Hello! I am trying to get a subdomain working with https so I can properly host audio provided by Icecast. I run my own icecast instance, and by default it is only served through http, but it is able to provide the audio through ssl if configured properly on the page. I have been attempting for the past few weeks to get Let's Encrypt to provide an ssl certificate on my page that allows icecast to broadcast to 443 or similar ports, but as seen below it continues to fail when testing renewals.
I have checked my dns various times so that does not seem to be the issue.
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
My web server is (include version): nginx 1.18.0-6.1+deb11u3
The operating system my web server runs on is (include version): Debian 11
My hosting provider, if applicable, is: Digital Ocean
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.12.0
UnexpectedHttpResponse
WARNING
Sending an ACME HTTP validation request to radio.youaremachines.com results in unexpected HTTP response 403 Forbidden. This indicates that the webserver is misconfigured or misbehaving.
403 Forbidden
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx</center>
</body>
</html>
Trace:
@0ms: Making a request to http://radio.youaremachines.com/.well-known/acme-challenge/letsdebug-test (using initial IP 45.55.196.154)
@0ms: Dialing 45.55.196.154
@195ms: Server response: HTTP 403 Forbidden
Thank you for the fast response, my friend! I do not believe I have any geo-blocking going on. That 403 is something I am trying to solve now, as just a few moments ago I added a .well-known file to my server based on what other material online has said. This seems a bit better than getting a 404 over and over again, though, but let me know if adding that folder manually is an issue.
Adding the folder manually, with the correct owner and permissions, shouldn't cause an issue, as in the case of a renewal the folder would already be there. The question I would be asking is why the folder wasn't created to begin with.
AAAANotWorking
ERROR
radio.youaremachines.com has an AAAA (IPv6) record (2604:a880:800:10::add:2001) but a test request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address. You should either ensure that validation requests to this domain succeed over IPv6, or remove its AAAA record.
A timeout was experienced while communicating with radio.youaremachines.com/2604:a880:800:10::add:2001: Get "http://radio.youaremachines.com/.well-known/acme-challenge/letsdebug-test": context deadline exceeded
Trace:
@0ms: Making a request to http://radio.youaremachines.com/.well-known/acme-challenge/letsdebug-test (using initial IP 2604:a880:800:10::add:2001)
@0ms: Dialing 2604:a880:800:10::add:2001
@10000ms: Experienced error: context deadline exceeded
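The two letsdebug results above (a 403 over IPv4, a timeout over IPv6) are exactly what a pre-flight check should catch before certbot is run. The following POSIX shell script is an added example, not code from this thread, from certbot or from letsdebug: it drops a constructed token under the challenge webroot, fetches it over IPv4 and IPv6 separately, and turns curl's exit status plus the HTTP code into a one-line diagnosis. The webroot path /var/www/letsencrypt, the function names and the token format are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread, certbot or letsdebug.
# Pre-flight for an HTTP-01 challenge: serve a constructed token from the
# challenge webroot and fetch it over IPv4 and IPv6 separately.
# Assumptions: WEBROOT is the directory the port-80 server block uses as
# root for /.well-known/acme-challenge/ (hypothetical path), curl is installed.
set -eu

WEBROOT="${WEBROOT:-/var/www/letsencrypt}"   # assumed path, adjust to your nginx config
TOKEN="preflight-$(date +%s)"                 # constructed token, not a real ACME token

# classify CURL_EXIT HTTP_CODE: turn one probe result into a one-line diagnosis
classify() {
    case "$1" in
        0)
            case "$2" in
                200)      echo "ok: challenge path is served" ;;
                403)      echo "forbidden: nginx denies the path" ;;
                404)      echo "not found: wrong root for the challenge location" ;;
                301|302)  echo "redirect: the target must serve the token too" ;;
                *)        echo "unexpected HTTP $2" ;;
            esac ;;
        6)  echo "dns: no address of this family resolves" ;;
        7)  echo "refused: nothing listening on port 80 for this family" ;;
        28) echo "timeout: port 80 unreachable for this family" ;;
        *)  echo "curl failed with exit code $1" ;;
    esac
}

# probe FAMILY_FLAG HOST: print "<curl exit code> <http code>" for one address family
probe() {
    rc=0
    code=$(curl "$1" -s -o /dev/null -m 10 -w '%{http_code}' \
        "http://$2/.well-known/acme-challenge/$TOKEN") || rc=$?
    echo "$rc ${code:-000}"
}

# main HOST: publish the token, probe both families, clean up
main() {
    dir="$WEBROOT/.well-known/acme-challenge"
    mkdir -p "$dir"
    printf '%s\n' "$TOKEN" > "$dir/$TOKEN"
    for family in -4 -6; do
        result=$(probe "$family" "$1")
        rc=${result%% *}
        code=${result#* }
        printf '%s %s: %s\n' "$1" "$family" "$(classify "$rc" "$code")"
    done
    rm -f "$dir/$TOKEN"
}

# Only probe when a hostname is given; otherwise just print usage.
if [ "$#" -ge 1 ]; then
    main "$1"
else
    echo "usage: $0 <hostname>   e.g. $0 radio.youaremachines.com" >&2
fi
```

Run it on the web server as `sh preflight.sh radio.youaremachines.com`; running the curl part from a second machine gives a truer picture of firewalling, in which case copy the token file over by hand. For a 403 on this path the usual suspects are a `location ~ /\.` deny rule that also matches `/.well-known`, or a challenge directory the nginx worker user (www-data on Debian) cannot traverse; for an IPv6 timeout the port-80 server block needs `listen [::]:80;` beside `listen 80;` and inbound 80 must be allowed over IPv6, or the AAAA record removed as letsdebug suggests.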
Thank you very much for all this. I will chill out and do some more research before going straight to production tests. I've been dealing with this for the past week, so I have done quite a bit of troubleshooting with no success, as you can see ):
This all stemmed from when I attempted to get icecast to serve over https, because before I just had radio.youaremachines.com certified using the --nginx option and that worked like a charm.