https://bugs.contribs.org/show_bug.cgi?id=10300

--- Comment #29 from Jean-Philippe Pialasse <[email protected]> ---
(In reply to Dan Brown from comment #27)
> Thanks for the work.  Two suggestions:
> 1.  In the error message, rather than simply "unable to resolve DNS",
> mention the hostname that couldn't resolve.
> 
> 2.  Add a lookup for the hostname of the staging CA.

Will do both. By staging CA, you mean http://cert.stg-int-x1.letsencrypt.org/ ?



(In reply to Stefan Schulz from comment #28)
> I'd like to share some more information.
> 
>  + Done!
>  + Creating fullchain.pem...
>   + ERROR: An error occurred while sending get-request to
> http://cert.stg-int-x1.letsencrypt.org/ (Status 400)
> 

Sad, you were almost finished.

The 400 error is returned by squid, which is unable to process the URL.



> Details:

> /* page displayed footer area */
> #
> <p>The following error was encountered while trying to retrieve the URL: <a
> href="/">/</a></p>
> 
> <blockquote id="error">
> <p><b>Invalid URL</b></p>
> </blockquote>
> 
> <p>Some aspect of the requested URL is incorrect.</p>
> 
> <p>Some possible problems are:</p>
> <ul>
> <li><p>Missing or incorrect access protocol (should be <q>http://</q> or
> similar)</p></li>
> <li><p>Missing hostname</p></li>
> <li><p>Illegal double-escape in the URL-Path</p></li>
> <li><p>Illegal character in hostname; underscores are not allowed.</p></li>
> </ul>
> 


> This is a message from squid. As I stated the server is behind an opnsense
> firewall, squid is enabled. DNS for the SME is the opnsense. Proxys on the
> SME are turned off. The server in the firewall proxy is unrestricted. I
> tried whitelisting of all letsencrypt domains, it didn't help.
> 
> The logs on the firewall are saying:
> 
> 1494978688.346 0 192.168.42.10        TAG_NONE/400 3909 GET / - HIER_NONE/-
> text/html
> 
> i.e. the log while fetching the contrib says:
> 
> 1494978085.681 0 192.168.42.10        TCP_HIT/200 26302 GET
> http://mirror.canada.pialasse.com/releases/9/smecontribs/i386/RPMS/
> dehydrated-0.4.0.20170205.git1163864-1.el6.sme.noarch.rpm - HIER_NONE/-
> application/octet-stream
> 


What would be more useful is the squid log of the URL which creates the 400
error.

However, I would simply whitelist the SME box IP from using the opnsense squid
proxy.

Why?  Because of this error, and because I do not think you want to cache yum
rpm downloads nor their metadata, as it will just slow the availability of
updates, and I do not think you plan to download the rpms multiple times.


> I am able to reach from outside
> 
> https://servername.registereddomain.de/.well-known/acme-challenge/
> 
> Index of /.well-known/acme-challenge
> 
> Icon  Name                    Last modified      Size  Description[DIR]
> Parent Directory                             -   
> 
> It seems to me, the status 400 error is the problem. Dig brings up:
> 
> # dig http://cert.stg-int-x1.letsencrypt.org
> 
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.2 <<>>
> http://cert.stg-int-x1.letsencrypt.org
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26051
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;http://cert.stg-int-x1.letsencrypt.org.      IN A

I suggest testing without the http://





> 
> ;; Query time: 14 msec
> ;; SERVER: 192.168.42.10#53(192.168.42.10)

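As an added illustration (not part of the original comment or of the contrib's code), the Python below parses the two squid access.log entries quoted in the thread and reports which requests squid rejected and why. The names `Entry`, `parse_line`, `explain` and `rejected` are hypothetical, and the sample input is the thread's own log lines re-joined onto single lines.

```python
from typing import List, NamedTuple, Optional
from urllib.parse import urlsplit

# Constructed sample: the two access.log entries quoted in the thread,
# re-joined onto single lines (the e-mail had wrapped them).
SAMPLE_LOG = """\
1494978688.346 0 192.168.42.10 TAG_NONE/400 3909 GET / - HIER_NONE/- text/html
1494978085.681 0 192.168.42.10 TCP_HIT/200 26302 GET http://mirror.canada.pialasse.com/releases/9/smecontribs/i386/RPMS/dehydrated-0.4.0.20170205.git1163864-1.el6.sme.noarch.rpm - HIER_NONE/- application/octet-stream
"""

class Entry(NamedTuple):
    client: str
    result: str      # squid result tag, e.g. TAG_NONE or TCP_HIT
    status: int      # HTTP status sent back to the client
    method: str
    url: str         # request URL exactly as squid logged it
    forwarded: bool  # False when the hierarchy field is HIER_NONE

def parse_line(line: str) -> Optional[Entry]:
    """Parse one line of squid's native access.log format; None if malformed."""
    f = line.split()
    if len(f) < 10:
        return None
    result, _, status = f[3].partition("/")
    if not status.isdigit():
        return None
    return Entry(f[2], result, int(status), f[5], f[6],
                 not f[8].startswith("HIER_NONE"))

def explain(e: Entry) -> Optional[str]:
    """Return a short reason for a 4xx/5xx entry, or None for a normal one."""
    if e.status < 400:
        return None
    # A plain HTTP request through a proxy should carry an absolute URL.
    if e.method != "CONNECT" and not urlsplit(e.url).netloc:
        return f"{e.status} for {e.url!r}: no hostname in the logged URL"
    where = "upstream" if e.forwarded else "squid itself"
    return f"{e.status} for {e.url!r}: answered by {where}"

def rejected(log: str) -> List[str]:
    """Collect the explanations for every error entry in a log excerpt."""
    entries = (parse_line(line) for line in log.splitlines())
    return [r for r in (explain(e) for e in entries if e) if r]

if __name__ == "__main__":
    print("\n".join(rejected(SAMPLE_LOG)))
```

On the sample, only the `TAG_NONE/400` entry is reported: squid logged the request URL as `/`, with no hostname, which matches the "Missing hostname" case listed on its error page.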