knnubt05oc.kuenn.co
Type: unauthorized
Detail: Invalid response from http://knnubt05oc.kuenn.co/.well-known/acme-challenge/RjQ7ggZiNZbReYGR1F48td-apUlJDSF7omTrUzlgTiI: "<html lang="
To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address.
root@5b195ee1c011:/tmp#
My operating system is (include version): Ubuntu 16.04.1 LTS
My web server is (include version): nginx version: nginx/1.10.0 (Ubuntu)
My hosting provider, if applicable, is: Digital Ocean
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no, I am using SSH
Thank you for the hint. Solved the problem now.
My Resolution:
- I need to turn listening on port 80 back ON. My original intent
was to eliminate any non-secure connection. Now, it seems not
possible.... :(
Refer to the below sections of my nginx default config file:
# vi /etc/nginx/sites-available/default
:
server {
client_max_body_size 10M;
listen 80 default_server;
listen [::]:80 default_server;
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
:
One question,
is there plan for Letsencrypt to support HTTPS validation?
regards,
kuenn
There's a challenge type - TLS-SNI-01 - that works via HTTPS/port 443. However, this challenge type currently requires you to either use Apache (for which a certbot plugin that automates the validation exists) or stop your existing web server for a few seconds so that certbot (with the standalone plugin) can listen on port 443. The good news is that a certbot plugin for nginx is being worked on and is going to use this challenge type, so you could probably switch to this if you want to with one of the upcoming releases (sorry, no ETA).
For some discussion on why the HTTP-01 challenge type does not work via HTTPS, and why it might not really be all that bad to listen on port 80 for an HTTPS-only site anyway, see this old thread:
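The two points above (kuenn's resolution of re-enabling port 80, and the reply's note that listening on port 80 need not weaken an HTTPS-only site) can be combined in one nginx configuration: port 80 answers only the ACME HTTP-01 challenge path and redirects everything else to HTTPS, so no site content is ever served in clear. This is an added example written for this thread, not kuenn's config or anything from Let's Encrypt or certbot; the domain `example.com`, the challenge webroot `/var/www/letsencrypt` and the site root `/var/www/html` are assumed placeholders, and the certificate paths follow certbot's usual `/etc/letsencrypt/live/<domain>/` layout.

```nginx
# Added example (not the original poster's config): an HTTPS-only site that
# keeps port 80 open solely for the Let's Encrypt HTTP-01 challenge.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name example.com;            # assumed placeholder domain

    # Serve challenge files from a dedicated webroot (assumed path).
    # Pass the same directory to certbot: --webroot -w /var/www/letsencrypt
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type "text/plain";
        try_files $uri =404;
    }

    # Everything else on port 80 is redirected; nothing is served in clear.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name example.com;            # assumed placeholder domain
    client_max_body_size 10M;

    # certbot's default certificate layout for the domain
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Browsers that have seen this header skip port 80 on later visits,
    # so the redirect above is only hit by first-time and non-browser clients.
    add_header Strict-Transport-Security "max-age=31536000" always;

    root /var/www/html;                 # assumed site root
    index index.html;
}
```

With this in place, issuing or renewing the certificate is `certbot certonly --webroot -w /var/www/letsencrypt -d example.com`; the validation request to `http://example.com/.well-known/acme-challenge/<token>` is answered from the webroot on port 80, while every other HTTP request gets a 301 to HTTPS. The `try_files $uri =404` line means the challenge location returns a 404 rather than an HTML error page when no token file exists, which avoids the kind of `"<html lang="` response shown in the error output at the top of this thread.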