ohadschn/letsencrypt-webapp-renewer

Acme-challenge answer is not created.

tadi1 opened this issue · 5 comments

tadi1 commented

Hello,

I hope that I am placing this in the correct area.

I recently attempted to add letsencrypt to an ASP.NET MVC app hosted on Azure using the renewer with a webjob and I have come across an issue. When I trigger the webjob, it fails when attempting to access the secret file. I have checked my slot's storage and the .well-known directory is not created. I attempted to manually add /.well-known/acme-challenge/ and then trigger the job again, but the directory is never populated.

I have added "routes.IgnoreRoute(".well-known/");" to my RouteConfig, but I would imagine that that is only needed for reading the secret back, but I may be incorrect. On a whim, I enabled FTP access, but as I have not found any mention of it anywhere, I doubt that it is needed.

I have included a portion of the output below. Please let me know if additional information is needed. Any assistance would be appreciated.

[08/14/2018 04:10:24 > 5bde0d: INFO] Access Token Hash: [HASH]
[08/14/2018 04:10:24 > 5bde0d: INFO] Refresh Token Hash: [No Refresh Token]
[08/14/2018 04:10:24 > 5bde0d: INFO] Expiration Time: 08/14/2018 05:10:23 +00:00
[08/14/2018 04:10:24 > 5bde0d: INFO] User Hash: null
[08/14/2018 04:10:24 > 5bde0d: INFO]
[08/14/2018 04:10:24 > 5bde0d: INFO] AzureLetsEncryptRenewer.exe Information: 0 : Add certificate for acmeConfig hostname www.[DOMAIN].com, [DOMAIN].com
[08/14/2018 04:10:24 > 5bde0d: INFO] AzureLetsEncryptRenewer.exe Information: 0 : RequestAndInstallInternal
[08/14/2018 04:10:24 > 5bde0d: INFO] AzureLetsEncryptRenewer.exe Information: 0 :
[08/14/2018 04:10:24 > 5bde0d: INFO] Getting AcmeServerDirectory
[08/14/2018 04:10:24 > 5bde0d: INFO] AzureLetsEncryptRenewer.exe Information: 0 : Calling Register
[08/14/2018 04:10:28 > 5bde0d: INFO] AzureLetsEncryptRenewer.exe Information: 0 : Updating Registration
[08/14/2018 04:10:28 > 5bde0d: INFO] AzureLetsEncryptRenewer.exe Information: 0 : Saving Registration
[08/14/2018 04:10:28 > 5bde0d: INFO] AzureLetsEncryptRenewer.exe Information: 0 : Saving Signer
[08/14/2018 04:10:28 > 5bde0d: INFO]
[08/14/2018 04:10:28 > 5bde0d: INFO] Authorizing Identifier www.[DOMAIN].com Using Challenge Type http-01
[08/14/2018 04:10:28 > 5bde0d: INFO] AzureLetsEncryptRenewer.exe Information: 0 : Authorizing Identifier www.[DOMAIN].com Using Challenge Type http-01
[08/14/2018 04:10:29 > 5bde0d: INFO] Answer should now be browsable at http://www.[DOMAIN].com/.well-known/acme-challenge/UlwFr3dl5Os2poVa-sLNr-[SECRET]
[08/14/2018 04:10:29 > 5bde0d: INFO] AzureLetsEncryptRenewer.exe Information: 0 : Answer should now be browsable at http://www.[DOMAIN].com/.well-known/acme-challenge/UlwFr3dl5Os2poVa-sLNr-[SECRET]
[08/14/2018 04:10:32 > 5bde0d: INFO] AzureLetsEncryptRenewer.exe Information: 0 : Checking status OK
[08/14/2018 04:10:32 > 5bde0d: INFO] Submitting answer
[08/14/2018 04:10:32 > 5bde0d: INFO] AzureLetsEncryptRenewer.exe Information: 0 : Submitting answer
[08/14/2018 04:10:33 > 5bde0d: INFO] Refreshing authorization attempt 1
[08/14/2018 04:10:33 > 5bde0d: INFO] AzureLetsEncryptRenewer.exe Information: 0 : Refreshing authorization attempt 1
[08/14/2018 04:10:35 > 5bde0d: INFO] Authorization Result: invalid
[08/14/2018 04:10:35 > 5bde0d: INFO] AzureLetsEncryptRenewer.exe Information: 0 : Auth Result invalid
[08/14/2018 04:10:35 > 5bde0d: INFO] AzureLetsEncryptRenewer.exe Error: 0 : Authorization Failed invalid

Thank you.

ohadschn commented

  1. I assume [DOMAIN], [HASH] etc. are not the actual configured values, rather placeholders for your actual values?
  2. Could you share the full logs? Specifically, I would expect some ERROR entries after your failed authorization (like here).
tadi1 commented

Thank you for responding!

Yes, [DOMAIN] and [HASH] were simply there to obscure some of the actual data.

One thing to note is that I originally attempted to set this up using the configuration script. I am not sure if I did something incorrectly, but it added the app settings to the AppService and not to the WebApp. If I am reading the setup instructions correctly, the settings need to be added to either a WebApp dedicated to the renewal, or to an existing WebApp. Eventually, I added the settings to an existing WebApp. I have not yet removed them from the AppService, but I do not think that those values are being used based on the changes in output that I have seen when modifying the WebApp's settings. Of course, I could be incorrect about this.

Also, I think that I read something that said that the creation/renewal will not work if all traffic is forced over HTTPS, is that correct? I generally have a rule enabled to do this using my site's global filters, but I have disabled it while attempting to get this to work.

I have attached a log to this message. Please let me know if there is anything else that I can provide.

Thank you.
errors.txt

ohadschn commented

Hi @tadi1,

Regarding configuration, I'm not sure what you mean about the script updating the AppService configuration. The WebApp is an AppService.

  1. Perhaps you could attach some screenshots or provide more details so I can understand this differentiation.
  2. The script should work, if you tell me exactly how you invoked it I should be able to help.
  3. The renewal WebJob will only pick up configuration from the dedicated renewal WebApp. Quoting from the docs:

Note that these settings should be configured on the Web App where the letsencrypt-webapp-renewer WebJob is deployed (NOT on the Web Apps to be renewed)

Regarding the error you're getting, it's a pretty common one, but it could have various causes.

  1. You are right, the challenge requires HTTP access to the challenge answer URL.
  2. Looking at the logs, the most interesting line to me is The Lets Encrypt ACME server was probably unable to reach http://www.mcar-admin.com/.well-known/acme-challenge/evzOI57mZUAaLD9Bmmt7UAtKFslqRnUNfMHJQbNV-sc view error report from Lets Encrypt at https://acme-v01.api.letsencrypt.org/acme/authz/AA4wlls2HnidzVN-nOw9E1t0IZebuWQyg-C8CUt-b5k.
  3. If you go to that error report you'll see detail: "Invalid response from http://www.mcar-admin.com/.well-known/acme-challenge/evzOI57mZUAaLD9Bmmt7UAtKFslqRnUNfMHJQbNV-sc: "<!DOCTYPE html> <html> <head> <meta charset="utf-8" /> <meta name="viewport" content="width=device-width, initial-sc"", status: 403. So it looks like your server is returning 403 (forbidden).
  4. This looks like your issue: sjkp/letsencrypt-siteextension#150
  5. If the above doesn't help, try and see if any of the other similar ones is of any help: https://github.com/sjkp/letsencrypt-siteextension/search?q=Unable+to+reach&type=Issues
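The diagnosis above (a 403 on the challenge URL, and the earlier point that the answer must be reachable over plain HTTP) is the kind of thing worth verifying before the WebJob is triggered. The following is an added example, not part of this thread or of letsencrypt-webapp-renewer or letsencrypt-siteextension: it fetches the challenge URL the way an http-01 validator does (plain HTTP, no redirect following, body compared to token.thumbprint) and classifies the outcome. To run offline it stands up a local Python HTTP server on a temporary directory; the token, the "thumbprint" and the two simulated misconfigurations (a 403 and a forced-HTTPS redirect) are constructed for the demo.

```python
"""Pre-flight check for an ACME http-01 challenge answer (constructed example).

Serves a challenge file from a temporary directory with Python's built-in HTTP
server, then fetches it the way the Let's Encrypt validator would: plain HTTP,
no redirect following, body compared against token.thumbprint. The server also
simulates the two failure modes discussed in the thread (403 and a forced-HTTPS
redirect) so the classifier can be exercised without a real web app.
"""
import functools
import hashlib
import http.server
import os
import tempfile
import threading
import urllib.error
import urllib.request

ACME_PATH = "/.well-known/acme-challenge/"
FORBIDDEN_TOKEN = "simulate-403"      # constructed: server answers 403 for this token
REDIRECT_TOKEN = "simulate-redirect"  # constructed: server redirects this token to https://


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so a forced-HTTPS rule surfaces as a finding."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def check_challenge(base_url, token, expected_body, timeout=5):
    """Fetch base_url + ACME_PATH + token over plain HTTP and classify the result.

    Returns (verdict, detail); verdict is one of
    ok, mismatch, forbidden, missing, redirect, http_error, unreachable.
    """
    url = base_url.rstrip("/") + ACME_PATH + token
    # ProxyHandler({}) ignores proxy environment variables: the validator connects directly.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}), _NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace").strip()
    except urllib.error.HTTPError as err:
        if 300 <= err.code < 400:
            return "redirect", f"{err.code} -> {err.headers.get('Location')}"
        if err.code == 403:
            return "forbidden", "site refuses the challenge path (check routing / static-file handling)"
        if err.code == 404:
            return "missing", "no file under the web root that actually serves this hostname"
        return "http_error", str(err.code)
    except (urllib.error.URLError, OSError) as err:
        return "unreachable", str(err)
    if body != expected_body:
        return "mismatch", "body is not token.thumbprint"
    return "ok", "answer is browsable over plain HTTP"


class _ChallengeHandler(http.server.SimpleHTTPRequestHandler):
    """Static file server with two simulated misconfigurations for the demo."""

    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_GET(self):
        if self.path.endswith("/" + FORBIDDEN_TOKEN):
            self.send_error(403)  # e.g. an MVC route or filter rejecting the path
            return
        if self.path.endswith("/" + REDIRECT_TOKEN):
            self.send_response(301)  # e.g. a global require-HTTPS filter
            self.send_header("Location", "https://example.invalid" + self.path)
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        super().do_GET()


def serve_directory(directory):
    """Start a local HTTP server on an ephemeral port; returns (server, base_url)."""
    handler = functools.partial(_ChallengeHandler, directory=directory)
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def demo():
    """Write one challenge file, then run the checker against each scenario."""
    token = "UlwFr3dl5Os2poVa-sLNr-EXAMPLE"  # constructed token, shaped like the one in the log
    # Stand-in for the account key's JWK thumbprint; a real one is base64url(SHA-256(JWK)).
    thumbprint = hashlib.sha256(b"constructed account key").hexdigest()
    expected = f"{token}.{thumbprint}"
    with tempfile.TemporaryDirectory() as root:
        chal_dir = os.path.join(root, ".well-known", "acme-challenge")
        os.makedirs(chal_dir)
        with open(os.path.join(chal_dir, token), "w", encoding="ascii") as fh:
            fh.write(expected)
        srv, base = serve_directory(root)
        try:
            return {
                "present": check_challenge(base, token, expected)[0],
                "wrong_body": check_challenge(base, token, token + ".other")[0],
                "absent": check_challenge(base, "not-written", expected)[0],
                "forbidden": check_challenge(base, FORBIDDEN_TOKEN, expected)[0],
                "redirect": check_challenge(base, REDIRECT_TOKEN, expected)[0],
            }
        finally:
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:>10}: {verdict}")
```

Against a real site, `check_challenge("http://www.example.com", token, expected)` with the token and body taken from the renewer's log is the useful call; a "redirect" verdict means an HTTPS-forcing rule is in front of the challenge path, "forbidden" matches the 403 in the error report above, and "missing" means the file was written under a different web root (for instance a slot) than the one serving the hostname.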
tadi1 commented

Hi @ohadschn,

Thank you again for your assistance.

Something that you said above pointed me to something else that made me realize where I had messed up :). When I decided to move this site to Azure, I created an App Service Plan. I then added an App Service under it. This is where I messed up... I then created a slot to deploy the site to. I did not realize that this was not required until now. I saw the information on setting up the renewer to renew the certificate for a slot, but I did not realize that I was actually attempting this, as the slot is listed as a Web App, not a slot, on the dashboard. So of course, this is why I could not find the directory; I was looking under the slot and not the App Service itself.

So, today, I went back to the App Service (which is where the script added its settings) and checked its file system and found the .well-known directory and everything that you would expect to find underneath it. I pushed the site to the App Service and triggered the WebJob and it passed on the staging environment. I disabled letsencrypt:AcmeBaseUri by renaming it and I triggered the job again and it passed.

This is what I get for working on projects late at night!

Thank you again for your assistance and also for your work on this project.

ohadschn commented

Glad to hear it's all sorted!
BTW Simon (creator of letsencrypt-siteextension) deserves most of the credit, I just wrapped his library :)