certera-io / certera

A central validation server for Let's Encrypt certificates
https://docs.certera.io

Error getting validation data #19

Closed anestevemo closed 3 years ago

anestevemo commented 3 years ago

Hi again,

I read all your documentation and even all the github posts, I also followed all the configurations mentioned in "https://docs.certera.io/#home".

Said this, I'm trying to renew some certificates, but I've only managed to renew one of them... no matter what I do, I can't renew any other certificate even with the same vhost configuration on the same machine.

I've already activated debug logs, but they do not provide any useful information.

dbug: Certera.Web.Services.CertificateAcquirer[0] [mydomain.example] - starting certificate acquisition
dbug: Certera.Web.Services.CertificateAcquirer[0] [mydomain.example] - creating ACME order
dbug: Certera.Web.AcmeProviders.CertesAcmeProvider[0] Order created: https://acme-v02.api.letsencrypt.org/acme/order/102358678/6260472891
dbug: Certera.Web.Services.CertificateAcquirer[0] [mydomain.example] - requesting ACME validation
dbug: Certera.Web.Services.CertificateAcquirer[0] [mydomain.example] - completing order
dbug: Certera.Web.AcmeProviders.CertesAcmeProvider[0] 1 incomplete authorizations.
dbug: Certera.Web.AcmeProviders.CertesAcmeProvider[0] 1 incomplete authorizations.
dbug: Certera.Web.AcmeProviders.CertesAcmeProvider[0] 0 incomplete authorizations.
fail: Certera.Web.Services.CertificateAcquirer[0] [mydomain.example] - error obtaining certificate: BadRequest urn:ietf:params:acme:error:connection Fetching https://mycerteraserver.com/.well-known/acme-challenge/YJ8o-u2TvjKqiR41hpJLGOzw9VrGVltiQDNX6i7eqU: Error getting validation data
dbug: Certera.Web.Services.CertificateAcquirer[0] [mydomain.example] - done

I do not understand how it is possible that only one certificate avoided the error "Error getting validation data".

Is there any other procedure to follow in order to troubleshoot this issue?

Thanks in advance, Kind regards, Toni.

certeraio commented 3 years ago

Hi @anestevemo, looks like these are HTTP-01 validations, is that correct? Are you able to hit that endpoint to see if traffic can flow to it? Looks like you altered the domain before posting (please correct me if I'm wrong). If so, is it really trying to hit the .well-known via HTTPS? I thought it would do it over HTTP by default.

anestevemo commented 3 years ago

Hi @certeraio,

Thanks for the quick response. Yes, that's not the real domain, but it's correctly configured; a standard local Let's Encrypt renewal works perfectly.

With the intention of testing access to the "/.well-known/acme-challenge/" path, I created it manually inside the "wwwroot" directory, then added a "test.txt" file, and I was able to download it from the server that hosts "mydomain.example" with "wget https://mycerteraserver.com/.well-known/acme-challenge".

I'm using your redirection:

location ^~ /.well-known/acme-challenge/ {
    default_type "text/plain";
    rewrite /.well-known/acme-challenge/(.*) https://mycerteraserver.com/.well-known/acme-challenge/$1 break;
}

Regards, Toni.

certeraio commented 3 years ago

The way it should work is like this (please double check and confirm). Let's use the two servers:

You should place the rewrite rule on mydomain.example to forward all /.well-known/acme-challenge/* traffic to your certera server (try using HTTP instead of HTTPS. Even though Let's Encrypt should work with HTTPS, when an expired cert is being used, if you don't yet have a cert, this can be a problem as there's no connection that can be established. Best to use HTTP to make sure it always works, I'll update the documentation examples).

error obtaining certificate: BadRequest urn:ietf:params:acme:error:connection Fetching https://mycerteraserver.com/.well-known/acme-challenge/YJ8o-u2TvjKqiR41hpJLGOzw9VrGVltiQDNX6i7eqU: Error getting validation data

This error message should have had the mydomain.example domain, not mycerteraserver.com, in it (unless Let's Encrypt followed the rewrite/redirect and is displaying the "last" endpoint it saw). One good way to test/validate things is to put a test.txt file in mycerteraserver.com/.well-known/acme-challenge/test.txt and see if you can reach that using mydomain.example.com/.well-known/acme-challenge/test.txt. mydomain should forward/redirect to mycerteraserver.com. Try that out with both HTTP and HTTPS.

Let me know how that goes and we can continue from there.

Cheers!
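The test.txt check the maintainer suggests above, as an added example that is not part of the thread or of certera's code: it walks the redirect chain from the site being renewed to the central server one hop at a time, the way an HTTP-01 validator would, and flags an HTTPS hop (which cannot be established while the certificate at that host is missing or expired) or a hop that drops the challenge path. The `fetch` callable is injectable so the chain logic can be exercised offline; the hostnames are the placeholder ones from the thread.

```python
import urllib.error
import urllib.request
from urllib.parse import urlparse

REDIRECT_CODES = (301, 302, 303, 307, 308)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def urllib_fetch(url):
    """One request, no redirects; returns (status, Location header or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.getcode(), resp.headers.get("Location")
    except urllib.error.HTTPError as e:  # 3xx and 4xx/5xx arrive here
        return e.code, e.headers.get("Location")


def trace_challenge(url, fetch=urllib_fetch, max_hops=5):
    """Follow redirects from `url`; return (hops, final_status, findings)."""
    hops, findings, status = [url], [], None
    for _ in range(max_hops):
        status, location = fetch(hops[-1])
        if status in REDIRECT_CODES and location:
            hops.append(location)
        else:
            break
    else:
        findings.append("too many redirects (loop between the two servers?)")

    challenge_path = urlparse(hops[0]).path
    for hop in hops[1:]:
        parsed = urlparse(hop)
        if parsed.scheme == "https":
            findings.append(f"{hop}: HTTPS hop fails while the cert there is "
                            "missing or expired; redirect to http:// instead")
        if parsed.path != challenge_path:
            findings.append(f"{hop}: challenge path changed from {challenge_path}")
    if status != 200:
        findings.append(f"final hop returned {status}, validator needs 200")
    return hops, status, findings
```

Run it against the real names with `trace_challenge("http://mydomain.example/.well-known/acme-challenge/test.txt")` after placing test.txt on the certera server; an empty findings list means the validator's path is clear.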