403 Error on letsencrypt tls-alpn-01 #537

Closed
opened 2025-12-29 01:26:59 +01:00 by adam · 1 comment
Originally created by @sephamorr on GitHub (May 10, 2021).

I'm sorry for making an issue for something that's probably a configuration issue on my end, but here goes:
For a server which only has port 443 access to the internet (no port 80), I started using dehydrated last year as a tls-alpn-01 responder, with a Lighttpd web server. Everything worked great for ~6 months, including the recurring cron job to renew the cert. Based on logging, the last successful renew was December 30, 2020.

Now, however, given a renew command of (note redacted domain/ips):

```sh
./dehydrated -d my.domain.com -t tls-alpn-01 --out /etc/lighttpd/certs --alpn /etc/lighttpd/dehydrated/tls-alpn-01 -c
```

I now receive this output and error:

```
Processing my.domain.com
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Mar 31 03:00:04 2021 GMT (Less than 30 days). Renewing!
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 1 authorizations URLs from the CA
 + Handling authorization for my.domain.com
 + Generating ALPN certificate and key for my.domain.com...
 + 1 pending challenge(s)
 + Deploying challenge tokens...
 + Responding to challenge for my.domain.com authorization...
 + Cleaning challenge tokens...
 + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: ["type"]	"tls-alpn-01"
["status"]	"invalid"
["error","type"]	"urn:ietf:params:acme:error:unauthorized"
["error","detail"]	"Incorrect validation certificate for tls-alpn-01 challenge. Missing acmeValidationV1 extension."
["error","status"]	403
["error"]	{"type":"urn:ietf:params:acme:error:unauthorized","detail":"Incorrect validation certificate for tls-alpn-01 challenge. Missing acmeValidationV1 extension.","status":403}
["url"]	"https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/redacted/redacted"
["token"]	"redacted"
["validationRecord",0,"hostname"]	"my.domain.com"
["validationRecord",0,"port"]	"443"
["validationRecord",0,"addressesResolved",0]	"my server IP"
["validationRecord",0,"addressesResolved"]	["my server IP"]
["validationRecord",0,"addressUsed"]	"my server IP"
["validationRecord",0]	{"hostname":"my.domain.com","port":"443","addressesResolved":["my server IP"],"addressUsed":"my server IP"}
["validationRecord"]	[{"hostname":"my.domain.com","port":"443","addressesResolved":["my server IP"],"addressUsed":"my server IP"}]
["validated"]	"2021-05-10T06:42:13Z")
```

Based on a suggestion [here](https://serverfault.com/questions/1024751/traefik-error-invalid-certificate-missing-extension), I disabled TLSv1.3 and also tried forcing a 2048-bit key per [this other bug](https://github.com/icing/mod_md/issues/200), to no avail.

I'm not sure which version of Lighttpd was in use back when this worked, but I've tested that this issue occurs on 1.4.55 and 1.4.59.

Any ideas about what is going on here?

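What the CA is saying in the 403 above: it connected to my.domain.com:443 with SNI set to the domain and ALPN `acme-tls/1`, and the certificate it was handed did not carry the `acmeValidationV1` extension (OID 1.3.6.1.5.5.7.1.31) that RFC 8737 requires. That is what you get when the server answers the acme-tls/1 handshake with its ordinary certificate instead of the challenge certificate dehydrated wrote into the `--alpn` directory, so the thing to look at is which certificate lighttpd actually serves for that ALPN value, not the TLS version or key size. The Go program below is an added example, not code from the issue, from dehydrated or from lighttpd: `makeValidationCert` builds a validation certificate the way RFC 8737 describes, `checkValidationCert` applies the checks the CA performs (and reproduces the "missing acmeValidationV1 extension" verdict for a plain site certificate), and `probeALPN` connects the way the CA does and returns the leaf it was given. The token and account thumbprint in `main` are constructed placeholders, and all function names are mine.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// id-pe-acmeIdentifier: the acmeValidationV1 extension of RFC 8737, section 6.1.
var oidACMEValidation = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 31}

const acmeALPN = "acme-tls/1"

// selfSignedCert issues a throwaway P-256 self-signed certificate for domain; with
// exts == nil it stands in for the ordinary site certificate a web server normally serves.
func selfSignedCert(domain string, exts []pkix.Extension) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: domain}, DNSNames: []string{domain},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), ExtraExtensions: exts,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, err
}

// makeValidationCert builds what a tls-alpn-01 responder must present: SAN = domain plus a
// critical acmeValidationV1 extension holding SHA-256(token "." thumbprint) as an OCTET STRING.
func makeValidationCert(domain, token, thumbprint string) (tls.Certificate, error) {
	sum := sha256.Sum256([]byte(token + "." + thumbprint)) // the key authorization digest
	val, _ := asn1.Marshal(sum[:])                         // a []byte marshals as OCTET STRING
	return selfSignedCert(domain, []pkix.Extension{{Id: oidACMEValidation, Critical: true, Value: val}})
}

// checkValidationCert applies the CA-side checks of RFC 8737 section 3 to a presented leaf. A
// server that answers acme-tls/1 with its normal site certificate fails with the issue's complaint.
func checkValidationCert(der []byte, domain, token, thumbprint string) error {
	cert, err := x509.ParseCertificate(der) // Parse tolerates unknown critical extensions; Verify would not
	if err != nil {
		return err
	}
	if len(cert.DNSNames) != 1 || cert.DNSNames[0] != domain {
		return fmt.Errorf("SAN %v is not exactly %q", cert.DNSNames, domain)
	}
	want := sha256.Sum256([]byte(token + "." + thumbprint))
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidACMEValidation) {
			continue
		}
		var got []byte
		rest, err := asn1.Unmarshal(ext.Value, &got)
		switch {
		case err != nil || len(rest) != 0:
			return errors.New("acmeValidationV1 value is not a single OCTET STRING")
		case !ext.Critical:
			return errors.New("acmeValidationV1 extension is not marked critical")
		case !bytes.Equal(got, want[:]):
			return errors.New("acmeValidationV1 digest does not match the key authorization")
		}
		return nil
	}
	return errors.New("missing acmeValidationV1 extension")
}

// probeALPN connects the way the CA does (SNI = domain, ALPN = acme-tls/1 only) and returns
// the DER leaf the server presented; run it against a real host:443 to see what lighttpd serves.
func probeALPN(addr, domain string) ([]byte, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{
		ServerName: domain, NextProtos: []string{acmeALPN},
		InsecureSkipVerify: true, // the validation certificate is self-signed by design
	})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	st := conn.ConnectionState()
	if st.NegotiatedProtocol != acmeALPN || len(st.PeerCertificates) == 0 {
		return nil, fmt.Errorf("negotiated %q with %d certificates", st.NegotiatedProtocol, len(st.PeerCertificates))
	}
	return st.PeerCertificates[0].Raw, nil
}

func main() { // offline self-check with constructed placeholder values; use probeALPN for a live host
	const domain, token, thumb = "my.domain.com", "token-redacted", "thumbprint-redacted"
	val, _ := makeValidationCert(domain, token, thumb)
	site, _ := selfSignedCert(domain, nil)
	fmt.Println("validation cert:", checkValidationCert(val.Certificate[0], domain, token, thumb))
	fmt.Println("site cert:", checkValidationCert(site.Certificate[0], domain, token, thumb))
}
```

To diagnose a server, call `probeALPN("my.domain.com:443", "my.domain.com")` while a challenge is pending (dehydrated removes the certificate again at its "Cleaning challenge tokens" step) and pass the result to `checkValidationCert` with the token from the order and your account thumbprint; if the leaf is your regular site certificate, the web server is not selecting the challenge certificate on ALPN. The equivalent one-liner with the OpenSSL CLI is `openssl s_client -connect my.domain.com:443 -servername my.domain.com -alpn acme-tls/1 </dev/null | openssl x509 -noout -text`, then look for the 1.3.6.1.5.5.7.1.31 extension in the output.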
adam closed this issue 2025-12-29 01:26:59 +01:00
@sephamorr commented on GitHub (May 16, 2021):

I solved my issue, honestly not entirely sure how. I made some changes to my lighttpd.conf file, and when I ultimately tried it again, it worked. I tried to revert the changes I remembered, but it still worked (and I hadn't kept a backup of the bad config, oops). The changes I made were part of sanitizing it, to make `lighttpd -tt` pass without errors, in case anyone comes by this thread with the same problem.

Reference: starred/dehydrated#537