Can't access my website via https

rg305 · May 5, 2018, 1:35am

OK that part makes sense.

Production and Staging are completely different IPs.
Can you connect to staging?
Can staging connect to you?

Do you have firewall logs you can check?

NasKar · May 5, 2018, 1:36am

Can not sure how to do that can you give me an example command?

NasKar · May 5, 2018, 1:39am

So if my domain is example.ddns.net I should do the command
certbot certonly --webroot -w /usr/local/www -d example.ddns.net

rg305 · May 5, 2018, 1:39am

check your LE logs:
grep http /var/log/letsencrypt/letsencrypt.log | grep directory | grep staging

NasKar · May 5, 2018, 1:42am

rg305 · May 5, 2018, 1:43am

curl https://acme-staging-v02.api.letsencrypt.org/directory

Do you see html content or does it time out?

NasKar · May 5, 2018, 1:45am

{
"keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
"website": "Staging Environment - Let's Encrypt"
},
"newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
"r1pi8zUBdGI": "Adding random entries to the directory",
"revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert"

rg305 · May 5, 2018, 1:47am

That is good.
That means you can get to staging.

The problem must be when staging tries to get back to you.
…
Check your names here: https://letsdebug.net/

NasKar · May 5, 2018, 1:48am

says there is no problem
All OK

rg305 · May 5, 2018, 1:50am

at https://letsdebug.net/your.domain/numbers
click “Show verbose information.” just below the green box.
Show the first blue box “LetsEncryptStaging”

NasKar · May 5, 2018, 1:52am

Challenge update failures for example.ddns.net in order https://acme-staging-v02.api.letsencrypt.org/acme/order/5751349/763852
acme: error code 403 “urn:ietf:params:acme:error:unauthorized”: Invalid response from http://example.ddns.net/.well-known/acme-challenge/nFqy9H5XKKrHv3c4fjwDSC9z3AOYFsh1ZyrkUbKGQ18: “<html>
<head><title>404 Not Found</title></head>
<body bgcolor=“white”>
<center><h1>404 Not Found</h1></center>
<hr><center>”

rg305 · May 5, 2018, 1:53am

cant see all the tags.
edit your post (click the pencil icon) and add \ in front of all <
make all <
look like \<

NasKar · May 5, 2018, 1:55am

HTTPCheck
DEBUG
Requests made to the domain
Request to: example.ddns.net/x.x.x.x, Result: [Address Type=IPv4,Response Code=404,Server=nginx], Issue:

rg305 · May 5, 2018, 1:58am

I think I’ve come as far as I can go on this.
We would have to check the staging environment logs for your specific domain/IP.
And I don’t have access to either of those.
Maybe @schoen can help figure this one out for you.

NasKar · May 5, 2018, 2:01am

Am I being overly paranoid by not sharing my domain name?Can I private message it to you so its not searchable on the site?

rg305 · May 5, 2018, 2:03am

Yeah.
But that would only be half of the required pieces.
So, it’s really not that important right now (at least not to me).
In order for LE to help you will have to give them some info - you could do it in private message though and still maintain your paranoia level at 100%

rg305 · May 5, 2018, 2:05am

If you like.
I could try some basic tests.
To which, I would ask that you place a TEST.TXT file in the challenge folder.

But my connections would come from different IPs.
So I’m not sure it would show anything - especially if it didn’t fail
Like the production system; it didn’t fail either.

NasKar · May 5, 2018, 2:05am

so if I run the command
certbot certonly --staging --webroot -w /usr/local/www -d <domain_name>
I should get a congratulations message but the certificates won’t be saved if it works properly?

rg305 · May 5, 2018, 2:07am

It would be “saved” as normal.
But the “certonly” would keep it from replacing a working cert.
Certonly means just get the cert and do nothing else.

All certs are kept, production, staging, even expired ones are all in the archive folder.

ls -l /etc/letsenrypt/archive/<your.domain>/
You should see multiple cert#.pem, chain#.pem, fullchain#.pem and privkey#.pem files
The symlinks in the
ls -l /etc/letsenrypt/live/<your.domain>/
would show you which of those # versions in now in use.

NasKar · May 5, 2018, 2:23am

Interesting. I ran my script again and got the same error with certbot command in the script. Then I ran the command in the jail not from the script and got.
Congratulations! Your certificate and chain have been saved at: