j81blog / GenLeCertForNS

This script helps you to create a Let's Encrypt certificate for your NetScaler
GNU General Public License v3.0

Http-01 Validation fails with wrong responder action #21

Closed ViToRiO92 closed 1 month ago

ViToRiO92 commented 3 months ago

The script seems really cool, but i was not able to get it running without modifications.

NetScaler version: NS13.0 92.21.nc
Tested with version: master 2.15.0 and dev 2.25.0

Script Error

When I run the script I get the following error:

2024-05-27 15:18:11:4154    DEBUG   [ORDERVALIDATION]   Listing PAOrderItems
2024-05-27 15:18:11:4154    DEBUG   [ORDERVALIDATION]   {"fqdn":"testdomain.de","status":"invalid","expires":"2024-06-03T13:17:57Z","HTTP01Status":"invalid","DNS01Status":null}
2024-05-27 15:18:11:4310    DEBUG   [ORDERVALIDATION]   {"fqdn":"sts.testdomain.de","status":"invalid","expires":"2024-06-03T13:17:57Z","HTTP01Status":"invalid","DNS01Status":null}
2024-05-27 15:18:11:4310    DEBUG   [ORDERVALIDATION]   {"fqdn":"www.testdomain.de","status":"invalid","expires":"2024-06-03T13:17:57Z","HTTP01Status":"invalid","DNS01Status":null}
2024-05-27 15:18:11:4310    DEBUG   [ORDERVALIDATION]   Items still pending: False
2024-05-27 15:18:23:1029    INFO    [ORDERVALIDATION]   Still 0 "pending" items left. Waiting an extra 5 seconds.
2024-05-27 15:18:23:1185    DEBUG   [ORDERVALIDATION]   Loop ended no pending items left.
2024-05-27 15:18:24:7435    DEBUG   [ORDERVALIDATION]   Listing PAOrderItems
2024-05-27 15:18:24:7435    DEBUG   [ORDERVALIDATION]   {"fqdn":"testdomain.de","status":"invalid","expires":"2024-06-03T13:17:57Z","HTTP01Status":"invalid","DNS01Status":null}
2024-05-27 15:18:24:7592    DEBUG   [ORDERVALIDATION]   {"fqdn":"sts.testdomain.de","status":"invalid","expires":"2024-06-03T13:17:57Z","HTTP01Status":"invalid","DNS01Status":null}
2024-05-27 15:18:24:7592    DEBUG   [ORDERVALIDATION]   {"fqdn":"www.testdomain.de","status":"invalid","expires":"2024-06-03T13:17:57Z","HTTP01Status":"invalid","DNS01Status":null}
2024-05-27 15:18:24:7748    ERROR   [ORDERVALIDATION]   Unfortunately there are invalid items. Failed Records:
2024-05-27 15:18:24:7748    DEBUG   [ORDERVALIDATION]   {"fqdn":"testdomain.de","status":"invalid","expires":"2024-06-03T13:17:57Z","HTTP01Status":"invalid","DNS01Status":null}
2024-05-27 15:18:24:7905    DEBUG   [ORDERVALIDATION]   {"fqdn":"sts.testdomain.de","status":"invalid","expires":"2024-06-03T13:17:57Z","HTTP01Status":"invalid","DNS01Status":null}
2024-05-27 15:18:24:7905    DEBUG   [ORDERVALIDATION]   {"fqdn":"www.testdomain.de","status":"invalid","expires":"2024-06-03T13:17:57Z","HTTP01Status":"invalid","DNS01Status":null}
2024-05-27 15:18:24:8373    ERROR   [ORDERVALIDATION]   Error: {"type":"urn:ietf:params:acme:error:unauthorized","detail":"The key authorization file from the server did not match this challenge. Expected \"nX3Rsk6aMPSIpBV7bX0Let--ThtQu_H5pQsciinazZE.CXgnRMX76gizFpndNeFlZb7qIf8p-ooiISA5Lc0Pq4Q\" (got \"\\r\\nnX3Rsk6aMPSIpBV7bX0Let--ThtQu_H5pQsciinazZE.CXgnRMX76gizFpndNeFlZb7qIf8p-ooiISA5Lc0Pq4Q\")","status":403}
2024-05-27 15:18:24:8373    ERROR   [ORDERVALIDATION]   ValidationRecord: {"url":"http://testdomain.de/.well-known/acme-challenge/nX3Rsk6aMPSIpBV7bX0Let--ThtQu_H5pQsciinazZE","hostname":"testdomain.de","port":"80","addressesResolved":["1.2.3.4"],"addressUsed":"1.2.3.4"}
2024-05-27 15:18:24:8842    ERROR   [ORDERVALIDATION]   Error: {"type":"urn:ietf:params:acme:error:unauthorized","detail":"The key authorization file from the server did not match this challenge. Expected \"93nnX7uUUQd2Qx7JUa41fmAq08qcFILQOvlUhcM7Q-g.CXgnRMX76gizFpndNeFlZb7qIf8p-ooiISA5Lc0Pq4Q\" (got \"\\r\\n93nnX7uUUQd2Qx7JUa41fmAq08qcFILQOvlUhcM7Q-g.CXgnRMX76gizFpndNeFlZb7qIf8p-ooiISA5Lc0Pq4Q\")","status":403}
2024-05-27 15:18:24:8842    ERROR   [ORDERVALIDATION]   ValidationRecord: {"url":"http://sts.testdomain.de/.well-known/acme-challenge/93nnX7uUUQd2Qx7JUa41fmAq08qcFILQOvlUhcM7Q-g","hostname":"sts.testdomain.de","port":"80","addressesResolved":["1.2.3.4"],"addressUsed":"1.2.3.4"}
2024-05-27 15:18:24:9310    ERROR   [ORDERVALIDATION]   Error: {"type":"urn:ietf:params:acme:error:unauthorized","detail":"The key authorization file from the server did not match this challenge. Expected \"y2nftIyxEnU98rv16UhPfpgUW4XJYvmxFumieGX8sEo.CXgnRMX76gizFpndNeFlZb7qIf8p-ooiISA5Lc0Pq4Q\" (got \"\\r\\ny2nftIyxEnU98rv16UhPfpgUW4XJYvmxFumieGX8sEo.CXgnRMX76gizFpndNeFlZb7qIf8p-ooiISA5Lc0Pq4Q\")","status":403}
2024-05-27 15:18:24:9310    ERROR   [ORDERVALIDATION]   ValidationRecord: {"url":"http://www.testdomain.de/.well-known/acme-challenge/y2nftIyxEnU98rv16UhPfpgUW4XJYvmxFumieGX8sEo","hostname":"www.testdomain.de","port":"80","addressesResolved":["1.2.3.4"],"addressUsed":"1.2.3.4"}
2024-05-27 15:18:24:9467    ERROR   [INVOKE-REGISTERERROR]  [1] There are some invalid items

It seems that the token did not match. But why?

Manual Netscaler config

I deep-dived into your script and rebuilt the responder action and policy manually in the NetScaler GUI. Then I requested a certificate with Posh-ACME and ran into the exact same error:

Responder Action

Responder Policy

POSH-ACME Error

$data = Get-PAOrder -Refresh -MainDomain testdomain.de | Get-PAAuthorization
$data.challenges.error.detail
The key authorization file from the server did not match this challenge. Expected "C_nIgGS62Ih2WGo1v3VEejx2K-uvXfDRaHZM615lr2U.LZVA5i6kR9wyXv6wzjBdifnOV95ZS3P9zun18oCHSbM" (got "\r\nC_nIgGS62Ih2WGo1v3VEejx2K-uvXfDRaHZM615lr2U.LZVA5i6kR9wyXv6wzjBdifnOV95ZS3P9zun18oCHSbM")

Browser behaviour

When I open the challenge URL in the browser I notice that the page downloads a file instead of presenting an HTML page.

Solution

Responder Action

If I set the Content-Type to text/html in the expression, the browser does not download the file and just presents a page. When I now run Posh-ACME, the validation also works.

Is it possible that the behaviour of NetScaler NS13.0 92.21.nc is different from older versions and an adjustment in the responder action is needed?

I need to adjust line 4186 to make your script work.

old:

$ADCKeyAuthorization = "HTTP/1.0 200 OK\r\n\r\n$($KeyAuth)"

new:

$ADCKeyAuthorization = "HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n$($KeyAuth)"
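
As an added diagnostic example (not code from GenLeCertForNS or Posh-ACME), the following Python parses a raw HTTP-01 challenge response the way a CA does and reports why the key authorization would be rejected, including the leading CRLF case visible in the log above. The token, thumbprint and sample responses are constructed, and the assumption that only trailing whitespace is tolerated is stated in the code.

```python
from typing import Dict, Tuple

# Constructed token and account-key thumbprint (not real ACME values).
TOKEN = "exampleTokenAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
KEY_AUTH = TOKEN + ".exampleThumbprintBBBBBBBBBBBBBBBBBBBBBBBBB"


def split_http_response(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw response into (status line, headers, body). The body is
    everything after the first CRLF CRLF, byte for byte, nothing stripped."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no blank line between headers and body")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def check_key_authorization(raw: bytes, expected: str) -> Tuple[bool, str]:
    """Return (ok, reason). Assumption: the CA tolerates trailing whitespace
    but nothing before the key authorization, which is the case the issue log
    shows being rejected (got "\\r\\n<keyauth>")."""
    status, headers, body = split_http_response(raw)
    note = "" if "content-type" in headers else " [no Content-Type header]"
    if status.split(" ")[1:2] != ["200"]:
        return False, f"unexpected status line {status!r}" + note
    got = body.rstrip(b" \t\r\n").decode("iso-8859-1", "replace")
    if got == expected:
        return True, "key authorization matches" + note
    stripped = got.lstrip()
    if stripped == expected:
        leading = got[: len(got) - len(stripped)]
        return False, f"leading whitespace {leading!r} before key authorization" + note
    return False, f"body {got!r} != expected {expected!r}" + note


# Constructed responses: a correct one, and one reproducing the "got \r\n..."
# shape from the issue log (an extra CRLF lands at the start of the body).
GOOD = b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n" + KEY_AUTH.encode()
LEADING_CRLF = b"HTTP/1.0 200 OK\r\n\r\n\r\n" + KEY_AUTH.encode()
WRONG_TOKEN = b"HTTP/1.0 200 OK\r\n\r\nother.thumbprint"

if __name__ == "__main__":
    for name, raw in (("good", GOOD), ("leading_crlf", LEADING_CRLF), ("wrong", WRONG_TOKEN)):
        print(name, check_key_authorization(raw, KEY_AUTH))
```

To use it against a live responder, capture the raw bytes the NetScaler returns for the challenge URL (for example with a raw socket or curl --raw) and pass them in place of the constructed samples.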

j81blog commented 2 months ago

I have had it like that for a couple of years now without issues. I have it running with several customers and other community people. It was tested from v9 in the early days until 14.1. But I will have to look at it. It could be that the browser requires this change. As far as I know this is not needed for the LE request.

j81blog commented 2 months ago

If you like, you can test the latest dev version v2.26.0

ViToRiO92 commented 1 month ago

I tried your update with v2.26.0; it is working for me. Thanks!