Let's Encrypt Web-based validation failed and DNS-based validation failed

adamus007p

Hello,

I am trying to request a certificate for my domain exampledomain.com using Let's Encrypt.

exampledomain.com is a virtual server; the other subdomains are only aliases with no email.

domain: exampledomain.com www.exampledomain.com

aliases: mail.exampledomain.com www.mail.exampledomain.com dl.exampledomain.com www.dl.exampledomain.com

It is weird, but when I was using OVH for DNS everything was OK; after moving DNS to Amazon Route53 I have problems.

Interesting is that I have another domain on Amazon Route53 and there is no problem there.

In Domain > Server Configuration > Manage SSL Certificate I select the domains and I get this error:

Requesting a certificate for exampledomain.com, www.exampledomain.com, mail.exampledomain.com, www.mail.exampledomain.com, dl.exampledomain.com, www.dl.exampledomain.com from Let's Encrypt ..
.. request failed : Web-based validation failed : Failed to request certificate : www.exampledomain.com challenge did not pass: Invalid response from http://www.exampledomain.com/.well-known/acme-challenge/25kxZh6xxxxxxxxx... "\r\n404 Not Found\r\n\r\n404 Not Found\r\n"
DNS-based validation failed : Failed to request certificate : Gave up waiting for validation

What I have checked: I have checked permissions and I have created a test.txt at http://www.exampledomain.com/.well-known/acme-challenge/test.txt. Access from the browser is OK.

I have tested only exampledomain.com: the same error.

I have a TXT entry added in DNS, but maybe it is wrong. In the DNS records there was only _acme-challenge.www; there was no _acme-challenge.

I am using DNS from Amazon Route53.

How can I check the correct values for _acme-challenge and _acme-challenge.www?

I was doing updates of Virtualmin and Webmin, but I don't know when the problem started. I only know that when I was using OVH DNS it was OK. I moved the VPS in April 2018 to a new DC, and in August I added and configured a new domain.

What is different is that I use geoDNS and I have 4 VPS, and I have the problem only with one EU VPS and one domain. I have a similar config with another domain and there is no problem there.

Webmin version 1.893, Usermin version 1.741, Virtualmin version 6.04

Can you help? For me this is weird: either Web-based validation or DNS-based validation should work.

  1. How to check the correct TXT values for _acme-challenge and _acme-challenge.www, via GUI or command line?
  2. How to generate an SSL certificate for a domain via the command line using Let's Encrypt?
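The post above tests the challenge path from a browser, which only exercises whichever backend the tester's own resolver happened to return; with geoDNS and several VPS, the validator at Let's Encrypt may be routed to a different machine than the one where the file was written. The following script is an added example, not code from the thread or from Virtualmin: it resolves a name to every IPv4 address, connects to each address directly with the Host header set (as the CA's validator would reach one backend), and reports per backend whether the token is served with status 200 and the expected body. The names, token and webroot path are constructed placeholders; the demo serves a temporary directory on loopback so it runs offline.

```python
"""Added example (not part of the thread): probe an http-01 challenge file on
every IPv4 address a name resolves to, one backend at a time.
Names, tokens and paths are constructed placeholders."""
import http.client
import os
import socket
import tempfile
import threading
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

CHALLENGE_DIR = ".well-known/acme-challenge"


def write_token(webroot, token, content):
    """Create <webroot>/.well-known/acme-challenge/<token> the way an ACME
    client's webroot plugin does. Returns the file path."""
    path = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(path, exist_ok=True)
    full = os.path.join(path, token)
    with open(full, "w", encoding="ascii") as fh:
        fh.write(content)
    return full


def fetch_token(ip, host, token, port=80, timeout=5):
    """GET http://<host>/.well-known/acme-challenge/<token> from one specific
    backend IP, sending the Host header. Returns (http_status, body_text)."""
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        conn.request("GET", f"/{CHALLENGE_DIR}/{token}", headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace")
    finally:
        conn.close()


def check_all_backends(host, token, expected, port=80):
    """Resolve host to all its IPv4 addresses (local resolver) and probe each.
    With geoDNS, one backend answering 200 and another 404 is exactly what a
    single browser test from one location cannot reveal.
    Returns {ip: (ok, status_or_error)}."""
    addrs = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)
    results = {}
    for ip in sorted({a[4][0] for a in addrs}):
        try:
            status, body = fetch_token(ip, host, token, port)
            results[ip] = (status == 200 and body.strip() == expected, status)
        except OSError as exc:
            results[ip] = (False, repr(exc))
    return results


def serve_webroot(webroot, port=0):
    """Throwaway HTTP server rooted at webroot, used only to demo the probe."""
    def handler(*args, **kwargs):
        return SimpleHTTPRequestHandler(*args, directory=webroot, **kwargs)
    srv = ThreadingHTTPServer(("127.0.0.1", port), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo_run():
    """Serve a temp webroot on loopback, place a token, probe it, and also
    probe a token that was never written. Returns the observed results."""
    root = tempfile.mkdtemp()
    srv = serve_webroot(root)
    port = srv.server_address[1]
    write_token(root, "demo-token", "demo-token.ACCOUNT-THUMBPRINT")
    present = check_all_backends("127.0.0.1", "demo-token",
                                 "demo-token.ACCOUNT-THUMBPRINT", port)
    missing_status, _ = fetch_token("127.0.0.1", "127.0.0.1", "no-such-token", port)
    srv.shutdown()
    srv.server_close()
    return {"present": present, "missing_status": missing_status}


if __name__ == "__main__":
    print(demo_run())
    # Real use after placing test.txt with content "ok" in the webroot, e.g.
    # print(check_all_backends("www.exampledomain.com", "test.txt", "ok"))
```

A backend that reports 404 while another reports 200 means the webroot the ACME client writes into is not the document root that particular server uses for that Host, or the file was written on a different VPS than the one the validator reached.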
Fri, 10/19/2018 - 20:11
adamus007p

I use dig from the server where I host both my domains. DomainA >> I have a problem with SSL, and domainB >> it is OK.

The dig results for dig domain.com:

root@host1:~# dig domainA.com

; <<>> DiG 9.10.3-P4-Debian <<>> domainA.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27189
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;domainA.com. IN A

;; ANSWER SECTION:
domainA.com. 38400 IN A AAA.DDD.BBB.CCC

;; AUTHORITY SECTION:
domainA.com. 38400 IN NS host1.domainB.com.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Oct 20 02:44:25 CEST 2018
;; MSG SIZE rcvd: 94

root@host1:~# dig domainB.com

; <<>> DiG 9.10.3-P4-Debian <<>> domainB.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21826
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;domainB.com. IN A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Oct 20 02:44:58 CEST 2018
;; MSG SIZE rcvd: 45

root@host1:~#

Why are there different results? There is something wrong.

How do I check glue records?

I have run dig; ns-1658.awsdns-15.co.uk. is one of my NS.

root@host1:~# dig NS domainA.com ns-1658.awsdns-15.co.uk.

; <<>> DiG 9.10.3-P4-Debian <<>> NS domainA.com ns-1658.awsdns-15.co.uk.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39144
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;domainA.com. IN NS

;; ANSWER SECTION:
domainA.com. 38400 IN NS host1.domainB.com.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Oct 20 03:05:55 CEST 2018
;; MSG SIZE rcvd: 78

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32196
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ns-1658.awsdns-15.co.uk. IN NS

;; AUTHORITY SECTION:
awsdns-15.co.uk. 696 IN SOA g-ns-335.awsdns-15.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Oct 20 03:05:55 CEST 2018
;; MSG SIZE rcvd: 125

root@host1:~# dig NS domainB.com ns-1658.awsdns-15.co.uk.

; <<>> DiG 9.10.3-P4-Debian <<>> NS domainB.com ns-1658.awsdns-15.co.uk.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 64106
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;domainB.com. IN NS

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Oct 20 03:06:01 CEST 2018
;; MSG SIZE rcvd: 45

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63806
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ns-1658.awsdns-15.co.uk. IN NS

;; AUTHORITY SECTION:
awsdns-15.co.uk. 690 IN SOA g-ns-335.awsdns-15.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Oct 20 03:06:01 CEST 2018
;; MSG SIZE rcvd: 125
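The dig sessions above all show SERVER: 127.0.0.1, and the domainA.com answers carry the aa (authoritative answer) flag, so the host is answering for that zone from its own nameserver rather than asking the public DNS. In that situation the TXT value Virtualmin places locally and the TXT value Route53 serves to Let's Encrypt can differ, which is what the "Incorrect TXT record ... found at _acme-challenge" error compares. The script below is an added example, not code from the thread or from Virtualmin, and it addresses the first post's question of how to check the _acme-challenge TXT values from the command line: it parses dig output, flags a localhost resolver answering authoritatively, and compares the TXT values returned by the local resolver with those returned by a named authoritative server. The embedded sample outputs are constructed after the sessions in this thread, with documentation IPs and placeholder TXT values; run_dig and compare_txt require dig to be installed.

```python
"""Added example (not from the thread): parse dig output and compare the
_acme-challenge TXT value seen by the local resolver with the value served
by the authoritative nameserver. Sample outputs are constructed."""
import re
import subprocess
import sys

STATUS_RE = re.compile(r"status: (\w+), id: \d+")
FLAGS_RE = re.compile(r";; flags: ([a-z ]*);")
SERVER_RE = re.compile(r";; SERVER: (\S+)")
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\w+)\s+(.+)$")


def parse_dig(text):
    """Return status, header flags, answering server, and the ANSWER and
    AUTHORITY resource records as (name, ttl, type, rdata) tuples."""
    out = {"status": None, "flags": [], "server": None, "answer": [], "authority": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";;"):
            for key, rx in (("status", STATUS_RE), ("server", SERVER_RE)):
                m = rx.search(line)
                if m:
                    out[key] = m.group(1)
            m = FLAGS_RE.search(line)
            if m:
                out["flags"] = m.group(1).split()
            if "ANSWER SECTION" in line:
                section = "answer"
            elif "AUTHORITY SECTION" in line:
                section = "authority"
            elif "SECTION" in line:
                section = None
            continue
        if line.startswith(";"):
            continue  # QUESTION entries and the EDNS pseudo-section
        m = RR_RE.match(line)
        if m and section:
            name, ttl, rtype, rdata = m.groups()
            out[section].append((name, int(ttl), rtype, rdata.strip()))
    return out


def local_zone_shadows(parsed):
    """True when a resolver on localhost answered with the 'aa' flag: the host
    serves its own copy of the zone and will not see records that were added
    only at the public DNS provider."""
    server = parsed["server"] or ""
    return "aa" in parsed["flags"] and server.startswith("127.")


def txt_values(parsed):
    """TXT strings from the ANSWER section, quotes removed, sorted."""
    return sorted(rd.strip('"') for _, _, rt, rd in parsed["answer"] if rt == "TXT")


def run_dig(name, rtype="TXT", server=None):
    """Run dig for name/rtype, optionally against one specific server."""
    cmd = ["dig", rtype, name] + ([f"@{server}"] if server else [])
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def compare_txt(name, auth_server):
    """Compare TXT values for name from the local resolver and from the
    authoritative server (e.g. _acme-challenge.example.com, ns-1658.awsdns-15.co.uk)."""
    local = parse_dig(run_dig(name))
    auth = parse_dig(run_dig(name, server=auth_server))
    return {"local": txt_values(local), "authoritative": txt_values(auth),
            "local_zone_shadows": local_zone_shadows(local),
            "agree": txt_values(local) == txt_values(auth)}


# Constructed samples modelled on the thread's dig sessions (placeholder data).
SAMPLE_LOCAL_AUTH = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27189
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;domainA.com.\t\t\tIN\tA
;; ANSWER SECTION:
domainA.com.\t\t38400\tIN\tA\t192.0.2.10
;; AUTHORITY SECTION:
domainA.com.\t\t38400\tIN\tNS\thost1.domainB.com.
;; SERVER: 127.0.0.1#53(127.0.0.1)
"""
SAMPLE_SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21826
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 127.0.0.1#53(127.0.0.1)
"""
SAMPLE_TXT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
_acme-challenge.domainA.com. 60\tIN\tTXT\t"TOKEN-FROM-ROUTE53"
;; SERVER: 192.0.2.53#53(192.0.2.53)
"""

if __name__ == "__main__":
    if len(sys.argv) == 3:  # script.py _acme-challenge.example.com ns-1658.awsdns-15.co.uk
        print(compare_txt(sys.argv[1], sys.argv[2]))
    else:
        p = parse_dig(SAMPLE_LOCAL_AUTH)
        print("status:", p["status"], "local zone shadows public DNS:", local_zone_shadows(p))
```

When "agree" is False while "local_zone_shadows" is True, the ACME client and the CA are reading two different zones; the comparison against the server named in the NS records is the one that matters for validation, because that is where Let's Encrypt looks.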

Wed, 12/05/2018 - 07:40
adamus007p

Any help? How to start troubleshooting?

What I should check first?

I use Route53 geodns and two VPS, one in US, second in Europe.

One domain at Route53 is working, the second one is not. I don't know why...

I do not use IPv6 in either domain. I have updated the VPS up to today, 05.12.2018.

One of my domains which I use with geoIP works, the second one does not.

Now my error is:

Requesting a certificate for domain2.com, mail.domain2.com, dl.domain2.com from Let's Encrypt ..
.. request failed : Web-based validation failed : Failed to request certificate :
domain2.com challenge did not pass: Invalid response from http://domain.com/.well-known/acme-challenge/pTLaBmndeumtQ_v03l1q6nJ_EWudo-4Fytw2ec3yFak: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor="white">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>"
DNS-based validation failed : Failed to request certificate :
Gave up waiting for validation
Wed, 12/05/2018 - 16:47
adamus007p

Some updated debug logs:

Requesting a certificate for domain.com, www.domain.com, domain.de, www.domain.de, domain.nl, www.domain.nl, domain.fr, www.domain.fr, dl.domain.com, www.dl.domain.com, mail.domain.com, www.mail.domain.com from Let's Encrypt ..
.. request failed : Web-based validation failed :
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for domain.com
http-01 challenge for www.domain.com
http-01 challenge for domain.de
http-01 challenge for www.domain.de
http-01 challenge for domain.nl
http-01 challenge for www.domain.nl
http-01 challenge for domain.fr
http-01 challenge for www.domain.fr
http-01 challenge for dl.domain.com
http-01 challenge for www.dl.domain.com
http-01 challenge for mail.domain.com
http-01 challenge for www.mail.domain.com
Using the webroot path /home/domain/public_html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Unable to clean up challenge directory /home/domain/public_html/.well-known/acme-challenge
Failed authorization procedure. domain.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://domain.com/.well-known/acme-challenge/o1atRUTedFU2kI_uW32SV2BZ-esbngqtQsAd3O3H2QM: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor="white">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>", www.domain.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.domain.com/.well-known/acme-challenge/sSMnw9JW-c_DhUHefIdaY8W59nC0YIeTkxXMiOpjXbw: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor="white">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>"
IMPORTANT NOTES:
- The following errors were reported by the server:

   Domain: domain.com
   Type:   unauthorized
   Detail: Invalid response from
   http://domain.com/.well-known/acme-challenge/o1atRUTedFU2kI_uW32SV2BZ-esbngqtQsAd3O3H2QM:
   "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body
   bgcolor="white">\r\n<center><h1>404 Not
   Found</h1></center>\r\n<hr><center>"

   Domain: www.domain.com
   Type:   unauthorized
   Detail: Invalid response from
   http://www.domain.com/.well-known/acme-challenge/sSMnw9JW-c_DhUHefIdaY8W59nC0YIeTkxXMiOpjXbw:
   "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body
   bgcolor="white">\r\n<center><h1>404 Not
   Found</h1></center>\r\n<hr><center>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.
DNS-based validation failed :
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for domain.com
dns-01 challenge for www.domain.com
dns-01 challenge for domain.de
dns-01 challenge for www.domain.de
dns-01 challenge for domain.nl
dns-01 challenge for www.domain.nl
dns-01 challenge for domain.fr
dns-01 challenge for www.domain.fr
dns-01 challenge for dl.domain.com
dns-01 challenge for www.dl.domain.com
dns-01 challenge for mail.domain.com
dns-01 challenge for www.mail.domain.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.domain.com (dns-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record "N-endSwtgUgmM7_lIH03_QI74baxYkzqMunUN8pmzo8" found at _acme-challenge.www.domain.com, domain.com (dns-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record "ocjCillaNyFwehuPktcoU9Y6wPc-jqGrI4t47EGliMM" found at _acme-challenge.domain.com
IMPORTANT NOTES:
- The following errors were reported by the server:

   Domain: www.domain.com
   Type:   unauthorized
   Detail: Incorrect TXT record
   "N-endSwtgUgmM7_lIH03_QI74baxYkzqMunUN8pmzo8" found at
   _acme-challenge.www.domain.com

   Domain: domain.com
   Type:   unauthorized
   Detail: Incorrect TXT record
   "ocjCillaNyFwehuPktcoU9Y6wPc-jqGrI4t47EGliMM" found at
   _acme-challenge.domain.com

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

Any ideas?

Mon, 12/24/2018 - 20:51
sfbob

Try adding a test.html file to the server that is failing. I did that and could not retrieve it.

Found the solution at https://www.virtualmin.com/node/59694