Changes to URL forwarding break letsencrypt

[jbolger]

Hi guys,

I have had a ZoneEdit hosted domain setup with letsencrypt for a couple of years now. My setup has a CNAME for www pointing to my web server DYN record (in case the web server IP changes), and I then use URL forwarding to redirect any requests to the root name to www. I use certbot with the Apache domain Authenticator, which puts a file in the web server for letsencrypt to validate you own the domain.

Previously ZoneEdit was redirecting root requests including the URL suffix, but since the last renewal (some time in the last month) certbot is failing to renew because zoneedit is 403'ing the letsencrypt request to the root domain with a suffix. eg:

jbolger@server:/etc/network# curl -v http://domain.com.au/.well-known/
* Connected to domain.com.au (1.1.1.1) port 80 (#0)
> GET /.well-known/ HTTP/1.1
> Host: domain.com.au
> User-Agent: curl/7.64.0
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Server: nginx/1.14.2
< Date: Sat, 04 Apr 2020 23:14:25 GMT
< Content-Type: text/html
< Content-Length: 169
< Connection: keep-alive
<
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.14.2</center>
</body>
</html>
* Connection #0 to host domain.com.au left intact

It appears to just be suffixes with a . in the URI as if I take out the URI it works fine?

jbolger@server:/etc/network# curl -v http://domain.com.au/well-known/
* Connected to domain.com.au (1.1.1.1) port 80 (#0)
> GET /well-known/ HTTP/1.1
> Host: domain.com.au
> User-Agent: curl/7.64.0
> Accept: */*
>
< HTTP/1.1 302 Found
< Server: nginx/1.14.2
< Date: Sat, 04 Apr 2020 23:13:53 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Location: http://www.domain.com.au/well-known/
<
* Connection #0 to host domain.com.au left intact

I think this a configuration change on your URL forwarding service & will be causing significant issues for certbot users.

Any assistance appreciated.

 

[sandy]

Hi there

Can you please try again and let me know how it goes.,

regards

 

[jbolger]

Hey Sandy,

Thanks for the reply. Unfortunately I am now getting a 404 response from your ngnix web server instead of a redirect to my URL. Let me know if you want me to do any further testing?

* Connected to domain.com.au (64.68.202.11) port 80 (#0)
> GET /.well-known/acme-challenge/---- HTTP/1.1
> Host: domain.com.au
> User-Agent: curl/7.64.0
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Server: nginx/1.14.2
< Date: Tue, 07 Apr 2020 04:29:54 GMT
< Content-Type: text/html
< Content-Length: 169
< Connection: keep-alive
<
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.14.2</center>
</body>
</html>

 

[sandy]

hi again ... sorry for the delay. please try again our Dev crew have been working on this and if you still see errors please let me know.

regards.

 

[jbolger]

Hey Sandy,

Still getting the same. If there's a private way to send you something I can send you a URL for testing.

Cheers,
Jason

 

[sandy]

Hi Jason

yes you can send me a private message, click on my Icon and select the Start Conversation option.

regards

 

[mattiasa]

Hi, did this issue get solved? I seem to have a problem just like the one described above.

 

[sandy]

hi there
would this be what you are looking for?


We've added a DYN endpoint for creating TXT records which can be used to validate letsencrypt certificates. The credentials to use are the same as for DYN updates. An example of the parameters that need to be passed:

https://dynamic.zoneedit.com/txt-create.php?host=_acme-challenge.example.com&rdata=depE1VF_xshMm1IVY1Y56Kk9Zb_7jA2VFkP65WuNgu8W