DNS Challenge Failure with ACME | BadResponseError: Unexpected status code 400

[palmtown]

Hello,

I attempted to use this package, but it fails to request ACME to respond to the DNS challenge. The process initiates successfully by placing a certificate order and selecting the dns-01 challenge type. However, when the package attempts to configure the ACME challenge response, it encounters repeated BadResponseError: Unexpected status code 400 errors when contacting https://registration.libp2p.direct/.

This issue persists across multiple attempts, preventing successful certificate issuance. Please advise on how to resolve this problem.

Exhibit 1

  acme-client RESP 200 post https://acme-v02.api.letsencrypt.org/acme/authz/2236407055/477961695675 +205ms
  acme-client [auto] Placed certificate order successfully, received 1 identity authorizations +0ms
  acme-client [auto] Resolving and satisfying authorization challenges +0ms
  acme-client [auto] [k51qzi5uqu5dlbzi1q8v1tj36yc9ny94s7nho3zlal5qj9q7hpgdzuceblltdj.libp2p.direct] Found 1 challenges, selected type: dns-01 +0ms
  acme-client [auto] [k51qzi5uqu5dlbzi1q8v1tj36yc9ny94s7nho3zlal5qj9q7hpgdzuceblltdj.libp2p.direct] Trigger challengeCreateFn() +0ms
  acme-client [auto] Waiting for challenge valid status +1ms
  libp2p:auto-tls asking https://registration.libp2p.direct/v1/_acme-challenge to respond to the acme DNS challenge on our behalf +57s
  libp2p:auto-tls dialback public addresses: /ip4/44.223.222.244/tcp/4001/p2p/12D3KooWPiwiFNMQZfrvipGxUNrK8avHSvR6HLeKLzQg5LhEr3eN, /ip4/44.223.222.244/tcp/4003/ws/p2p/12D3KooWPiwiFNMQZfrvipGxUNrK8avHSvR6HLeKLzQg5LhEr3eN, /ip6/2600:1f18:61b0:cb00:f2fa:48aa:208e:8843/tcp/4001/p2p/12D3KooWPiwiFNMQZfrvipGxUNrK8avHSvR6HLeKLzQg5LhEr3eN, /ip6/2600:1f18:61b0:cb00:f2fa:48aa:208e:8843/tcp/4004/ws/p2p/12D3KooWPiwiFNMQZfrvipGxUNrK8avHSvR6HLeKLzQg5LhEr3eN +0ms
  libp2p:auto-tls:error contacting https://registration.libp2p.direct/ failed on attempt 0 - BadResponseError: Unexpected status code 400
  libp2p:auto-tls:error     at ClientAuth.doAuthenticatedFetch (file:///home/nodejs/libp2p/node_modules/@libp2p/http-fetch/dist/src/auth/client.js:125:19)
  libp2p:auto-tls:error     at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
  libp2p:auto-tls:error     at async ClientAuth.authenticatedFetch (file:///home/nodejs/libp2p/node_modules/@libp2p/http-fetch/dist/src/auth/client.js:59:36)
  libp2p:auto-tls:error     at async AutoTLS.configureAcmeChallengeResponse (file:///home/nodejs/libp2p/node_modules/@ipshipyard/libp2p-auto-tls/dist/src/auto-tls.js:272:26)
  libp2p:auto-tls:error     at async Object.challengeCreateFn (file:///home/nodejs/libp2p/node_modules/@ipshipyard/libp2p-auto-tls/dist/src/auto-tls.js:248:25)
