NetTalk Central

Author Topic: Lets Encrypt subdomain doesn't generate challenge token  (Read 5256 times)

CaseyR

  • Sr. Member
  • ****
  • Posts: 448
    • View Profile
    • Email
Lets Encrypt subdomain doesn't generate challenge token
« on: April 09, 2018, 10:02:40 AM »
Hi, Bruce

For some reason,  the Let's Encrypt functionality is not generating a challenge token for a subdomain (only tried one).   The subdomain works unsecured.  Here is the relevant log output:
[ 4/09/18-10:09:46]  The URL for the Fetch command was blank
[ 4/09/18-10:09:46]  Notify Server Challenge is Ready
[ 4/09/18-10:09:46]  LE Server will now fetch http://externaltest.resschedtest.com:80/.well-known/acme-challenge/
[ 4/09/18-10:09:46]  Challenge Token Saved C:\CJR Dev Projects\ResWebC10\web\.well-known\acme-challenge\

Doesn't make any difference if the primary domain (which does have an LE certificate) is removed from the domains list.  Happy to ask at the next user group if it is not a straight forward fix. 

Thanks

Bruce

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 11251
    • View Profile
Re: Lets Encrypt subdomain doesn't generate challenge token
« Reply #1 on: April 09, 2018, 10:29:26 PM »
>> Challenge Token Saved C:\CJR Dev Projects\ResWebC10\web\.well-known\acme-challenge\

the problem is before this - that line should contain a file name. So one of the steps before that is failing.
If you don't figure it out skype or email me so I can TeamViewer in and take a look. I've not seen this effect before, but adding more logging to make the (earlier) issue more obvious is always a possibility.

cheers
Bruce

CaseyR

  • Sr. Member
  • ****
  • Posts: 448
    • View Profile
    • Email
Re: Lets Encrypt subdomain doesn't generate challenge token
« Reply #2 on: April 10, 2018, 12:36:12 PM »
Thanks, Bruce

The challenge token file is not being created but I have found it has nothing to do with the entry being a subdomain.  As a dummy primary domain, externaltest.com didn't generate the file either.   A few other things I have tried include running the server app 'As administrator' and testing the to see the acme-challenge folder can be written to.  If you don't see the problem here,  we may need to do a team viewer session.  Thanks again.

The full log is below and below that the complete TRACE

[ 4/10/18-13:24:45]  The URL for the Fetch command was blank
[ 4/10/18-13:24:45]  Notify Server Challenge is Ready
[ 4/10/18-13:24:45]  LE Server will now fetch http://externaltetst.com:80/.well-known/acme-challenge/
[ 4/10/18-13:24:45]  Challenge Token Saved C:\CJR Dev Projects\ResWebC10\web\.well-known\acme-challenge\
[ 4/10/18-13:24:10]  Authorize Request externaltetst.com
[ 4/10/18-13:24:10]  Registering Account Madrigal Soft Tools Inc. at  https://acme-staging.api.letsencrypt.org/acme/new-reg
[ 4/10/18-13:24:09]  Server Response When GettingDirectory 200
[ 4/10/18-13:24:09]  Time to update the certificate
[ 4/10/18-13:24:09]  C:\CJR Dev Projects\ResWebC10\certificates\externaltetst.com.crt does not exist
[ 4/10/18-13:24:09]  Dates: resschedtest.com From:19 MAR 2018 To:17 JUN 2018
[ 4/10/18-13:24:09]  Created C:\CJR Dev Projects\ResWebC10\certificates\externaltetst.com.csr
[ 4/10/18-13:24:09]  Created C:\CJR Dev Projects\ResWebC10\certificates\externaltetst.com.key

