[Solved] Unable to verify [domainname] (status: invalid)

Problem Description

I’m seeing an issue on only one of the servers we have running Sympl that seems to prevent it from getting a certificate from LetsEncrypt. This seems to apply to all domains regardless of whether that server has successfully been granted a certificate previously.

Any Error Messages

On the console with --verbose enabled I get:

Requesting verification for example.com from https://acme-v02.api.letsencrypt.org/directory
!! Unable to verify example.com (status: invalid)
!! Check http://example.com/.well-known/acme-challenge/Gt3Nq-Pq5gRYBDvhXUitQ59YlvCt7l_JosIiQhfAVtM works.

Domain name example.com is to redact the actual domain but all of the domains are live and from what I can see the challenge file is created and accessible. There doesn’t seem to be anything obvious that I can see is wrong and I can’t find anything that matches this on the LetsEncrypt forums…

Just to add that I see the following in the logs for the domain:

52.28.236.88 - - [01/Mar/2020:19:32:28 +0000] “GET /.well-known/acme-challenge/zcFzPhJ_7udxHC6rxCr4FLRzSlTh9bRPsE3W6-GRN08 HTTP/1.1” 403 532 “-” “Mozilla/5.0 (compatible; Let’s Encrypt validation server; +https://www.letsencrypt.org)”
52.15.254.228 - - [01/Mar/2020:19:32:28 +0000] “GET /.well-known/acme-challenge/zcFzPhJ_7udxHC6rxCr4FLRzSlTh9bRPsE3W6-GRN08 HTTP/1.1” 403 532 “-” “Mozilla/5.0 (compatible; Let’s Encrypt validation server; +https://www.letsencrypt.org)”
34.222.229.130 - - [01/Mar/2020:19:32:29 +0000] “GET /.well-known/acme-challenge/zcFzPhJ_7udxHC6rxCr4FLRzSlTh9bRPsE3W6-GRN08 HTTP/1.1” 403 532 “-” “Mozilla/5.0 (compatible; Let’s Encrypt validation server; +https://www.letsencrypt.org)”
64.78.149.164 - - [01/Mar/2020:19:32:29 +0000] “GET /.well-known/acme-challenge/zcFzPhJ_7udxHC6rxCr4FLRzSlTh9bRPsE3W6-GRN08 HTTP/1.1” 200 292 “-” “Mozilla/5.0 (compatible; Let’s Encrypt validation server; +https://www.letsencrypt.org)”

The 403 response codes make me suspect I’ve got something misconfigured along the way but I can’t make the connection to what I need to actually do to fix things :cold_sweat:

Environment

  • Sympl Version [9.0]:
  • Debian Version [Stretch]:
  • Hardware Type? [Virtual]
  • Sympl Testing Version? [No]

The easiest way to diagnose this is to create a file in htdocs/.well-known/acme-challenge/ with a random name and see if you can browse to it - you’ll likely get an error message from whatever is redirecting the traffic.

Note that Let’s Encrypt are now doing checks from multiple locations, so if you have DNS out of date/mismatched somewhere, or have load balancing/producing going on, you may run into trouble if all the remote locations can’t see the file.

From the log, 3 of the 4 attempts failed, which suggest something odd, but let us know how you get on!

I’ve given the random file in the /.well-known/acme-challenge folder a try and it’s accessible (tried from a few connections) but I’m still getting the “Unable to verify” error and the logs are showing the same 3 out of 4 failed attempts. Is there any way to see more of what’s going on when running sympl-ssl? I’ve tried --debug but that doesn’t show any more of the response from Let’s Encrypt. I’m still researching so hopefully I’ll find something but if you’ve got any suggestions to help my search it would be much appreciated :slight_smile:

Just to be sure, I’ve tried a couple of the test servers running Sympl 9, and it’s getting certs okay.

Not at present - the new version in development will have pretty verbose debug logging and write logs covering the interaction with Let’s Encrypt, but the current Ruby one is rather short on diagnostic logging for the thing that needs it more than anything.

It probably isn’t DNS related, as all 4 of the attempts look to be getting there, so it may be something intercepting the traffic, like a .htaccess rewrite, basic-auth or similar (although theres elements in the apache configuration to prevent that), but that doesn’t explain why one works and the others don’t.

If you want to send me a private message with the domain info, I can take a closer look (click my name, and then ‘Message’).

As a matter of interest is the server that’s in difficultly hosted with MB or elsewhere?

The affected server was hosted on AWS - just worked out what the problem was and will post an update shortly :slight_smile:

So your mention of DNS earlier made me think, and I went back and looked at anything that could be DNS related - and realised that we had mod_defensible installed and, a few weeks ago, had set it up for stricter filtering because of a spike in malicious traffic against WordPress sites. That stricter setting was blocking a couple of cloud providers that Let’s Encrypt was using to test the site. Disabled mod_defensible and the certificates are now being issued!

Thanks for giving me the tip that led to the answer :slight_smile: Much appreciated!

Which AWS product? Lightsail?

Sorry, yes Lightsail.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.