Cannot get certificates


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is ecinternetimports.com

I ran this command: I am using Certify SSL on IIS

It produced this output: 2019-01-09 07:44:05.831 -04:00 [INF] Validation of the required challenges did not complete successfully. Fetching http://ecinternetimports.com/.well-known/acme-challenge/QY94yUWp0ggapIrOYx4YeOPEvJUtE14wKBf7VTss_oY: Timeout after connect (your server may be slow or overloaded)

My web server is (include version): IIS

The operating system my web server runs on is (include version): Windows server 2019

My hosting provider, if applicable, is: Me

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

I bought this domain a few weeks ago and since then, on Linux and Windows, I cannot get a certificate. I was able to successfully get a cert for breautech.com on Linux and www2.breautech.com on my IIS machine, but for some reason this domain does not want to get a certificate.

The error listed above is the one I am currently getting, and sometimes I get “likely a firewall issue”.

I tried manually with the file, and I can access the files in the acme-challenge folder from the web interface and see the characters.
I can see the app creating the files in the acme-challenge folder.
The website is available externally via HTTP and HTTPS; the ports are open.
Currently this is the only website on that web server (I removed the rest for testing purposes).

On my DNS side (CheapDomain.com) I have an A record for @ pointing to 174.113.27.176 and domain forwarding pointing to http://ecinternetimports.com.

I tried doing a TXT validation via DNS and it won't pick up the TXT records, as if they don't exist (even though I created them last night in my DNS cPanel; when I do a TXT lookup they don't show up).

Any help, or a pointer in the right direction, would be appreciated.

Thanks


#2

Hi @breaup,

that DNS result

Host                       T     IP-Address             is auth.  Σ Queries  Σ Timeout
ecinternetimports.com      A     174.113.27.176         yes       2          0
                           A     184.168.131.241        yes       2          0
                           AAAA                         yes
www.ecinternetimports.com  C     ecinternetimports.com  yes       1          0
                           A     174.113.27.176         yes
                           A     184.168.131.241        yes

looks like you have a wrong configuration.

If you have one server with one IP address, it doesn’t work with two IP addresses.

And there are different answers (this is always bad) ( https://check-your-website.server-daten.de/?q=ecinternetimports.com ):

Domainname                          IP               Http-Status  redirect                           Sec.    G
http://ecinternetimports.com                         301          http://ecinternetimports.com       0.360   L
http://ecinternetimports.com/       184.168.131.241  301          http://ecinternetimports.com       3.364   D
http://www.ecinternetimports.com/   184.168.131.241  301          http://ecinternetimports.com       0.347   D
http://ecinternetimports.com/       174.113.27.176   200                                             0.687   H
http://www.ecinternetimports.com/   174.113.27.176   200                                             0.677   H
https://ecinternetimports.com/      174.113.27.176   301          http://ecinternetimports.com/      3.194   N
    Certificate error: RemoteCertificateNameMismatch
https://www.ecinternetimports.com/  174.113.27.176   301          http://www.ecinternetimports.com/  2.960   N
    Certificate error: RemoteCertificateNameMismatch
https://ecinternetimports.com/      184.168.131.241  -14                                             10.027  T
    Timeout - The operation has timed out
https://www.ecinternetimports.com/  184.168.131.241  -14                                             10.030  T
    Timeout - The operation has timed out

The IP 184.168.131.241 answers with an HTTP redirect; HTTPS has a timeout. The other IP sends a 200 or a wrong certificate.

This “domain forwarding” looks wrong. Remove it, so you have only the 174.113.27.176 IP.


#3

Thanks for the reply. I removed the forward earlier and just tried again, and now I get this error: 2019-01-09 11:27:31.387 -04:00 [INF] Validation of the required challenges did not complete successfully. Invalid response from http://ecinternetimports.com/.well-known/acme-challenge/md1VnJNQBlLrFvG3pLsYeGME_5d5OBFz3z5jRAMssT0: "\r\n<html xmlns="http://www.w3.org/1999/xhtml">\r\n<script type="text/javascript">window.NREUM||"

I opened a support ticket with my DNS provider, as all the domains I have on my account have that second IP address as an A record and I cannot modify it. So I am just looking to see why. Thanks for pointing this out.

Although my domain breautech.com does have the same configuration as this one, I was able to generate certificates for that one. Any idea?

Thanks again


#4

Now it’s better, but not good:

Your non-www has a direct loop: the page redirects to the same URL. So it’s a loop. The www redirects to the non-www and ends in the same loop.

So check these redirects; a loop is always terrible.

But I don’t use Certify SSL, so it’s possible that Certify has created these redirects.

The domain has the same problems. Two different IP addresses, different redirects.

https://breautech.com/  54.39.98.193

has a 200 (ok),

https://breautech.com/  184.168.131.241
    Timeout - The operation has timed out

has a timeout. And a redirect

http://www.breautech.com/  184.168.131.241  301  https://BreauTech.com

lowercase -> uppercase is curious.
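
The checks in #2 and #4 boil down to one question: when every A record of the name is probed separately, does each address return the challenge file, or does one of them redirect, loop or time out? The script below is an added example that reproduces that per-address probe and is not part of the thread, of Certify SSL or of the check-your-website tool. `resolve_a`, `fetch_from_ip` and `walk` do live network work; `diagnose` is a pure function, and the constructed `SAMPLE_TRACES` (modelled on the thread's two addresses, with a placeholder account-key thumbprint) let it run offline. HTTPS hops are fetched without certificate validation because the HTTP-01 validator does not check the certificate when a redirect lands on https://.

```python
"""Per-IP probe of an ACME HTTP-01 challenge URL (added example, not from the thread)."""
import http.client
import socket
import ssl
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10                      # assumption: how many redirects we are willing to follow
REDIRECTS = {301, 302, 303, 307, 308}


@dataclass
class Hop:
    url: str
    status: Optional[int] = None   # None when the request itself failed
    location: Optional[str] = None
    body: str = ""
    error: Optional[str] = None    # "timeout", "redirect loop", "connect failed: ..."


def resolve_a(domain: str) -> list[str]:
    """Every IPv4 address behind the name: the same set a CA validator may pick from."""
    infos = socket.getaddrinfo(domain, 80, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def fetch_from_ip(url: str, ip: str, timeout: float = 10.0) -> Hop:
    """One GET of `url` sent to a specific address, Host header (and SNI) from the URL."""
    parts = urlsplit(url)
    host = parts.hostname
    path = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
    try:
        if parts.scheme == "https":
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname = False          # mirrors the HTTP-01 validator: no cert check
            ctx.verify_mode = ssl.CERT_NONE
            raw = socket.create_connection((ip, parts.port or 443), timeout=timeout)
            conn = http.client.HTTPSConnection(host, parts.port or 443, timeout=timeout, context=ctx)
            conn.sock = ctx.wrap_socket(raw, server_hostname=host)   # SNI carries the name, not the IP
        else:
            conn = http.client.HTTPConnection(ip, parts.port or 80, timeout=timeout)
        conn.request("GET", path, headers={"Host": host, "User-Agent": "acme-http01-probe"})
        resp = conn.getresponse()
        body = resp.read(4096).decode("utf-8", "replace")
        return Hop(url, resp.status, resp.getheader("Location"), body)
    except socket.timeout:
        return Hop(url, error="timeout")
    except OSError as exc:
        return Hop(url, error=f"connect failed: {exc}")


def walk(url: str, ip: str) -> list[Hop]:
    """Follow redirects from one address; stop on a loop, a non-redirect, or MAX_HOPS."""
    hops, seen = [], set()
    while len(hops) < MAX_HOPS:
        if url in seen:
            hops.append(Hop(url, error="redirect loop"))
            break
        seen.add(url)
        hop = fetch_from_ip(url, ip)
        hops.append(hop)
        if hop.status not in REDIRECTS or not hop.location:
            break
        url = urljoin(url, hop.location)
    return hops


def diagnose(expected_body: str, traces: dict[str, list[Hop]]) -> list[str]:
    """Findings per address, plus a cross-address consistency check (pure function)."""
    findings, outcomes = [], {}
    for ip, hops in traces.items():
        last = hops[-1]
        if last.error:
            findings.append(f"{ip}: {last.error} at {last.url}")
        elif last.status in REDIRECTS:
            findings.append(f"{ip}: still redirecting after {len(hops)} hops")
        elif last.status != 200:
            findings.append(f"{ip}: HTTP {last.status} at {last.url}")
        elif last.body.strip() != expected_body:
            findings.append(f"{ip}: body is not the key authorization, starts {last.body[:30]!r}")
        outcomes[ip] = (last.status, last.error)
    if len(set(outcomes.values())) > 1:        # different A records, different answers
        findings.append("A records answer differently: " + ", ".join(f"{ip} -> {o}" for ip, o in outcomes.items()))
    return findings


def probe(domain: str, token: str, key_authz: str) -> list[str]:
    """Live run: resolve every A record, walk from each address, diagnose."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    return diagnose(key_authz, {ip: walk(url, ip) for ip in resolve_a(domain)})


# Constructed sample modelled on the thread: token from post #1, placeholder thumbprint,
# one address serving an HTML page instead of the challenge file, the other redirecting to itself.
TOKEN = "QY94yUWp0ggapIrOYx4YeOPEvJUtE14wKBf7VTss_oY"
THUMBPRINT = "EXAMPLE-ACCOUNT-KEY-THUMBPRINT"      # placeholder, not a real thumbprint
KEY_AUTHZ = f"{TOKEN}.{THUMBPRINT}"
URL = f"http://ecinternetimports.com/.well-known/acme-challenge/{TOKEN}"
SAMPLE_TRACES = {
    "174.113.27.176": [Hop(URL, 200, None, '\r\n<html xmlns="http://www.w3.org/1999/xhtml">\r\n<script>window.NREUM||')],
    "184.168.131.241": [Hop(URL, 301, URL), Hop(URL, error="redirect loop")],
}

if __name__ == "__main__":
    for line in diagnose(KEY_AUTHZ, SAMPLE_TRACES):
        print(line)
```

Run against a live name with `probe("example.com", token, key_authz)` once the client has written the challenge file; the key authorization is `token.thumbprint`, which the ACME client knows and the probe cannot derive on its own. Probing every address individually rather than letting the resolver pick one is the point: a single `curl` that happens to land on the working address will report success while the CA's next attempt lands on the other one.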


#5

Thanks for pointing me in the right direction; I have it figured out now. Removing the forward reset my A records and parked the domain, which I did not notice right away until I tried it again later in a browser. I deleted all the A records, re-added the proper one, waited the TTL, tried again and it worked.

Thanks for the help, much appreciated


closed #6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.