Renewal fails with invalid response

[Ninerian]

Hello, thanks for making this plugin, its really helpful.

Summary

On the renewal of an subdomain, letsencrypt fails constantly for not finding the challenge file.

Despcription

I host a sentry installation, which is served via a proxy redirect from nginx. While renewing the letsencrypt certificate, plesk is showing me an error:

Challenge marked as invalid. Details: Invalid response from http://sentry.diginetmedia.de/.well-known/acme-challenge/KnRlXy2Z8-cMBqBB1pCZYls-ABPW-T0vXPJ5ekoq4fY: "<html>...

I checked my configs, and also the nginx logs, and tested the access with a dummy file. All is serving from the correct folder.

It seems, letsencrypt isn't placing the files correctly. As the logs are now written to panel.log, but no detailed report into the letsencrypt log folder, I'm not able to reconstruct the process.

I disabled Apache in the web config. Here are my configs:

Apache http:

ProxyPass / http://localhost:9000/
ProxyPassReverse / http://localhost:9000/
ProxyPreserveHost On
RequestHeader set X-Forwarded-Proto "https" env=HTTPS

<IfModule mod_rewrite.c>
    RewriteEngine On

    RewriteCond %{HTTPS} off
    RewriteCond %{HTTP_HOST} ^www\.(.*)$
    RewriteRule ^(.*)$ https://%1/$1 [L,R=301]

    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>

<Directory "/var/www/vhosts/diginetmedia.de/sentry/.well-known/">
    Options None
    AllowOverride None
    Require all granted
    Header add Content-Type text/plain
</Directory>

Alias /.well-known/ /var/www/vhosts/diginetmedia.de/sentry/.well-known/

Apache https:

ProxyPass / http://localhost:9000/
ProxyPassReverse / http://localhost:9000/
ProxyPreserveHost On
RequestHeader set X-Forwarded-Proto "https" env=HTTPS

<Directory "/var/www/vhosts/diginetmedia.de/sentry/.well-known/">
    Options None
    AllowOverride None
    Require all granted
    Header add Content-Type text/plain
</Directory>

Alias /.well-known/ /var/www/vhosts/diginetmedia.de/sentry/.well-known/

Nginx

location ~ ^/\.well-known/ {
    root /var/www/vhosts/diginetmedia.de/sentry/;
}

location / {
    proxy_pass        http://localhost:9000;

    add_header Strict-Transport-Security "max-age=31536000";
}

[alcordier]

I'm experimenting the same issue on one of my servers. Some people said Let's Encryp now prefers IPV6 connexion if it is enable on the domain (AAAA record). This can lead to renew failing if IPV6 is not properly configured on the server.

See this comment : https://ext.plesk.com/packages/f6847e61-33a7-4104-8dc9-d26a0183a8dd-letsencrypt#comment-3312235348 or this thread https://community.letsencrypt.org/t/plesk-lets-encrypt-plugin-error-message-when-installing-letscrypt-at-a-domain/34614/5

[Ninerian]

No, this don't where the solution. I have the assumption, that the file isn't created. Is there a log file, which covers the whole process?

[alcordier]

I think you can find explanations in https://support.plesk.com/hc/en-us/articles/213403509 Look at plesk Panel log: /usr/local/psa/admin/logs/panel.log

[fabienlege]

Same error for me. The only message contained in /var/log/plesk/panel.log is :

[2017-06-20 15:52:28] ERR [panel] Échec de l&#039;installation du certificat SSL Let&#039;s Encrypt : Challenge marked as invalid. Details: Invalid response from http://park.ho5dev.com/.well-known/acme-challenge/CgmhI-vJhRI8Co0MJii4P4QCTCE5roWKqexQ95Qsvw0: &amp;quot;&amp;lt;!DOCTYPE HTML PUBLIC &amp;quot;-//IETF//DTD HTML 2.0//EN&amp;quot;&amp;gt;<br /> &amp;lt;html&amp;gt;&amp;lt;head&amp;gt;<br /> &amp;lt;title&amp;gt;404 Not Found&amp;lt;/title&amp;gt;<br /> &amp;lt;/head&amp;gt;&amp;lt;body&amp;gt;<br /> &amp;lt;h1&amp;gt;Not Found&amp;lt;/h1&amp;gt;<br /> &amp;lt;p&amp;quot;

I've checked my IPV6 and it correctly pointing to my server

[Ninerian]

So I found a solution for my problem. Here are the steps I took to investigate the process:

• Enable logging in plesk. Add the line

  [log]
  filter.priority = 7

  to the file /usr/local/psa/admin/conf/panel.ini.

• Enable logging for letsencrypt Add the line

  logRequests = true

  to the file /opt/psa/var/modules/letsencrypt/cli.ini.

• Show the log of plesk with plesk log --all

• Start letsencrypt via commandline with /usr/sbin/plesk bin extension --exec letsencrypt cli.php -d {DOMAIN} -m {EMAIL} -w {FOLDER TO SAVE CHALLENGE} -c /opt/psa/var/modules/letsencrypt/cli.ini

Now you'll see a detailed log of all the steps letsencrypt proceeds. It may help to find the source of the misbehavior.

In my case, the files where saved into a subfolder where I didn't redirected nginx to.