Letsencrypt Create a fresh domain gives error on creating Let's encrypt

Discussion in 'Install & Upgrades or Pre-Install Questions' started by EckyBrazzz, Aug 23, 2019.

  1. EckyBrazzz
    Hi there,

    Yesterday a client bought a new domain and today it was ready to use @ Cloudflare. Took a while, slow domain registrar, but very cheap, only euro 1,38 for a .nl domain.

    Install went fine, I get an A at SSL Labs when testing the domain, but I still have a question. Can I keep it this way, or should I delete the domain, wait a few days and give it a new try? I don't know how it will react on renewal.

    Error is below.
    Code (Text):
    [Thu Aug 22 23:18:28 UTC 2019] responseHeaders='HTTP/1.1 400 Bad Request
    Server: nginx
    Content-Type: application/problem+json
    Content-Length: 144
    Boulder-Requester: 63907569
    Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
    Replay-Nonce: 0002NWDogESUkxpetpQQgQNdCbbWjjE9bjicvgARiZE8gMA
    Expires: Thu, 22 Aug 2019 23:18:28 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache
    Date: Thu, 22 Aug 2019 23:18:28 GMT
    Connection: close
    ^M'
    [Thu Aug 22 23:18:28 UTC 2019] code='400'
    [Thu Aug 22 23:18:28 UTC 2019] original='{
      "type": "urn:ietf:params:acme:error:malformed",
      "detail": "Unable to update challenge :: authorization must be pending",
      "status": 400
    }'
    [Thu Aug 22 23:18:28 UTC 2019] response='{
      "type": "urn:ietf:params:acme:error:malformed",
      "detail": "Unable to update challenge :: authorization must be pending",
      "status": 400
    }'
    
    
     
  2. eva2000

    Try acmetool.sh's reissue-only option for existing nginx HTTPS SSL vhosts whose domain.com.ssl.conf vhost config files already exist. This only reissues the letsencrypt SSL cert without touching the nginx vhost. Ideal for use when you tried creating a Nginx HTTPS SSL default vhost site but letsencrypt SSL issuance failed the first time. When it fails, Centmin Mod usually falls back to self-signed SSL as a placeholder for the domain.com.ssl.conf vhost config. When you run:
    Code (Text):
    cd /usr/local/src/centminmod/addons
    ./acmetool.sh reissue-only domain.com live
    

    It will only try reissuing the letsencrypt SSL certificate for the domain = domain.com as a live production SSL certificate, without touching any of the existing nginx vhost at domain.com.ssl.conf.
     
  3. EckyBrazzz

    Too bad, did not work
    Code (Text):
    [Sat Aug 24 19:57:21 UTC 2019] responseHeaders='HTTP/1.1 400 Bad Request
    Server: nginx
    Content-Type: application/problem+json
    Content-Length: 144
    Boulder-Requester: 63907569
    Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
    Replay-Nonce: 0001uX9ehDtmPjiRJCiOjgm5uYX6ZXYEYJ3_oMZz-Vd9T_I
    Expires: Sat, 24 Aug 2019 19:57:21 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache
    Date: Sat, 24 Aug 2019 19:57:21 GMT
    Connection: close
    ^M'
    [Sat Aug 24 19:57:21 UTC 2019] code='400'
    [Sat Aug 24 19:57:21 UTC 2019] original='{
      "type": "urn:ietf:params:acme:error:malformed",
      "detail": "Unable to update challenge :: authorization must be pending",
      "status": 400
    }'
    [Sat Aug 24 19:57:21 UTC 2019] response='{
      "type": "urn:ietf:params:acme:error:malformed",
      "detail": "Unable to update challenge :: authorization must be pending",
      "status": 400
    }'
    

    And a part of the error
    Code (Text):
    [Sat Aug 24 20:04:38 UTC 2019] www.xxxx.nl:Verify error:Invalid response from http://www.xxxx.nl/.well-known/acme-challenge/Pul7G5N9AiKS<snipped>
     
    Last edited: Aug 25, 2019
  4. eva2000

    First try running your intended SSL certificate domain through the letsdebug.net online testing tool to check for potential errors with HTTP-01 validation.

    How was the initial letsencrypt SSL certificate obtained? Which method?
    • Was the domain nginx vhost already created prior, or was the new domain nginx vhost site set up for the first time?
    • Via centmin.sh menu option 2, 22, /usr/bin/nv ?
    • If you ran centmin.sh menu option 2 or 22, which letsencrypt option did you select from?
      Code (Text):
      -------------------------------------------------------------
      Setup full Nginx vhost + Wordpress + WP Plugins
      -------------------------------------------------------------
      
      Enter vhost domain name you want to add (without www. prefix): acme3.domain1.com
      
      Create a self-signed SSL certificate Nginx vhost? [y/n]: n
      Get Letsencrypt SSL certificate Nginx vhost? [y/n]: y
      
      You have 4 options:
      1. issue staging test cert with HTTP + HTTPS
      2. issue staging test cert with HTTPS default
      3. issue live cert with HTTP + HTTPS
      4. issue live cert with HTTPS default
      Enter option number 1-4: 1
      
    • Via addons/acmetool.sh? Which specific command? Examples:
      Code (Text):
      ./acmetool.sh issue acme.domain.com
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com live
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com d
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com lived
      
    • What was the order of steps you did? Did you run centmin.sh menu option 2 first with letsencrypt? Then did you run addons/acmetool.sh afterwards?

    Centmin Mod Self-Signed SSL Fallback

    If you're seeing Centmin Mod's self-signed SSL certificate instead of a letsencrypt SSL certificate, that's acmetool.sh's and centminmod's fallback: if letsencrypt verification fails to obtain a letsencrypt SSL cert, it falls back to the Centmin Mod self-signed SSL certificate on the HTTPS port 443 side so as to preserve the HTTPS nginx vhost.

    Troubleshooting

    There are various steps you can take to troubleshoot failed letsencrypt issuances, renews, reissues etc.
    • acmetool.sh logs all command line or shell menu runs to log files at /root/centminlogs. To troubleshoot, copy the contents of the log run, post the contents of the log to pastebin.com or gist.github.com and share the link in this thread. To find the log, list the logs in ascending date order:
      Code (Text):
      ls -lahrt /root/centminlogs
    • For direct acmetool.sh runs, there should be a 2nd, 3rd and 4th log in the format /root/centminlogs/centminmod_${DT}_nginx_addvhost_nv.log, /root/centminlogs/acmetool.sh-debug-log-$DT.log and /root/centminlogs/acmesh-issue_*.log or /root/centminlogs/acmesh-reissue_*.log, which would need to be included via a separate pastebin.com or gist.github.com post.
    • Enable acmetool.sh debug mode. In the persistent config file at /etc/centminmod/custom_config.inc (create it if it doesn't exist), add and enable acmetool.sh debug mode, which gives much more verbose letsencrypt issuance process information when you re-run acmetool.sh or centmin.sh menu options 2, 22 or /usr/bin/nv command lines.
      Code (Text):
      ACMEDEBUG='y'
    If acme.sh auto renewals didn't happen, check the output of the following commands:
    Code (Text):
    grep acme /var/log/cron* | sed -e "s|$(hostname -s)|host|g"
    

    Code (Text):
    echo y | /usr/local/src/centminmod/addons/acmetool.sh checkdates
    

    Code (Text):
    "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"
    

    Code (Text):
    echo | openssl s_client -connect yourdomain.com:443
    

    Without the answers to the above questions and the logs, there is nothing to help troubleshoot.

    SSLLabs Test

    Also run your HTTPS domain site through the SSLLabs tester at SSL Server Test (Powered by Qualys SSL Labs); if it says untrusted SSL cert and prompts to continue the test, continue the test.
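    The two failures quoted in this thread (the ACME `authorization must be pending` problem document and the `Verify error:Invalid response from .../.well-known/acme-challenge/...` line) are easy to miss in a long acmetool.sh debug log. The following is an added triage helper, not part of acmetool.sh or acme.sh; it parses a constructed log sample in the same format as the posts above (domain and token are placeholders) and turns each failure into a troubleshooting hint.

```python
import json
import re

# Constructed sample in the acme.sh debug-log format quoted in this thread.
# Domain and token are placeholders, not real values.
SAMPLE_LOG = """\
[Sat Aug 24 19:57:21 UTC 2019] code='400'
[Sat Aug 24 19:57:21 UTC 2019] response='{
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "Unable to update challenge :: authorization must be pending",
  "status": 400
}'
[Sat Aug 24 20:04:38 UTC 2019] www.example.invalid:Verify error:Invalid response from http://www.example.invalid/.well-known/acme-challenge/TOKENPLACEHOLDER
"""

# The ACME problem document is logged as a multi-line JSON body inside quotes.
RESPONSE_RE = re.compile(r"response='(\{.*?\})'", re.DOTALL)
# acme.sh reports a failed HTTP-01 check as "<host>:Verify error:Invalid response from <url>".
VERIFY_RE = re.compile(r"\] (\S+?):Verify error:Invalid response from (\S+)")


def triage_acme_log(text):
    """Extract the ACME problem document and failed validation URLs
    from acme.sh log text and attach a troubleshooting hint for each."""
    result = {"status": None, "error_type": None, "detail": None,
              "failed": [], "hints": []}
    m = RESPONSE_RE.search(text)
    if m:
        problem = json.loads(m.group(1))
        result["status"] = problem.get("status")
        result["error_type"] = problem.get("type")
        result["detail"] = problem.get("detail")
        if "authorization must be pending" in (result["detail"] or ""):
            result["hints"].append(
                "authorization is no longer pending (already valid or invalid); "
                "the client retried a stale authorization, start a fresh order")
    for host, url in VERIFY_RE.findall(text):
        result["failed"].append({"host": host, "url": url})
        if "/.well-known/acme-challenge/" in url:
            result["hints"].append(
                f"HTTP-01 token for {host} was not served at {url}; confirm the path "
                "reaches the origin through any CDN/proxy and that the webroot exists")
    return result


if __name__ == "__main__":
    for hint in triage_acme_log(SAMPLE_LOG)["hints"]:
        print(hint)
```

    Feed it the acmesh-issue_*.log or acmesh-reissue_*.log contents from /root/centminlogs to get the same summary for a real run.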
     
  5. EckyBrazzz

    Code (Text):
    CloudflareCDN (https://letsdebug.net/xxxxnl/57648#CloudflareCDN-Warning)
    Warning
    The domain XXX.nl is being served through Cloudflare CDN. Any Let's Encrypt certificate installed on the origin server will only encrypt traffic between the server and Cloudflare. It is strongly recommended that the SSL option 'Full SSL (strict)' be enabled.
    https://support.cloudflare.com/hc/en-us/articles/200170416-What-do-the-SSL-options-mean-

    Cloudflare was on FULL SSL.

    Install was done with option 22 and option 4 issue live cert with HTTPS default.

    Reissued as you told me:
    Code (Text):
    ./acmetool.sh reissue-only domain.com live
    

    SSL Labs gives A, my other domains normally give A+.
    A part of the error log shows this and the pending issue.
    Code (Text):
    www.xxxx.nl:Verify error:Invalid response from http://www.xxxx.nl/.well-known/acme-challenge/Pul7G5N9AiKS<snipped>
    


    Will get a test domain @ dot.tk for testing. I guess that the problem is with the domain registrar. Yesterday I did many domains with the same install options (migrating a server again) and did not have any issues.

    FYI: Multisite WP goes as planned, some little issues, but will resolve these.
     
  6. Rake-GH

    I did the same thing you did and Authenticated Origin Pulls is working, but Full (Strict) SSL is not working. Full works fine.

    I ran the same troubleshooting steps with a similar result. I did not get this error though:
    Code:
    Verify error:Invalid response from...

    One thing I noticed is that I do not have a .well-known directory...
     
  7. EckyBrazzz

    Guess that's a little present from that "cheap" domain registrar. It gives 400 "Pending Authorization", but it was registered a week ago and I transferred the DNS to Cloudflare ASAP.

    Will delete it; first do a

    Code (Text):
    DROP DATABASE dbname;
    DELETE FROM mysql.user WHERE user = 'username';


    Afterwards, run the ./wp_uninstall for the domains to keep all things nice and clean.

    Don't want any mess and leftovers on my servers. Tried another domain, registered @ dot.tk (they are free), and it did not give any problem.
     
  8. EckyBrazzz

    Update:

    Cheap domain registrar told me "It's Cloudflare, MIM attack, server backend" and some other strange things.

    Finally, today resolved: got the code to move to another domain registrar (also difficult and some issues, support tickets), but all fine. No more problems, A+ SSL as usual.

    Lesson learned: Everything has a price tag. (except CMM, see My site running Centmin mod are just an airplane. They fly )
     
  9. eva2000

    Interesting, so a domain registrar issue?
     
  10. EckyBrazzz

    Yep, bought a com.br today and no problem at all with Registro.br.
     