lgromanowski / acme-plugin

:lock_with_ink_pen: ACME protocol plugin for Ruby on Rails applications
https://rubygems.org/gems/acme_plugin
MIT License
187 stars 30 forks

Challenge verification failed! Error: urn:acme:error:unauthorized: Invalid response - We're sorry, but something went wrong (500) #58

Closed MincePie closed 8 years ago

MincePie commented 8 years ago


1. Expected behaviour

I created a brand new rails 5 app, using heroku. The only things in this app are those created by following the plugin installation instructions.

I saw the comments in issue 14, and I'm unsure if step 5 should be ignored if you use heroku. I tried using it and I tried again after deleting that directory. The error message I get is the same in both cases.

2. Actual behavior

When I try `heroku run rake letsencrypt_plugin`, I get an error that says:

```
heroku run rake letsencrypt_plugin
Running rake letsencrypt_plugin on ⬢ ancient-octopus-78709... up, run.6780 (Hobby)
I, [2016-10-17T07:59:13.985385 #3]  INFO -- : Trying to register at Let's Encrypt service...
I, [2016-10-17T07:59:13.985480 #3]  INFO -- : Loading private key...
I, [2016-10-17T07:59:14.255357 #3]  INFO -- : Acme::Client::Error::Malformed - Registration key is already in use
I, [2016-10-17T07:59:14.256579 #3]  INFO -- : Already registered.
I, [2016-10-17T07:59:14.256646 #3]  INFO -- : Sending authorization request for: www..com...
I, [2016-10-17T07:59:14.504527 #3]  INFO -- : Storing challenge information...
I, [2016-10-17T07:59:16.688404 #3]  INFO -- : Waiting for challenge status...
E, [2016-10-17T07:59:18.456415 #3] ERROR -- : Challenge verification failed! Error: urn:acme:error:unauthorized: Invalid response from http://www..com/.well-known/acme-challenge/eAniFLfG_3t5HrD6zbtppzWWYz1Ay76r0GaFHQ62GLI: "<!DOCTYPE html>

We're sorry, but something went wrong (500)
```
jasper-lyons commented 8 years ago

Would you mind writing out explicitly the steps you took to get there? e.g. (these are not instructions guaranteed to work, just an example)

1. `rails new <app name>`
2. `cd <app name>`
3. add lets_encrypt_plugin to gem file
   * copy gem file here (surround it with ...)
4. `bundle`
5. edit lets_encrypt_plugin.yml
   * copy lets encrypt plugin here (again surround the text with ...)
6. `heroku create <app-name>`
7. `heroku run rake db:migrate`
8. `heroku run rake letsencrypt_plugin`

Then We can know the exact state of the app and help you figure out what is wrong!

MincePie commented 8 years ago

Thanks Jasper!

My steps were:

1. `rails new myapp --database=postgresql; rake db:create; heroku create;`
2. `gem 'letsencrypt_plugin'`
3. `bundle`
4. create config/letsencrypt_plugin.yml:

```yaml
default: &default
  endpoint: 'https://acme-v01.api.letsencrypt.org/'
  email: 'hello@mycustomdomain.com'
  domain: www.mycustomdomain.com

  # in Rails.root, path to private key
  private_key: 'key/keyfile.pem'

  # in Rails.root, path where certificates
  # will be stored (on Heroku this variable is ignored)
  output_cert_dir: 'certificates'

  # in Rails.root, path where challenge token
  # will be stored in case when DB will not be used
  challenge_dir_name: 'challenge'

production:
  <<: *default

development:
  <<: *default

test:
  <<: *default
```

5. `mkdir key certificates`
6. `mkdir challenge`
7. `rake letsencrypt_plugin:install:migrations`
8. `rake db:migrate`
9. `openssl genrsa 4096 > key/keyfile.pem`
10. `mkdir output_cert_dir` [this folder was subsequently deleted]
11. insert the following in routes.rb: `mount LetsencryptPlugin::Engine, at: '/' # It must be at root level`
12. `touch tmp/restart.txt`
13. `git add -A; git commit -m "try lets encrypt again"; git push; git push heroku master`
14. `heroku run rake letsencrypt_plugin` [some of the suggestions in the issues list suggest doing this twice; I tried several times but keep getting the same error]

Thanks very much for your help!

jasper-lyons commented 8 years ago

Hey Mel,

This is fantastic! Thanks :)

I can see a few things that might be causing your problems so we'll work through them one by one until we've resolved your issue.

1. If you look at this line in the code for long enough you'll see that, if the challenge_dir_name key (in letsencrypt_plugin.yml) is set to any value, then the plugin will attempt to store the challenge key (the thing that lets Let's Encrypt know you control the domain) in a file.

   On Heroku this is a problem as Heroku's dynos (the servers) are ephemeral. This means that the plugin will try to store the challenge on the file system and then when it goes to look for it, it is not there (this probably causes the Challenge verification failed! Error).

   To fix this, remove `challenge_dir_name: 'challenge'` from your letsencrypt_plugin.yml. It should then look like:

   ```yaml
   default: &default
     endpoint: 'https://acme-v01.api.letsencrypt.org/'
     email: 'hello@mycustomdomain.com'
     domain: www.mycustomdomain.com

     # in Rails.root, path to private key
     private_key: 'key/keyfile.pem'

     # in Rails.root, path where certificates
     # will be stored (on Heroku this variable is ignored)
     output_cert_dir: 'certificates'

   production:
     <<: *default

   development:
     <<: *default

   test:
     <<: *default
   ```

2. After step 13 (github thinks it's step 9) you'll need to provision a database and migrate it on heroku. Those commands look like this:

   Provision a database on heroku:

   ```
   heroku addons:create heroku-postgresql:hobby-basic
   ```

   Migrate that database:

   ```
   heroku run rake db:migrate
   ```

Now when you run `heroku run rake letsencrypt_plugin`, your certificates should be output to the command line. You will need to copy these into a file before you can use them.

Extra: It's not particularly safe to store your key file in git as someone could scrape your repository for the key and use it to revoke your certificate or impersonate your site. You can embed the key directly into the file or read it from an environment variable if you'd like. First let's see if the above steps get things working for you :).
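The two points above (the challenge must be retrievable by the web dyno that answers Let's Encrypt, and the account key should not live in git) can be checked end to end with a small Ruby script. This is an added example, not code from the plugin or from anyone in this thread. It computes the ACME key authorization the CA expects at the challenge URL (the token, a dot, and the RFC 7638 thumbprint of the account key), serves it from a token-to-value hash that stands in for the plugin's database-backed store, and classifies what a pre-flight GET on the challenge URL returned, so a Rails 500 page like the one in the log can be told apart from a missing token or a token signed with the wrong key. The `LETSENCRYPT_PRIVATE_KEY` variable name, the generated key, the store and the 500 body are constructed assumptions; only the token string and the `/.well-known/acme-challenge/` path come from the log above.

```ruby
require 'openssl'
require 'base64'
require 'digest'
require 'json'

CHALLENGE_PREFIX = '/.well-known/acme-challenge/'.freeze

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Load the ACME account key from an environment variable first, falling back
# to the path used in letsencrypt_plugin.yml, so the PEM never has to be
# committed. LETSENCRYPT_PRIVATE_KEY is an assumed name, not one the plugin reads.
def load_account_key(env: ENV, path: 'key/keyfile.pem')
  pem = env['LETSENCRYPT_PRIVATE_KEY'] || File.read(path)
  OpenSSL::PKey::RSA.new(pem)
end

# RFC 7638 thumbprint of an RSA key: SHA-256 over the canonical JSON
# {"e":..,"kty":"RSA","n":..} (members in lexicographic order, no whitespace),
# base64url-encoded without padding. BN#to_s(2) yields big-endian bytes.
def jwk_thumbprint(rsa_key)
  jwk = { 'e' => b64url(rsa_key.e.to_s(2)), 'kty' => 'RSA', 'n' => b64url(rsa_key.n.to_s(2)) }
  b64url(Digest::SHA256.digest(JSON.generate(jwk)))
end

# The exact body the CA must read at http://<domain>/.well-known/acme-challenge/<token>.
def key_authorization(token, rsa_key)
  "#{token}.#{jwk_thumbprint(rsa_key)}"
end

# Stand-in for the mounted engine's responder. `store` maps token => key
# authorization. On Heroku it has to be backed by the database: a file written
# by `rake letsencrypt_plugin` in a one-off dyno is not visible to the web dyno.
def handle_challenge_request(path, store)
  return [404, 'not found'] unless path.start_with?(CHALLENGE_PREFIX)
  token = path.delete_prefix(CHALLENGE_PREFIX)
  body = store[token]
  body ? [200, body] : [404, 'unknown token']
end

# Pre-flight classification of a GET on the challenge URL, run before asking
# the CA to validate: separates an app crash (500, as in the issue) from a
# missing token (404) from a token served with the wrong key (mismatch).
def classify_challenge_response(status, body, expected)
  return :server_error if status >= 500
  return :not_found if status == 404
  return :mismatch unless status == 200 && body.strip == expected
  :ok
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048)                      # constructed key, not Mel's
  token = 'eAniFLfG_3t5HrD6zbtppzWWYz1Ay76r0GaFHQ62GLI'  # token from the log above
  expected = key_authorization(token, key)

  db_store = { token => expected }                         # what a DB-backed store holds
  status, body = handle_challenge_request(CHALLENGE_PREFIX + token, db_store)
  puts classify_challenge_response(status, body, expected) # => ok

  # Constructed stand-in for what the CA got in the issue: a Rails 500 page.
  html_500 = "<!DOCTYPE html>\n<title>We're sorry, but something went wrong (500)</title>"
  puts classify_challenge_response(500, html_500, expected) # => server_error

  ephemeral_store = {}                                     # file written on another dyno: gone
  status, body = handle_challenge_request(CHALLENGE_PREFIX + token, ephemeral_store)
  puts classify_challenge_response(status, body, expected) # => not_found
end
```

To use it against a live app, replace the simulated status and body with the result of `curl -i http://www.<domain>/.well-known/acme-challenge/<token>` while `rake letsencrypt_plugin` is waiting on the challenge; anything other than `:ok` means the CA will fail the same way.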

MincePie commented 8 years ago

Hi Jasper,

Thanks so much for this help. 

I’ve changed the config file as you suggested and generated the keys. I saved the first four into files in the certificates folder of my app. I also pasted the `www..com-cert.pem` and `www..com-key.pem` as the certificate and key in my heroku SSL settings page.

The heroku settings page now shows as: Your certificate www..com expires on January 17, 2017

I changed the DNS settings to use herokudns instead of herokuapp.

I still can’t open the page though - that might be because the changes haven’t yet propagated. I’ll keep trying and let you know. Hopefully this has got it sorted.

Thanks so much again for the help.

Mel


MincePie commented 8 years ago

Hi again,

I can see from running heroku domains that my ssl heroku app name (…herokudns.com) is the DNS target for mycustomdomain.com. I can also see that ‘host mycustomdomain.com’ returns as an alias for my heroku app name.

However, when I try to render the page using mycustomdomain.com (also tried www.mycustomdomain.com and https://www.mycustomdomain.com) I get an error that says:

* Chrome: This site can’t be reached. www.mycustomdomain.com’s server DNS address could not be found. Try running Network Diagnostics. DNS_PROBE_FINISHED_NXDOMAIN
* Safari: Safari can’t open the page because Safari can’t find the server.

Any ideas about how to solve this?

Thanks again

lgromanowski commented 8 years ago

> Hi again,
>
> I can see from running heroku domains that my ssl heroku app name (…herokudns.com) is the DNS target for mycustomdomain.com. I can also see that ‘host mycustomdomain.com’ returns as an alias for my heroku app name.
>
> However, when I try to render the page using mycustomdomain.com (also tried www.mycustomdomain.com and https://www.mycustomdomain.com) I get an error that says:
>
> * Chrome: This site can’t be reached. www.mycustomdomain.com’s server DNS address could not be found. Try running Network Diagnostics. DNS_PROBE_FINISHED_NXDOMAIN

I'm sorry but this is not related to the letsencrypt plugin - please check your DNS configuration.

I'm not a Heroku user, but here are some articles about DNS settings:

* https://devcenter.heroku.com/articles/custom-domains
* http://stackoverflow.com/questions/14125175/setup-heroku-and-godaddy
* https://www.namecheap.com/support/knowledgebase/article.aspx/9737/2208/how-to-point-a-domain-to-the-heroku-app

Please reopen this issue if you have a working application on Heroku and are sure that the issue is in the letsencrypt plugin.