getssl
Error during secondary validation
Version: 2.49 OS: Debian
Started receiving this error when trying to renew a domain cert:
Upgraded to v2 (changed https://acme-staging.api.letsencrypt.org to https://acme-staging-v02.api.letsencrypt.org)
Registering account
Verify each domain
Verifying DOMAIN.com
copying challenge token to /PATH-TO/DOMAIN.com/.well-known/acme-challenge/-xvcbRT5qoVusdKnQDOXfPoYvjvGAXMQDTpQfs4XntM
sending request to ACME server saying we're ready for challenge
checking if challenge is complete
Pending
checking if challenge is complete
getssl: DOMAIN.com:Verify error: "detail": "During secondary validation: 2a06:98c1:3121::1: Invalid response from http://DOMAIN.com/.well-known/acme-challenge/-xvcbRT5qoVusdKnQDOXfPoYvjvGAXMQDTpQfs4XntM: 403",
The well-known file is viewable from a browser.
Detail log extract:
...
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 21 Apr 2024 15:19:47 GMT
Content-Type: application/json
Content-Length: 194
Connection: keep-alive
Boulder-Requester: 6163656
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Link: <https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/12092680974>;rel="up"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/12092680974/ERokzg
Replay-Nonce: _O0fw7ZkbdMMIHWGmg6pWlxlilztJkhzSerLoCba8EAIF8dy4xo
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
response { "type": "http-01", "status": "pending", "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/12092680974/ERokzg", "token": "kXlWl32Yw3zGqylFJ3y3Y6uEXWG2ZpC-vRTRfQoOLbY"}
code 200
response status = pending
Pending
sleep 5 secs before testing verify again
checking if challenge is complete
url https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/12092680974/ERokzg
using KID=https://acme-staging-v02.api.letsencrypt.org/acme/acct/6163656
payload =
responseHeaders HTTP/1.1 100 Continue
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 21 Apr 2024 15:19:52 GMT
Content-Type: application/json
Content-Length: 1018
Connection: keep-alive
Boulder-Requester: 6163656
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Link: <https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/12092680974>;rel="up"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/12092680974/ERokzg
Replay-Nonce: _O0fw7ZkyWZK2p_O0Chn-5vpsYv_dFSLOfE8x4ltVNAWh7lzZwU
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
response { "type": "http-01", "status": "invalid", "error": { "type": "urn:ietf:params:acme:error:unauthorized", "detail": "During secondary validation: 2a06:98c1:3120::1: Invalid response from http://DOMAIN.com/.well-known/acme-challenge/kXlWl32Yw3zGqylFJ3y3Y6uEXWG2ZpC-vRTRfQoOLbY: 403", "status": 403 }, "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/12092680974/ERokzg", "token": "kXlWl32Yw3zGqylFJ3y3Y6uEXWG2ZpC-vRTRfQoOLbY", "validationRecord": [ { "url": "http://DOMAIN.com/.well-known/acme-challenge/kXlWl32Yw3zGqylFJ3y3Y6uEXWG2ZpC-vRTRfQoOLbY", "hostname": "DOMAIN.com", "port": "80", "addressesResolved": [ "172.67.172.39", "104.21.47.196", "2606:4700:3034::6815:2fc4", "2606:4700:3036::ac43:ac27" ], "addressUsed": "2606:4700:3034::6815:2fc4", "resolverAddrs": [ "A:10.0.32.88:27567", "AAAA:10.0.32.89:20459" ] } ], "validated": "2024-04-21T15:19:46Z"}
code 200
response status = invalid
getssl: DOMAIN.com:Verify error: "detail": "During secondary validation: 2a06:98c1:3120::1: Invalid response from http://DOMAIN.com/.well-known/acme-challenge/kXlWl32Yw3zGqylFJ3y3Y6uEXWG2ZpC-vRTRfQoOLbY: 403",
Traceback
main() line 3468 called
fulfill_challenges() line 1525 called
check_challenge_completion() line 546 called
error_exit() line 1304 called traceback
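A triage example for the challenge object logged above, added here and not part of the original report or of getssl. It assumes the address printed before "Invalid response from" is the one the failing validation perspective connected to, and compares it with the addresses in the primary `validationRecord`; `triage` and `DETAIL_RE` are names chosen for this example.

```python
import ipaddress
import json
import re

# Challenge object copied from the log in the issue (fields not used here omitted).
CHALLENGE = json.loads("""
{ "type": "http-01", "status": "invalid",
  "error": { "type": "urn:ietf:params:acme:error:unauthorized",
             "detail": "During secondary validation: 2a06:98c1:3120::1: Invalid response from http://DOMAIN.com/.well-known/acme-challenge/kXlWl32Yw3zGqylFJ3y3Y6uEXWG2ZpC-vRTRfQoOLbY: 403",
             "status": 403 },
  "validationRecord": [ { "hostname": "DOMAIN.com", "port": "80",
      "addressesResolved": [ "172.67.172.39", "104.21.47.196",
                             "2606:4700:3034::6815:2fc4", "2606:4700:3036::ac43:ac27" ],
      "addressUsed": "2606:4700:3034::6815:2fc4" } ]
}
""")

# Assumed detail layout:
# "[During secondary validation: ]<address>: Invalid response from <url>: <status>"
DETAIL_RE = re.compile(
    r"^(?P<secondary>During secondary validation: )?"
    r"(?P<addr>[0-9A-Fa-f:.]+): Invalid response from (?P<url>\S+): (?P<code>\d{3})$"
)

def triage(challenge):
    """Summarise which validation perspective failed and which address it reached."""
    err = challenge.get("error")
    if challenge.get("status") != "invalid" or not err:
        return None  # nothing to triage: challenge is pending or valid
    m = DETAIL_RE.match(err.get("detail", ""))
    if not m:
        return {"perspective": "unknown", "detail": err.get("detail")}
    failed = ipaddress.ip_address(m["addr"])
    # Every address the primary perspective resolved, normalised for comparison.
    primary = {ipaddress.ip_address(a)
               for rec in challenge.get("validationRecord", [])
               for a in rec.get("addressesResolved", [])}
    return {
        "perspective": "secondary" if m["secondary"] else "primary",
        "failed_address": str(failed),
        "http_status": int(m["code"]),
        "url": m["url"],
        # False: the failing perspective reached an address the primary never resolved
        "address_seen_by_primary": failed in primary,
    }

if __name__ == "__main__":
    print(json.dumps(triage(CHALLENGE), indent=2))
```

For the logged response the failing address is not among `addressesResolved`, so under the stated assumption the 403 came from an address the primary check did not resolve. A browser test from one location does not exercise that address.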