SSL certificate - ERROR: Challenge is invalid!

Hi guys. I'm having this problem and it is just blowing my mind. I followed this tutorial: https://help.pythonanywhere.com/pages/LetsEncrypt/ very carefully and several times, and also tried getting the SSL certificate with ZeroSSL, but surprisingly it returns the same annoying error. I suppose it's something related to some setting I am missing, I don't know, but pleeeeease, help me.

The error specifically is: "CAA record for leoprada.pythonanywhere.com prevents issuance"

This is the log of the followed steps:

:::06:52 ~ $ pip3.6 install --user --upgrade pythonanywhere

Looking in links: /usr/share/pip-wheels
Requirement already up-to-date: pythonanywhere in ./.local/lib/python3.6/site-packages (0.7.4)
Requirement already satisfied, skipping upgrade: docopt in /usr/lib/python3.6/site-packages (from pythonanywhere) (0.6.2)
Requirement already satisfied, skipping upgrade: python-dateutil in /usr/lib/python3.6/site-packages (from pythonanywhere) (2.7.3)
Requirement already satisfied, skipping upgrade: requests in /usr/lib/python3.6/site-packages (from pythonanywhere) (2.19.1)
Requirement already satisfied, skipping upgrade: six>=1.5 in /usr/lib/python3.6/site-packages (from python-dateutil->pythonanywhere) (1.11.0)
Requirement already satisfied, skipping upgrade: urllib3<1.24,>=1.21.1 in /usr/lib/python3.6/site-packages (from requests->pythonanywhere) (1.23)
Requirement already satisfied, skipping upgrade: certifi>=2017.4.17 in /usr/lib/python3.6/site-packages (from requests->pythonanywhere) (2018.8.13)
Requirement already satisfied, skipping upgrade: chardet<3.1.0,>=3.0.2 in /usr/lib/python3.6/site-packages (from requests->pythonanywhere) (3.0.4)
Requirement already satisfied, skipping upgrade: idna<2.8,>=2.5 in /usr/lib/python3.6/site-packages (from requests->pythonanywhere) (2.7)

Cloning into '/home/leoprada/dehydrated'...
remote: Enumerating objects: 8, done.
remote: Counting objects: 100% (8/8), done.
remote: Compressing objects: 100% (7/7), done.
remote: Total 1922 (delta 1), reused 5 (delta 1), pack-reused 1914
Receiving objects: 100% (1922/1922), 637.08 KiB | 0 bytes/s, done.
Resolving deltas: 100% (1200/1200), done.
Checking connectivity... done.

:::06:53 ~ $ echo WELLKNOWN=/home/leoprada/letsencrypt/wellknown > ~/letsencrypt/config
:::06:54 ~ $ cd ~/letsencrypt
:::06:54 ~/letsencrypt $ ~/dehydrated/dehydrated --register --accept-terms

INFO: Using main config file /home/leoprada/letsencrypt/config

  • Generating account key...
  • Registering account key with ACME server...
  • Done!

:::06:55 ~/letsencrypt $ ~/dehydrated/dehydrated --config ~/letsencrypt/config --cron --domain leoprada.pythonanywhere.com --out ~/letsencrypt --challenge http-01

INFO: Using main config file /home/leoprada/letsencrypt/config

  • Creating chain cache directory /home/leoprada/letsencrypt/chains

Processing leoprada.pythonanywhere.com

  • Creating new directory /home/leoprada/letsencrypt/leoprada.pythonanywhere.com ...
  • Signing domains...
  • Generating private key...
  • Generating signing request...
  • Requesting new certificate order from CA...
  • Received 1 authorizations URLs from the CA
  • Handling authorization for leoprada.pythonanywhere.com
  • 1 pending challenge(s)
  • Deploying challenge tokens...
  • Responding to challenge for leoprada.pythonanywhere.com authorization...
  • Cleaning challenge tokens...
  • Challenge validation has failed :(

ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:caa",
    "detail": "CAA record for leoprada.pythonanywhere.com prevents issuance",
    "status": 403
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/gfgIzxEv1_uSyuzVXIuTXVME37Pv9_G6RlQDYVBGrJ8/10046421169",
  "token": "KAZMr-Tkp7bflgQUTR9x8p7lXx4HbZisc6Uw7eXGpVg",
  "validationRecord": [
    {
      "url": "http://leoprada.pythonanywhere.com/.well-known/acme-challenge/KAZMr-Tkp7bflgQUTR9x8p7lXx4HbZisc6Uw7eXGpVg",
      "hostname": "leoprada.pythonanywhere.com",
      "port": "80",
      "addressesResolved": [
        "35.173.69.207"
      ],
      "addressUsed": "35.173.69.207"
    }
  ]
})

You cannot apply a Let's Encrypt certificate to a .pythonanywhere.com domain. You also don't need to. PythonAnywhere already provides a certificate for your web app.
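
Why a CAA error can name a subdomain that has no CAA record of its own, as an added example that is not part of the original thread: under RFC 8659 the CA checks the requested name and then each parent name, and the first CAA RRset it finds decides. `SAMPLE_ZONE` is constructed data standing in for DNS lookups (the issuer `ca.example` is a placeholder, not the real pythonanywhere.com record), and the function names are hypothetical.

```python
# Constructed sample data, not real DNS answers: CAA RRsets as (flags, tag, value).
# "ca.example" is a placeholder issuer, not the actual pythonanywhere.com record.
SAMPLE_ZONE = {
    "pythonanywhere.com": [(0, "issue", "ca.example")],
    "example.org": [
        (0, "issue", "letsencrypt.org; validationmethods=http-01"),
        (0, "issuewild", ";"),          # ";" alone means: no CA may issue wildcards
    ],
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_caa(fqdn, zone):
    """Climb from fqdn toward the root; return the first name with a CAA RRset."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, zone[name]
    return None, []


def issuer_domain(value):
    """Issuer domain name is the part before the first ';' (parameters ignored here)."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(fqdn, ca_domain, zone):
    """Return (allowed, name_holding_the_deciding_RRset)."""
    wildcard = fqdn.startswith("*.")
    name, rrset = relevant_caa(fqdn[2:] if wildcard else fqdn, zone)
    if not rrset:
        return True, None               # no CAA anywhere on the path: unrestricted
    # An unrecognised tag with the critical bit (0x80) set forbids issuance.
    if any(f & 0x80 and t.lower() not in KNOWN_TAGS for f, t, _ in rrset):
        return False, name
    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    issuewild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    props = issuewild if (wildcard and issuewild) else issue
    if not props:
        return True, name               # e.g. only iodef: nothing restricts issuance
    return any(issuer_domain(v) == ca_domain for v in props), name


if __name__ == "__main__":
    for host in ("leoprada.pythonanywhere.com", "www.example.org", "*.example.org"):
        print(host, may_issue(host, "letsencrypt.org", SAMPLE_ZONE))
```

Passing the HTTP-01 challenge does not help here: the CAA check is separate from domain validation, and only the owner of the parent zone can change the record.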