Failure creating certificate acme challenge 404 error in BIG-IP F5 WAF

Question

We have more than 600 government websites behind the BIG-IP system. We have done almost 60% of certificates created and offloaded. Suddenly we couldn't create any certificate and got the below error. This error not only for one website. Now we can't renew or create a new certificate.

We use fanceg/letsencrypt -in GitHub to integrates Let's Encrypt with BigIP ( GitHub - fanceg/letsencrypt-bigip).

INFO: Using main config file /etc/dehydrated/configProcessing verugal.ds.gov.lk

Signing domains...
Generating private key...
Generating signing request...
Requesting new certificate order from CA...
Received 1 authorizations URLs from the CA
Handling authorization for verugal.ds.gov.lk
1 pending challenge(s)
Deploying challenge tokens...
Responding to challenge for verugal.ds.gov.lk authorization...
Cleaning challenge tokens...
Challenge validation has failed : (
ERROR: Challenge is invalid! (returned: invalid) (result: ["type"] "http-01"
["status"] "invalid"
["error","type"] "urn:ietf:params:acme:error:unauthorized"
["error","detail"] "Invalid response from http://verugal.ds.gov.lk/.well-known/acme-challenge/CnhSunPlqtFks1odEZVDOs_0OScqWBzf_xDejAo14WE 1 [43.224.124.166]: 404"
["error","status"] 403
["error"] {"type":"urn:ietf:params:acme:error:unauthorized","detail":"Invalid response from http://verugal.ds.gov.lk/.well-known/acme-challenge/CnhSunPlqtFks1odEZVDOs_0OScqWBzf_xDejAo14WE 1 [43.224.124.166]: 404","status":403}
["url"] "https://acme-v02.api.letsencrypt.org/acme/chall-v3/12995442889/eoq1dQ"
["token"] "CnhSunPlqtFks1odEZVDOs_0OScqWBzf_xDejAo14WE"
["validationRecord",0,"url"] "http://verugal.ds.gov.lk/.well-known/acme-challenge/CnhSunPlqtFks1odEZVDOs_0OScqWBzf_xDejAo14WE 1"
["validationRecord",0,"hostname"] "verugal.ds.gov.lk"
["validationRecord",0,"port"] "80"
["validationRecord",0,"addressesResolved",0] "43.224.124.166"
["validationRecord",0,"addressesResolved"] ["43.224.124.166"]
["validationRecord",0,"addressUsed"] "43.224.124.166"
["validationRecord",0] {"url":"http://verugal.ds.gov.lk/.well-known/acme-challenge/CnhSunPlqtFks1odEZVDOs_0OScqWBzf_xDejAo14WE","hostname":"verugal.ds.gov.lk","port":"80","addressesResolved":["43.224.124.166"],"addressUsed":"43.224.124.166"}
["validationRecord"] [{"url":"http://verugal.ds.gov.lk/.well-known/acme-challenge/CnhSunPlqtFks1odEZVDOs_0OScqWBzf_xDejAo14WE","hostname":"verugal.ds.gov.lk","port":"80","addressesResolved":["43.224.124.166"],"addressUsed":"43.224.124.166"}]
["validated"] "2021-05-10T04:46:36Z")
Processing vrc.bopepoddala.ds.gov.lk
Signing domains...
Generating private key...
Generating signing request...
Requesting new certificate order from CA...
Received 1 authorizations URLs from the CA
Handling authorization for vrc.bopepoddala.ds.gov.lk
1 pending challenge(s)
Deploying challenge tokens...
Responding to challenge for vrc.bopepoddala.ds.gov.lk authorization...
Cleaning challenge tokens...
Challenge validation has failed : (
ERROR: Challenge is invalid! (returned: invalid) (result: ["type"] "http-01"
["status"] "invalid"
["error","type"] "urn:ietf:params:acme:error:unauthorized"
["error","detail"] "Invalid response from http://vrc.bopepoddala.ds.gov.lk/.well-known/acme-challenge/v9qnpu7SA8F5xFQjk0VgltT__yVviLmyGftlvTAKY9Y [43.224.124.166]: 404"
["error","status"] 403
["error"] {"type":"urn:ietf:params:acme:error:unauthorized","detail":"Invalid response from http://vrc.bopepoddala.ds.gov.lk/.well-known/acme-challenge/v9qnpu7SA8F5xFQjk0VgltT__yVviLmyGftlvTAKY9Y [43.224.124.166]: 404","status":403}
["url"] "https://acme-v02.api.letsencrypt.org/acme/chall-v3/12995448812/pq_1KA"
["token"] "v9qnpu7SA8F5xFQjk0VgltT__yVviLmyGftlvTAKY9Y"
["validationRecord",0,"url"] "http://vrc.bopepoddala.ds.gov.lk/.well-known/acme-challenge/v9qnpu7SA8F5xFQjk0VgltT__yVviLmyGftlvTAKY9Y"
["validationRecord",0,"hostname"] "vrc.bopepoddala.ds.gov.lk"
["validationRecord",0,"port"] "80"
["validationRecord",0,"addressesResolved",0] "43.224.124.166"
["validationRecord",0,"addressesResolved"] ["43.224.124.166"]
["validationRecord",0,"addressUsed"] "43.224.124.166"
["validationRecord",0] {"url":"http://vrc.bopepoddala.ds.gov.lk/.well-known/acme-challenge/v9qnpu7SA8F5xFQjk0VgltT__yVviLmyGftlvTAKY9Y","hostname":"vrc.bopepoddala.ds.gov.lk","port":"80","addressesResolved":["43.224.124.166"],"addressUsed":"43.224.124.166"}
["validationRecord"] [{"url":"http://vrc.bopepoddala.ds.gov.lk/.well-known/acme-challenge/v9qnpu7SA8F5xFQjk0VgltT__yVviLmyGftlvTAKY9Y","hostname":"vrc.bopepoddala.ds.gov.lk","port":"80","addressesResolved":["43.224.124.166"],"addressUsed":"43.224.124.166"}]
["validated"] "2021-05-10T04:46:58Z")

Can anyone help me out with this issue? Are there any process changes or updates in letsencrypt site or BIG-IP intigrations? Due to this lots of government websites affected!

nikoolayy1 · Answer

For such issues like "of government websites affected!" also raise a TAC case as this is a comunity website that does not have SLA.

404 error could be related to lest encrypt issue not F5, check the the forums:

https://community.letsencrypt.org/t/404-not-found-when-creating-certificate/93743

https://community.letsencrypt.org/t/cant-generate-cert-404-not-found/104184/2

Also lets encrypt has limits as it is a free service and maybe not the best for government websites:

https://letsencrypt.org/docs/rate-limits/

Forum Discussion

Failure creating certificate acme challenge 404 error in BIG-IP F5 WAF

1 Reply

Recent Discussions

vulnerabilities (CVE-2020-36363), CVE-2016-0736,CVE-2019-6593-FOR VERSION BIGIP LTM-16.1.4

Unwinding the Benefits of Investing in White Label Crypto Wallet

SMTP profile not visible & showing

About AWAF "Redirect URLs" in "Responses and Blocks"

F5 iRule to replace host to path

Related Content

Building an OpenSSL Certificate Authority - Creating Your Root Certificate

Building an OpenSSL Certificate Authority - Creating ECC Certificates

Building an OpenSSL Certificate Authority - Creating Your Intermediary Certificate

Creating, Importing and Assigning a CA Certificate Bundle

Create Your Own Certificate Authority