LetsEncrypt stopped working with error: : 403 Invalid response | MDaemon Technologies, Ltd.



  • Running latest version of MDaemon and whenever the LetsEncrypt script runs I get the following error:

    An error occurred during the LetsEncrypt process. The error message is: Error: The challenge did not complete. Host Name: nortonconsultants.com nortonconsultants.com www.nortonconsultants.com Error Code: 403 Error Type: urn:ietf:params:acme:error:unauthorized Error Detail: 13.236.64.40: Invalid response from https://www.nortonconsultants.com/.well-known/acme-challenge/K5fmWTXsfziUcDKTEZHNCN6gT6va2Dy5nHXI2vkJGwE: 404

    I've checked the LetsEncrypt log and the process appears to run just fine, including creating the challenge file,  and then stops at the "Submitting the ACME challenge for dns:nortonconsultants.com for verification" stage

    Any ideas?




  • Let's Encrypt requires that every host name on the certificate complete a challenge to prove ownership.  Our script uses HTTP challenges and to complete them it places a file in a specific location and then Let's Encrypt attempts to retrieve the content of the file via HTTP.  The Log indicates that www.nortonconsultants.com is listed on the certificate and is failing the challenge.  You can verify this by going to https://www.nortonconsultants.com/.well-known/acme-challenge/K5fmWTXsfziUcDKTEZHNCN6gT6va2Dy5nHXI2vkJGwE.

    I suspect that www.nortonconsultants.com doesn't point to your mail server so the challenge can't complete.  Try removing www.nortonconsultants.com from the list of host names.


  • Hi Arron, thanks for your reply - I missed that!

    I really don't know where it's getting www.nortonconsultants.com from since the host name of the mail domain is just "nortonconsultants.com" (I have not added any Alternate Host Names in Update - this field is blank).  The 'Subject' and 'Subject Alternative Names' for SSL certificates for MDaemon, Webmail and Remote Admin are all just "nortonconsultants.com"

    Any ideas where to look for that invalid entry?



  • I suspect that www.nortonconsultants.com doesn't point to your mail server so the challenge can't complete.  Try removing www.nortonconsultants.com from the list of host names.

    I would if I could.. but the alternate host names field is blank. 

    Let's Encrypt requires that every host name on the certificate complete a challenge to prove ownership.

    So I guess the simpler question might be:  Where is it getting these extra host names from??

    I've looked everywhere..


  • @Cameron Hello, Arron is out of the office at the moment, so I am following up on this.

    If you look on the page that you configure Let's Encrypt on, it shows the command line it will run at the bottom. If you look there, does it show the -AlternativeHostNames switch there, and if so what is after that entry?


  • Hi Leigh,

    The -AlternativeHostNames switch is not showing.  If I add "nortonconsultants.com", it errors out as expected.  If I add the erroneous "www.nortonconsultants.com" host name as an alternative, the switch shows up in the command line and if I then run the script I get an identical error to my first post so I know the -AlternativeHostNames switch is working fine.

    The command line being run is:

    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass "C:\MDaemon\LetsEncrypt\LetsEncrypt.ps1" -To postmaster@nortonconsultants.com -RemoveOldCertificates

    It seems to me the system is picking up some additional host names from somewhere else (I've checked MDaemon.ini and it's not from there).  Any ideas where that might be?


  • @Cameron Can you check your Windows Scheduled Tasks and see if maybe someone added a task to run it from there perhaps?


  • Also, in MDaemon, under Setup | Domain Manager, expand the domain and click on Host name & IP. For "SMTP host name" what is the entry in there?


  • @Leigh 

    1. There are no Windows Scheduled Tasks on this machine

    2. the "SMTP host name" is "nortonconsultants.com"

    "nortonconsultants.com" is also our Primary Domain Name.  It's a long shot, but could this possibly relate to a previous issue I had where Arron suggested we could use the same MDaemon host name as our primary domain name with no issues?  That certainly got our email problem fixed, but perhaps this is a DNS issue of some sort and the LetsEncrypt script is doing some kind of DNS query to our ISP's DNS server instead of the local one?

    If not, where are the additional host names coming from??



  • Cameron,

    What http port is Webmail running on? Check in Webmail Settings | Web Server in MDaemon Remote Administrator, and see what is set for "Run MDaemon Webmail server using this TCP port (requires restart):"

    By default, MDaemon uses 3000, but Let's Encrypt requires you to respond on port 80 for HTTP and 443 for SSL. Is Webmail using port 80?


  • Hi Leigh, apologies for the delay responding.  Webmail is definitely using Port 3000.

    I tried disabling Webmail and running the script again, but it didn't like that either! (Error: WorldClient must be enabled)

    I am starting to think this is a DNS issue : MDaemon making a request on the wrong DNS Server.



  • Please run the Let's Encrypt script again and zip a copy of the entire log that is created along with a copy of your MDaemon\app\MDaemon.ini file and your MDaemon\App\Domains.dat file and upload them to us.

    You can upload the log to https://mdaemon.sharefile.com/r-rc3922c1eed334d4dbf5e34f0bd04ccd6.  Be sure to click the upload button after you select the file.



  • Hi Arron - done



  • I don't know why www.nortonconsultants.com is being returned as part of the challenge, however, I don't think it matters.  As far as I can tell nortonconsultants.com and www.nortonconsultants.com both point to the same IP and when I use a browser the same web page is loaded for both.  This leads me to believe that the challenges for nortonconsultants.com and www.nortonconsultants.com will both fail; they both appear to point to the same place.

    In order for LetsEncrypt to complete the challenge, webmail must be running on port 80 for HTTP and 443 for HTTPS.  

    What is the FQDN for the server running MDaemon?  What host name(s) are users using to access MDaemon? 

    The FQDN configured in MDaemon should be a host name that resolves to the public IP address of the mail server.  Currently the FQDN in MDaemon is set to nortonconsultants.com, but as far as I can tell, that does not point to your MDaemon server.



  • Hi Arron, thanks for your help this far.

    Our MDaemon server is hosted on our intranet behind a firewall and pulls mail from our ISP at mail.nortonconsultants.com.  Webmail is running on the default port 3000, not port 80 (that would be our intranet host).  The FQDN of this server is nc-mel3.nortonconsultants.com.

    Does that help?  Presumably I'm missing something in our setup.



  • I do not find any DNS records for nc-mel3.nortonconsultants.com available on the internet, but let's assume that is the name you want to use.  Here are the steps you'll need to go through.

    1. Create DNS records so that nc-mel3.nortonconsultants.com can be resolved to the public IP address of the MDaemon server.
    2. Open port 80, and possibly 443, on your firewall so the traffic can reach the MDaemon server
    3. Change webmail in MDaemon to listen on port 80 and 443. (Main | Webmail Settings, and Main | Webmail Settings | SSL & HTTPS)
    4. Change the FQDN in MDaemon to nc-mel3.nortonconsultants.com ( Main | Domain Manager | Select the Default Domain, set the value in the SMTP host name field).
    5. Run the Let's Encrypt script.

    Taking these steps should make webmail available on the internet so that the HTTP challenge can be completed.   To test it before you run the script, just open a browser on a computer that is not on the same network and try to go to http://nc-mel3.nortonconsultants.com.
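
    The steps above, together with the HTTP challenge mechanism Arron describes earlier in the thread, can be checked from the outside before the script is run again. The following PowerShell is an added example; it is not part of the original thread and is not MDaemon's LetsEncrypt.ps1. The host name, the expected public IP (203.0.113.10, an RFC 5737 documentation address), the token and the public resolver are assumptions to replace with your own values, and, as step 4 says, it has to run from a machine that is not on the mail server's network. It deliberately does not follow redirects: Let's Encrypt's validator does follow them, which is why its error reports an https:// URL for a challenge it requested over http://, and seeing the raw 3xx with its Location and Server headers shows which host actually answered on port 80.

```powershell
# Added example, not MDaemon's LetsEncrypt.ps1. Pre-flight check for the HTTP-01
# challenge: (1) does PUBLIC DNS point each host name at the mail server's public
# IP, (2) is TCP/80 reachable, (3) who answers /.well-known/acme-challenge/<token>
# on port 80 when redirects are NOT followed. Run from OUTSIDE the server's network.
# Host names, expected IP, token and resolver below are assumptions; substitute yours.
param(
    [string[]]$HostNames        = @('nc-mel3.nortonconsultants.com'),
    [string]  $ExpectedPublicIp = '203.0.113.10',   # assumed (RFC 5737 documentation range)
    [string]  $Token            = 'preflight-token-not-a-real-challenge',
    [string]  $PublicResolver   = '1.1.1.1'
)

function Test-AcmeHttp01Readiness {
    param([string]$Name)

    $result = [ordered]@{
        Host = $Name; ARecords = ''; PointsAtServer = $false
        Tcp80 = $false; Status = $null; Server = ''; Location = ''
    }

    # 1. Ask a public resolver explicitly. An internal (split-horizon) zone can resolve
    #    the name to the LAN address while the Internet, and therefore Let's Encrypt,
    #    sees a different host, e.g. the ISP's web server.
    try {
        $a = Resolve-DnsName -Name $Name -Type A -Server $PublicResolver -ErrorAction Stop |
             Where-Object { $_.QueryType -eq 'A' }
        $result.ARecords       = ($a.IPAddress) -join ','
        $result.PointsAtServer = [bool]($a.IPAddress -contains $ExpectedPublicIp)
    } catch {
        $result.ARecords = "lookup failed: $($_.Exception.Message)"
    }

    # 2. Firewall / listener check for the port the HTTP-01 challenge is fetched on.
    $result.Tcp80 = (Test-NetConnection -ComputerName $Name -Port 80 `
                        -WarningAction SilentlyContinue).TcpTestSucceeded

    # 3. Fetch the challenge path with AllowAutoRedirect off. A 3xx here with a
    #    Location pointing at another site means something other than the MDaemon
    #    webmail listener is answering port 80 for this name.
    $uri = "http://$Name/.well-known/acme-challenge/$Token"
    $req = [System.Net.WebRequest]::Create($uri)
    $req.AllowAutoRedirect = $false
    $req.Timeout = 10000
    $resp = $null
    try   { $resp = $req.GetResponse() }                              # 2xx/3xx return normally
    catch [System.Net.WebException] { $resp = $_.Exception.Response } # 4xx/5xx land here
    if ($resp) {
        $result.Status   = [int]$resp.StatusCode
        $result.Server   = $resp.Headers['Server']
        $result.Location = $resp.Headers['Location']
        $resp.Close()
    } else {
        $result.Status = 'no HTTP response (port closed, filtered or nothing listening)'
    }
    [pscustomobject]$result
}

$HostNames | ForEach-Object { Test-AcmeHttp01Readiness -Name $_ } | Format-List
```

    Because the token is fictitious, a plain 404 is the healthy result, provided PointsAtServer is true and the Server header matches what the webmail listener itself returns (check it from inside the network on the port webmail currently uses). A 301/302 whose Location is an https://www... URL, or a 404 carrying a different Server header, means the name is still being answered by another web host and the script will keep failing regardless of how MDaemon is configured. Resolve-DnsName and Test-NetConnection need the DnsClient and NetTCPIP modules that ship with Windows 8 / Server 2012 and later.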



  • Thanks, Arron!  I'll give it a go.

