We are using acme.sh to renew our Let's Encrypt certificates and ran into problems today. First we got some errors and ran into the rate limit for invalid requests often, and therefore decided to upgrade to V2, as it was recommended anyhow. We upgraded by running acme.sh --upgrade and updated all the URLs in our domain configs to use the new v2 endpoints.
Now acme.sh --renew -d my.domain.at --ecc runs further than before (we had some trouble where we couldn't get a nonce because we were missing the /directory postfix in the Le_API variable).
Now we have the problem that we receive an unauthorized in our verification:

{
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:unauthorized",
    "detail": "Invalid response from https://my.domain.at/login [...]: \"\u003c!DOCTYPE html\u003e\\n\u003chtml\u003e\\n \u003chead\u003e\\n \u003cmeta http-equiv=\\\"X-UA-Compatible\\\" content=\\\"IE=edge\\\"/\u003e\\n \u003cmeta charset=\\\"utf-8\\\"/\u003e\"",
    "status": 403
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/11110584350/BRAIDw",
  "token": "my-hash",
  "validationRecord": [
    {
      "url": "http://my.domain.at/.well-known/acme-challenge/my-hash",
      "hostname": "my.domain.at",
      "port": "80",
      "addressesResolved": [
        "X.X.X.X",
        "..."
      ],
      "addressUsed": "..."
    },
    {
      "url": "https://my.domain.at/.well-known/acme-challenge/my-hash",
      "hostname": "my.domain.at",
      "port": "443",
      "addressesResolved": [
        "X.X.X.X",
        "..."
      ],
      "addressUsed": "..."
    },
    {
      "url": "https://my.domain.at/login",
      "hostname": "my.domain.at",
      "port": "443",
      "addressesResolved": [
        "X.X.X.X",
        "..."
      ],
      "addressUsed": "..."
    }
  ]
}
We have an NGINX running and we are not sure what's happening here. We shouldn't be redirected to the /login page as far as we understood.
Are we missing anything? The certificate renewal always worked flawlessly until we ran into problems today and tried to upgrade.
It turned out our NGINX configuration was wrong: we had configured the required route .well-known/acme-challenge to point to an empty folder and are now asking ourselves how that could ever have worked. ¯\_(ツ)_/¯ After fixing the config in NGINX everything worked as expected.