Cannot create SSL certificate - unauthorized

You can’t use HTTP validation for a hostname that doesn’t exist.

To work around the Cloudflare “Always use SSL”/“Full (strict)” origin certificate issue, you could add the appropriate A/AAAA/CNAME records and temporarily disable Cloudflare’s CDN on the hostname (gray cloud, not orange cloud) so you can validate it and get a certificate.

Edit: Orange cloud + temporarily turning off Always use SSL would also work.

  1. Always use HTTPS is set to OFF

  2. I created an A record with name beta-yegfitness that points to the public IP of my server

  3. On the DNS page of Cloudflare the cloud is Orange

In the crypto tab I have the following origin certificates

*.fitchek.com, fitchek.com (2 hosts)
2034-03-03

After about 20 minutes I run

sudo certbot certonly --test-cert --webroot -w /opt/marketplace/public/yegfitness -d yegfitness.fitchek.com

The result is:

Failed authorization procedure. yegfitness.fitchek.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: dns :: DNS problem: NXDOMAIN looking up A for yegfitness.fitchek.com

beta-yegfitness and yegfitness are two different names.

Edit: If you have origin certificates from Cloudflare, why create Let's Encrypt certificates too?

Edit: That command is using --test-cert, but the staging environment produces certificates that aren't trusted by clients, whether they're browsers or Cloudflare's servers.

Thanks, what a silly error on my part with the wrong names.

I am not sure why things are set up this way. I took over this legacy project from previous devs, and I am not an expert on this stuff. Just trying my best to make it work how it is set up and not cause more problems than I solve!

There is again no ip address ( https://check-your-website.server-daten.de/?q=yegfitness.fitchek.com ):

Host T IP-Address is auth. ∑ Queries ∑ Timeout
yegfitness.fitchek.com Name Error yes 1 0
www.yegfitness.fitchek.com Name Error yes 1 0

So that

doesn't produce the required result.

Use online tools to check such things.

OK I made the fixes as noted, and was able to create a certificate. I then updated my sites-available and sites-enabled and restarted nginx.
I turned Always Use HTTPS back to on and made sure the A entry for DNS cloud was orange

After waiting 20 minutes when I navigate to

https://beta-yegfitness.fitchek.com/

I get invalid certificate, and when I try

http://beta-yegfitness.fitchek.com/

This page (https://beta-yegfitness.fitchek.com/) is currently offline. However, because the site uses Cloudflare’s Always Online™ technology you can continue to surf a snapshot of the site. We will keep checking in the background and, as soon as the site comes back, you will automatically be served the live version. Always Online™ is powered by Cloudflare | Hide this Alert

Yes, I was making problems with the names; the correct domain is https://beta-yegfitness.fitchek.com

http://beta-yegfitness.fitchek.com/ mostly works for me. The page loads. Some of the images and such are 404 Not Found errors.

https://beta-yegfitness.fitchek.com/ returns a Cloudflare invalid origin certificate error.

What certificate is being used on the origin now? How is it configured?

Could you turn off Cloudflare on the subdomain temporarily so we can check it?

Or share your non-Cloudflare - ip address.

Then I can check it - ip + hostname.


174.117.43.114

Your public IP address

hostname: fitchek-server

The hostname is the domain name.

The result - https://check-your-website.server-daten.de/?q=174.117.43.114&h=beta-yegfitness.fitchek.com

You have a 90 day - certificate:

CN=beta-yegfitness.fitchek.com 
	18.03.2019
	16.06.2019
expires in 90 days	beta-yegfitness.fitchek.com - 1 entry

But it's the Fake Certificate:

Chain (complete)	
	1	CN=beta-yegfitness.fitchek.com
	
	2	CN=Fake LE Intermediate X1

So create a new certificate, but don't use the test system.

If the certificate is valid, then you should have a Grade I (some content errors), but not a certificate error.

OK I did as you said and re-ran (without test):

sudo certbot certonly --webroot -w /opt/marketplace/public/yegfitness -d beta-yegfitness.fitchek.com

It asked me to keep or renew and replace, so I chose renew and replace

2: Renew & replace the cert (limit ~5 per 7 days)

and the response:

Renewing an existing certificate

Performing the following challenges:

http-01 challenge for beta-yegfitness.fitchek.com

Using the webroot path /opt/marketplace/public/yegfitness for all unmatched domains.

Waiting for verification…

Cleaning up challenges

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:

/etc/letsencrypt/live/beta-yegfitness.fitchek.com/fullchain.pem

Your key file has been saved at:

/etc/letsencrypt/live/beta-yegfitness.fitchek.com/privkey.pem

Your cert will expire on 2019-06-16. To obtain a new or tweaked

version of this certificate in the future, simply run certbot

again. To non-interactively renew all of your certificates, run

“certbot renew”

Still doesn’t work however, still get invalid SSL certificate

If you use certonly, the certificate isn't installed.

Perhaps the file is replaced. But then you have to reload / restart your webserver.

PS: There

https://crt.sh/?q=beta-yegfitness.fitchek.com

is your new certificate.

So install it and recheck your domain.

Looks like you have fixed the error. Checking your ip + domainname as hostname lists now

CN=beta-yegfitness.fitchek.com
	18.03.2019
	16.06.2019
expires in 89 days	beta-yegfitness.fitchek.com - 1 entry

And the domain beta-yegfitness.fitchek.com has four Cloudflare ip addresses and a big Cloudflare certificate:

CN=sni116869.cloudflaressl.com, OU=PositiveSSL Multi-Domain, 
OU=Domain Control Validated
	05.12.2018
	14.06.2019
expires in 87 days

Some missing files ... Grade I.

A post was split to a new topic: How to setup HTTP to HTTPS redirection?

Thanks for all the help, your support has been amazing, I just want to be absolutely clear on the next step before I do something wrong (again):

When you say

There ends your post.

So your question is invisible.

Thanks for all the help, your support has been amazing, I just want to be absolutely clear on the next step before I do something wrong (again):
When you say:

https://crt.sh/?q=beta-yegfitness.fitchek.com

is your new certificate.

So install it and recheck your domain.

Do you mean that I should run

sudo certbot --webroot -w /opt/marketplace/public/yegfitness -d beta-yegfitness.fitchek.com ?

and then restart nginx?

Note that the site is now working, but I think there might be multiple certificates, so not sure which one is in use

Thanks!

Nate

No, the problem is already solved.

See post

Check the result of https://check-your-website.server-daten.de/?q=174.117.43.114&h=beta-yegfitness.fitchek.com

There you see: Your internal ip address 174.117.43.114 checked with your domain name as hostname -> the certificate is valid.

That's like a browser connecting to a website: First, the browser has to find the ip address. Then the browser connects to the ip address and sends the domain name as hostname.

So Cloudflare is able to connect to your site via https.

And check https://check-your-website.server-daten.de/?q=beta-yegfitness.fitchek.com - then you see your Cloudflare - ip and your Cloudflare certificate.

The first is the internal view, the second is what visitors see.
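As an added example (not code from the thread or from check-your-website), this Python script does the "ip + hostname" check the last two posts describe and the staging-certificate check from earlier in the thread: it connects to the origin IP directly (bypassing Cloudflare), sends the domain name as SNI, and flags a leaf certificate that is issued by the "Fake LE" staging CA, does not match the hostname, or is close to expiry. It assumes the third-party cryptography package for decoding the certificate; the origin IP in the usage comment is a placeholder.

```python
import socket
import ssl
from datetime import datetime, timezone

# Issuer CN prefix of the Let's Encrypt staging CA, as seen in the thread
STAGING_MARKER = "Fake LE"

def name_matches(subject_cn, hostname):
    """Exact match, or a single-label wildcard match (*.fitchek.com)."""
    if subject_cn == hostname:
        return True
    if subject_cn.startswith("*.") and "." in hostname:
        return hostname.split(".", 1)[1] == subject_cn[2:]
    return False

def classify(subject_cn, issuer_cn, not_after, hostname, now):
    """Findings for a leaf certificate; an empty list means it looks fine."""
    findings = []
    if not name_matches(subject_cn, hostname):
        findings.append(f"name mismatch: certificate is for {subject_cn}")
    if issuer_cn.startswith(STAGING_MARKER):
        findings.append("staging (--test-cert) certificate: not trusted by browsers or Cloudflare")
    days_left = (not_after - now).days
    if days_left < 0:
        findings.append("expired")
    elif days_left < 30:
        findings.append(f"expires in {days_left} days: renewal has not replaced it yet")
    return findings

def _cn(name):
    from cryptography.x509.oid import NameOID  # third-party; only the live check needs it
    return name.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value

def peek_origin(ip, hostname, port=443, timeout=5.0, now=None):
    """Connect to ip:port with hostname as SNI (bypassing Cloudflare) and classify the leaf.
    Verification is disabled on purpose so an untrusted staging cert can still be inspected.
    Live usage (placeholder IP): peek_origin("ORIGIN_IP", "beta-yegfitness.fitchek.com")"""
    from cryptography import x509  # third-party; only the live check needs it
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = x509.load_der_x509_certificate(tls.getpeercert(binary_form=True))
    not_after = cert.not_valid_after.replace(tzinfo=timezone.utc)  # naive UTC in older versions
    return classify(_cn(cert.subject), _cn(cert.issuer), not_after,
                    hostname, now or datetime.now(timezone.utc))
```

Run it once against the origin IP and once against the public name to compare the internal view with what visitors (and Cloudflare) see.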
