golang / go

The Go programming language
https://go.dev
BSD 3-Clause "New" or "Revised" License

x/crypto/acme: Bad error description if website rejects authorization query #32747

Open rekby opened 5 years ago

rekby commented 5 years ago
  1. The website rejects the authorization request from Let's Encrypt with a 403 error.
  2. Let's Encrypt can't authorize the domain and returns an error.
  3. The library's error returns the description "acme: authorization error for : " from err.Error() after WaitAuthorization <-- PROBLEM

The ideal error description, as I see it: "acme: authorization error for 'domain': website rejected the authorization with a 403 status"

fmt.Printf("%#v", err)
&acme.AuthorizationError{URI:"https://acme-staging.api.letsencrypt.org/acme/challenge/XXX/YYY", Identifier:"", Errors:[]error(nil)}

curl https://acme-staging.api.letsencrypt.org/acme/challenge/XXX/YYY

{
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:acme:error:unauthorized",
    "detail": "Invalid response from http://ZZZ/.well-known/acme-challenge/HfS3oxj9D7WXST1VKtnDMxeLxTvgn62oLWwYWw-SplQ [XXX]: \"\u003c!DOCTYPE HTML PUBLIC \\\"-//IETF//DTD HTML 2.0//EN\\\"\u003e\\n\u003chtml\u003e\u003chead\u003e\\n\u003ctitle\u003e403 Forbidden\u003c/title\u003e\\n\u003c/head\u003e\u003cbody\u003e\\n\u003ch1\u003eForbidden\u003c/h1\u003e\\n\u003cp\"",
    "status": 403
  },
  "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/XXX/YYY",
  "token": "ASD-ASD",
  "validationRecord": [
    {
      "url": "http://XXX/.well-known/acme-challenge/AAA",
      "hostname": "XXX",
      "port": "80",
      "addressesResolved": [
        "YYY"
      ],
      "addressUsed": "ZZZ"
    }
  ]
}
x1ddos commented 5 years ago

The above JSON is from a single challenge resource. The AuthorizationError is constructed from the whole authorization resource, not a single challenge.

Could you post the failed authorization resource? It should be available somewhere at https://acme-staging.api.letsencrypt.org/acme/authz/xxx.

rekby commented 5 years ago
{
  "identifier": {
    "type": "dns",
    "value": "XXX"
  },
  "status": "invalid",
  "expires": "2019-07-02T11:39:09Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "invalid",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/XXX/XXX",
      "token": "humF-jopUK1o9DmA-w2v1HhrbyIxTv4YmUp1wVc7rZA"
    },
    {
      "type": "tls-alpn-01",
      "status": "invalid",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/XXX/XXX",
      "token": "zTTr2H00bDEG4RdIZBWj35MCZhmS7-EDNTASZd-0wWw"
    },
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:acme:error:unauthorized",
        "detail": "Invalid response from http://XXX/.well-known/acme-challenge/BNx06A619GgwYep4ZQGSbCcA_Mo0uaPgj1W9asdwh3k [YYY]: \"\u003c!DOCTYPE HTML PUBLIC \\\"-//IETF//DTD HTML 2.0//EN\\\"\u003e\\n\u003chtml\u003e\u003chead\u003e\\n\u003ctitle\u003e403 Forbidden\u003c/title\u003e\\n\u003c/head\u003e\u003cbody\u003e\\n\u003ch1\u003eForbidden\u003c/h1\u003e\\n\u003cp\"",
        "status": 403
      },
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/XXX/XXX",
      "token": "BNx06A619GgwYep4ZQGSbCcA_Mo0uaPgj1W9asdwh3k",
      "validationRecord": [
        {
          "url": "http://XXX/.well-known/acme-challenge/BNx06A619GgwYep4ZQGSbCcA_Mo0uaPgj1W9asdwh3k",
          "hostname": "XXX",
          "port": "80",
          "addressesResolved": [
            "YYY"
          ],
          "addressUsed": "YYY"
        }
      ]
    }
  ],
  "combinations": [
    [
      0
    ],
    [
      1
    ],
    [
      2
    ]
  ]
}
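Added example (not code from the thread or from x/crypto/acme): a hypothetical helper that decodes an authorization resource of the shape posted above and produces the kind of message the report asks for, naming the identifier and each challenge's problem document, and saying so explicitly when no challenge carries a problem document. The struct, `DescribeAuthzFailure` and the constructed `sampleAuthz` are assumptions made here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Only the fields of an ACME authorization resource needed to explain a failure
// (shape taken from the authorization JSON posted in this thread).
type acmeAuthz struct {
	Identifier struct{ Value string `json:"value"` } `json:"identifier"`
	Status     string                                `json:"status"`
	Challenges []struct {
		Type  string `json:"type"`
		Error *struct {
			Type   string `json:"type"`
			Detail string `json:"detail"`
			Status int    `json:"status"`
		} `json:"error"`
	} `json:"challenges"`
}

// DescribeAuthzFailure (hypothetical helper, not x/crypto/acme API) builds the
// message the report asks for: identifier plus each challenge's problem document.
func DescribeAuthzFailure(raw []byte) (string, error) {
	var az acmeAuthz
	if err := json.Unmarshal(raw, &az); err != nil {
		return "", fmt.Errorf("acme: decoding authorization: %w", err)
	}
	if az.Status != "invalid" {
		return "", nil // only failed authorizations are described
	}
	var parts []string
	for _, ch := range az.Challenges {
		if ch.Error == nil {
			continue // challenge marked invalid without its own problem document
		}
		parts = append(parts, fmt.Sprintf("%s: %s (status %d): %s",
			ch.Type, ch.Error.Type, ch.Error.Status, ch.Error.Detail))
	}
	if len(parts) == 0 { // the case behind the report: name the gap, don't print "for : "
		parts = []string{"no challenge reported a problem document"}
	}
	return fmt.Sprintf("acme: authorization error for %q: %s",
		az.Identifier.Value, strings.Join(parts, "; ")), nil
}

// sampleAuthz is a constructed, shortened stand-in for the resource in the thread.
const sampleAuthz = `{"identifier":{"type":"dns","value":"example.test"},"status":"invalid","challenges":[
{"type":"dns-01","status":"invalid"},{"type":"http-01","status":"invalid","error":{"type":"urn:acme:error:unauthorized","status":403,"detail":"403 Forbidden"}}]}`
```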