404 on Challenge File Request

[coreyward]

$ heroku run rake letsencrypt:renew
Running rake letsencrypt:renew on ⬢ my-application... up, run.6412
Creating account key...Done!
Registering with LetsEncrypt...Done!
Performing verification for www.mydomain.com:
Setting config vars on Heroku...Done!
Giving config vars time to change...Done!
Testing filename works (to bring up app)...rake aborted!
OpenURI::HTTPError: 404 Not Found
/app/vendor/bundle/ruby/2.3.0/gems/letsencrypt-rails-heroku-0.2.7/lib/tasks/letsencrypt.rake:55:in `block (3 levels) in <top (required)>'
/app/vendor/bundle/ruby/2.3.0/gems/letsencrypt-rails-heroku-0.2.7/lib/tasks/letsencrypt.rake:32:in `each'
/app/vendor/bundle/ruby/2.3.0/gems/letsencrypt-rails-heroku-0.2.7/lib/tasks/letsencrypt.rake:32:in `block (2 levels) in <top (required)>'
/app/vendor/bundle/ruby/2.3.0/gems/rake-11.2.2/exe/rake:27:in `<top (required)>'
Tasks: TOP => letsencrypt:renew
(See full trace by running task with --trace)

Line 55 is the open call:

# Get the domain name from Heroku
hostname = heroku.domain.list(heroku_app).first['hostname']
open("http://#{hostname}/#{challenge.filename}").read
puts "Done!"

[coreyward]

Issue was the actually due to line 54:

hostname = heroku.domain.list(heroku_app).first['hostname']

By grabbing the first domain indiscriminately, LRH grabbed the apex domain for my application, which actually redirects to www. using the DNS provider's server.

I was able to workaround the issue by removing the apex domain from the listing, which isn't ideal: I will need to leave it removed in order for automatic renewal to work.

[jalada]

Hmm. Surely if your apex is being handled by your DNS provider it doesn't make sense for you to tell Heroku it is responsible for that domain?

[jalada]

Also are you sure that's the issue? Surely a request to your apex domain, if redirected correctly, wouldn't have resulted in a 404?

[heyogrady]

I'm getting the same error. if I run CURL -I http://<mydomain>.com/.well-known/acme-challenge/32423, I get a 404 error.

@coreyward are you on Rails 5? I've tried to set up Let's Encrypt manually, I can't seem to get the route working with a leading dot (.well-known).

[coreyward]

@jalada I do believe that this was the issue. I ran the rake task multiple times to no avail, and after removing the bare domain from the Heroku list, ran it again successfully. I suspect the response from the domains endpoint is normalized by alphabetizing, which would result in the bare domain being first in the list.

I will typically add the bare domain to Heroku as a matter of completeness. If the client ends up making a change to their DNS records, I don't want to see non-www-prefixed requests simply fail. It also prevents confusion in the potential case of someone else adding the domain to another application in Heroku.

If this gem used the first in the list from ACME_DOMAINS, that would be better, I believe, than using the Heroku information.

@heyogrady Yes, I'm on Rails 5.

[jalada]

Thank you for the further investigation @coreyward. You’re right, it would probably be better to use the ACME_DOMAINS variable. I pinched my method from paratrooper but in hindsight it wasn’t the most appropriate.

I’ll happily accept a pull request changing it. If not I will get round to it as soon as I can ☺️ . Thanks!