Cannot create SSL certificate - unauthorized

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

*.fitchek.com

I ran this command:

sudo certbot certonly --test-cert --webroot -w /opt/marketplace/public/yegfitness -d yegfitness.fitchek.com

It produced this output:

Domain: yegfitness.fitchek.com
Type: unauthorized
Detail: Invalid response from
https://yegfitness.fitchek.com/.well-known/acme-challenge/1dv3RAGOQDz6fyvG46WIJdD9NWbnU0lx5dS7Mw-Ypac
[2606:4700:30::681f:429d]: "\n<!–[if lt IE 7]>

My web server is (include version):

nginx version: nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version):

Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-45-generic x86_64)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

certbot 0.28.0

Hi @Nate14

your domain uses Cloudflare.

You have redirects http -> https. Normally, this isn't a problem, because Letsencrypt follows these redirects and ignores expired certificates (or certificates with the wrong domain name).

But with Cloudflare that doesn't work, because Cloudflare blocks and sends a http status 526 (checked with https://check-your-website.server-daten.de/?q=yegfitness.fitchek.com ):

The last block shows the error message from Cloudflare.

So if you don't have a valid certificate, perhaps deactivate Cloudflare to create a certificate.

Or create one certificate manual with dns-01 - validation, install that, so you have a valid certificate. Two months later switch back to http-01 - validation.

Thanks for the quick reply. In Cloudlfare I have Always Use HTTPS set to OFF.

This is a new URL I am creating, not a renewal of an existing certificate.

I am not an expert on this stuff, so I am not sure what dns-01 validation is.

Start there:

PS: If it is a new domain, isn't it the easiest way that you first don't use Cloudflare?

Create a certificate, then use Cloudflare.

If you plan to use Cloudflare permanently, you should also consider using their origin CA rather than a Let's Encrypt certificate, especially if you're not very familiar with Let's Encrypt client options for your origin hosting environment.

This is more secure in this configuration than using a Let's Encrypt certificate, although it also makes it less convenient to switch away from Cloudflare in the future so it can slightly increase CDN lock-in.

Thanks for the support, but I am still not getting ahead on this. I removed the domain from the Cloudflare CNAME and A so that it is no longer registered. I still get the same error:

Failed authorization procedure. yegfitness.fitchek.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://yegfitness.fitchek.com/.well-known/acme-challenge/M31SkTIatunhta2MmMVXo1RPuy9yaya0GJzSVktnClI [2606:4700:30::681f:429d]: "\n\n<!–[if IE 7]> <html class="no-js "

There is again then Cloudflare error message with the 526 error and the typical Cloudflare error message ( https://check-your-website.server-daten.de/?q=yegfitness.fitchek.com ):

And your connection uses a Cloudflare certificate with a lot of domain names:

CN=sni116869.cloudflaressl.com, OU=PositiveSSL Multi-Domain, OU=Domain Control Validated
	05.12.2018
	14.06.2019
expires in 92 days	sni116869.cloudflaressl.com, *.affairesingleslust.date, *.amsteelgroup.com, *.asianpornstar.me, *.assew.website, *.augmea.com, *.augmea.com.tr, *.basolin.site, *.bonustarjoukset.com, *.conexusforum.com, *.derbonusschatz.com, *.dvv-volleyball.de, *.fitchek.com, *.fuckamericangirls.com, *.furmitfur.date, *.gemroyaltie.com, *.gomonterey.com, *.guvard.xyz, *.housebuild.club, *.j-spbreviews.ml, *.kfo-boessner.de, *.longroad24.eu, *.mattloveskrissy.com, *.medik-plus.com, *.musicappiphone.club, *.seitesprungohnesichere.date, *.seitu.xyz, *.shopbuyby.com, *.slifkacenter.org, *.sportsbazar.pk, *.sward.xyz, *.swingervergleichfrauen.date, *.webcam-telefonsex.net, *.xn--bner-vna1l.de, affairesingleslust.date, amsteelgroup.com, asianpornstar.me, assew.website, augmea.com, augmea.com.tr, basolin.site, bonustarjoukset.com, conexusforum.com, derbonusschatz.com, dvv-volleyball.de, fitchek.com, fuckamericangirls.com, furmitfur.date, gemroyaltie.com, gomonterey.com, guvard.xyz, housebuild.club, j-spbreviews.ml, kfo-boessner.de, longroad24.eu, mattloveskrissy.com, medik-plus.com, musicappiphone.club, seitesprungohnesichere.date, seitu.xyz, shopbuyby.com, slifkacenter.org, sportsbazar.pk, sward.xyz, swingervergleichfrauen.date, webcam-telefonsex.net, xn--bner-vna1l.de - 67 entries

Yes, this domain is still pointed at Cloudflare!

