I have this issue; I'm not sure if it's a duplicate of #103, as it seems that the error message is slightly different.
The renewal of a certificate for a private TLD fails, while the creation of a new certificate for the same domain works properly.
Boulder says: "Invalid hostname in redirect target, must end in IANA registered TLD".
Tested with 24.02, but it was also happening with 23.11.
I installed LabCA in November '23. Yesterday, the first certificates created with LabCA should have been renewed, but it didn't happen.
My DNS server is an OpenWRT router (IP 192.168.0.1) running dnsmasq. The domain is called internal; the LabCA instance has a DNS entry called labca.internal (IP 192.168.0.165), while one of the certificates that failed to be renewed is for a host called service.internal (IP 192.168.0.135) running certbot 2.5.0 (it's not the latest version, but it's part of a Docker image called Nginx Proxy Manager, and I'm not sure I can update only certbot without breaking other functionality of the webapp).
The domain mode is configured in Lockdown mode with internal domain enabled.
I'm publishing the issue here because, from the logs, the problem seems to be on the Boulder side, not the client side.
Renewal log:
boulder-1 | 2024-02-20T08:04:30.826355+00:00Z boulder-va[4863]: 6 boulder-va 4YDX3Q8 [AUDIT] Attempting to validate HTTP-01 for "service.internal" with GET to "http://service.internal/.well-known/acme-challenge/vl1m4GHXqasti5n1_rwdE8jAKObPoaiz3FNuRGMTfck"
boulder-1 | 2024-02-20T08:04:30.827000+00:00Z boulder-va[4863]: 6 boulder-va m8ecvQE [AUDIT] Validation result JSON={"ID":"16738","Requester":4,"Hostname":"service.internal","Challenge":{"type":"http-01","status":"invalid","error":{"type":"connection","detail":"192.168.0.135: Fetching https://service.internal/.well-known/acme-challenge/vl1m4GHXqasti5n1_rwdE8jAKObPoaiz3FNuRGMTfck: Invalid hostname in redirect target, must end in IANA registered TLD","status":400},"token":"vl1m4GHXqasti5n1_rwdE8jAKObPoaiz3FNuRGMTfck","keyAuthorization":"vl1m4GHXqasti5n1_rwdE8jAKObPoaiz3FNuRGMTfck.ees0tKmXMCPwwclM2CZQb8LUQUsGVYNUr-Nu10yBgQQ","validationRecord":[{"url":"http://service.internal/.well-known/acme-challenge/vl1m4GHXqasti5n1_rwdE8jAKObPoaiz3FNuRGMTfck","hostname":"service.internal","port":"80","addressesResolved":["192.168.0.135"],"addressUsed":"192.168.0.135","resolverAddrs":["A:192.168.0.1:53","AAAA:192.168.0.1:53"]}]},"ValidationLatency":0.002,"Error":"connection :: 192.168.0.135: Fetching https://service.internal/.well-known/acme-challenge/vl1m4GHXqasti5n1_rwdE8jAKObPoaiz3FNuRGMTfck: Invalid hostname in redirect target, must end in IANA registered TLD"}
boulder-1 | 2024-02-20T08:04:30.827190+00:00Z boulder-remoteva[4725]: 6 boulder-remoteva 6Ib4wQI [AUDIT] Validation result JSON={"ID":"16738","Requester":4,"Hostname":"service.internal","Challenge":{"type":"http-01","status":"invalid","error":{"type":"dns","detail":"DNS problem: query timed out (and was canceled) looking up A for service.internal; DNS problem: query timed out (and was canceled) looking up AAAA for service.internal","status":400},"token":"vl1m4GHXqasti5n1_rwdE8jAKObPoaiz3FNuRGMTfck","keyAuthorization":"vl1m4GHXqasti5n1_rwdE8jAKObPoaiz3FNuRGMTfck.ees0tKmXMCPwwclM2CZQb8LUQUsGVYNUr-Nu10yBgQQ"},"ValidationLatency":0.002,"Error":"dns :: DNS problem: query timed out (and was canceled) looking up A for service.internal; DNS problem: query timed out (and was canceled) looking up AAAA for service.internal"}
boulder-1 | 2024-02-20T08:04:30.827359+00:00Z boulder-remoteva[4830]: 6 boulder-remoteva 07jjlgs [AUDIT] Validation result JSON={"ID":"16738","Requester":4,"Hostname":"service.internal","Challenge":{"type":"http-01","status":"invalid","error":{"type":"dns","detail":"DNS problem: query timed out (and was canceled) looking up A for service.internal; DNS problem: query timed out (and was canceled) looking up AAAA for service.internal","status":400},"token":"vl1m4GHXqasti5n1_rwdE8jAKObPoaiz3FNuRGMTfck","keyAuthorization":"vl1m4GHXqasti5n1_rwdE8jAKObPoaiz3FNuRGMTfck.ees0tKmXMCPwwclM2CZQb8LUQUsGVYNUr-Nu10yBgQQ"},"ValidationLatency":0.003,"Error":"dns :: DNS problem: query timed out (and was canceled) looking up A for service.internal; DNS problem: query timed out (and was canceled) looking up AAAA for service.internal"}
After one minute I configured certbot on service.internal to ask for a new certificate instead of renewing the previous one, and it succeeded:
boulder-1 | 2024-02-20T08:05:47.211011+00:00Z boulder-va[4904]: 6 boulder-va 45yH6AM [AUDIT] Attempting to validate HTTP-01 for "service.internal" with GET to "http://service.internal/.well-known/acme-challenge/t-OhARx9eY_cc6H751t-J3xBTrh6zXDVaRj3BhYZ_pQ"
boulder-1 | 2024-02-20T08:05:47.212184+00:00Z boulder-va[4904]: 6 boulder-va pJXQuQ8 [AUDIT] Checked CAA records for service.internal, [Present: false, Account ID: 4, Challenge: http-01, Valid for issuance: true, Found at: ""] Response=""
boulder-1 | 2024-02-20T08:05:47.216452+00:00Z boulder-remoteva[4830]: 6 boulder-remoteva 45yH6AM [AUDIT] Attempting to validate HTTP-01 for "service.internal" with GET to "http://service.internal/.well-known/acme-challenge/t-OhARx9eY_cc6H751t-J3xBTrh6zXDVaRj3BhYZ_pQ"
boulder-1 | 2024-02-20T08:05:47.217537+00:00Z boulder-remoteva[4830]: 6 boulder-remoteva pJXQuQ8 [AUDIT] Checked CAA records for service.internal, [Present: false, Account ID: 4, Challenge: http-01, Valid for issuance: true, Found at: ""] Response=""
boulder-1 | 2024-02-20T08:05:47.217659+00:00Z boulder-remoteva[4725]: 6 boulder-remoteva 45yH6AM [AUDIT] Attempting to validate HTTP-01 for "service.internal" with GET to "http://service.internal/.well-known/acme-challenge/t-OhARx9eY_cc6H751t-J3xBTrh6zXDVaRj3BhYZ_pQ"
boulder-1 | 2024-02-20T08:05:47.217593+00:00Z boulder-remoteva[4830]: 6 boulder-remoteva vY3X6Qc [AUDIT] Validation result JSON={"ID":"16739","Requester":4,"Hostname":"service.internal","Challenge":{"type":"http-01","status":"valid","token":"t-OhARx9eY_cc6H751t-J3xBTrh6zXDVaRj3BhYZ_pQ","keyAuthorization":"t-OhARx9eY_cc6H751t-J3xBTrh6zXDVaRj3BhYZ_pQ.ees0tKmXMCPwwclM2CZQb8LUQUsGVYNUr-Nu10yBgQQ","validationRecord":[{"url":"http://service.internal/.well-known/acme-challenge/t-OhARx9eY_cc6H751t-J3xBTrh6zXDVaRj3BhYZ_pQ","hostname":"service.internal","port":"80","addressesResolved":["192.168.0.135"],"addressUsed":"192.168.0.135","resolverAddrs":["A:192.168.0.1:53","AAAA:192.168.0.1:53"]}]},"ValidationLatency":0.009}
boulder-1 | 2024-02-20T08:05:47.218679+00:00Z boulder-remoteva[4725]: 6 boulder-remoteva pJXQuQ8 [AUDIT] Checked CAA records for service.internal, [Present: false, Account ID: 4, Challenge: http-01, Valid for issuance: true, Found at: ""] Response=""
boulder-1 | 2024-02-20T08:05:47.218732+00:00Z boulder-remoteva[4725]: 6 boulder-remoteva nJDjrAU [AUDIT] Validation result JSON={"ID":"16739","Requester":4,"Hostname":"service.internal","Challenge":{"type":"http-01","status":"valid","token":"t-OhARx9eY_cc6H751t-J3xBTrh6zXDVaRj3BhYZ_pQ","keyAuthorization":"t-OhARx9eY_cc6H751t-J3xBTrh6zXDVaRj3BhYZ_pQ.ees0tKmXMCPwwclM2CZQb8LUQUsGVYNUr-Nu10yBgQQ","validationRecord":[{"url":"http://service.internal/.well-known/acme-challenge/t-OhARx9eY_cc6H751t-J3xBTrh6zXDVaRj3BhYZ_pQ","hostname":"service.internal","port":"80","addressesResolved":["192.168.0.135"],"addressUsed":"192.168.0.135","resolverAddrs":["A:192.168.0.1:53","AAAA:192.168.0.1:53"]}]},"ValidationLatency":0.01}
boulder-1 | 2024-02-20T08:05:47.218876+00:00Z boulder-va[4904]: 6 boulder-va gs24oQs [AUDIT] Validation result JSON={"ID":"16739","Requester":4,"Hostname":"service.internal","Challenge":{"type":"http-01","status":"valid","token":"t-OhARx9eY_cc6H751t-J3xBTrh6zXDVaRj3BhYZ_pQ","keyAuthorization":"t-OhARx9eY_cc6H751t-J3xBTrh6zXDVaRj3BhYZ_pQ.ees0tKmXMCPwwclM2CZQb8LUQUsGVYNUr-Nu10yBgQQ","validationRecord":[{"url":"http://service.internal/.well-known/acme-challenge/t-OhARx9eY_cc6H751t-J3xBTrh6zXDVaRj3BhYZ_pQ","hostname":"service.internal","port":"80","addressesResolved":["192.168.0.135"],"addressUsed":"192.168.0.135","resolverAddrs":["A:192.168.0.1:53","AAAA:192.168.0.1:53"]}]},"ValidationLatency":0.011}
boulder-1 | 2024-02-20T08:05:48.220943+00:00Z boulder-ra[4947]: 6 boulder-ra 5q6e8wY FinalizationCaaCheck JSON={"Requester":4,"Reused":1}
boulder-1 | 2024-02-20T08:05:48.224226+00:00Z boulder-ca[4887]: 6 boulder-ca 9sOxpAw [AUDIT] Signing precert: serial=[12345678-redacted] regID=[4] names=[service.internal] csr=[.....]
boulder-1 | 2024-02-20T08:05:48.229518+00:00Z boulder-ca[4887]: 6 boulder-ca iubsjgE [AUDIT] Signing precert success: serial=[12345678-redacted] regID=[4] names=[service.internal] precertificate=[.....]
boulder-1 | 2024-02-20T08:05:48.233916+00:00Z boulder-ca[4930]: 6 boulder-ca hezZ_g8 [AUDIT] Signing cert: serial=[12345678-redacted] regID=[4] names=[service.internal] precert=[.....]
boulder-1 | 2024-02-20T08:05:48.236278+00:00Z boulder-ca[4930]: 6 boulder-ca jZvv_g4 [AUDIT] Signing cert success: serial=[12345678-redacted] regID=[4] names=[service.internal] certificate=[.....]
boulder-1 | 2024-02-20T08:05:48.241546+00:00Z boulder-ra[4947]: 6 boulder-ra xpqj0wc [AUDIT] Certificate request - successful JSON={"ID":"RRr1ZMR2z0m-p6ZWi1VC87x5DTRBbA3TXa1Ujqm2zVY","Requester":4,"OrderID":16741,"SerialNumber":"12345678-redacted","VerifiedFields":["subject.commonName","subjectAltName"],"CommonName":"service.internal","Names":["service.internal"],"NotBefore":"2024-02-20T07:05:48Z","NotAfter":"2024-05-20T07:05:47Z","RequestTime":"2024-02-20T08:05:48.218371531Z","ResponseTime":"2024-02-20T08:05:48.241505498Z","Authorizations":{"service.internal":{"ID":"16739","ChallengeType":"http-01"}}}
Thank you for the very detailed information in your issue report! This should be very helpful for me to fix the issue.
The error message "... must end in IANA registered TLD" only gets produced in one place, so I just need to figure out how to inject the Lockdown domain(s) there.
When using whitelist/lockdown domains, also accept them in va.extractRequestTarget().
Apparently that method only gets used on renewal but not during the original request?
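The renewal log above shows why only renewals trip over this check: the validator's GET to http://service.internal/... was answered with a redirect to https://service.internal/..., and it is the redirect target, not the original request, that Boulder subjects to the "must end in IANA registered TLD" rule. The following is an added, stand-alone example (not LabCA's or Boulder's code) of what a redirect-target check looks like once the Lockdown domains are consulted alongside the public TLD list. The checks on scheme, port and IP literals are assumptions about what a reasonable HTTP-01 redirect policy enforces; `ianaTLDs` is a constructed sample, and `RedirectPolicy`, `LockdownDomains` and `CheckRedirectTarget` are hypothetical names.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Constructed sample of public TLDs. A real deployment would load the
// full IANA root-zone list instead of this handful.
var ianaTLDs = map[string]bool{"com": true, "org": true, "net": true, "io": true}

// RedirectPolicy is a hypothetical type holding the CA's Lockdown/whitelist
// domains. Assumption: a hostname is accepted when it equals a lockdown
// domain or is a subdomain of one (matched on a label boundary).
type RedirectPolicy struct {
	LockdownDomains []string
}

func (p RedirectPolicy) isLockdownName(host string) bool {
	for _, d := range p.LockdownDomains {
		d = strings.ToLower(strings.TrimSuffix(d, "."))
		if host == d || strings.HasSuffix(host, "."+d) {
			return true
		}
	}
	return false
}

// CheckRedirectTarget validates the Location of an HTTP-01 redirect:
// scheme http/https only, port 80/443 only, no IP literals, and a hostname
// that ends in a registered TLD unless it falls under a lockdown domain.
// It returns the normalized hostname on success.
func (p RedirectPolicy) CheckRedirectTarget(location string) (string, error) {
	u, err := url.Parse(location)
	if err != nil {
		return "", fmt.Errorf("invalid redirect URL: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return "", errors.New("invalid redirect scheme, must be http or https")
	}
	host := strings.ToLower(strings.TrimSuffix(u.Hostname(), "."))
	if host == "" {
		return "", errors.New("redirect target has no hostname")
	}
	if net.ParseIP(host) != nil {
		return "", errors.New("invalid redirect target, IP address not allowed")
	}
	if port := u.Port(); port != "" && port != "80" && port != "443" {
		return "", fmt.Errorf("invalid port %s in redirect target, must be 80 or 443", port)
	}
	// Lockdown domains are consulted first, so a private TLD such as
	// "internal" is accepted only when the CA has been configured for it.
	if p.isLockdownName(host) {
		return host, nil
	}
	labels := strings.Split(host, ".")
	if len(labels) < 2 || !ianaTLDs[labels[len(labels)-1]] {
		return "", errors.New("invalid hostname in redirect target, must end in IANA registered TLD")
	}
	return host, nil
}

func main() {
	// Constructed redirect target modelled on the renewal log above.
	loc := "https://service.internal/.well-known/acme-challenge/token"
	for _, p := range []RedirectPolicy{{}, {LockdownDomains: []string{"internal"}}} {
		if host, err := p.CheckRedirectTarget(loc); err != nil {
			fmt.Printf("lockdown=%v: rejected: %v\n", p.LockdownDomains, err)
		} else {
			fmt.Printf("lockdown=%v: accepted %s\n", p.LockdownDomains, host)
		}
	}
}
```

Run with `go run .`: the empty policy rejects the target exactly as in the issue, while the policy that lists `internal` accepts it. Matching on a label boundary matters here: a name like `evil.internal.example.test` must not pass just because it contains the string "internal".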