Let's Encrypt Web-based validation failed and DNS-based validation failed

#1 Fri, 10/19/2018 - 10:49
adamus007p

Hello,

I am trying to request a certificate for my domain exampledomain.com using Let's Encrypt.

exampledomain.com is a virtual server; the other subdomains are only aliases with no email.

domain: exampledomain.com www.exampledomain.com

aliases: mail.exampledomain.com www.mail.exampledomain.com dl.exampledomain.com www.dl.exampledomain.com

It is weird, but when I was using OVH for DNS everything was OK; after moving DNS to Amazon Route53 I have problems.

Interestingly, I have another domain on Amazon Route53 and there is no problem there.

Domain > Server Configuration > Manage SSL Certificate; I select the domains and I get this error:

Requesting a certificate for exampledomain.com, www.exampledomain.com, mail.exampledomain.com, www.mail.exampledomain.com, dl.exampledomain.com, www.dl.exampledomain.com from Let's Encrypt ..
.. request failed : Web-based validation failed : Failed to request certificate : www.exampledomain.com challenge did not pass: Invalid response from http://www.exampledomain.com/.well-known/acme-challenge/25kxZh6xxxxxxxxx... "\r\n404 Not Found\r\n\r\n404 Not Found\r\n"
DNS-based validation failed : Failed to request certificate : Gave up waiting for validation

What I have checked: I have checked the permissions and I have created a test.txt at http://www.exampledomain.com/.well-known/acme-challenge/test.txt. Access from the browser is OK.

I have tested only exampledomain.com: the same error.

I have added a TXT entry in DNS, but maybe it is wrong. In the DNS records there was only _acme-challenge.www; there was no _acme-challenge.

I am using DNS from Amazon Route53.

How can I check the correct values for _acme-challenge and _acme-challenge.www?

I was doing updates of Virtualmin and Webmin, but I don't know when the problem started. I only know that when I was using OVH DNS it was OK. I moved the VPS in April 2018 to a new DC and in August I added and configured a new domain.

What is different is that I use geoDNS and I have 4 VPS, and I have a problem only with one EU VPS and one domain. I have a similar config with another domain and I have no problem there.

Webmin version 1.893, Usermin version 1.741, Virtualmin version 6.04

Can you help? For me this is weird: either web-based validation or DNS-based validation should work.

  1. How to check the correct TXT values for _acme-challenge and _acme-challenge.www, via GUI or command line?
  2. How to generate an SSL certificate for a domain via the command line using Let's Encrypt?
Fri, 10/19/2018 - 20:11
adamus007p

I use dig from the server where I host both my domains. Domain A >> I have a problem with SSL, and domain B >> it is OK.

The dig results (dig domain.com):

root@host1:~# dig domainA.com

; <<>> DiG 9.10.3-P4-Debian <<>> domainA.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27189
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;domainA.com. IN A

;; ANSWER SECTION:
domainA.com. 38400 IN A AAA.DDD.BBB.CCC

;; AUTHORITY SECTION:
domainA.com. 38400 IN NS host1.domainB.com.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Oct 20 02:44:25 CEST 2018
;; MSG SIZE  rcvd: 94

root@host1:~# dig domainB.com

; <<>> DiG 9.10.3-P4-Debian <<>> domainB.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21826
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;domainB.com. IN A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Oct 20 02:44:58 CEST 2018
;; MSG SIZE  rcvd: 45

root@host1:~#

Why are there different results? There is something wrong.

How to check glue records?

I have run dig with ns-1658.awsdns-15.co.uk. < this is one of my NS

root@host1:~# dig NS domainA.com ns-1658.awsdns-15.co.uk.

; <<>> DiG 9.10.3-P4-Debian <<>> NS domainA.com ns-1658.awsdns-15.co.uk.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39144
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;domainA.com. IN NS

;; ANSWER SECTION:
domainA.com. 38400 IN NS host1.domainB.com.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Oct 20 03:05:55 CEST 2018
;; MSG SIZE  rcvd: 78

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32196
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ns-1658.awsdns-15.co.uk. IN NS

;; AUTHORITY SECTION:
awsdns-15.co.uk. 696 IN SOA g-ns-335.awsdns-15.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Oct 20 03:05:55 CEST 2018
;; MSG SIZE  rcvd: 125

root@host1:~# dig NS domainB.com ns-1658.awsdns-15.co.uk.

; <<>> DiG 9.10.3-P4-Debian <<>> NS domainB.com ns-1658.awsdns-15.co.uk.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 64106
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;domainB.com. IN NS

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Oct 20 03:06:01 CEST 2018
;; MSG SIZE  rcvd: 45

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63806
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ns-1658.awsdns-15.co.uk. IN NS

;; AUTHORITY SECTION:
awsdns-15.co.uk. 690 IN SOA g-ns-335.awsdns-15.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Oct 20 03:06:01 CEST 2018
;; MSG SIZE  rcvd: 125

Wed, 12/05/2018 - 07:40
adamus007p

Any help? How do I start troubleshooting?

What should I check first?

I use Route53 geoDNS and two VPS, one in the US, the second in Europe.

One domain at Route53 is working, the second one not. I don't know why...

I do not use IPv6 on either domain. I have updated the VPS up to today, 05.12.2018.

One of my domains which I use with geoIP works, the second one not.

Now my error is:

Requesting a certificate for domain2.com, mail.domain2.com, dl.domain2.com from Let's Encrypt ..
.. request failed : Web-based validation failed : Failed to request certificate :
domain2.com challenge did not pass: Invalid response from http://domain.com/.well-known/acme-challenge/pTLaBmndeumtQ_v03l1q6nJ_EWudo-4Fytw2ec3yFak: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor="white">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>"
DNS-based validation failed : Failed to request certificate :
Gave up waiting for validation
Wed, 12/05/2018 - 16:47
adamus007p

Some updated debug logs:

Requesting a certificate for domain.com, www.domain.com, domain.de, www.domain.de, domain.nl, www.domain.nl, domain.fr, www.domain.fr, dl.domain.com, www.dl.domain.com, mail.domain.com, www.mail.domain.com from Let's Encrypt ..
.. request failed : Web-based validation failed :
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for domain.com
http-01 challenge for www.domain.com
http-01 challenge for domain.de
http-01 challenge for www.domain.de
http-01 challenge for domain.nl
http-01 challenge for www.domain.nl
http-01 challenge for domain.fr
http-01 challenge for www.domain.fr
http-01 challenge for dl.domain.com
http-01 challenge for www.dl.domain.com
http-01 challenge for mail.domain.com
http-01 challenge for www.mail.domain.com
Using the webroot path /home/domain/public_html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Unable to clean up challenge directory /home/domain/public_html/.well-known/acme-challenge
Failed authorization procedure. domain.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://domain.com/.well-known/acme-challenge/o1atRUTedFU2kI_uW32SV2BZ-esbngqtQsAd3O3H2QM: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor="white">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>", www.domain.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.domain.com/.well-known/acme-challenge/sSMnw9JW-c_DhUHefIdaY8W59nC0YIeTkxXMiOpjXbw: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor="white">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>"
IMPORTANT NOTES:
- The following errors were reported by the server:

   Domain: domain.com
   Type:   unauthorized
   Detail: Invalid response from
   http://domain.com/.well-known/acme-challenge/o1atRUTedFU2kI_uW32SV2BZ-esbngqtQsAd3O3H2QM:
   "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body
   bgcolor="white">\r\n<center><h1>404 Not
   Found</h1></center>\r\n<hr><center>"

   Domain: www.domain.com
   Type:   unauthorized
   Detail: Invalid response from
   http://www.domain.com/.well-known/acme-challenge/sSMnw9JW-c_DhUHefIdaY8W59nC0YIeTkxXMiOpjXbw:
   "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body
   bgcolor="white">\r\n<center><h1>404 Not
   Found</h1></center>\r\n<hr><center>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.
DNS-based validation failed :
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for domain.com
dns-01 challenge for www.domain.com
dns-01 challenge for domain.de
dns-01 challenge for www.domain.de
dns-01 challenge for domain.nl
dns-01 challenge for www.domain.nl
dns-01 challenge for domain.fr
dns-01 challenge for www.domain.fr
dns-01 challenge for dl.domain.com
dns-01 challenge for www.dl.domain.com
dns-01 challenge for mail.domain.com
dns-01 challenge for www.mail.domain.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.domain.com (dns-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record "N-endSwtgUgmM7_lIH03_QI74baxYkzqMunUN8pmzo8" found at _acme-challenge.www.domain.com, domain.com (dns-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect TXT record "ocjCillaNyFwehuPktcoU9Y6wPc-jqGrI4t47EGliMM" found at _acme-challenge.domain.com
IMPORTANT NOTES:
- The following errors were reported by the server:

   Domain: www.domain.com
   Type:   unauthorized
   Detail: Incorrect TXT record
   "N-endSwtgUgmM7_lIH03_QI74baxYkzqMunUN8pmzo8" found at
   _acme-challenge.www.domain.com

   Domain: domain.com
   Type:   unauthorized
   Detail: Incorrect TXT record
   "ocjCillaNyFwehuPktcoU9Y6wPc-jqGrI4t47EGliMM" found at
   _acme-challenge.domain.com

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

Any ideas?
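An added check (example code, not from the thread or from Virtualmin) that ties the dig output in the second post to the "Incorrect TXT record" errors above: it computes the values http-01 and dns-01 expect from the challenge token and the ACME account key thumbprint (RFC 8555), parses status and flags out of dig output, and compares the TXT record seen by the local resolver (the "aa" flag shows host1 answering authoritatively for domainA itself) with the one served by a public Route53 nameserver, which is the only view Let's Encrypt validates against. The domain, token and thumbprint in the main block are placeholders to fill in from your own certbot log and account key.

```python
import base64
import hashlib
import re
import subprocess


def key_authorization(token: str, thumbprint: str) -> str:
    """http-01 expects exactly this string as the body served at
    /.well-known/acme-challenge/<token> (RFC 8555 section 8.1)."""
    return f"{token}.{thumbprint}"


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """dns-01 expects base64url(SHA-256(key authorization)), unpadded, as the
    TXT record at _acme-challenge.<domain> (RFC 8555 section 8.4)."""
    digest = hashlib.sha256(key_authorization(token, thumbprint).encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def parse_dig_header(output: str) -> dict:
    """Extract status and flags from dig output; works on the flattened
    one-line form pasted in the thread as well as on normal dig output."""
    status = re.search(r"status: (\w+)", output)
    flags = re.search(r"flags: ([^;]*);", output)
    return {"status": status.group(1) if status else None,
            "flags": flags.group(1).split() if flags else []}


def classify_txt(expected: str, local: set, public: set) -> str:
    """Compare what the local resolver and the public authoritative NS serve."""
    if expected in public:
        return "ok"
    if expected in local:
        return "local-only"   # record exists on this host but never reached the public zone
    if public:
        return "stale"        # public NS serves a different value, e.g. from an earlier attempt
    return "missing"


def query_txt(name: str, server: str) -> set:
    """Ask one specific DNS server for TXT records via dig (needs network access)."""
    out = subprocess.run(["dig", "+short", "TXT", name, f"@{server}"],
                         capture_output=True, text=True, check=False).stdout
    return {line.strip().strip('"') for line in out.splitlines() if line.strip()}


if __name__ == "__main__":
    # Placeholders: token from the certbot log, thumbprint of your account key.
    domain, token, thumbprint = "domainA.com", "TOKEN_FROM_LOG", "ACCOUNT_KEY_THUMBPRINT"
    expected = dns01_txt_value(token, thumbprint)
    name = f"_acme-challenge.{domain}"
    local = query_txt(name, "127.0.0.1")                 # what host1's own BIND serves
    public = query_txt(name, "ns-1658.awsdns-15.co.uk")   # what Route53 serves to the world
    print(f"expected {expected}\nlocal {local}\npublic {public}\n-> {classify_txt(expected, local, public)}")
```

A "local-only" verdict means the record Virtualmin wrote is visible only to the local BIND, so the public Route53 zone must be updated for dns-01 to pass.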

Mon, 12/24/2018 - 20:51
sfbob

Try adding a test.html file to the server that is failing. I did that and could not retrieve it.

Found the solution at https://www.virtualmin.com/node/59694

Wed, 05/22/2019 - 09:51
adamus007p

It did not help.

Manual renewal via the command line with certbot works, but not the one built into Virtualmin.

Non-geo DNS validation works. Problems start when you use geoDNS, e.g. from Amazon AWS Route53, and you have two VPS: the 1st in the USA and the 2nd in Europe.