Can't create a certificate for a subdomain

Hi all,

I have created a certificate for this domain, www.claudiaotger.com, and it works perfectly. This domain is my web page.

Later on I tried to create a certificate for a subdomain, api.claudiaotger.com. This is my API for the web page.

I followed the same steps as the other domain.

1st) sudo certbot certonly --webroot --webroot-path=/home/node/formclaudiaotger -d api.claudiaotger.com

And I got this error message:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for api.claudiaotger.com
Using the webroot path /home/node/formclaudiaotger for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Unable to clean up challenge directory /home/node/formclaudiaotger/.well-known/acme-challenge
Failed authorization procedure. api.claudiaotger.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://api.claudiaotger.com/.well-known/acme-challenge/yRvz7sL8QAp0EY5jZ45-A-tZ_VHQFgpyo4ynO8Ch7BY: "

404 Not Found

404 Not Found


"

IMPORTANT NOTES:

The AAAA record is not set up for any of my domains.

I tried to create a text file in the folder .well-known/acme-challenge/text.tx
and it's not accessible from a browser.

Please could anybody kindly help me.

Thanks in advance.


You probably need to configure nginx to not pass that path through to your node application.

If you have trouble doing this, post the relevant section of your nginx config and I’m sure one of our resident nginx experts would be happy to help.

Another (possibly easier) method would be to use the --nginx plugin instead of --webroot.

sudo certbot --nginx -d api.claudiaotger.com

or if you don’t want it to try to install the certificate automatically:

sudo certbot certonly --nginx -d api.claudiaotger.com

Since this is where the challenge files are expected to be found, try placing a test.txt file at:
/home/node/formclaudiaotger/.well-known/acme-challenge/test.txt
To ensure that file is accessible from the Internet.

mkdir /home/node/formclaudiaotger/.well-known
mkdir /home/node/formclaudiaotger/.well-known/acme-challenge
echo "just a test" > /home/node/formclaudiaotger/.well-known/acme-challenge/test.txt
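As an added example (not code from the thread or from certbot), here is the check the reply above describes, simulated offline: certbot's webroot plugin writes a file under `<webroot>/.well-known/acme-challenge/`, and the validator must be able to fetch that same file over plain HTTP. A local `http.server` rooted at a temporary directory stands in for nginx's `root`; the token, body and directories are constructed test values. The second call shows the failure mode from the first post: when the server serves from a different directory than the one certbot wrote into, the validator gets a 404.

```python
"""Added example (not from the thread): simulate the http-01 webroot check.
certbot --webroot writes <webroot>/.well-known/acme-challenge/<token>; the
ACME validator then fetches http://<domain>/.well-known/acme-challenge/<token>.
A local http.server rooted at a directory stands in for nginx's `root`, so
the script runs offline; the token and body are constructed test values."""
import functools
import http.server
import os
import tempfile
import threading
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"


class QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep stderr clean during the demo
        pass


def write_challenge(webroot, token, body):
    """What certbot --webroot does: drop the token file under the webroot."""
    path = os.path.join(webroot, CHALLENGE_DIR, token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(body)
    return path


def serve_directory(directory):
    """Stand-in for nginx with `root <directory>`; returns (server, base_url)."""
    handler = functools.partial(QuietHandler, directory=directory)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def fetch_challenge(base_url, token):
    """What the validator does: GET the token URL; returns (status, body)."""
    url = f"{base_url}/{CHALLENGE_DIR}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, ""  # e.g. the 404 Not Found seen in the thread


def check_webroot(served_root, certbot_webroot, token="test-token", body="just a test"):
    """True only if the file certbot writes is the file the web server returns."""
    write_challenge(certbot_webroot, token, body)
    server, base = serve_directory(served_root)
    try:
        status, got = fetch_challenge(base, token)
    finally:
        server.shutdown()
        server.server_close()
    return status == 200 and got == body


def demo():
    """Matching roots -> reachable; server rooted elsewhere -> 404, like the thread."""
    with tempfile.TemporaryDirectory() as webroot, tempfile.TemporaryDirectory() as other:
        return check_webroot(webroot, webroot), check_webroot(other, webroot)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The same idea applies against a real server: put a known file in the directory you pass as `--webroot-path`, then request it with curl from outside the machine; if that returns 404, certbot's challenge file will too, and no certbot option will fix what the web server configuration is doing.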

Hi,

I tried to do the echo command with sudo and I got a Permission denied error. So I created the test.txt with sudo nano.

I don’t understand why.

Thanks!

I tried the second method
sudo certbot certonly --nginx -d api.claudiaotger.com

And I received the following error message:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Could not choose appropriate plugin: The requested nginx plugin does not appear to be installed
The requested nginx plugin does not appear to be installed

I already installed a certificate for the webpage www.claudiaotger.com

Thanks.

What operating system are you using, and how did you install certbot? You might need to install the nginx plugin separately. For example if you installed certbot with apt-get, try: sudo apt-get install python-certbot-nginx

If you want to try the webroot plugin instead: I don't see the test.txt file at http://api.claudiaotger.com/.well-known/acme-challenge/test.txt, so probably something in your configuration is causing nginx not to serve files from that web root. If you want to use the --webroot method you'll have to fix that first.

see: linux - How to append to a file as sudo? - Super User

Hi jmorahan

I'm using Ubuntu 16.0.4 on an AWS instance.

The nginx configuration file looks like this:

server{
listen 80;
listen [::]:80;
server_name api.claudiaotger.com;

    # location for the letsencrypt check
    location ~ /.well-know {
           allow all;
    }

    location / {
            proxy_set_header Host $http_host;
            proxy_pass http://127.0.0.1:3000/;
            proxy_redirect off;
    }

}

I'm more of an Apache guy, but I think you need something like
root /home/node/formclaudiaotger/;
in that block (and also spell well-known correctly) :slight_smile:

I still think --nginx should be easier though...

Hi jmorahan

In the config file of my web, this domain has the SSL certificate working correctly; the page looks like this:
server{
listen 80 default_server;
listen [::] default_server ipv6only=on;
server_name claudiaotger.com www.claudiaotger.com;
return 301 https://claudiaotger.com$request_uri;

}

server {

    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;

    ssl_certificate /etc/letsencrypt/live/claudiaotger.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/claudiaotger.com/privkey.pem;

    root /home/web/html;

    index index.html index.html;

    server_name localhost;

    location ~ /.well-know {
            allow all;
    }

    location / {
            try_files $uri $uri/ =404;
    }

}

As you can see, in that file it is set to well-know instead of well-known and it worked perfectly.

Thanks in advance

So in that file you have:

root /home/web/html;

which tells nginx where to serve files from. You need something similar in the other one:

root /home/node/formclaudiaotger/;

or wherever you want the web root to be. I think you can put it inside the location block if you don’t want it to affect the rest of the site.

Hi jmorahan!!

I could get the certificate!! It was the root parameter!!

Many thanks!!!


Now I have the problem that the browser says that the connection is not private.

The nginx config file looks like this:

server{
listen 80;
listen [::]:80;
server_name api.claudiaotger.com;
return 301 https://api.claudiaotger.com$request_uri;
}

server {
listen 443 ssl http2;
listen [::]:443 ssl http2;

     # path to the certificates
     ssl_certificate /etc/letsencrypt/live/api.claudiaotger.com/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/api.claudiaotger.com/privkey.pem;

    # folder where it should look for the files
    root /home/node/formclaudiaotger/views;


    # file to load by default
     index index.ejs;

    # location for the letsencrypt check
    location ~ /.well-know {
           allow all;
    }

    # if a URL / is requested, we send the request to the nodeform app

    location / {
            proxy_set_header Host $http_host;
            proxy_pass http://127.0.0.1:3000/;
            proxy_redirect off;
    }

}

Is anything wrong?

Do you mean https://api.claudiaotger.com?
The certificate presented to the browser is valid only for claudiaotger.com and www.claudiaotger.com.

Do you need to add server_name api.claudiaotger.com; to the second server block (for port 443) too?


Hi jmorahan,

I think it's not needed, because in the other nginx config file it isn't added and it works perfectly.

# we always redirect from http to https

server{
listen 80 default_server;
listen [::] default_server ipv6only=on;
server_name claudiaotger.com www.claudiaotger.com;
return 301 https://claudiaotger.com$request_uri;

}

server {

    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;

    # path to the certificates
    ssl_certificate /etc/letsencrypt/live/claudiaotger.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/claudiaotger.com/privkey.pem;

    # folder where it should look for the files
    root /home/web/html;


    # files to load by default
    index index.html index.html;

    # server name
    server_name localhost;

    # location for the letsencrypt check
    location ~ /.well-know {
            allow all;
    }

    # loading rules
    location / {
            try_files $uri $uri/ =404;
    }

}

Hi bytecamp,

It's what I saw. When I created the certificate, I think a new one was created. How can I create a specific certificate for https://api.claudiaotger.com?

I did it with this command:
sudo certbot certonly --webroot --webroot-path=/home/node/formclaudiaotger -d api.claudiaotger.com

Hi bytecamp,

I have renewed the certificate just in case; apparently it worked fine:

sudo certbot certonly --webroot --webroot-path=/home/node/formclaudiaotger -d api.claudiaotger.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn’t close to expiry.
(ref: /etc/letsencrypt/renewal/api.claudiaotger.com.conf)

What would you like to do?

1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)

Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for api.claudiaotger.com
Using the webroot path /home/node/formclaudiaotger for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Unable to clean up challenge directory /home/node/formclaudiaotger/.well-known/acme-challenge

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/api.claudiaotger.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/api.claudiaotger.com/privkey.pem
    Your cert will expire on 2018-02-22. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    "certbot renew"

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

But if you go to https://api.claudiaotger.com says that message:

Your connection is not private
Attackers might be trying to steal your information from api.claudiaotger.com (for example, passwords, messages or credit cards). Learn more
NET::ERR_CERT_COMMON_NAME_INVALID

Any suggestion?

Thanks in advance

Try it anyway. I think it will work.

nginx uses the server_name to determine which server block to use, and uses that in turn to select which certificate to use. If you don’t specify the server_name then it uses the default, which will probably be correct for one of your sites, but not the other(s). (at least that’s how Apache works, but I suspect nginx does the same)


It worked!!! Many thanks!!!
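Three separate configuration mistakes were untangled in this thread: a `location` spelled `.well-know`, a challenge location with no `root` (or a root that is not the directory given to certbot as `--webroot-path`), and a port-443 server block with no `server_name`, which makes nginx answer with the default server's certificate and produces the `NET::ERR_CERT_COMMON_NAME_INVALID` error above. The following lint, an added example and not code from the thread or from certbot or nginx, parses the simple brace/semicolon syntax of the posted configs and reports all of them per server block. It also flags a regex location for `.well-known`, since the usual recommendation is a prefix location (`location ^~ /.well-known/acme-challenge/`) so that only challenge files are served from disk. The two sample configs are constructed from the thread's api.claudiaotger.com config, with the comments translated; the `lint` and `lint_server` names are this example's own.

```python
"""Added example (not from the thread): lint nginx configs for the mistakes
discussed above. The parser handles only the directive/block syntax seen in
the posted configs (no 'include', no braces inside quoted strings)."""
import re


def tokenize(text):
    text = re.sub(r"#[^\n]*", "", text)          # strip comments
    return re.findall(r"[{};]|[^{};\s]+", text)  # braces, semicolons, words


def parse(tokens, i=0):
    """Return (items, next_index); items are ('directive', words) or ('block', words, children)."""
    items, words = [], []
    while i < len(tokens):
        tok = tokens[i]
        i += 1
        if tok == ";":
            items.append(("directive", words))
            words = []
        elif tok == "{":
            children, i = parse(tokens, i)
            items.append(("block", words, children))
            words = []
        elif tok == "}":
            break
        else:
            words.append(tok)
    return items, i


def directives(items, name):
    """Argument lists of every directive called `name` at this level."""
    return [it[1][1:] for it in items if it[0] == "directive" and it[1][:1] == [name]]


def blocks(items, name):
    return [it for it in items if it[0] == "block" and it[1][:1] == [name]]


def lint_server(server, webroot=None):
    """Findings for one server block; `webroot` is the --webroot-path given to certbot."""
    children, findings = server[2], []
    listens = [" ".join(args) for args in directives(children, "listen")]
    is_tls = any("443" in l or "ssl" in l.split() for l in listens)
    server_root = directives(children, "root")
    for loc in blocks(children, "location"):
        modifier, path = (loc[1][1], loc[1][2]) if len(loc[1]) == 3 else ("", loc[1][1])
        if ".well-know" not in path:  # matches both the typo and the correct spelling
            continue
        if ".well-known" not in path:
            findings.append(f"location {path!r} is misspelled: /.well-known/acme-challenge/<token> will not match it")
        if modifier == "~":
            findings.append(f"location {path!r} is a regex: prefer 'location ^~ /.well-known/acme-challenge/'")
        root = directives(loc[2], "root") or server_root  # location root overrides server root
        if not root:
            findings.append(f"no 'root' for {path!r}: nginx uses its compiled-in default, not certbot's --webroot-path")
        elif webroot and root[0][0].rstrip("/") != webroot.rstrip("/"):
            findings.append(f"root {root[0][0]!r} differs from certbot --webroot-path {webroot!r}")
    if is_tls and not directives(children, "server_name"):
        findings.append("TLS server block has no server_name: requests fall to the default server and get its certificate (NET::ERR_CERT_COMMON_NAME_INVALID)")
    return findings


def lint(text, webroot=None):
    return [f for s in blocks(parse(tokenize(text))[0], "server") for f in lint_server(s, webroot)]


# Constructed from the thread's posted api.claudiaotger.com config (comments translated).
BROKEN_API_CONF = """
server {
    listen 80;
    listen [::]:80;
    server_name api.claudiaotger.com;
    # location for the letsencrypt check
    location ~ /.well-know {
        allow all;
    }
    location / {
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:3000/;
    }
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    ssl_certificate /etc/letsencrypt/live/api.claudiaotger.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/api.claudiaotger.com/privkey.pem;
    root /home/node/formclaudiaotger/views;
    location ~ /.well-know {
        allow all;
    }
    location / {
        proxy_pass http://127.0.0.1:3000/;
    }
}
"""

# The same site with the fixes from the thread applied (constructed, not the poster's final file).
FIXED_API_CONF = """
server {
    listen 80;
    listen [::]:80;
    server_name api.claudiaotger.com;
    location ^~ /.well-known/acme-challenge/ {
        root /home/node/formclaudiaotger;
    }
    location / {
        return 301 https://api.claudiaotger.com$request_uri;
    }
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name api.claudiaotger.com;
    ssl_certificate /etc/letsencrypt/live/api.claudiaotger.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/api.claudiaotger.com/privkey.pem;
    location / {
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:3000/;
    }
}
"""

if __name__ == "__main__":
    for finding in lint(BROKEN_API_CONF, "/home/node/formclaudiaotger"):
        print("-", finding)
    print("fixed config:", lint(FIXED_API_CONF, "/home/node/formclaudiaotger"))
```

Run it against your own `sites-enabled` files before the next renewal. `certbot renew` performs the same http-01 validation, so a site that was fixed by hand once but whose nginx config still lacks the `root` or has the misspelled location will fail again at renewal time; the `server_name` check covers the other half of the thread, since a working certificate on disk is useless if nginx never selects the block that references it.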