Technical Forum
Ask questions.
Discover Answers.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- DevCentral
- Technical Forum
- Failure creating certificate acme challenge 404 er...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Failure creating certificate acme challenge 404 error in BIG-IP F5 WAF
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
16-May-2021 21:02
We have more than 600 government websites behind the BIG-IP system. We have done almost 60% of certificates created and offloaded. Suddenly we couldn't create any certificate and got the below error. This error not only for one website. Now we can't renew or create a new certificate.
We use fanceg/letsencrypt -in GitHub to integrates Let's Encrypt with BigIP ( GitHub - fanceg/letsencrypt-bigip).
INFO: Using main config file /etc/dehydrated/configProcessing verugal.ds.gov.lk
- Signing domains...
- Generating private key...
- Generating signing request...
- Requesting new certificate order from CA...
- Received 1 authorizations URLs from the CA
- Handling authorization for verugal.ds.gov.lk
- 1 pending challenge(s)
- Deploying challenge tokens...
- Responding to challenge for verugal.ds.gov.lk authorization...
- Cleaning challenge tokens...
- Challenge validation has failed : (
- ERROR: Challenge is invalid! (returned: invalid) (result: ["type"] "http-01"
- ["status"] "invalid"
- ["error","type"] "urn:ietf:params:acme:error:unauthorized"
- ["error","detail"] "Invalid response from http://verugal.ds.gov.lk/.well-known/acme-challenge/CnhSunPlqtFks1odEZVDOs_0OScqWBzf_xDejAo14WE 1 [43.224.124.166]: 404"
- ["error","status"] 403
- ["error"] {"type":"urn:ietf:params:acme:error:unauthorized","detail":"Invalid response from http://verugal.ds.gov.lk/.well-known/acme-challenge/CnhSunPlqtFks1odEZVDOs_0OScqWBzf_xDejAo14WE 1 [43.224.124.166]: 404","status":403}
- ["url"] "https://acme-v02.api.letsencrypt.org/acme/chall-v3/12995442889/eoq1dQ"
- ["token"] "CnhSunPlqtFks1odEZVDOs_0OScqWBzf_xDejAo14WE"
- ["validationRecord",0,"url"] "http://verugal.ds.gov.lk/.well-known/acme-challenge/CnhSunPlqtFks1odEZVDOs_0OScqWBzf_xDejAo14WE 1"
- ["validationRecord",0,"hostname"] "verugal.ds.gov.lk"
- ["validationRecord",0,"port"] "80"
- ["validationRecord",0,"addressesResolved",0] "43.224.124.166"
- ["validationRecord",0,"addressesResolved"] ["43.224.124.166"]
- ["validationRecord",0,"addressUsed"] "43.224.124.166"
- ["validationRecord",0] {"url":"http://verugal.ds.gov.lk/.well-known/acme-challenge/CnhSunPlqtFks1odEZVDOs_0OScqWBzf_xDejAo14WE","ho..."}
- ["validationRecord"] [{"url":"http://verugal.ds.gov.lk/.well-known/acme-challenge/CnhSunPlqtFks1odEZVDOs_0OScqWBzf_xDejAo14WE","ho..."}]
- ["validated"] "2021-05-10T04:46:36Z")
- Processing vrc.bopepoddala.ds.gov.lk
- Signing domains...
- Generating private key...
- Generating signing request...
- Requesting new certificate order from CA...
- Received 1 authorizations URLs from the CA
- Handling authorization for vrc.bopepoddala.ds.gov.lk
- 1 pending challenge(s)
- Deploying challenge tokens...
- Responding to challenge for vrc.bopepoddala.ds.gov.lk authorization...
- Cleaning challenge tokens...
- Challenge validation has failed : (
- ERROR: Challenge is invalid! (returned: invalid) (result: ["type"] "http-01"
- ["status"] "invalid"
- ["error","type"] "urn:ietf:params:acme:error:unauthorized"
- ["error","detail"] "Invalid response from http://vrc.bopepoddala.ds.gov.lk/.well-known/acme-challenge/v9qnpu7SA8F5xFQjk0VgltT__yVviLmyGftlvTAK... [43.224.124.166]: 404"
- ["error","status"] 403
- ["error"] {"type":"urn:ietf:params:acme:error:unauthorized","detail":"Invalid response from http://vrc.bopepoddala.ds.gov.lk/.well-known/acme-challenge/v9qnpu7SA8F5xFQjk0VgltT__yVviLmyGftlvTAK... [43.224.124.166]: 404","status":403}
- ["url"] "https://acme-v02.api.letsencrypt.org/acme/chall-v3/12995448812/pq_1KA"
- ["token"] "v9qnpu7SA8F5xFQjk0VgltT__yVviLmyGftlvTAKY9Y"
- ["validationRecord",0,"url"] "http://vrc.bopepoddala.ds.gov.lk/.well-known/acme-challenge/v9qnpu7SA8F5xFQjk0VgltT__yVviLmyGftlvTAK..."
- ["validationRecord",0,"hostname"] "vrc.bopepoddala.ds.gov.lk"
- ["validationRecord",0,"port"] "80"
- ["validationRecord",0,"addressesResolved",0] "43.224.124.166"
- ["validationRecord",0,"addressesResolved"] ["43.224.124.166"]
- ["validationRecord",0,"addressUsed"] "43.224.124.166"
- ["validationRecord",0] {"url":"http://vrc.bopepoddala.ds.gov.lk/.well-known/acme-challenge/v9qnpu7SA8F5xFQjk0VgltT__yVviLmyGftlvTAK..."}
- ["validationRecord"] [{"url":"http://vrc.bopepoddala.ds.gov.lk/.well-known/acme-challenge/v9qnpu7SA8F5xFQjk0VgltT__yVviLmyGftlvTAK..."}]
- ["validated"] "2021-05-10T04:46:58Z")
Can anyone help me out with this issue? Are there any process changes or updates in letsencrypt site or BIG-IP intigrations? Due to this lots of government websites affected!
Labels:
- Labels:
-
Application Delivery
-
Security
1 REPLY 1
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
17-May-2021 03:28
For such issues like "of government websites affected!" also raise a TAC case as this is a comunity website that does not have SLA.
404 error could be related to lest encrypt issue not F5, check the the forums:
https://community.letsencrypt.org/t/404-not-found-when-creating-certificate/93743
https://community.letsencrypt.org/t/cant-generate-cert-404-not-found/104184/2
Also lets encrypt has limits as it is a free service and maybe not the best for government websites:
https://letsencrypt.org/docs/rate-limits/
Related Content
- Replacing Two HA Platforms with HA VEs in Technical Forum
- CNAME Monitoring in Technical Forum
- Creating a CSR and Key from LTM in Technical Forum
- BIGIP AUTHENTICATION USING WINDOWS VIRTUAL SMART CARDS AND LDAP CLIENT CERT in Technical Forum
- REMOTE AUTHENTICATION OF BIGIP THROUGH LDAP AND LDAPS ( MICROSOFT AD) in Technical Forum
