Can't authenticate my domain


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: koalatyworks.com

I ran this command: certbot --nginx

It produced this output:

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for koalatyworks.com
nginx: [error] invalid PID number "" in "/run/nginx.pid"
Cleaning up challenges
nginx: [error] invalid PID number "" in "/run/nginx.pid"
Encountered exception during recovery: 
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 75, in handle_authorizations
    resp = self._solve_challenges(aauthzrs)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 126, in _solve_challenges
    resp = self.auth.perform(all_achalls)
  File "/usr/lib/python3/dist-packages/certbot_nginx/configurator.py", line 1049, in perform
    self.restart()
  File "/usr/lib/python3/dist-packages/certbot_nginx/configurator.py", line 859, in restart
    nginx_restart(self.conf('ctl'), self.nginx_conf)
  File "/usr/lib/python3/dist-packages/certbot_nginx/configurator.py", line 1119, in nginx_restart
    "nginx restart failed:\n%s\n%s" % (out.read(), err.read()))
certbot.errors.MisconfigurationError: nginx restart failed:
b''
b''

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/error_handler.py", line 108, in _call_registered
    self.funcs[-1]()
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 310, in _cleanup_challenges
    self.auth.cleanup(achalls)
  File "/usr/lib/python3/dist-packages/certbot_nginx/configurator.py", line 1068, in cleanup
    self.restart()
  File "/usr/lib/python3/dist-packages/certbot_nginx/configurator.py", line 859, in restart
    nginx_restart(self.conf('ctl'), self.nginx_conf)
  File "/usr/lib/python3/dist-packages/certbot_nginx/configurator.py", line 1119, in nginx_restart
    "nginx restart failed:\n%s\n%s" % (out.read(), err.read()))
certbot.errors.MisconfigurationError: nginx restart failed:
b''
b''
nginx restart failed:
b''
b''

My web server is (include version): nginx

The operating system my web server runs on is (include version): Ubuntu 18.10

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No


#2

Maybe that isn’t where you have set the nginx pid?
find / -name nginx.pid
nginx -T | grep nginx.pid


#3

No, that’s where nginx.pid is located.

Here’s another bit of info that may prove useful: I don’t yet have a static IP address for my server. I wanted to get the email working right before I went live. It seems to me this might prevent any challenges from succeeding.


#4

Does the nginx service respond to commands:
service nginx stop
service nginx start
service nginx restart


#5

Another error message when I ran sudo service nginx restart.

● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Tue 2018-11-06 15:41:47 EST; 2h 39min ago
Docs: man:nginx(8)
Process: 7353 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=1/FAILURE)
Process: 7342 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)

Nov 06 15:41:45 grace nginx[7353]: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
Nov 06 15:41:45 grace nginx[7353]: nginx: [emerg] bind() to [::]:80 failed (98: Address already in use)
Nov 06 15:41:46 grace nginx[7353]: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
Nov 06 15:41:46 grace nginx[7353]: nginx: [emerg] bind() to [::]:80 failed (98: Address already in use)
Nov 06 15:41:46 grace nginx[7353]: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
Nov 06 15:41:46 grace nginx[7353]: nginx: [emerg] bind() to [::]:80 failed (98: Address already in use)
Nov 06 15:41:47 grace nginx[7353]: nginx: [emerg] still could not bind()
Nov 06 15:41:47 grace systemd[1]: nginx.service: Control process exited, code=exited status=1
Nov 06 15:41:47 grace systemd[1]: nginx.service: Failed with result ‘exit-code’.
Nov 06 15:41:47 grace systemd[1]: Failed to start A high performance web server and a reverse proxy server.


#6

Please show:
netstat -pant | grep -E ':80|:443'


#7

Here you go:

tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 807/nginx: master p
tcp6 0 0 :::80 :::* LISTEN 807/nginx: master p


#8

Please show:
find / -name nginx
which nginx
nginx -V
service nginx status

These PID numbers must match:
more /run/nginx.pid
netstat -pant | grep -E ':80|:443'
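The comparison post #8 asks for, done by a script rather than by eye. This is an added example, not code from the thread or from certbot: it reads the PID nginx recorded in its pidfile and the PID of the process actually bound to :80/:443 in `netstat -pant` output, and reports which of the two things is wrong. Run as `sh check_nginx_pid.sh /run/nginx.pid` to check the live system; with no arguments it runs on a constructed sample built from the netstat lines in post #7 (the 807 master process).

```shell
#!/bin/sh
# Added example: is the PID in nginx's pidfile the process that owns :80/:443?
#   sh check_nginx_pid.sh /run/nginx.pid      # live system
#   sh check_nginx_pid.sh                     # constructed sample from post #7

# PID of the first LISTEN socket on :80 or :443 in `netstat -pant` output.
# Lines look like: "tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 807/nginx: master p"
listener_pid() {
    printf '%s\n' "$1" | grep -E ':(80|443) ' | grep -w LISTEN \
        | sed -n 's|.* \([0-9][0-9]*\)/.*|\1|p' | head -n 1
}

# $1: pidfile path, $2: netstat -pant output.
# Prints one of: empty-pidfile, no-listener, mismatch, ok.
# Exit status is 0 only for "ok".
# "empty-pidfile" is exactly the state behind certbot's
# 'invalid PID number "" in "/run/nginx.pid"': nginx's reload reads the
# pidfile, finds nothing, and refuses to signal the running master.
# "mismatch" means a master started some other way (not by the unit file)
# still holds the ports, which is why systemd's restart saw
# "bind() to 0.0.0.0:80 failed (98: Address already in use)".
check_nginx_pid() {
    pidfile=$1
    netstat_out=$2
    recorded=$(tr -d '[:space:]' < "$pidfile" 2>/dev/null || true)
    listening=$(listener_pid "$netstat_out")
    if [ -z "$recorded" ]; then
        echo empty-pidfile; return 1
    elif [ -z "$listening" ]; then
        echo no-listener; return 1
    elif [ "$recorded" != "$listening" ]; then
        echo mismatch; return 1
    fi
    echo ok
}

if [ "$#" -ge 1 ]; then
    check_nginx_pid "$1" "$(netstat -pant 2>/dev/null)"
else
    # Constructed sample: pidfile says 807, and 807 owns the :80 sockets.
    sample_pidfile=$(mktemp)
    printf '807\n' > "$sample_pidfile"
    sample_netstat='tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 807/nginx: master p
tcp6 0 0 :::80 :::* LISTEN 807/nginx: master p'
    check_nginx_pid "$sample_pidfile" "$sample_netstat"
    rm -f "$sample_pidfile"
fi
```

On a host without net-tools, `ss -ltnp` gives the same information with a slightly different layout (`users:(("nginx",pid=807,fd=6))`), so the `sed` expression would need adjusting. When the result is "mismatch", the fix is to stop the stray master (`kill <listening PID>`) and then `service nginx start`, so that the pidfile and the listener agree again before re-running certbot.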


#9

Okay, I checked, and the PID numbers matched. I tried certbot --nginx again, and basically got the same result, to wit:

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for koalatyworks.com
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. koalatyworks.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://koalatyworks.com/.well-known/acme-challenge/5xQ7u0eCS5AomJcQFz5iVfpOkTvI_XacEr3C3CIgPWM: "\n\n<!--[if IE 7 ]><html class="ie ie7 oldi"

IMPORTANT NOTES:

I’m still thinking part of the problem is that my domain isn’t live yet. I don’t have a static IP address for it, because I want to get it all set up first.


#10

OK this is a different error message. (better)

Please place a sample test.txt file at: http://koalatyworks.com/.well-known/acme-challenge/test.txt


#11

I hope I did this right. I created the .well-known and acme-challenge directories under /var/www/html; that’s where the index.html file lives. Then I created a test.txt file. Is that the right location?

Anyway, I re-ran certbot --nginx and got the same result.


#12

http://koalatyworks.com/ and http://www.koalatyworks.com/ serve a Gandi domain parking page.

The DNS records need to be aimed at your server for HTTP validation to work.
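The two checks behind posts #10 and #12, packaged so they can be re-run before each certbot attempt. This is an added example, not code from the thread or from certbot. The helpers take plain text so they can be exercised on constructed input; run as `sh http01_preflight.sh koalatyworks.com 203.0.113.10 [token]` the script queries `dig` and `curl` for real. 203.0.113.10 is a placeholder for the server's public address, and the default token `test.txt` is the file post #10 asks for; pass the real token from certbot's error message to check the actual challenge response.

```shell
#!/bin/sh
# Added example: http-01 pre-flight. Does the name point at this server,
# and does this server (not a parking page) answer under
# /.well-known/acme-challenge/?
#   sh http01_preflight.sh koalatyworks.com 203.0.113.10 [token]

# $1: `dig +short A name` output (one IP per line), $2: this server's IP.
# Succeeds only if one of the A records is this server. If they all belong
# to the registrar's parking host, the validation request never reaches
# your nginx, whatever you put in /var/www/html.
dns_targets_server() {
    printf '%s\n' "$1" | grep -Fxq "$2"
}

# The body served for the challenge must be the key authorization
# <token>.<JWK thumbprint>: base64url characters and a single dot
# (RFC 8555 section 8.1). Anything else, such as the
# "<!--[if IE 7 ]><html ..." certbot quoted in post #9, is some other
# web server answering for the name.
challenge_body_ok() {
    body=$(printf '%s' "$1" | tr -d '\r\n')
    printf '%s' "$body" | grep -Eq '^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$'
}

if [ "$#" -ge 2 ]; then
    domain=$1; server_ip=$2; token=${3:-test.txt}
    resolved=$(dig +short A "$domain")
    if dns_targets_server "$resolved" "$server_ip"; then
        echo "DNS ok: $domain -> $server_ip"
    else
        echo "DNS problem: $domain resolves to [$resolved], not $server_ip"
    fi
    url="http://$domain/.well-known/acme-challenge/$token"
    # -L: Let's Encrypt follows redirects too, so a redirect to https is fine
    body=$(curl -fsSL "$url" || echo "")
    if [ "$token" = test.txt ]; then
        if [ -n "$body" ]; then
            echo "HTTP ok: $url is served by a web server"
        else
            echo "HTTP problem: $url is not served"
        fi
    elif challenge_body_ok "$body"; then
        echo "HTTP ok: $url returns a key authorization"
    else
        echo "HTTP problem: $url returned: $(printf '%s' "$body" | head -c 80)"
    fi
fi
```

Run the DNS half first: until `dns_targets_server` passes, the HTTP half only tells you what the parking host serves. A `test.txt` that comes back with your own content confirms both that the record points here and that nginx serves the path certbot will use.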


#13

Can I aim those DNS records at my server without a static IP address? I feel pretty clueless right now.


#14

Yeah… You just need a script to automatically check and update your server’s IP address periodically.

Thank you


#15

Look into free Dynamic DNS services.
You set up a DDNS service to update your dynamic IP to their free FQDN.

You can also set up your real domain FQDN as a CNAME to that free FQDN, and both names will point to your automatically updated IP address.
Like:
myHomeNAS.free.domain.services.org = 1.2.3.4 (my dynamic IP)
NAS.MYDOMAIN.COM = CNAME myHomeNAS.free.domain.services.org
So both names return IP 1.2.3.4

From there you can get LE certs for either name or both names.