Can't Create an SSL Certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.ofornecedor.com.br

I ran this command:

sudo systemctl stop apache2
sudo -H ./letsencrypt-auto certonly --standalone -d ofornecedor.com.br

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for ofornecedor.com.br
Waiting for verification…
Challenge failed for domain ofornecedor.com.br
http-01 challenge for ofornecedor.com.br
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

My web server is (include version): Apache 2

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: Amazon

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): EC2

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

Thanks in advance.

Hi @olivr3

Looks like your domain is broken, with a curious error message ( https://check-your-website.server-daten.de/?q=ofornecedor.com.br ):

Domainname (IP)  Http-Status  Sec.  G
• http://ofornecedor.com.br/ (52.67.24.180)  503  0.473 s  Grade S
  Service Unavailable: Back-end server is at capacity
• http://ofornecedor.com.br/ (54.232.236.70)  503  0.467 s  Grade S
  Service Unavailable: Back-end server is at capacity
• http://www.ofornecedor.com.br/ (52.67.24.180)  503  0.464 s  Grade S
  Service Unavailable: Back-end server is at capacity
• http://www.ofornecedor.com.br/ (54.232.236.70)  503  0.466 s  Grade S
  Service Unavailable: Back-end server is at capacity
• https://ofornecedor.com.br/ (52.67.24.180)  503  2.273 s  Grade S
  Service Unavailable: Back-end server is at capacity
• https://ofornecedor.com.br/ (54.232.236.70)  503  2.153 s  Grade S
  Service Unavailable: Back-end server is at capacity
• https://www.ofornecedor.com.br/ (52.67.24.180)  503  2.157 s  Grade S
  Service Unavailable: Back-end server is at capacity
• https://www.ofornecedor.com.br/ (54.232.236.70)  503  2.180 s  Grade S
  Service Unavailable: Back-end server is at capacity
• http://ofornecedor.com.br/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de (52.67.24.180)  503  0.473 s  Grade S
  Service Unavailable: Back-end server is at capacity
  Visible Content: (empty)
• http://ofornecedor.com.br/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de (54.232.236.70)  503  0.467 s  Grade S
  Service Unavailable: Back-end server is at capacity
  Visible Content: (empty)
• http://www.ofornecedor.com.br/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de (52.67.24.180)  503  0.466 s  Grade S
  Service Unavailable: Back-end server is at capacity
  Visible Content: (empty)
• http://www.ofornecedor.com.br/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de (54.232.236.70)  503  0.466 s  Grade S
  Service Unavailable: Back-end server is at capacity
  Visible Content: (empty)

So nothing works.

There is an Amazon certificate:

CN=ofornecedor.com.br
not before: 19.09.2018
not after:  19.10.2019
expires in 161 days
ofornecedor.com.br, *.ofornecedor.com.br - 2 entries

Looks like a proxy that can't talk with your website.

What's your website ip address?

Loading a page in my browser, there is no error message visible.

Hey JuergenAuer.

Can you try now? It should be working.

www.ofornecedor.com.br
ofornecedor.com.br

I tried a different command but no success.

ubuntu@ip-*:/opt/letsencrypt$ sudo certbot certonly --webroot --webroot-path /var/www/html --renew-by-default -d ofornecedor.com.br
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for ofornecedor.com.br
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. ofornecedor.com.br (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://ofornecedor.com.br/.well-known/acme-challenge/7WtKknHY_RpIX9R1PilXvvAt15rEvVAmz5RAzH1Oj84 [54.232.236.70]: 404

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: ofornecedor.com.br
   Type:   unauthorized
   Detail: Invalid response from
   http://ofornecedor.com.br/.well-known/acme-challenge/7WtKknHY_RpIX9R1PilXvvAt15rEvVAmz5RAzH1Oj84
   [54.232.236.70]: 404

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My tool is online. So use it to recheck your configuration.

Wonderful. Thanks. Will do.

I need those certificates so that I can add them in my VirtualHost file. I can’t create the certificates for some reason.

    <VirtualHost *:80>
      ServerName mydomain.com

      RewriteEngine on
      RewriteRule ^/(.*) https://mydomain.com/$1 [L,R=301,NE]
    </VirtualHost>

    <VirtualHost *:443>
      ServerName mydomain.com

      RequestHeader set X-Forwarded-Proto "https"

      SSLEngine on
      SSLCertificateFile /etc/letsencrypt/certs/cert.pem
      SSLCertificateKeyFile /etc/letsencrypt/certs/privkey.pem
      SSLCertificateChainFile /etc/letsencrypt/certs/chain.pem

      Header always set Strict-Transport-Security "max-age=15768000"

      ProxyRequests Off
      ProxyPreserveHost On

      ProxyPass / http://exp:8080/ timeout=5
      ProxyPassReverse / http://exp:8080/ timeout=5

      RewriteEngine on

      RewriteCond %{HTTP:Upgrade} =websocket [NC]
      RewriteCond %{REQUEST_URI} /admin [NC]
      RewriteRule /admin/(.*) ws://exp:8080/admin/$1 [P,L]

      RewriteCond %{HTTP_HOST} !^mydomain\.com$
      RewriteCond %{HTTP_HOST} !^$
      RewriteRule ^/(.*) https://mydomain.com/$1 [L,R]
    </VirtualHost>

    SSLProtocol all -SSLv3
    SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
    SSLHonorCipherOrder on

    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    SSLStaplingCache shmcb:/var/run/ocsp(128000)

There is a new check of your domain.

There you see the problem (removed the first rows):

Domainname (IP)  Http-Status  redirect  Sec.  G
• http://www.ofornecedor.com.br/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de (52.67.24.180)  302 -> https://ofornecedor.com.br/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de  0.470 s  Grade E
  Visible Content: Found. The document has moved here. Apache/2.4.18 (Ubuntu) Server at www.ofornecedor.com.br Port 80
• http://www.ofornecedor.com.br/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de (54.232.236.70)  302 -> https://ofornecedor.com.br/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de  0.467 s  Grade E
  Visible Content: Found. The document has moved here. Apache/2.4.18 (Ubuntu) Server at www.ofornecedor.com.br Port 80
• http://ofornecedor.com.br/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de (52.67.24.180)  404  0.470 s  Grade A
  Not Found
  Visible Content: {"status":404,"message":"Page [/ofornecedor/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de] not found"}
• http://ofornecedor.com.br/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de (54.232.236.70)  404  0.470 s  Grade A
  Not Found
  Visible Content: {"status":404,"message":"Page [/ofornecedor/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de] not found"}

Using http-01 validation, Certbot creates a file at /.well-known/acme-challenge/random-filename, and Letsencrypt checks that file.

There is a redirect http -> https. Normally, this isn't a problem; Letsencrypt follows these redirects.

But you see: there is other content. It looks like JSON output, so another application answers, not your Apache.

So you have two options:

  • remove the redirect http -> https for /.well-known/acme-challenge, then use the webroot (your command looks good), or
  • find a way to make this application answer correctly. That may be impossible.
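As an added example (not part of the original thread, and not a configuration the original poster published), here is an Apache 2.4 port-80 vhost that applies the first option above: it keeps the reverse proxy and the host-canonicalising redirect seen in the posted vhost, but carves /.well-known/acme-challenge/ out of both, so certbot's --webroot plugin can answer the http-01 challenge from /var/www/html. The hostnames, the backend address localhost:8080 and the webroot path are taken from the thread's own commands and config; the Alias/Directory block and the directive ordering are assumptions made for the example.

```apache
# Added example, not the original poster's configuration. Assumes Apache 2.4
# with mod_proxy, mod_proxy_http, mod_rewrite and mod_alias loaded, and that
# certbot is run as:
#   certbot certonly --webroot --webroot-path /var/www/html -d ofornecedor.com.br
<VirtualHost *:80>
    ServerName ofornecedor.com.br
    ServerAlias www.ofornecedor.com.br

    # 1. Serve the challenge directory straight from disk. This is where the
    #    --webroot plugin writes the token file (assumed webroot path).
    Alias /.well-known/acme-challenge/ /var/www/html/.well-known/acme-challenge/
    <Directory /var/www/html/.well-known/acme-challenge/>
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    # 2. Exclude the challenge path from the proxy. The "!" exclusion must
    #    come BEFORE the catch-all "ProxyPass /": mod_proxy applies the first
    #    ProxyPass whose prefix matches, in configuration order.
    ProxyPreserveHost On
    ProxyRequests Off
    ProxyPass /.well-known/acme-challenge/ !
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/

    # 3. Keep the canonical-host redirect from the posted vhost, but never
    #    redirect the challenge path, so the validator gets the token over
    #    plain HTTP from this server rather than a 302 or a backend 404.
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteCond %{HTTP_HOST} !^ofornecedor\.com\.br$
    RewriteCond %{HTTP_HOST} !^$
    RewriteRule ^/(.*) https://ofornecedor.com.br/$1 [L,R=301,NE]
</VirtualHost>
```

After `apachectl configtest` and a reload, `curl -i http://ofornecedor.com.br/.well-known/acme-challenge/test` should return Apache's own plain 404 (or the file's contents if you create one there), not the backend's JSON body and not a 302; only then is the webroot command from the thread expected to pass.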

Hi,

Are you setting your server behind a load balancer by any chance?

Thank you

Hum… I see.

Do you think that my Virtualhost is the problem?

Not sure where the redirect is coming from.

LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
LoadModule proxy_http_module /usr/lib/apache2/modules/mod_proxy_http.so
LoadModule proxy_wstunnel_module /usr/lib/apache2/modules/mod_proxy_wstunnel.so
LoadModule rewrite_module /usr/lib/apache2/modules/mod_rewrite.so
<VirtualHost *:80>
   ServerName ofornecedor.com.br
   ServerAlias www.ofornecedor.com.br

   ProxyPreserveHost On
   ProxyRequests Off
   ProxyPass / http://localhost:8080/
   ProxyPassReverse / http://localhost:8080/

   RewriteEngine on

   RewriteCond %{HTTP:Upgrade} =websocket [NC]
   RewriteCond %{REQUEST_URI} /admin [NC]
   RewriteRule /admin/(.*) ws://exp:8080/admin/$1 [P,L]

   RewriteCond %{HTTP_HOST} !^ofornecedor\.com\.br$
   RewriteCond %{HTTP_HOST} !^$
   RewriteRule ^/(.*) https://ofornecedor.com.br/$1 [L,R]

</VirtualHost>

I think I am.

Thank you JuergenAuer.

You were spot on.

My Virtualhost file was the issue. I was able to create the certificates.

ubuntu@ip-*:/etc/apache2/sites-available$ sudo certbot certonly --webroot --webroot-path /var/www/html --renew-by-default -d ofornecedor.com.br
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for ofornecedor.com.br
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-v02.api.letsencrypt.org

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/ofornecedor.com.br/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/ofornecedor.com.br/privkey.pem
   Your cert will expire on 2019-08-08. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Thank you!!!


Yep, now it works.

A new Letsencrypt certificate:

CertSpotter-Id  Issuer                                                not before           not after            Domain names
904847284       CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US  2019-05-10 22:23:54  2019-08-08 22:23:54  ofornecedor.com.br (1 entry; LE-Duplicate: duplicate nr. 1)
547204809       CN=Amazon, OU=Server CA 1B, O=Amazon, C=US            2018-09-19 00:00:00  2019-10-19 12:00:00  *.ofornecedor.com.br, ofornecedor.com.br (2 entries)
547352717       CN=Amazon, OU=Server CA 1B, O=Amazon, C=US            2018-09-19 00:00:00  2019-10-19 12:00:00  *.ofornecedor.com.br, www.ofornecedor.com.br (2 entries)

But one problem you may not solve: this Amazon proxy system

Chain - too much certificates, don't send root certificates
  1  CN=ofornecedor.com.br
  2  CN=Amazon, OU=Server CA 1B, O=Amazon, C=US
  3  CN=Amazon Root CA 1, O=Amazon, C=US
  4  CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, C=US, ST=Arizona

sends the root certificate (4); that's too much. Servers should only send their own and the required intermediate certificates. Selecting the root is a client thing.
