the recommendation. I think I'll go the github route. :)


@lukas2511 commented on GitHub (Mar 8, 2019):

Closing this as this seems resolved. Thanks @txr13! I'm going to release a new version of dehydrated with all the latest changes very soon, hopefully this will land quickly in the external repositories...


Reference: starred/dehydrated#405