NetTalk Central

Author Topic: Unable to get certificate - Challenge was invalid

Richard I

Unable to get certificate - Challenge was invalid
« on: January 06, 2019, 05:19:37 PM »
Hi,
Got past the previous error, as advised in the last post, by installing MS Visual Studio and the patch, but now when I try to test a certificate download I get: Unable to get certificate - Challenge was invalid
Thanks
Richard NT 11.04
 
[ 1/07/19-14:13:44]  Hostname resolved to: 74.220.202.43
[ 1/07/19-14:13:44]  Unable to get certificate - Challenge was invalid
[ 1/07/19-14:13:44]  Status: "invalid"
[ 1/07/19-14:13:43]  Checking Status
[ 1/07/19-14:13:30]  Status: "pending"
[ 1/07/19-14:13:30]  Checking Status
[ 1/07/19-14:13:30]  Notify Server Challenge is Ready
[ 1/07/19-14:13:30]  LE Server will now fetch http://rji.timepeace.co.nz:80/.well-known/acme-challenge/JItYQ0Nl19EabaqzGyLjV2J_3f04dqM9xD-mcK1bruc
[ 1/07/19-14:13:30]  Challenge Token Saved C:\TimePeaceC10\web\.well-known\acme-challenge\JItYQ0Nl19EabaqzGyLjV2J_3f04dqM9xD-mcK1bruc
[ 1/07/19-14:13:30]  Authorize Request rji.timepeace.co.nz
[ 1/07/19-14:13:30]  Registering Account TimePeaceCA at  https://acme-staging.api.letsencrypt.org/acme/new-reg
[ 1/07/19-14:13:29]  Time to update the certificate rji.timepeace.co.nz
[ 1/07/19-14:13:29]  C:\TimePeaceC10\certificates\rji.timepeace.co.nz.crt does not exist
[ 1/07/19-14:13:29]  Setting Folders for Domain [rji.timepeace.co.nz]
[ 1/07/19-14:13:29]  Setting Folders for Domain [secure.timepeace.co.nz]
[ 1/07/19-14:13:29]  Setting Folders for Domain [rji.timepeace.co.nz]

DonRidley

Re: Unable to get certificate - Challenge was invalid
« Reply #1 on: January 07, 2019, 03:03:05 AM »
Usually when I have this error it's because my domain:

  • wasn't pointing to the correct IP address, and/or
  • my application was being blocked by the firewall, and/or
  • my port(s) were not open (80/443) to receive traffic.

I always open the Windows firewall and turn on notifications.  If you're using the Windows Server OS, it is turned off by default.  You'll be asked to allow your app through the firewall. Click "yes" and that part is done.

I use Amazon AWS EC2 virtual servers.  I setup my EC2 instance to allow traffic to ports 80 and 443.

Maybe that helps.  If you Google LetsEncrypt Challenge was invalid, you'll get tons of info on how to resolve this.  It's not a NetTalk thing.  From your log I can see that the NetTalk part of the process worked as expected.

Good luck,

Don
« Last Edit: January 07, 2019, 03:07:30 AM by DonRidley »
"Eliminate the impossible, whatever remains, however unlikely, must be the truth."

NetTalk 12.55
Clarion 11

Richard I

Re: Unable to get certificate - Challenge was invalid
« Reply #2 on: January 07, 2019, 12:48:46 PM »
Thanks Don,
No joy!
I have checked the firewall, nominated ports 80 and 443, and turned on notifications.
The subdomain rji.timepeace.co.nz is set up with port 443 as the redirect.
I have set up ports 80 and 443 in the EC2 instance, and 443 as HTTPS.
My earlier post mentioned I installed Visual Studio 2017 onto the instance.
Googling "LetsEncrypt Challenge was invalid" was inconclusive because the posts do not appear to be using NetTalk.

When I try localhost:80 on the instance from Firefox, the address defaults to https://localhost,
and if on a remote PC I try rji.timepeace.co.nz it too defaults to https: because I have set port 443 as HTTPS in the instance.
The browser error is:
This site can't provide a secure connection. 3.83.103.153 uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Unsupported protocol
The client and server don't support a common SSL protocol version or cipher suite.

I now note I am getting an error in the logging tab:
ERROR: 10048 Unable to Listen on TCP Port 80 (WSAEADDRINUSE) Address already in use. Only one usage of each socket address (protocol/IP address/port) is normally permitted. This error occurs if an application attempts to bind a socket to an IP address/port that has already been used for an existing [listed by NetErrorStr]

I've watched Webinar 205, again, in the hope I missed something.....
Cheers
Richard

Jane

Re: Unable to get certificate - Challenge was invalid
« Reply #3 on: January 07, 2019, 08:12:19 PM »
Don't know if this means anything...
but http://rji.timepeace.co.nz/.well-known/acme-challenge/   (without the actual LE name) gives an index page saying:
    Apache Server at rji.timepeace.co.nz Port 80

The full URL brings up a 404 page.  And the "server" part of the header says "nginx/1.14.1"

Is that actually your folder on your C:\ drive shown earlier in the log?

Since your log indicates that LE was unable to do the challenge (which it will try to do on port 80), this might be why.
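
The checks Don lists (name pointing at the wrong address, port 80 not reachable) and the check Jane did by hand (fetch the challenge URL and look at the status and Server header) can be scripted so they are run before the ACME client is retried. The following is an added example for this thread, not NetTalk's own code. It reproduces what the Let's Encrypt validator observes for an HTTP-01 challenge and turns each mismatch into a finding. Two things are assumptions: that the body served must equal the contents of the token file the client wrote, and the default `acme_server_header="NetTalk"`, which should be replaced with whatever Server header the ACME-enabled web server really sends.

```python
"""HTTP-01 preflight: observe the challenge URL the way the Let's Encrypt
validator would, then explain any mismatch.

Added example for this thread, not NetTalk's own code.  It covers the causes
raised in the replies above: the name resolving to a different host, port 80
not answering, and a different web server (the Apache/nginx at the hosting
company) answering instead of the ACME-enabled server.
"""
import socket
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import List, Optional

CHALLENGE_PATH = "/.well-known/acme-challenge/"


@dataclass
class Observation:
    resolved_ip: Optional[str]   # None = name did not resolve
    status: Optional[int]        # None = no HTTP answer at all
    server_header: str
    body: str


def observe(hostname: str, token: str, timeout: float = 10.0) -> Observation:
    """Resolve the name and GET http://<host>:80/.well-known/acme-challenge/<token>."""
    try:
        ip: Optional[str] = socket.gethostbyname(hostname)
    except socket.gaierror:
        ip = None
    url = f"http://{hostname}:80{CHALLENGE_PATH}{token}"
    try:
        # urlopen follows redirects, which is also what the LE validator does.
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace").strip()
            return Observation(ip, resp.status, resp.headers.get("Server", ""), body)
    except urllib.error.HTTPError as e:
        return Observation(ip, e.code, e.headers.get("Server", ""), "")
    except (urllib.error.URLError, OSError):
        return Observation(ip, None, "", "")


def diagnose(obs: Observation, expected_ip: str, expected_body: str,
             acme_server_header: str = "NetTalk") -> List[str]:
    """Return findings; an empty list means the validator should succeed.

    expected_body is the content of the token file the ACME client wrote.
    acme_server_header is an ASSUMPTION: replace it with the Server header
    your own ACME-enabled web server actually sends.
    """
    findings: List[str] = []
    if obs.resolved_ip is None:
        findings.append("DNS: hostname does not resolve")
    elif obs.resolved_ip != expected_ip:
        findings.append(f"DNS: resolves to {obs.resolved_ip}, expected {expected_ip}")
    if obs.status is None:
        findings.append("TCP/80: no HTTP answer (firewall, security group, or nothing listening)")
        return findings
    if obs.server_header and acme_server_header.lower() not in obs.server_header.lower():
        findings.append(f"Server header '{obs.server_header}': a different web server answered on port 80")
    if obs.status != 200:
        findings.append(f"HTTP {obs.status}: token file not served")
    elif obs.body != expected_body:
        findings.append("HTTP 200 but body differs from the token file on disk")
    return findings


if __name__ == "__main__":
    # usage: preflight.py <hostname> <token> <expected_ip> <path to token file>
    host, token, exp_ip, token_file = sys.argv[1:5]
    with open(token_file, encoding="utf-8") as f:
        expected = f.read().strip()
    for line in diagnose(observe(host, token), exp_ip, expected) or ["OK: challenge should validate"]:
        print(line)
```

Run it on the deployment host with the hostname, the token from the log line "Challenge Token Saved ...", the public address of the server that is running NetTalk, and the saved token file. A 404 with an nginx or Apache Server header, as seen in this thread, means the name is still being answered by the hosting company's web server rather than the machine the ACME client runs on, and no firewall change on the EC2 side will fix that.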


Richard I

Re: Unable to get certificate - Challenge was invalid
« Reply #4 on: January 07, 2019, 10:53:26 PM »
Hi Jane,
rji.timepeace.co.nz
is a subdomain of my website www.timepeace.co.nz.
All I did was create it on hostmonster.com and give it a port number.

So presumably I should then use the actual website www.timepeace.co.nz?
Cheers
Richard

Richard I

Re: Unable to get certificate - Challenge was invalid
« Reply #5 on: January 07, 2019, 10:56:50 PM »
Jane, further to this:
Bruce uses subdomains; presumably from this they have content?
R

Bruce

Re: Unable to get certificate - Challenge was invalid
« Reply #6 on: January 07, 2019, 11:59:12 PM »
Hi Richard,

I don't think it's helpful to think of "domains" or "subdomains". There's really no distinction between the two.
Any DNS entry (www.capesoft.com, or le.capesoft.com) is created equal. It needs to point to the IP address of the server that will host the site.

You need to run the NetTalk WebServer - with the LetsEncrypt support - on the actual server for it to work. You can't run it from "somewhere else".

Cheers
Bruce


DonRidley

Re: Unable to get certificate - Challenge was invalid
« Reply #7 on: January 08, 2019, 03:05:21 AM »
Hello Richard,

Ok, you have an account with hostmonster.com where timepeace.co.nz is hosted.

You created a sub-domain rji.

Why the distinction between "sub-domain" and "domain" doesn't matter is that they're all just DNS A Name records.  Even "www" is just a sub-domain of a domain.  Each A Name record should point to your deployment IP address with no port number.  I know that with AWS Route53, adding a port number to an A Name record is not allowed.  Not saying you did that, but just an FYI.

"Challenge was Invalid" means that when LetsEncrypt "challenges" your server, what LetsEncrypt's server is looking for either cannot be found (a 404 perhaps) or doesn't match what they are expecting to find. 

Make sure Windows IIS is not running on the deployment machine. 

ERROR: 10048 Unable to Listen on TCP Port 80 (WSAEADDRINUSE) tells me something else is running and using that port.  Could be IIS or your NT server wasn't shutdown completely.  Check your Task Manager for that.

I know this can be frustrating but it will be worth it in the end.  The NT LetsEncrypt feature works great once all the pieces are in place.  In fact, every couple of months, I'll check on my deployment servers and find that my certificates were updated while I was asleep. 

Don
"Eliminate the impossible, whatever remains, however unlikely, must be the truth."

NetTalk 12.55
Clarion 11
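
Don's last two points, that 10048 (WSAEADDRINUSE) means something else already holds port 80 and that Task Manager will show what, can be checked from a script. The following is an added example, not NetTalk's or CapeSoft's code. It tries to bind and listen on the port exactly as a web server would, and on Windows parses the output of `netstat -ano -p tcp` and `tasklist` to name the owning process. The sample netstat text embedded in the block is constructed for illustration; the PID values in it are not taken from the thread.

```python
"""Diagnose 'Unable to Listen on TCP Port 80 (WSAEADDRINUSE)'.

Added example, not NetTalk's own code.  try_bind() reproduces the bind that
fails in the log; on Windows, report() then names the process that owns the
port.  Works on POSIX too, where the errno is EADDRINUSE instead of 10048.
"""
import csv
import errno
import io
import platform
import socket
import subprocess
from typing import List, Optional

WSAEADDRINUSE = 10048  # Winsock's EADDRINUSE, the "10048" in the NetTalk log

# Constructed sample of `netstat -ano -p tcp` output (illustrative PIDs only).
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       896
  TCP    [::]:80                [::]:0                 LISTENING       4
  TCP    127.0.0.1:80           127.0.0.1:50123        ESTABLISHED     4
"""


def try_bind(port: int, host: str = "0.0.0.0") -> Optional[int]:
    """Bind and listen the way a web server would. None on success, else errno."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((host, port))
        s.listen(1)
        return None
    except OSError as e:
        return e.errno
    finally:
        s.close()


def is_addr_in_use(err: Optional[int]) -> bool:
    """True for EADDRINUSE on either platform (Python maps it to 10048 on Windows)."""
    return err in (errno.EADDRINUSE, WSAEADDRINUSE)


def hold_port(host: str = "0.0.0.0") -> socket.socket:
    """Open a throwaway listener on an ephemeral port, to demonstrate the clash."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    s.listen(1)
    return s


def listening_pids(netstat_output: str, port: int) -> List[int]:
    """Parse `netstat -ano -p tcp` text; return PIDs LISTENING on port."""
    pids = set()
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        local, state, pid = parts[1], parts[3], parts[4]
        # rsplit copes with both 0.0.0.0:80 and [::]:80
        if state == "LISTENING" and local.rsplit(":", 1)[-1] == str(port):
            pids.add(int(pid))
    return sorted(pids)


def windows_process_name(pid: int) -> str:
    """Image name via `tasklist /FO CSV /NH /FI "PID eq N"` (Windows only)."""
    out = subprocess.run(["tasklist", "/FO", "CSV", "/NH", "/FI", f"PID eq {pid}"],
                         capture_output=True, text=True).stdout
    rows = list(csv.reader(io.StringIO(out)))
    return rows[0][0] if rows and len(rows[0]) > 1 else "?"


def report(port: int = 80) -> str:
    err = try_bind(port)
    if err is None:
        return f"port {port} is free; the web server can listen on it"
    if err == errno.EACCES:
        return f"port {port}: permission denied (run elevated / as root)"
    if not is_addr_in_use(err):
        return f"port {port}: bind failed with errno {err}"
    if platform.system() != "Windows":
        return f"port {port} is in use (errno {err})"
    out = subprocess.run(["netstat", "-ano", "-p", "tcp"],
                         capture_output=True, text=True).stdout
    owners = ", ".join(f"{p} ({windows_process_name(p)})" for p in listening_pids(out, port))
    return f"port {port} is in use (WSAEADDRINUSE); listening PIDs: {owners or 'unknown'}"


if __name__ == "__main__":
    holder = hold_port()                       # simulate a stale server instance
    busy = holder.getsockname()[1]
    print(f"ephemeral port {busy}:", report(busy))
    holder.close()
    print("port 80:", report(80))
```

On the Windows host, run it elevated and look at the PIDs it names for port 80. A PID of 4 is the System process, which is what shows up when the kernel HTTP driver (used by IIS and other http.sys-based services) holds the port; any other PID is a user process such as a previous copy of the NetTalk server that never exited, which Task Manager will confirm.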