404 error issuance to CloudPanel domain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: xn--silkebkken-hagen-zob.no

I ran this command: "Create and Install" button in CloudPanel

It produced this output: www.xn--silkebkken-hagen-zob.no: Domain could not be validated, error message: error type: urn:ietf:params:acme:error:unauthorized, error detail: Invalid response from http://www.silkebækken-hagen.no/.well-known/acme-challenge/lkpU3tMrmXDbk0G0XSRI7dDkB0j8lGgchY4u_rCfQC4 [2001:4da8:c:1b::]: "\n\n404 Not Found\n\nNot Found\n<p"

My web server is (include version): NGINX 1.18.0

The operating system my web server runs on is (include version): Debian 10.6

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don't know): Yes (but shouldn't be necessary on CloudPanel).

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): CloudPanel 1.0.3

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): N/A

You have an IPv6 address configured for your domain, but it's answering differently than your IPv4 address. Perhaps the AAAA DNS record points to a whole different server or the IPv6 address is correct, but your server is misconfigured.

Thank you very much for your reply!

I have now fixed the AAAA record and it has gotten me one step further. Now, unfortunately, I get another error saying "www.xn--silkebkken-hagen-zob.no: Domain could not be validated, error message: error type: urn:ietf:params:acme:error:connection, error detail: Fetching https://silkebækken-hagen.no/.well-known/acme-challenge/qA3Xsj_iiewXX_p0hspzlyL5_y4Z2MH7kUM5IBiQYpI: Timeout during connect (likely firewall problem)"

I have opened up all ports for both IPv4 and IPv6. Can you see what the issue is now? Could there still be something wrong with the DNS?

DNS does not seem to be a problem now.

The HTTP challenge requests are being redirected to HTTPS.
So: http://silkebækken-hagen.no/.well-known/acme-challenge/*
Goes to: https://xn--silkebkken-hagen-zob.no/.well-known/acme-challenge/*
But that returns 404 not found.

Let's place a test file in the expected challenge folder.
First: Find the root folder for the vhost.
Second: Create the folders (if needed)
mkdir /whatever-root-you-have/.well-known/
mkdir /whatever-root-you-have/.well-known/acme-challenge/
Third: Place the test file in the challenge folder:

echo "test file" > /whatever-root-you-have/.well-known/acme-challenge/test-file-1234

[do not create a test file with any extension - this will better approximate an actual challenge file]
[do not add .txt nor .html nor anything to the end of the file name]

[&2* readers: Get involved; Be heard. It starts with: if you read something you like, then like it :heart:]

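Added example, not code from the thread or from CloudPanel: a small Python pre-flight that does by script what the two hints above (the IPv4/IPv6 mismatch and the test-file check) do by hand. It resolves both the A and AAAA records of the host, fetches the test file from each address directly with the vhost's Host header and without following redirects, and reports per address whether it got the file, a redirect, a 404 or a timeout. The file name test-file-1234 and its content "test file" come from the steps above; the script name acme_probe.py is assumed.

```python
import http.client
import socket
import sys
def resolve(host):
    """[(family, ip), ...] from the A and AAAA records of host; both must serve the challenge."""
    out = []
    for fam, label in ((socket.AF_INET, "IPv4"), (socket.AF_INET6, "IPv6")):
        try:
            infos = socket.getaddrinfo(host, 80, fam, socket.SOCK_STREAM)
        except socket.gaierror:
            continue
        out.extend((label, info[4][0]) for info in infos)
    return out

def fetch_via(ip, host, path, timeout=10):
    """GET path from one specific address with the vhost's Host header; redirects not followed."""
    conn = http.client.HTTPConnection(f"[{ip}]" if ":" in ip else ip, 80, timeout=timeout)
    conn.request("GET", path, headers={"Host": host})
    resp = conn.getresponse()
    body = resp.read(200).decode("utf-8", "replace")
    conn.close()
    return resp.status, resp.getheader("Location", ""), body

def diagnose(status, location, body, expected):
    """Map one probe result to the likely cause, matching the failures seen in this thread."""
    if status is None:
        return "timeout/refused: firewall or nothing listening on port 80 at this address"
    if status == 200 and body.strip() == expected:
        return "ok"
    if status in (301, 302, 307, 308):
        return f"redirected to {location}: the redirect target must serve the same file"
    if status == 404:
        return "404: this address serves a different document root"
    return f"unexpected HTTP {status}"

def check_challenge_path(host, filename, expected, fetch=fetch_via, resolver=resolve):
    """Probe every published address of host; returns {(family, ip): verdict}."""
    path = "/.well-known/acme-challenge/" + filename
    verdicts = {}
    for family, ip in resolver(host):
        try:
            status, location, body = fetch(ip, host, path)
        except OSError:  # socket.timeout and connection refused both land here
            status, location, body = None, "", ""
        verdicts[(family, ip)] = diagnose(status, location, body, expected)
    return verdicts

if __name__ == "__main__":  # usage: python3 acme_probe.py www.example.com
    for (family, ip), verdict in check_challenge_path(sys.argv[1], "test-file-1234", "test file").items():
        print(family, ip, verdict)
```

Every address must report "ok" before the real challenge is requested; a 404 on only the IPv6 line is exactly the AAAA-points-elsewhere situation described earlier in the thread.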

The folders .well-known/acme-challenge/ were already there, and I have added a file called test-file-1234 that reads: echo "test file"

I'll also share the Vhost code here in case that helps. It is the standard CodeIgniter template in CloudPanel:

server {
  listen 80;
  listen [::]:80;
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  {{ssl_certificate_key}}
  {{ssl_certificate}}
  server_name www.xn--silkebkken-hagen-zob.no;
  return 301 https://xn--silkebkken-hagen-zob.no$request_uri;
}

server {
  listen 80;
  listen [::]:80;
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  {{ssl_certificate_key}}
  {{ssl_certificate}}
  server_name xn--silkebkken-hagen-zob.no www1.xn--silkebkken-hagen-zob.no;
  {{root}}

  {{nginx_access_log}}
  {{nginx_error_log}}

  if ($bad_bot = 1) {
    return 403;
  }

  if ($scheme != "https") {
    rewrite ^ https://$host$uri permanent;
  }

  location ~ /.well-known {
    auth_basic off;
    allow all;
  }

  {{basic_auth}}

  try_files $uri $uri/ /index.php?$args;
  index index.php index.html;

  location ~ \.php$ {
    include fastcgi_params;
    fastcgi_intercept_errors on;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    try_files $uri =404;
    fastcgi_read_timeout 3600;
    fastcgi_send_timeout 3600;
    fastcgi_param HTTPS $fastcgi_https;
    {{php_fpm_listener}}
    {{php_settings}}
  }

  location ~* ^.+\.(css|js|jpg|jpeg|gif|png|ico|gz|svg|svgz|ttf|otf|woff|eot|mp4|ogg|ogv|webm|webp|zip|swf)$ {
    add_header Access-Control-Allow-Origin "*";
    expires max;
    access_log off;
  }

  if (-f $request_filename) {
    break;
  }
}

Doing HTTP and HTTPS in the same block is unnecessarily over-complicating an otherwise simple situation.

I would try them separately as:

server {
  listen 80;
  listen [::]:80;
  server_name www.xn--silkebkken-hagen-zob.no;
  return 301 https://xn--silkebkken-hagen-zob.no$request_uri;
}

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  {{ssl_certificate_key}}
  {{ssl_certificate}}
  server_name xn--silkebkken-hagen-zob.no www1.xn--silkebkken-hagen-zob.no;
  {{root}}
...

Then this can be removed:

And this can be modified as case-insensitive as:

Thanks for the suggestions! I have now updated the Vhost with your changes. Unfortunately, it doesn't appear to fix the problem. I am still getting the same error message:

www.xn--silkebkken-hagen-zob.no: Domain could not be validated, error message: error type: urn:ietf:params:acme:error:connection, error detail: Fetching https://silkebækken-hagen.no/.well-known/acme-challenge/x6bg9VDKp8iCC551ZuwulgIspMA2a6-3E0XnKRQ19U0: Timeout during connect (likely firewall problem)

For reference, here is the Vhost code now:

server {
  listen 80;
  listen [::]:80;
  server_name www.xn--silkebkken-hagen-zob.no;
  return 301 https://xn--silkebkken-hagen-zob.no$request_uri;
}

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  {{ssl_certificate_key}}
  {{ssl_certificate}}
  server_name xn--silkebkken-hagen-zob.no www1.xn--silkebkken-hagen-zob.no;
  {{root}}

  {{nginx_access_log}}
  {{nginx_error_log}}

  if ($bad_bot = 1) {
    return 403;
  }

  location ~* /.well-known {
    auth_basic off;
    allow all;
  }

  {{basic_auth}}

  try_files $uri $uri/ /index.php?$args;
  index index.php index.html;

  location ~ \.php$ {
    include fastcgi_params;
    fastcgi_intercept_errors on;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    try_files $uri =404;
    fastcgi_read_timeout 3600;
    fastcgi_send_timeout 3600;
    fastcgi_param HTTPS $fastcgi_https;
    {{php_fpm_listener}}
    {{php_settings}}
  }

  location ~* ^.+\.(css|js|jpg|jpeg|gif|png|ico|gz|svg|svgz|ttf|otf|woff|eot|mp4|ogg|ogv|webm|webp|zip|swf)$ {
    add_header Access-Control-Allow-Origin "*";
    expires max;
    access_log off;
  }

  if (-f $request_filename) {
    break;
  }
}

Is port 443 open to your server?

Yes, port 443 is open. I have temporarily opened all ports in the firewall while debugging. I just double-checked 443 in a port checker as well.

The document root folder listed in CloudPanel is /home/cloudpanel/htdocs/xn--silkebkken-hagen-zob.no/public

Not sure why HTTPS is failing:

But that connection implies that it read the HTTP redirection.
So, we could switch to HTTP instead with:
[move, or copy, this to the HTTP block]

AND ADD:
{{root}}

I'm not 100% sure I understood you correctly, but this is what I have now:

server {
  listen 80;
  listen [::]:80;
  server_name www.xn--silkebkken-hagen-zob.no;
  return 301 http://xn--silkebkken-hagen-zob.no$request_uri;
  {{root}}
  
  location ~* /.well-known {
    auth_basic off;
    allow all;
  }
}

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  {{ssl_certificate_key}}
  {{ssl_certificate}}
  server_name xn--silkebkken-hagen-zob.no www1.xn--silkebkken-hagen-zob.no;
  {{root}}

  {{nginx_access_log}}
  {{nginx_error_log}}

  if ($bad_bot = 1) {
    return 403;
  }

  location ~* /.well-known {
    auth_basic off;
    allow all;
  }

  {{basic_auth}}

  try_files $uri $uri/ /index.php?$args;
  index index.php index.html;

  location ~ \.php$ {
    include fastcgi_params;
    fastcgi_intercept_errors on;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    try_files $uri =404;
    fastcgi_read_timeout 3600;
    fastcgi_send_timeout 3600;
    fastcgi_param HTTPS $fastcgi_https;
    {{php_fpm_listener}}
    {{php_settings}}
  }

  location ~* ^.+\.(css|js|jpg|jpeg|gif|png|ico|gz|svg|svgz|ttf|otf|woff|eot|mp4|ogg|ogv|webm|webp|zip|swf)$ {
    add_header Access-Control-Allow-Origin "*";
    expires max;
    access_log off;
  }

  if (-f $request_filename) {
    break;
  }
}

And it returns this error:

www.xn--silkebkken-hagen-zob.no: Domain could not be validated, error message: error type: urn:ietf:params:acme:error:connection, error detail: Fetching http://silkebækken-hagen.no/.well-known/acme-challenge/1_E7jnsjVYPXgm-CjmlMRNJAwFAIvz5ti98fgYumjCg: Timeout during connect (likely firewall problem)

Yes that is what I expected :slight_smile:
Although, on second thought, the server_name lines should be the same:

And there is a "1" in the second line that might have been added by accident

So they both fail ! ? ! ? ! ?
hmm...
Do you have an IPS, or firewall, or Geo-Location blocking device in line?

On third thought...
Maybe this is confusing:

And could be better stated this way:

  #skip challenge requests and
  #("~" makes this a regex location; without it nginx reads the pattern as a literal prefix that never matches)
  location ~ ^/(?!\.well-known) {
    #send all other requests to HTTPS
    return 301 https://$host$request_uri;
  }#location
  auth_basic off;
  allow all;

[move {{root}} above that section]

It works! Thank you so much for the help!

For future readers, here is the complete Vhost code:

(I have removed the 1 in the www1, but it was not added by accident; it was part of the CloudPanel template)

server {
  listen 80;
  listen [::]:80;
  server_name xn--silkebkken-hagen-zob.no www.xn--silkebkken-hagen-zob.no;
  {{root}}
  
  #skip challenge requests and
  #("~" makes this a regex location; without it nginx reads the pattern as a literal prefix that never matches)
  location ~ ^/(?!\.well-known) {
    #send all other requests to HTTPS
    return 301 https://$host$request_uri;
  }#location
  
  auth_basic off;
  allow all;
}

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  {{ssl_certificate_key}}
  {{ssl_certificate}}
  server_name xn--silkebkken-hagen-zob.no www.xn--silkebkken-hagen-zob.no;
  {{root}}

  {{nginx_access_log}}
  {{nginx_error_log}}

  if ($bad_bot = 1) {
    return 403;
  }

  location ~* /.well-known {
    auth_basic off;
    allow all;
  }

  {{basic_auth}}

  try_files $uri $uri/ /index.php?$args;
  index index.php index.html;

  location ~ \.php$ {
    include fastcgi_params;
    fastcgi_intercept_errors on;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    try_files $uri =404;
    fastcgi_read_timeout 3600;
    fastcgi_send_timeout 3600;
    fastcgi_param HTTPS $fastcgi_https;
    {{php_fpm_listener}}
    {{php_settings}}
  }

  location ~* ^.+\.(css|js|jpg|jpeg|gif|png|ico|gz|svg|svgz|ttf|otf|woff|eot|mp4|ogg|ogv|webm|webp|zip|swf)$ {
    add_header Access-Control-Allow-Origin "*";
    expires max;
    access_log off;
  }

  if (-f $request_filename) {
    break;
  }
}

Glad to see it all works!

Cheers from Miami :beers:
