icing / mod_md

Let's Encrypt (ACME) in Apache httpd
https://icing.github.io/mod_md/
Apache License 2.0

Unable to create certificate on windows #220

Closed sridharb1 closed 4 years ago

sridharb1 commented 4 years ago

I am using mod_md v2.2.7 from Apache 2.4.43 from apachelounge.com.

I am trying to configure a couple of hosts. But I am getting the following errors.

Apache log:

[Thu Jun 25 20:26:05.131666 2020] [md:error] [pid 12916:tid 4] ACME server authz: challenge 'invalid' for vidyasridhar.no-ip.org at https://acme-v02.api.letsencrypt.org/acme/authz-v3/5471419350. Exact response was: {"identifier":{"type":"dns","value":"vidyasridhar.no-ip.org"},"status":"invalid","expires":"2020-07-02T14:55:58Z","challenges":[{"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"Invalid response from http://vidyasridhar.no-ip.org/.well-known/acme-challenge/xDZiHoccWDQV26wxi6gqk4mNI0rplRjWhhbyUujj9zA [210.18.181.30]: \" \\n 404 Not Found</T\"","status":403},"url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/5471419350/qqgfcg","token":"xDZiHoccWDQV26wxi6gqk4mNI0rplRjWhhbyUujj9zA","validationRecord":[{"url":"http://vidyasridhar.no-ip.org/.well-known/acme-challenge/xDZiHoccWDQV26wxi6gqk4mNI0rplRjWhhbyUujj9zA","hostname":"vidyasridhar.no-ip.org","port":"80","addressesResolved":["210.18.181.30"],"addressUsed":"210.18.181.30"}]}]}

The same error is for another domain that I am trying to use as well, but I have not shown it because the information is simply repeated.

md-status: errors.txt (https://github.com/icing/mod_md/files/4832183/errors.txt)

Is it because there is already a certificate (says that it expires 2020-07-02)?

Also, how do I set the name property in the conf file? I am referring to the "name": "vidyasridhar.no-ip.org".

Thanks, Sridhar

icing commented 4 years ago

Thanks for the details. As I read it, the ACME validation is not allowed to access the url http://vidyasridhar.no-ip.org/.well-known/acme-challenge/xDZiHoccWDQV26wxi6gqk4mNI0rplRjWhhbyUujj9zA on your server (it gets status 403 which is HTTP for "access denied").

mod_md is designed to handle these resources before common user authentication happens. Do you have other security modules, such as mod_security, installed, or is there a proxy in front of your server that does authentication?

icing commented 4 years ago

The other cause could be your ISP that denies access to port 80 in general. Some are known to do so.

The alternative is to set up the TLS-ALPN authentication which only uses port 443. Look in the README for some how-tos.

sridharb1 commented 4 years ago

Thank you for the prompt response.

I do not have mod_security. I am able to access http://vidyasridhar.no-ip.org/.well-known/acme-challenge/

I created a test file called testfile.txt and I am able to view that.

However, what is strange is that the contents of the file are changing. It contains gYV5uJWEDjikGxVpnv4bBkzmSMfDN3y5IUnDfLdK9J0.F-rtkc_GNZ3tB9AlOOI_ZqkQWLB5hCo07q6O3-_muig which is the same content that is returned by http://vidyasridhar.no-ip.org/.well-known/acme-challenge/xDZiHoccWDQV26wxi6gqk4mNI0rplRjWhhbyUujj9zA

When I created that file, I just had 12345 for testing purposes.

What could be happening here?

BTW, I had been using win-acme before and I had gotten it to work. That's why I suspected that the certificate may still be there (says 2020-07-02) and that could be causing a problem. All this started when I wanted to add a new domain and I got the same problem with win-acme and I decided to try it with mod_md.

Thanks.

sridharb1 commented 4 years ago

Added some more logging, but getting the same error. This is an extract from Apache's error_log. Please help.

error_log.txt (https://github.com/icing/mod_md/files/4835346/error_log.txt)

icing commented 4 years ago

If you experience the same problem with 2 acme clients, as I understand you, the problem is probably not in a particular client. General acme problems are best discussed at https://community.letsencrypt.org where there are several very helpful people with lots of experience.

sridharb1 commented 4 years ago

Yes, same problem with multiple clients (win-acme, certbot and now, mod_md). Will try that forum as you suggested. Thanks.

sridharb1 commented 4 years ago

I wanted to note that this turned out to be a problem with the ISP modem running a webserver on port 80 so that "external" clients couldn't navigate to the web server. This was not "visible" because when I requested the same URL from "internal" machines, I was getting the correct result as the internal router was sending the request correctly to the webserver without touching the modem (which acted as an external gateway). Thanks @icing for the help.

icing commented 4 years ago

You're welcome! And thanks for the follow-up here.
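An added example, not part of the thread or of mod_md: Python that pulls the ACME authorization out of a mod_md error line like the one quoted in the issue and reports, for each failed challenge, the CA's error type, the HTTP status text quoted in `detail`, and the address and port the validator actually contacted. The log line, host, token and address are constructed placeholders, and reading the status out of `detail` is a heuristic.

```python
import json
import re

# Constructed sample shaped like the mod_md line in the issue (placeholder host, token, IP).
URL = "http://www.example.org/.well-known/acme-challenge/constructed-token"
SAMPLE_LOG = (
    "[md:error] ACME server authz: challenge 'invalid' for www.example.org "
    "at https://acme.example/authz/1. Exact response was: "
    + json.dumps({"status": "invalid", "challenges": [{
        "type": "http-01", "status": "invalid",
        "error": {"status": 403, "type": "urn:ietf:params:acme:error:unauthorized",
                  "detail": f'Invalid response from {URL} [203.0.113.10]: "404 Not Found"'},
        "validationRecord": [{"url": URL, "port": "80", "addressUsed": "203.0.113.10"}]}]})
)

def parse_authz(line):
    """Return the ACME authorization object embedded in a mod_md log line."""
    _, found, tail = line.partition("Exact response was: ")
    if not found:
        raise ValueError("line carries no ACME response")
    # raw_decode stops at the end of the object, ignoring any trailing log text
    return json.JSONDecoder().raw_decode(tail.lstrip())[0]

def triage(authz):
    """One finding per validation attempt of each failed challenge."""
    findings = []
    for ch in authz.get("challenges", []):
        if ch.get("status") != "invalid":
            continue
        err = ch.get("error", {})
        seen = re.search(r"\b([45]\d\d) [A-Z]", err.get("detail", ""))  # heuristic
        for rec in ch.get("validationRecord", []):
            findings.append({
                "challenge": ch.get("type"),
                "acme_error": err.get("type", "").rsplit(":", 1)[-1],
                "acme_status": err.get("status"),  # status of the CA's problem document
                "seen_by_validator": int(seen.group(1)) if seen else None,
                "endpoint": f"{rec.get('addressUsed')}:{rec.get('port')}",
            })
    return findings

def hint(f):
    if f["challenge"] == "http-01" and f["seen_by_validator"] == 404:
        return (f"a web server answered on {f['endpoint']} without the token: "
                "fetch the challenge URL from outside the LAN and compare")
    return "read the error detail and the validationRecord"

if __name__ == "__main__":
    print([(f, hint(f)) for f in triage(parse_authz(SAMPLE_LOG))])
```

The `endpoint` value is the address and port the CA reached; when the same URL answers correctly from inside the network, the difference lies on the path to that endpoint, as it did with the ISP modem in this issue.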