Cannot generate SSL Certificate

My domain is: masonserver.giize.com

I ran this command: sudo certbot --apache

It produced this output:
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: masonserver.giize.com
Type: dns
Detail: no valid A records found for masonserver.giize.com; no valid AAAA records found for masonserver.giize.com

The operating system my web server runs on is (include version): Ubuntu Server 20.04

My hosting provider, if applicable, is: Dynu

I can login to a root shell on my machine (yes or no, or I don't know): yes

I am using apache2
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.29

Try getting your site running as http first, then get https working after. Currently your site is not reachable, and if I try dig masonserver.giize.com A I get REFUSED as the error. It works via dnsviz.net though, so possibly something is still just updating.

You also won't be able to use http validation currently as your record points to an internal IP 192.168.0.102, so when Let's Encrypt tries to make the challenge http request to your site it will fail.


When I attempt to access it from my own PC it lets me in and I get no errors.

Cool, but Let's Encrypt doesn't have access to your PC; check it from a public data connection such as from your phone over 4G (not WiFi).


Ok, when I did that, that is when it doesn't work. I have to be on my home network. But I am not sure why I cannot access it from outside my network.

Because you are using an IP address that is only allowed in private networks. To work on the public internet you need a public IP address.

This command should show you what yours is:

curl -4 http://ifconfig.co

Then, update your DNS with that IP address. Use the Let's Debug test site to verify before trying to get another cert.


From here: DNS Lookup - Check DNS Records
Your DNS A record is:
A masonserver.giize.com 120 192.168.0.102
which is an IPv4 private network address (see "Private network" on Wikipedia), as @webprofusion stated. Private network addresses are not routable to the Internet, but work fine on your local area network.
Most likely you want to do port forwarding on your router for ports 80 and 443 to 192.168.0.102.
And use something like https://www.whatismyip.com/ or https://whatismyipaddress.com/ to find your public Internet-routable address; that is the IP address that Let's Encrypt can do an HTTP-01 challenge with.
You will have to update your DNS A record too.


I changed the IP address and attempted the SSL certificate again, and now I get this error:
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: masonserver.giize.com
Type: connection
Detail: 97.119.255.243: Fetching http://masonserver.giize.com/.well-known/acme-challenge/9KZVvONSfoiER891MmnLoMZHtmP6oKwEgcwML0Q4kPM: Timeout during connect (likely firewall problem)

Also, I have ports 80 and 443 forwarded to my home server. Do I need to change that to 192.168.0.102, and if I did, how would I go about that?

I tried changing the port forwarding IP to 192.168.0.1 but got this error: "Server IP address must be a LAN IP address."

Your router should send the requests to your home server's IP.

You could try hostname -i on that home server to check what that is.


That does not work for me on OpenBSD 7.1:

hostname -i
hostname: unknown option -- i
usage: hostname [-s] [name-of-host]

I'm not sure the poster would care about your OpenBSD :slight_smile: You can try ifconfig or various other commands. I was just hoping that worked on Ubuntu.


Ah, Linux and all those strange extensions that UNIX and POSIX don't seem to have. :roll_eyes:


Yes, so your router will have configuration for port forwarding to specific internal IP addresses; in this case I assume your web server is running on 192.168.0.102, so you'd forward to that. Then, use your phone browser to connect to your website, with WiFi disabled but your normal phone data enabled. Once you have that website working via a public network your Let's Encrypt http validation should work.

[Edit: note that not all ISPs allow you to host a service on port 80, if yours doesn't allow it then you'd need to use DNS validation instead.]


Yeah, I always use ifconfig, yet some Linuxes don't seem to support the fundamentals and I am not sure why.


I have port forwarded things to the right IP address but it still won't let me access it from outside my home network.

You should check with your ISP. They may not allow use of inbound port 80 (or port 443) for home accounts.

The other thing is your DNS A record points to IP: 97.119.255.243

Make sure it's correct. There are many ways to do that, but this command is an easy way to see your public IP:

curl -4 http://ifconfig.co
and try (might not work):
curl -6 http://ifconfig.co
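As an added example (not code from this thread, from certbot or from Let's Debug), a small Python pre-flight check that covers both failures discussed above: it flags resolved A/AAAA addresses that Let's Encrypt cannot reach (such as 192.168.0.102) and probes the /.well-known/acme-challenge/ path to tell a firewall or port-forwarding timeout apart from a reachable server. It uses only the standard library; the token value is a placeholder, the default domain is the one from the thread, and the probe is only meaningful when run from outside the home network.

```python
import ipaddress
import socket
import urllib.error
import urllib.request


def classify_addresses(addrs):
    """Map each address string to 'public' or the reason Let's Encrypt cannot reach it."""
    verdicts = {}
    for a in addrs:
        try:
            ip = ipaddress.ip_address(a)
        except ValueError:
            verdicts[a] = "invalid address"
            continue
        if ip.is_loopback:
            verdicts[a] = "loopback"
        elif ip.is_link_local:
            verdicts[a] = "link-local"
        elif ip.is_private:
            verdicts[a] = "private (RFC 1918 / ULA), not routable from the Internet"
        elif not ip.is_global:
            verdicts[a] = "not globally routable"
        else:
            verdicts[a] = "public"
    return verdicts


def resolve_addresses(domain):
    # Live A/AAAA lookup through the local resolver; unique addresses, sorted.
    infos = socket.getaddrinfo(domain, 80, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def challenge_url(domain, token):
    return f"http://{domain}/.well-known/acme-challenge/{token}"


def probe_challenge_path(domain, token="preflight-placeholder", timeout=10):
    # A 404 still proves port 80 is reachable (certbot writes the real file later);
    # a timeout is the "likely firewall problem" error seen in the thread.
    try:
        with urllib.request.urlopen(challenge_url(domain, token), timeout=timeout) as resp:
            return f"reachable (HTTP {resp.status})"
    except urllib.error.HTTPError as e:
        return f"reachable (HTTP {e.code})"
    except (urllib.error.URLError, OSError) as e:
        return f"NOT reachable: {e}"


if __name__ == "__main__":
    domain = "masonserver.giize.com"  # domain from the thread; replace with your own
    for addr, verdict in classify_addresses(resolve_addresses(domain)).items():
        print(f"{addr}: {verdict}")
    print(probe_challenge_path(domain))
```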
