w2c/letsencrypt-esxi

Error getting validation data: 400 invalid

Closed this issue · 3 comments

Hi,

Thanks for this. Sadly not working for me.

Running on ESXi ESXi-6.7.0-20220704001-standard.

/etc/init.d/w2c-letsencrypt start
Running 'start' action
Starting certificate renewal.
Existing cert for esxi.myDomain.com not issued by Let's Encrypt. Requesting a new one!
Generating RSA private key, 4096 bit long modulus
**************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************++++
****************++++
e is 65537 (0x10001)
Serving HTTP on 0.0.0.0 port 8120 ...
Parsing account key...
Parsing CSR...
Found domains: esxi.myDomain.com
Getting directory...
Directory found!
Registering account...
Already registered! Account ID: https://acme-v02.api.letsencrypt.org/acme/acct/700469847
Creating new order...
Order created!
Verifying esxi.myDomain.com...
127.0.0.1 - - [25/Aug/2022 17:41:28] "GET /.well-known/acme-challenge/Te4bgquHPUCMnn6JbLsknwR4CmG9GXFnaxJceNRo2gk HTTP/1.1" 200 -
Traceback (most recent call last):
  File "./acme_tiny.py", line 199, in <module>
    main(sys.argv[1:])
  File "./acme_tiny.py", line 195, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact, check_port=args.check_port)
  File "./acme_tiny.py", line 153, in get_crt
    raise ValueError("Challenge did not pass for {0}: {1}".format(domain, authorization))
ValueError: Challenge did not pass for esxi.myDomain.com: {'identifier': {'type': 'dns', 'value': 'esxi.myDomain.com'}, 'expires': '2022-09-01T17:41:27Z', 'challenges': [{'token': 'Te4bgquHPUCMnn6JbLsknwR4CmG9GXFnaxJceNRo2gk', 'validationRecord': [{'addressesResolved': ['myPublicIP'], 'url': 'http://esxi.myDomain.com/.well-known/acme-challenge/Te4bgquHPUCMnn6JbLsknwR4CmG9GXFnaxJceNRo2gk', 'port': '80', 'addressUsed': 'myPublicIP', 'hostname': 'esxi.myDomain.com'}], 'validated': '2022-08-25T17:41:28Z', 'status': 'invalid', 'type': 'http-01', 'url': 'https://acme-v02.api.letsencrypt.org/acme/chall-v3/146077121297/FH4vAg', 'error': {'detail': 'myPublicIP: Fetching http://esxi.myDomain.com/.well-known/acme-challenge/Te4bgquHPUCMnn6JbLsknwR4CmG9GXFnaxJceNRo2gk: Error getting validation data', 'type': 'urn:ietf:params:acme:error:connection', 'status': 400}}], 'status': 'invalid'}
Error: No cert obtained from Let's Encrypt. Generating a self-signed certificate.
hostd signalled.
rabbitmqproxy is not running
VMware HTTP reverse proxy signalled.
sfcbd-init: Getting Exclusive access, please wait...
sfcbd-init: Exclusive access granted.
sfcbd-init: sfcbd is not running.
vpxa signalled.
vsanperfsvc is not running.
/etc/init.d/vvold ssl_reset, PID 2104005
vvold is not running.
cat /var/log/syslog.log | grep w2c
2022-08-25T16:59:18Z jumpstart[2098915]: executing start plugin: w2c-letsencrypt
2022-08-25T16:59:18Z /etc/init.d/w2c-letsencrypt: Running 'start' action
2022-08-25T16:59:18Z /opt/w2c-letsencrypt/renew.sh: Starting certificate renewal.
2022-08-25T16:59:18Z /opt/w2c-letsencrypt/renew.sh: Existing cert for esxi.myDomain.com not issued by Let's Encrypt. Requesting a new one!
2022-08-25T17:00:02Z /opt/w2c-letsencrypt/renew.sh: Error: No cert obtained from Let's Encrypt. Generating a self-signed certificate.
2022-08-25T17:37:23Z /etc/init.d/w2c-letsencrypt: Running 'start' action
2022-08-25T17:37:23Z /opt/w2c-letsencrypt/renew.sh: Starting certificate renewal.
2022-08-25T17:37:23Z /opt/w2c-letsencrypt/renew.sh: Existing cert for esxi.myDomain.com not issued by Let's Encrypt. Requesting a new one!
2022-08-25T17:37:40Z /opt/w2c-letsencrypt/renew.sh: Error: No cert obtained from Let's Encrypt. Generating a self-signed certificate.
2022-08-25T17:41:23Z /etc/init.d/w2c-letsencrypt: Running 'start' action
2022-08-25T17:41:23Z /opt/w2c-letsencrypt/renew.sh: Starting certificate renewal.
2022-08-25T17:41:23Z /opt/w2c-letsencrypt/renew.sh: Existing cert for esxi.myDomain.com not issued by Let's Encrypt. Requesting a new one!
2022-08-25T17:41:29Z /opt/w2c-letsencrypt/renew.sh: Error: No cert obtained from Let's Encrypt. Generating a self-signed certificate.

Edit/Update: Just realized I had a setting in /etc/hosts pointing the domain to a local IP to make it easier on me, so I got rid of that and tried again. Now it just gets stuck on verifying domain.com and the log stops there as well.

And https://websistent.com/tools/open-port-check-tool/ confirms port 80 is open as expected.

Edit 2: Trying on ESXi-7.0U3f-20036589-standard

First thing I noticed:

esxcli software vib install -v /tmp/w2c-letsencrypt-esxi.vib -f
Remote end closed connection without response
[will@esxi2:~] esxcli software vib install -v /tmp/w2c-letsencrypt-esxi.vib -f
Installation Result
   Message: Host is not changed.
   Reboot Required: false
   VIBs Installed:
   VIBs Removed:
   VIBs Skipped: web-wack-creations_bootbank_w2c-letsencrypt-esxi_1.0.0-0.0.0

So it did work despite the first error.

Sadly same problem.

For privacy, I switched out my real public IP with myPublicIP and my domain with myDomain.

Using Cloudflare to set my A record.

Thanks for the help,

Will

Regarding ESXi ESXi-6.7.0-20220704001-standard:

Let's Encrypt usually retrieves the challenge multiple times from different servers, so you should see multiple log lines like: 127.0.0.1 - - [25/Aug/2022 17:41:28] "GET /.well-known/acme-challenge/Te4bgquHPUCMnn6JbLsknwR4CmG9GXFnaxJceNRo2gk HTTP/1.1" 200 -

I'd assume you see 400 Bad Request instead of a second log line because of a DNS-related issue on your end. Do you have an AAAA record set on your domain as well? Is the A record the only one? If yes and either of them doesn't point to the same target as the first A record, you may see the error as you do.

Regarding ESXi-7.0U3f-20036589-standard:

What's the log output there? Did you have a certificate afterwards? It may have been issued while "Remote end closed connection without response" was written to stdout. "Message: Host is not changed." is expected output if the package was successfully installed. Please also check https://github.com/w2c/letsencrypt-esxi/wiki/Troubleshooting#no-lets-encrypt-certificate-after-installation
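A small diagnostic in the spirit of the reply above, added here as an example and not part of the project's code or this thread: it pulls the status, error type and resolved addresses out of the authorization object acme_tiny prints when a challenge fails, and pre-checks that every A/AAAA answer for the hostname is an address the ESXi host actually serves port 80 on. The sample authorization, the hostname esxi.example.com and the addresses are constructed; the `resolver` argument exists so the check can be exercised offline.

```python
import socket

# Constructed sample mirroring the 'invalid' authorization from the report
# above; the addresses are documentation ranges, not real hosts.
SAMPLE_AUTHZ = {
    "identifier": {"type": "dns", "value": "esxi.example.com"},
    "status": "invalid",
    "challenges": [{
        "type": "http-01", "status": "invalid",
        "validationRecord": [{"addressesResolved": ["203.0.113.10", "2001:db8::10"],
                              "addressUsed": "2001:db8::10", "port": "80"}],
        "error": {"type": "urn:ietf:params:acme:error:connection",
                  "status": 400, "detail": "Error getting validation data"},
    }],
}


def summarize_http01(authz):
    """Pull the facts worth reading out of an ACME authorization object:
    the http-01 challenge status, the error type, every address the CA
    resolved and the one it actually connected to."""
    for ch in authz.get("challenges", []):
        if ch.get("type") != "http-01":
            continue
        records = ch.get("validationRecord", [])
        return {
            "status": ch.get("status"),
            "error": (ch.get("error") or {}).get("type"),
            "resolved": [a for r in records for a in r.get("addressesResolved", [])],
            "used": [r.get("addressUsed") for r in records],
        }
    return None


def resolve_all(hostname, resolver=socket.getaddrinfo):
    """All A and AAAA answers for hostname; the CA may pick any of them."""
    try:
        infos = resolver(hostname, 80, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def stray_addresses(hostname, served_on, resolver=socket.getaddrinfo):
    """Pre-flight for http-01: every published address must be one the host
    answers port 80 on. Returns the ones that are not (an AAAA record
    pointing somewhere else is the classic cause of a 400 like the one above)."""
    return sorted(resolve_all(hostname, resolver) - set(served_on))
```

Run `stray_addresses("esxi.mydomain.com", ["<your public IP>"])` before starting the renewal; a non-empty result lists addresses the CA may connect to that will never serve the token.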

I plan to take another look at this...

But.. Just had my system crash. Not sure why yet, just happened and now after boot up I can't access the web console.

OK fixed.

Noticed a new rui.crt and rui.key were created in the last few minutes, and they were a bad self-signed pair.

  1. I deleted /etc/vmware/ssl/rui.crt and /etc/vmware/ssl/rui.key

  2. Then ran generate-certificates, which re-created the self-signed cert and key.

  3. Restarted services via /sbin/services.sh restart, and now the web console is back online as expected.

Success! 🥇

[will@esxi:~] /etc/init.d/w2c-letsencrypt start
Running 'start' action
Starting certificate renewal.
Existing cert for esxi.mydomain.com not issued by Let's Encrypt. Requesting a new one!
Generating RSA private key, 4096 bit long modulus
********************************************************************************************************************************************************************************************************************************************************************************************++++
******************************************************************************************************************************************************************************************++++
e is 65537 (0x10001)
Serving HTTP on 0.0.0.0 port 8120 (http://0.0.0.0:8120/) ...
Parsing account key...
Parsing CSR...
Found domains: esxi.mydomain.com
Getting directory...
Directory found!
Registering account...
Already registered! Account ID: https://acme-v02.api.letsencrypt.org/acme/acct/773171596
Creating new order...
Order created!
Verifying esxi.mydomain.com...
127.0.0.1 - - [15/Oct/2022 20:19:27] "GET /.well-known/acme-challenge/tSXffOByr_HF5V-6Xcyrea4xFj0rb-p3DoqO726FfzM HTTP/1.1" 200 -
127.0.0.1 - - [15/Oct/2022 20:19:28] "GET /.well-known/acme-challenge/tSXffOByr_HF5V-6Xcyrea4xFj0rb-p3DoqO726FfzM HTTP/1.1" 200 -
127.0.0.1 - - [15/Oct/2022 20:19:28] "GET /.well-known/acme-challenge/tSXffOByr_HF5V-6Xcyrea4xFj0rb-p3DoqO726FfzM HTTP/1.1" 200 -
127.0.0.1 - - [15/Oct/2022 20:19:28] "GET /.well-known/acme-challenge/tSXffOByr_HF5V-6Xcyrea4xFj0rb-p3DoqO726FfzM HTTP/1.1" 200 -
127.0.0.1 - - [15/Oct/2022 20:19:29] "GET /.well-known/acme-challenge/tSXffOByr_HF5V-6Xcyrea4xFj0rb-p3DoqO726FfzM HTTP/1.1" 200 -
esxi.mydomain.com verified!
Signing certificate...
Certificate signed!
Success: Obtained and installed a certificate from Let's Encrypt.
logger: Invalid PID 'Usage: fsvmsockrelay '
logger: Invalid PID '{start|stop|status|restart} [--vmci VMCI_ID]'
hostd signalled.
watchdog-lsud[2150450]: Terminating watchdog process with PID 2150084
lsud stopped
lsud started
VMware HTTP reverse proxy signalled.
sfcbd-init[2150532]: args ('')
sfcbd-init[2150532]: Getting Exclusive access, please wait...
sfcbd-init[2150532]: Exclusive access granted.
sfcbd-init[2150543]: args ('ssl_reset')
sfcbd-init[2150543]: Getting Exclusive access, please wait...
sfcbd-init[2150543]: Exclusive access granted.
sfcbd-init[2150543]: sfcbd is not running.
logger: Invalid PID 'Usage: vdfsd '
logger: Invalid PID '{start|stop|status|restart|'
vpxa signalled.
vsanperfsvc is not running.
/etc/init.d/vvold ssl_reset, PID 2150652
vvold is not running.

Looks like a typo/bug somewhere with the Invalid PID lines?

Anyways, it's all working today. Thank you so much!