  libp2p:auto-tls:error     at async /home/nodejs/libp2p/node_modules/acme-client/src/auto.js:113:17
  libp2p:auto-tls:error     at async Promise.all (index 0)
  libp2p:auto-tls:error     at async module.exports (/home/nodejs/libp2p/node_modules/acme-client/src/auto.js:168:9)
  libp2p:auto-tls:error     at async AutoTLS.loadOrCreateCertificate (file:///home/nodejs/libp2p/node_modules/@ipshipyard/libp2p-auto-tls/dist/src/auto-tls.js:187:21)
  libp2p:auto-tls:error     at async AutoTLS.fetchCertificate (file:///home/nodejs/libp2p/node_modules/@ipshipyard/libp2p-auto-tls/dist/src/auto-tls.js:145:31) +0ms
  libp2p:auto-tls asking https://registration.libp2p.direct/v1/_acme-challenge to respond to the acme DNS challenge on our behalf +21s
  libp2p:auto-tls dialback public addresses: /ip4/44.223.222.244/tcp/4001/p2p/12D3KooWPiwiFNMQZfrvipGxUNrK8avHSvR6HLeKLzQg5LhEr3eN, /ip4/44.223.222.244/tcp/4003/ws/p2p/12D3KooWPiwiFNMQZfrvipGxUNrK8avHSvR6HLeKLzQg5LhEr3eN, /ip6/2600:1f18:61b0:cb00:f2fa:48aa:208e:8843/tcp/4001/p2p/12D3KooWPiwiFNMQZfrvipGxUNrK8avHSvR6HLeKLzQg5LhEr3eN, /ip6/2600:1f18:61b0:cb00:f2fa:48aa:208e:8843/tcp/4004/ws/p2p/12D3KooWPiwiFNMQZfrvipGxUNrK8avHSvR6HLeKLzQg5LhEr3eN +1ms
  libp2p:auto-tls:error contacting https://registration.libp2p.direct/ failed on attempt 1 - BadResponseError: Unexpected status code 400
  libp2p:auto-tls:error     at ClientAuth.doAuthenticatedFetch (file:///home/nodejs/libp2p/node_modules/@libp2p/http-fetch/dist/src/auth/client.js:125:19)
  libp2p:auto-tls:error     at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
  libp2p:auto-tls:error     at async ClientAuth.authenticatedFetch (file:///home/nodejs/libp2p/node_modules/@libp2p/http-fetch/dist/src/auth/client.js:59:36)
  libp2p:auto-tls:error     at async AutoTLS.configureAcmeChallengeResponse (file:///home/nodejs/libp2p/node_modules/@ipshipyard/libp2p-auto-tls/dist/src/auto-tls.js:272:26)
  libp2p:auto-tls:error     at async Object.challengeCreateFn (file:///home/nodejs/libp2p/node_modules/@ipshipyard/libp2p-auto-tls/dist/src/auto-tls.js:248:25)
  libp2p:auto-tls:error     at async /home/nodejs/libp2p/node_modules/acme-client/src/auto.js:113:17
  libp2p:auto-tls:error     at async Promise.all (index 0)
  libp2p:auto-tls:error     at async module.exports (/home/nodejs/libp2p/node_modules/acme-client/src/auto.js:168:9)
  libp2p:auto-tls:error     at async AutoTLS.loadOrCreateCertificate (file:///home/nodejs/libp2p/node_modules/@ipshipyard/libp2p-auto-tls/dist/src/auto-tls.js:187:21)
  libp2p:auto-tls:error     at async AutoTLS.fetchCertificate (file:///home/nodejs/libp2p/node_modules/@ipshipyard/libp2p-auto-tls/dist/src/auto-tls.js:145:31) +21s

