-
-
Notifications
You must be signed in to change notification settings - Fork 4.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Verify error:Invalid response from [domain] #867
Comments
if you already have a http server running using port 80, you cant run standalone, unless you use pre/post hook to stop it |
why not paste the |
Yes, sorry, Neil. I guess that would help. So, you mean what I get in output after running this?
I just want to make sure I'm using it right. That gives me a lot of output, including the contents of my websites' 404 template, and the usage instructions of Ncat. |
While I'm waiting on confirmation about using I used the "Standalone mode" commands for multiple domains when first setting up the certificates a while back and then the renewal commands indicated above when renewing certs and I never had a problem before. I created a doc for the process, which worked last time I renewed certs... But the website is an Apache server, and I maintain certs for multiple domains on the server. Should I be using the Apache mode commands now, or does it matter? |
The standalone mode conflicts with webroot/or apache mode. see: Yes, give me the outpu of BTW, when you use acme.sh --renew -d example.com acme.sh knows how many domains in the cert need to renew. |
Thanks, Neil. I have to step away for a while but I will follow up later. |
Ok, Neil. It's long. I changed the account username and domain, but otherwise it's all
|
Thanks. But I'm not sure what you mean. I run acme.sh on the web host's server (Apache). The port is something different than 80. But I have wondered if setting everything up as Standalone was a mistake, but it never seemed to be an issue before. I've only started getting this error now on this latest attempt to renew. |
@wion you mean you run apache on a different port other than 80/443? |
@wion The standalone mode should not work at all, because it needs to listen at 80 port, which is already used by your apache server. |
All I can tell you is that I followed this instruction from start to finish about a year ago to setup certs on my web host (WebFaction) using acme.sh and it worked: And I successfully updated the certs using the same tutorial the last time I renewed them. So between now and 80 days ago, something has changed somewhere, whether at the web host end or acme.sh. Okay, thanks. It seems what you and Fernando are telling me is I need to reconfigure the way I have acme.sh setup, and subsequently rewrite/edit my tutorial with respect to webroot or Apache mode. Can you confirm... Do I just delete all existing certificates in the /certificates directory, and then run new commands? Or must I delete the existing install of acme.sh entirely and start from scratch? |
On your README page, under the Apache mode section, it says:
Those two lines, particularly the parts I put in bold, are contradictory. If I'm using an Apache server (which I'm setup with on WebFaction), which mode should I use — webroot or apache? |
The answer is: either. You can use either way. If you use apache mode, you must be root, but it's not required for webroot mode. |
Yes, correct. you can just delete the domain folder. |
Thanks Neil. WebFaction suggests I use their API to "work around it", which I wouldn't know the first thing about. Or to use "the other" script, LetsEncrypt-WebFaction... I'll give it a shot using your other modes. If I still run into trouble, I'll try that other script, since it does seem to be designed specifically for my web host. |
I am running in the same issue. I think there is a problem with the composition of the URL that is used. To me it seems that ": " is added to one of the URLs and then it does not work. The file however does exist inside the webroot ("ECXhqL9PzbAD2Zam6ituHZBv7uCjjY6Lb0lIuyhHOto" without ": " at the end. See below:
|
@bmmeijers
|
|
@bmmeijers And please upgrade to the latest version first, then you can also try with the acme.sh --upgrade
acme.sh --issue -d example.com --nginx --test --debug 2 |
Ok, herewith the log file: log.txt See around line 204, the URL contains ": " at the end, so: That gives a 404 (not strange, the file is not there)! But if I go to (so manually remove ": " from the end): http://rambonnetgroep.nl/.well-known/acme-challenge/WjtpQaDK5_TRzEAgyUegUMnbC8sdNVWP6ax-_esbDmQ It is there... Does this mean that acme.sh gives a wrong URL to let's encrypt? Note, that this set up has been running for >6 months without problems before. It broke this night, when the cron job that is scheduled gave me the same error message. I do have another domain setup and for this domain the problem does not occur (actually it was renewed by the cron job. |
@baiyangliu |
It's not, because of the 404 reported the URL has to be incorrect. Question is: where is the URL composed? |
@bmmeijers I checked the log, the url is good. |
How does this error message then comes into existence: """ |
@bmmeijers |
Do you see anything else that then goes (obviously) wrong? |
@bmmeijers I just visited the url: curl http://rambonnetgroep.nl/.well-known/acme-challenge/WjtpQaDK5_TRzEAgyUegUMnbC8sdNVWP6ax-_esbDmQ It's not 404 error. Can you please try with |
@bmmeijers your domain have both ipv4 and ipv6 resolved. The CA visited the ipv6 address, it's 404 error. curl -6 http://rambonnetgroep.nl/.well-known/acme-challenge/WjtpQaDK5_TRzEAgyUegUMnbC8sdNVWP6ax-_esbDmQ This is a policy change of the CA, they prefer ipv6 than ipv4. |
If your website is not accessable at the ipv6 address, you can remove the ipv6 record of the domain. |
Thanks for finding that out! It does make sense that it then works for the other domain, as this other domain does not have a DNS entry for IPv6. I adapted my nginx configuration (to also listen on ipv6) and now it works! |
Just a note that my situation was probably different. I have it working now, following Neil's recommendation to delete old certs, and create new ones using webroot mode. Unfollowing now. |
I confirm. The verification is done first by IPv6, and then by IPv4, if IPv6 is specified in the domain settings. I faced the same problem when I had to order a new certificate. |
Hi Neil,
Something seems to have changed since the last time I renewed certs. This time around I'm getting an error.
I run this command:
But then it errors after the "Standalone mode server" line:
I am trying to troubleshoot it with the web host too, but they're not finding the issue. At first they thought it was because of my http --> https redirect rules, but when these are commented out in .htaccess, the error still happens.
I've looked at
--debug
but I'm not knowledgeable enough with this kind of thing to know if there's anything there or not.Any suggestions?
The text was updated successfully, but these errors were encountered: