Cannot create SSL certificate - unauthorized


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

*.fitchek.com

I ran this command:

sudo certbot certonly --test-cert --webroot -w /opt/marketplace/public/yegfitness -d yegfitness.fitchek.com

It produced this output:

Domain: yegfitness.fitchek.com
Type: unauthorized
Detail: Invalid response from
https://yegfitness.fitchek.com/.well-known/acme-challenge/1dv3RAGOQDz6fyvG46WIJdD9NWbnU0lx5dS7Mw-Ypac
[2606:4700:30::681f:429d]: "\n<!--[if lt IE 7]>
\n <html class=\"no-js "

My web server is (include version):

nginx version: nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version):

Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-45-generic x86_64)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

certbot 0.28.0


#2

Hi @Nate14

Your domain uses Cloudflare.

You have redirects http -> https. Normally, this isn’t a problem, because Letsencrypt follows these redirects and ignores expired certificates (or certificates with the wrong domain name).

But with Cloudflare that doesn’t work, because Cloudflare blocks and sends an HTTP status 526 (checked with https://check-your-website.server-daten.de/?q=yegfitness.fitchek.com ):

| Domainname | IP address | Http-Status | Redirect | Sec. | G | Visible Content |
|---|---|---|---|---|---|---|
| http://yegfitness.fitchek.com/ | 104.31.66.157 | 301 | https://yegfitness.fitchek.com/ | 0.263 | A | |
| http://yegfitness.fitchek.com/ | 104.31.67.157 | 301 | https://yegfitness.fitchek.com/ | 0.236 | A | |
| http://yegfitness.fitchek.com/ | 2606:4700:30::681f:429d | 301 | https://yegfitness.fitchek.com/ | 0.243 | A | |
| http://yegfitness.fitchek.com/ | 2606:4700:30::681f:439d | 301 | https://yegfitness.fitchek.com/ | 0.130 | A | |
| https://yegfitness.fitchek.com/ | 104.31.66.157 | 526 Origin SSL Certificate Error | | 1.507 | S | |
| https://yegfitness.fitchek.com/ | 104.31.67.157 | 526 Origin SSL Certificate Error | | 1.460 | S | |
| https://yegfitness.fitchek.com/ | 2606:4700:30::681f:429d | 526 Origin SSL Certificate Error | | 1.477 | S | |
| https://yegfitness.fitchek.com/ | 2606:4700:30::681f:439d | 526 Origin SSL Certificate Error | | 1.467 | S | |
| http://yegfitness.fitchek.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 104.31.66.157 | 301 | https://yegfitness.fitchek.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 0.237 | A | 301 Moved Permanently nginx/1.10.3 (Ubuntu) |
| http://yegfitness.fitchek.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 104.31.67.157 | 301 | https://yegfitness.fitchek.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 0.230 | A | 301 Moved Permanently nginx/1.10.3 (Ubuntu) |
| http://yegfitness.fitchek.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 2606:4700:30::681f:429d | 301 | https://yegfitness.fitchek.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 0.130 | A | 301 Moved Permanently nginx/1.10.3 (Ubuntu) |
| http://yegfitness.fitchek.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 2606:4700:30::681f:439d | 301 | https://yegfitness.fitchek.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 0.133 | A | 301 Moved Permanently nginx/1.10.3 (Ubuntu) |
| https://yegfitness.fitchek.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | | 526 Origin SSL Certificate Error | | 5.476 | S | see below |

Visible Content of the last row: Error 526 Ray ID: 4b3d80ee7fcb2d35 • 2019-03-07 15:11:44 UTC Invalid SSL certificate You Browser Working Berlin Cloudflare Working yegfitness.fitchek.com Host Error What happened? The origin web server does not have a valid SSL certificate. What can I do? If you’re a visitor of this website: Please try again in a few minutes. If you’re the owner of this website: The SSL certificate presented by the server did not pass validation. This could indicate an expired SSL certificate or a certificate that does not include the requested domain name. Please contact your hosting provider to ensure that an up-to-date and valid SSL certificate issued by a Certificate Authority is configured for this domain name on the origin server. Additional troubleshooting information here. Cloudflare Ray ID: 4b3d80ee7fcb2d35 • Your IP : 2a01:238:301b::1229 • Performance & security by Cloudflare

The last block shows the error message from Cloudflare.

So if you don’t have a valid certificate, perhaps deactivate Cloudflare to create a certificate.

Or create one certificate manually with dns-01 validation, install that, so you have a valid certificate. Two months later switch back to http-01 validation.


#3

Thanks for the quick reply. In Cloudflare I have Always Use HTTPS set to OFF.

This is a new URL I am creating, not a renewal of an existing certificate.

I am not an expert on this stuff, so I am not sure what dns-01 validation is.


#4

Start there:


#5

PS: If it is a new domain, isn’t it the easiest way that you first don’t use Cloudflare?

Create a certificate, then use Cloudflare.


#6

If you plan to use Cloudflare permanently, you should also consider using their origin CA rather than a Let’s Encrypt certificate, especially if you’re not very familiar with Let’s Encrypt client options for your origin hosting environment.

This is more secure in this configuration than using a Let’s Encrypt certificate, although it also makes it less convenient to switch away from Cloudflare in the future so it can slightly increase CDN lock-in.


#7

Thanks for the support, but I am still not getting ahead on this. I removed the domain from the Cloudflare CNAME and A so that it is no longer registered. I still get the same error:

Failed authorization procedure. yegfitness.fitchek.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://yegfitness.fitchek.com/.well-known/acme-challenge/M31SkTIatunhta2MmMVXo1RPuy9yaya0GJzSVktnClI [2606:4700:30::681f:429d]: "\n\n<!--[if IE 7]> <html class="no-js "


#8

There is again the Cloudflare error message with the 526 error and the typical Cloudflare error message ( https://check-your-website.server-daten.de/?q=yegfitness.fitchek.com ):

| Domainname | IP address | Http-Status | Redirect | Sec. | G | Visible Content |
|---|---|---|---|---|---|---|
| http://yegfitness.fitchek.com/ | 104.31.66.157 | 301 | https://yegfitness.fitchek.com/ | 0.060 | A | |
| http://yegfitness.fitchek.com/ | 104.31.67.157 | 301 | https://yegfitness.fitchek.com/ | 0.056 | A | |
| http://yegfitness.fitchek.com/ | 2606:4700:30::681f:429d | 301 | https://yegfitness.fitchek.com/ | 0.066 | A | |
| http://yegfitness.fitchek.com/ | 2606:4700:30::681f:439d | 301 | https://yegfitness.fitchek.com/ | 0.047 | A | |
| https://yegfitness.fitchek.com/ | 104.31.66.157 | 526 Origin SSL Certificate Error | | 1.693 | S | |
| https://yegfitness.fitchek.com/ | 104.31.67.157 | 526 Origin SSL Certificate Error | | 1.566 | S | |
| https://yegfitness.fitchek.com/ | 2606:4700:30::681f:429d | 526 Origin SSL Certificate Error | | 1.547 | S | |
| https://yegfitness.fitchek.com/ | 2606:4700:30::681f:439d | 526 Origin SSL Certificate Error | | 1.470 | S | |
| http://yegfitness.fitchek.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 104.31.66.157 | 301 | https://yegfitness.fitchek.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 0.047 | A | |
| http://yegfitness.fitchek.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 104.31.67.157 | 301 | https://yegfitness.fitchek.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 0.044 | A | |
| http://yegfitness.fitchek.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 2606:4700:30::681f:429d | 301 | https://yegfitness.fitchek.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 0.020 | A | |
| http://yegfitness.fitchek.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 2606:4700:30::681f:439d | 301 | https://yegfitness.fitchek.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 0.023 | A | |
| https://yegfitness.fitchek.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | | 526 Origin SSL Certificate Error | | 5.483 | S | see below |

Visible Content of the last row: Error 526 Ray ID: 4b7711f57e1e2d41 • 2019-03-14 14:52:13 UTC Invalid SSL certificate You Browser Working Berlin Cloudflare Working yegfitness.fitchek.com Host Error What happened? The origin web server does not have a valid SSL certificate. What can I do? If you’re a visitor of this website: Please try again in a few minutes. If you’re the owner of this website: The SSL certificate presented by the server did not pass validation. This could indicate an expired SSL certificate or a certificate that does not include the requested domain name. Please contact your hosting provider to ensure that an up-to-date and valid SSL certificate issued by a Certificate Authority is configured for this domain name on the origin server. Additional troubleshooting information here. Cloudflare Ray ID: 4b7711f57e1e2d41 • Your IP : 2a01:238:301b::1229 • Performance & security by Cloudflare

And your connection uses a Cloudflare certificate with a lot of domain names:

CN=sni116869.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated
Valid from: 05.12.2018
Valid to: 14.06.2019 (expires in 92 days)
Subject Alternative Names (67 entries): sni116869.cloudflaressl.com, *.affairesingleslust.date, *.amsteelgroup.com, *.asianpornstar.me, *.assew.website, *.augmea.com, *.augmea.com.tr, *.basolin.site, *.bonustarjoukset.com, *.conexusforum.com, *.derbonusschatz.com, *.dvv-volleyball.de, *.fitchek.com, *.fuckamericangirls.com, *.furmitfur.date, *.gemroyaltie.com, *.gomonterey.com, *.guvard.xyz, *.housebuild.club, *.j-spbreviews.ml, *.kfo-boessner.de, *.longroad24.eu, *.mattloveskrissy.com, *.medik-plus.com, *.musicappiphone.club, *.seitesprungohnesichere.date, *.seitu.xyz, *.shopbuyby.com, *.slifkacenter.org, *.sportsbazar.pk, *.sward.xyz, *.swingervergleichfrauen.date, *.webcam-telefonsex.net, *.xn--bner-vna1l.de, affairesingleslust.date, amsteelgroup.com, asianpornstar.me, assew.website, augmea.com, augmea.com.tr, basolin.site, bonustarjoukset.com, conexusforum.com, derbonusschatz.com, dvv-volleyball.de, fitchek.com, fuckamericangirls.com, furmitfur.date, gemroyaltie.com, gomonterey.com, guvard.xyz, housebuild.club, j-spbreviews.ml, kfo-boessner.de, longroad24.eu, mattloveskrissy.com, medik-plus.com, musicappiphone.club, seitesprungohnesichere.date, seitu.xyz, shopbuyby.com, slifkacenter.org, sportsbazar.pk, sward.xyz, swingervergleichfrauen.date, webcam-telefonsex.net, xn--bner-vna1l.de

#9

Yes, this domain is still pointed at Cloudflare!


#10

I had recreated the Cloudflare DNS just as part of testing. I have removed it again and set Always use SSL to off. I will try again later today to make the certificate.
What should I do about all the weird domain names, especially the porn ones showing up? Does this mean we have been hacked?


#11

That’s a normal Cloudflare certificate, one certificate with a lot of domain names.

If you don’t want that, don’t use Cloudflare.


#12

So I’m circling back to this after removing the A and CNAME entries from Cloudflare last week. As you suggested, I should create the certificate first and then use Cloudflare. Also I am bound to using Cloudflare for the moment as that is how all the other certificates have been made, and I am in a time crunch where I don’t have the cycles to try something different. However, now when I run

sudo certbot certonly --test-cert --webroot -w /opt/marketplace/public/yegfitness -d yegfitness.fitchek.com

I get a new error:

Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for yegfitness.fitchek.com
Using the webroot path /opt/marketplace/public/yegfitness for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. yegfitness.fitchek.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: dns :: DNS problem: NXDOMAIN looking up A for yegfitness.fitchek.com

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: yegfitness.fitchek.com
    Type: connection
    Detail: dns :: DNS problem: NXDOMAIN looking up A for
    yegfitness.fitchek.com

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.


#13

Your domain doesn’t have an IP address:

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| yegfitness.fitchek.com | | Name Error | yes | 1 | 0 |
| www.yegfitness.fitchek.com | | Name Error | yes | 1 | 0 |

So you can’t create a certificate.

If you remove Cloudflare, you have to use another name server.


#14

You can’t use HTTP validation for a hostname that doesn’t exist.

To work around the Cloudflare “Always use SSL”/“Full (strict)” origin certificate issue, you could add the appropriate A/AAAA/CNAME records and temporarily disable Cloudflare’s CDN on the hostname (gray cloud, not orange cloud) so you can validate it and get a certificate.

Edit: Orange cloud + temporarily turning off Always use SSL would also work.
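The failure modes discussed in posts #2 and #14 (a 301 to https answered by Cloudflare with a 526 error page, an HTML page instead of the token, and NXDOMAIN for a hostname with no record) can be checked before running certbot. The following pre-flight script is an added example, not code from the thread or from Certbot; the hostname and token in it are constructed placeholders, and it mimics the validator by following redirects and accepting any origin certificate on the https hop.

```python
import socket
import ssl
import urllib.error
import urllib.request

ACME_PATH = "/.well-known/acme-challenge/"

def classify(status, body, token):
    """Map the validator's view (status, body) to the ACME error type and a hint."""
    text = body.strip()
    if status == 200 and text == token:
        return "valid", "challenge token is served correctly"
    if status == 526 or "Origin SSL Certificate Error" in body or "Error 526" in body:
        # Cloudflare rejected the origin cert on the https hop after the 301 redirect.
        return "unauthorized", ("Cloudflare 526: gray-cloud the hostname or turn off "
                                "'Always Use HTTPS' until the certificate is issued")
    if status == 200 and text.startswith("<"):
        return "unauthorized", "HTML page instead of token: check the webroot path (-w)"
    if status == 404:
        return "unauthorized", "token not found: file is not under the webroot passed to -w"
    return "unauthorized", "unexpected response %d" % status

def resolve(host):
    """A/AAAA addresses for host; [] means NXDOMAIN, which ACME reports as 'connection'."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []

def fetch_like_validator(host, token, timeout=10):
    """GET the challenge URL over http, follow redirects, accept any origin cert (as the CA does)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    url = "http://%s%s%s" % (host, ACME_PATH, token)
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as r:
            return r.status, r.read(2048).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read(2048).decode("utf-8", "replace")

def preflight(host, token):
    """DNS first (missing record -> 'connection'), then the http-01 fetch."""
    if not resolve(host):
        return "connection", "NXDOMAIN for %s: add the A/AAAA record and check the label" % host
    return classify(*fetch_like_validator(host, token), token)

if __name__ == "__main__":
    # Constructed placeholders; replace with your hostname and a token file you placed.
    print(preflight("beta-yegfitness.example.invalid", "TOKEN-PLACEHOLDER"))
```

Place a file with a known token under the webroot given to -w first; a "valid" result means the same request the CA makes will succeed.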


#15
  1. Always use HTTPS is set to OFF

  2. I created an A record with name beta-yegfitness that points to the public IP of my server

  3. On the DNS page of Cloudflare the cloud is Orange

In the crypto tab I have the following origin certificates

*.fitchek.com, fitchek.com (2 hosts)
2034-03-03

After about 20 minutes I run

sudo certbot certonly --test-cert --webroot -w /opt/marketplace/public/yegfitness -d yegfitness.fitchek.com

The result is:

Failed authorization procedure. yegfitness.fitchek.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: dns :: DNS problem: NXDOMAIN looking up A for yegfitness.fitchek.com


#16

beta-yegfitness and yegfitness are two different names.

Edit: If you have origin certificates from Cloudflare, why create Let’s Encrypt certificates too?

Edit: That command is using --test-cert, but the staging environment produces certificates that aren’t trusted by clients, whether they’re browsers or Cloudflare’s servers.


#17

Thanks, what a silly error on my part with the wrong names.

I am not sure why things are set up this way. I took over this legacy project from previous devs, and I am not an expert on this stuff. Just trying my best to make it work how it is set up and not cause more problems than I solve!


#18

There is again no IP address ( https://check-your-website.server-daten.de/?q=yegfitness.fitchek.com ):

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| yegfitness.fitchek.com | | Name Error | yes | 1 | 0 |
| www.yegfitness.fitchek.com | | Name Error | yes | 1 | 0 |

So that

doesn’t produce the required result.

Use online tools to check such things.


#19

OK, I made the fixes as noted, and was able to create a certificate. I then updated my sites-available and sites-enabled and restarted nginx.
I turned Always Use HTTPS back to on and made sure the A entry for DNS cloud was orange.

After waiting 20 minutes when I navigate to

https://beta-yegfitness.fitchek.com/

I get invalid certificate, and when I try

http://beta-yegfitness.fitchek.com/

This page (https://beta-yegfitness.fitchek.com/) is currently offline. However, because the site uses Cloudflare’s Always Online™ technology you can continue to surf a snapshot of the site. We will keep checking in the background and, as soon as the site comes back, you will automatically be served the live version. Always Online™ is powered by Cloudflare | Hide this Alert


#20

Yes, I was making problems with the names; the correct domain is https://beta-yegfitness.fitchek.com