I had recreated the cloudflare DNS just as part of testing. I have removed it again and set Always use SSL to off. I will try again later today to make the certificate.
What should I do about all the weird domain names, especially the porn ones showing up ? Does this mean we have been hacked?

That's a normal Cloudflare certificate, one certificate with a lot of domain names.

If you don't want that, don't use Cloudflare.

So I circling back to this after removing the A and CNAME entries from cloudflare last week. As you suggested, I should create the certificate first and then use Cloudflare. Also I am bound to using Cloudflare for the moment as that is how all the other certificates have been made, and I am in a time crunch where I don’t the cycles to try something different. However, now when I run the

sudo certbot certonly --test-cert --webroot -w /opt/marketplace/public/yegfitness -d yegfitness.fitchek.com

I get a new error:

Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for yegfitness.fitchek.com
Using the webroot path /opt/marketplace/public/yegfitness for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. yegfitness.fitchek.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: dns :: DNS problem: NXDOMAIN looking up A for yegfitness.fitchek.com

IMPORTANT NOTES:

• The following errors were reported by the server:

  Domain: yegfitness.fitchek.com
  Type: connection
  Detail: dns :: DNS problem: NXDOMAIN looking up A for
  yegfitness.fitchek.com

  To fix these errors, please make sure that your domain name was
  entered correctly and the DNS A/AAAA record(s) for that domain
  contain(s) the right IP address. Additionally, please check that
  your computer has a publicly routable IP address and that no
  firewalls are preventing the server from communicating with the
  client. If you’re using the webroot plugin, you should also verify
  that you are serving files from the webroot path you provided.

Your domain doesn't have an ip address:

So you can't create a certificate.

If you remove Cloudflare, you have to use another name server.

You can’t use HTTP validation for a hostname that doesn’t exist.

To work around the Cloudflare “Always use SSL”/“Full (strict)” origin certificate issue, you could add the appropriate A/AAAA/CNAME records and temporarily disable Cloudflare’s CDN on the hostname (gray cloud, not orange cloud) so you can validate it and get a certificate.

Edit: Orange cloud + temporarily turning off Always use SSL would also work.

1. Always use HTTPS is set to OFF

2. I created an A record with name beta-yegfitness that points the the public IP of my server

3. On the DNS page of Cloudflare the cloud is Orange

In the crypto tab I have the following origin certificates

*.fitchek.com, fitchek.com (2 hosts)
2034-03-03

After about 20 minutes I run

sudo certbot certonly --test-cert --webroot -w /opt/marketplace/public/yegfitness -d yegfitness.fitchek.com

The result is:

Failed authorization procedure. yegfitness.fitchek.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: dns :: DNS problem: NXDOMAIN looking up A for yegfitness.fitchek.com

beta-yegfitness and yegfitness are two different names.

Edit: If you have origin certificates from Cloudflare, why create Let's Encrypt certificates too?

Edit: That command is using --test-cert, but the staging environment produces certificates that aren't trusted by clients, whether they're browsers or Cloudflare's servers.

Thanks, what a silly error on my part with the wrong names.

i am not sure why things are set p this way. I took over this legacy project from previous devs, and I am not an expert on this stuff. Just trying my best to make it work how it is setup and not cause more problems than I solve!

There is again no ip address ( https://check-your-website.server-daten.de/?q=yegfitness.fitchek.com ):

So that

doesn't produce the required result.

Use online tools to check such things.

OK I made the fixes as noted, and was able to create a certificate. I then update my sites-available and sites-enabled and restarted nginx.
I turned Always Use HTTPS back to on and made sure the A entry for DNS cloud was orange

After waiting 20 minutes when I navigate to

https://beta-yegfitness.fitchek.com/

I get invalid certificate, and when I try

http://beta-yegfitness.fitchek.com/

This page (https://beta-yegfitness.fitchek.com/) is currently offline. However, because the site uses Cloudflare’s Always Online™ technology you can continue to surf a snapshot of the site. We will keep checking in the background and, as soon as the site comes back, you will automatically be served the live version. Always Online™ is powered by Cloudflare | Hide this Alert

Yes, I was making problems with the names the correct domain is https://beta-yegfitness.fitchek.com