[achingbrain]

Can you share your libp2p config please?

[NiKrause]

I'd assume the libp2p node's IP is not routable (behind NAT), upnp isn't enabled or not working on the local router or not added in the libp2p config.

[palmtown]

Hello @silkroadnomad

Thanks for your update. Note that this server was hosted on AWS, and was assigned a routable IPv4 public addresses. You may note the IP 44.223.222.244 belongs to AWS. Given that I opened the ports, the server was reachable from the internet.

Nonetheless, is this package working for you?

[achingbrain]

Given that the server returns a 400, it means something is wrong or missing in your node setup.

Can you share your libp2p config please?

[palmtown]

Hello @achingbrain

Thanks for your assistance. Absolutely, here you go;

const node = await createLibp2p({
  privateKey,
  addresses: {
    listen: [
      '/ip4/0.0.0.0/tcp/0/ws', // https://www.npmjs.com/package/@ipshipyard/libp2p-auto-tls
      '/p2p-circuit',
      '/ip4/0.0.0.0/tcp/4001',
      '/ip4/0.0.0.0/tcp/4002/wss',
      '/ip4/0.0.0.0/udp/4003/webrtc',
      '/ip6/::/tcp/4001',
      '/ip6/::/tcp/4002/wss',
      '/ip6/::/udp/4003/webrtc',
    ],
    announceFilter: (addrs) => {
      return addrs.filter((addr) => {
        const nodeAddress = addr.nodeAddress();
        return isPrivateIp(nodeAddress.address) !== true;
      });
    },
  },
  connectionManager: {
    inboundConnectionThreshold: 100,
    maxIncomingPendingConnections: 100,
    maxConnections: 500,
  },
  connectionGater: {
    denyDialMultiaddr(multiaddr) {
      const nodeAddress = multiaddr.nodeAddress();
      return isPrivateIp(nodeAddress.address) === true;
    },
  },
  transports: [tcp(), webSockets(), webRTC(), circuitRelayTransport()],
  streamMuxers: [yamux()],
  connectionEncrypters: [noise()],
  /*relay: {
    enabled: true,
    hop: {
      enabled: true,
      active: true,
    },
  },
  config: {
    dht: {
      enabled: true,
    },
  },*/
  services: {
    circuitRelay: circuitRelayServer(),
    identify: identify({
      agentVersion: 'js-libp2p-bootstrapper',
    }),
    identifyPush: identifyPush(),
    ping: ping(),
    dcutr: dcutr(),
    aminoDHT: kadDHT({
      clientMode: false,
      protocol: '/ipfs/kad/1.0.0',
      peerInfoMapper: removePrivateAddressesMapper,
    }),
    autoNAT: autoNAT(),
    autoTLS: autoTLS({
      autoConfirmAddress: true,
    }),
    keychain: keychain(),
    pubsub: gossipsub({
      doPX: true,
      allowPublishToZeroTopicPeers: true,
    }),
  },
});

[NiKrause]

Hello @silkroadnomad

Thanks for your update. Note that this server was hosted on AWS, and was assigned a routable IPv4 public addresses. You may note the IP 44.223.222.244 belongs to AWS. Given that I opened the ports, the server was reachable from the internet.

Nonetheless, is this package working for you?
Hi @palmtown yes and no, I was successfully using the auto-tls-example.

Then, on the same node, same IP, I installed a new libp2p node with new config and peerId, I got retry errors, too many tries, or something similar. It made we wait for 700 seconds or minutes, I don't remember exactly. See: #2

I guess I should have just taken the certs or keys, the auto-tls example produced for me, and everything would have been fine. I ended up installing a classic nginx+сertbot. Wiill check into auto-tls again later on.

I saw your anounce addresses, they don't look familiar to me. Where did you find them? Shouldn't the address of the domain be given by auto+tls through an upgrade by the auto-tls package? Apologies for all the guessing here.

[achingbrain]

I got retry errors, too many tries, or something similar. It made we wait for 700 seconds or minutes

There is rate limiting on the live Let's Encrypt service, it's possible you were hitting this. You can use their staging setup for testing - it isn't rate limited (but also doesn't give you valid certs).

Pass https://acme-staging-v02.api.letsencrypt.org/directory for the acmeDirectory init setting for @ipshipyard/auto-tls:

autoTLS({
  acmeDirectory: 'https://acme-staging-v02.api.letsencrypt.org/directory'
})

• https://letsencrypt.org/docs/staging-environment/
• https://ipshipyard.github.io/js-libp2p-auto-tls/interfaces/AutoTLSInit.html

[palmtown]

I saw your anounce addresses, they don't look familiar to me. Where did you find them?

Good question, the announce is specific to my deployment and should not be included in your configuration. I removed it to avoid confusion for others.