InitSideBySide failed create an activation context. Error: 1814
[st] [netTalk][thread=1] [ 4/10/18-13:24:09]  Created C:\CJR Dev Projects\ResWebC10\certificates\externaltetst.com.key
InitSideBySide failed create an activation context. Error: 1814
[st] [netTalk][thread=1] [ 4/10/18-13:24:09]  Created C:\CJR Dev Projects\ResWebC10\certificates\externaltetst.com.csr
InitSideBySide failed create an activation context. Error: 1814
[st] Mar 19 21:16:28 2018 GMT
[st] Jun 2=17 3=21:16:28 4=2018 5=GMT
[st] [netTalk][thread=1] [ 4/10/18-13:24:09]  Dates: resschedtest.com From:19 MAR 2018 To:17 JUN 2018
[st] [netTalk][thread=1] not exists C:\CJR Dev Projects\ResWebC10\certificates\externaltetst.com.crt
[st] [netTalk][thread=1] [ 4/10/18-13:24:09]  C:\CJR Dev Projects\ResWebC10\certificates\externaltetst.com.crt does not exist
[st] [netTalk][thread=1] [ 4/10/18-13:24:09]  Time to update the certificate
[st] [netTalk][thread=1] NetAcme.PageReceived  self.state=1
[st] [netTalk][thread=1] NetSimple.ErrorTrap 0 Server Response When GettingDirectory 200 NetAcme.PageReceived
[st] [netTalk][thread=1] [ 4/10/18-13:24:09]  Server Response When GettingDirectory 200
[st]
[st] [netTalk][thread=1] NetAcme.PageReceived  self.state=1
InitSideBySide failed create an activation context. Error: 1814
InitSideBySide failed create an activation context. Error: 1814
InitSideBySide failed create an activation context. Error: 1814
[st] [netTalk][thread=1] [ 4/10/18-13:24:10]  Registering Account Madrigal Soft Tools Inc. at  https://acme-staging.api.letsencrypt.org/acme/new-reg
[st] [netTalk][thread=1] NetAcme.PageReceived  self.state=2
InitSideBySide failed create an activation context. Error: 1814
[st] [netTalk][thread=1] [ 4/10/18-13:24:10]  Authorize Request externaltetst.com
[st] [netTalk][thread=1] NetAcme.PageReceived  self.state=3
[st] [netTalk][thread=1] NetAcme.HTTPChallenge
[st] [netTalk][thread=1] [ 4/10/18-13:24:45]  Challenge Token Saved C:\CJR Dev Projects\ResWebC10\web\.well-known\acme-challenge\
[st] [netTalk][thread=1] [ 4/10/18-13:24:45]  LE Server will now fetch http://externaltetst.com:80/.well-known/acme-challenge/
[st] [netTalk][thread=1] NetAcme.ChallengeReady :: URI=
InitSideBySide failed create an activation context. Error: 1814
[st] [netTalk][thread=1] [ 4/10/18-13:24:45]  Notify Server Challenge is Ready
[st] [netTalk][thread=1] NetSimple.ErrorTrap -15 The URL for the Fetch command was blank NetWebClient.Fetch
[st] [netTalk][thread=1] [ 4/10/18-13:24:45]  The URL for the Fetch command was blank

CaseyR

  • Sr. Member
  • ****
  • Posts: 448
    • View Profile
    • Email
Re: Lets Encrypt subdomain doesn't generate challenge token
« Reply #3 on: April 11, 2018, 02:08:45 PM »
A little more information:

Tracing back through the NetAcme.HTTPChallenge procedure I found the contents of the ThisPage String Theory object that is used as the feeder for the other String Theory objects used create the challenge token contains only "HTTP/1.0 200 OK".  That looks like a lot less than the other ST objects need to generate the token.

Bruce

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 11251
    • View Profile
Re: Lets Encrypt subdomain doesn't generate challenge token
« Reply #4 on: April 12, 2018, 06:19:12 AM »
>> That looks like a lot less than the other ST objects need to generate the token.

I agree. There should be a lot more in the response there. And that's why it is failing.
In the 10.20 build I've added a switch so the entire conversation with LE can be written out to debugview, which will ultimately explain what is going on I think.

That build should be out within the next few days... (but email me, and I can send you an interim file to test.)

cheers
Bruce