Can't get Certbot to generate new site certs

We have moved an app from one place with an IP: app.c2.domain.net with IP a.b.c.d
We are now moving the app to a new place, new name, new IP: app.domain.net with IP e.f.g.h
There was originally an "app.domain.net" running in AWS and we have changed the IP address to a new IP.

When the new server was built, letsencrypt was generically installed and the letsencrypt folder from the old nginx server was copied over the top on the new server, since the apps were brought over as they were originally but with new IPs, and so the certs would still be valid. So basically the app.c2.domain.net in AWS is shut off and its domain records changed to the new IP addresses, as they are now being hosted onsite. The original sites with app.domain.net in AWS have been changed to app.c1.domain.net and changed IP addresses. The app.domain.net records now point to the same IP addresses as the app.c2.domain.net IPs.

However, now that we are ready to change the website names to just app.domain.net rather than app.c2.domain.net, the certbot running on the new server sees the websites in nginx, as the files in the /etc/nginx/sites-available have been created and the links to the /etc/nginx/sites-enabled have been created, but when we run certbot and choose one of the new websites, we’re getting something like the following:

Failed authorization procedure. app.domain.net (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://app.domain.net/.well-known/acme-challenge/kGL2q4m1YJY77qmxn9ggj1wpd2GWQOLx4zaDo50naR0 [5.195.5.197]: "<html lang="en"><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge">Oops, can"

IMPORTANT NOTES:

We have already changed the DNS A records from the old IP address to the new IP address.

I cannot figure out what needs to be done to recreate all new certs for the new websites, other than taking downtime, backing up the nginx files and letsencrypt files, then uninstalling nginx and letsencrypt, installing them from scratch again, reconfiguring nginx with the new websites, and then trying to run certbot to create the new certs for the three new websites.

Is there any way to get this to work without having to uninstall everything and reinstall, since it's not guaranteed to fix the issue and then I would just have to restore the old files back?

I need to get this fixed ASAP!!!

Any help would greatly be appreciated.

This shows a couple of things:

  • the initial http challenge request has been redirected to https
    [possibly introducing a problem]
  • the challenge request can't reach the file placed in the expected challenge location

I would try placing a test file in the expected challenge location and see if you can reach it from the Internet:
http://app.domain.net/.well-known/acme-challenge/testfile

Perhaps including the complete command that was run may help us help you.


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):


I did some testing and was wondering if anyone can confirm my theory:
My DNS A record for a site points to an IP of A.B.C.D.
I try to pull from the NGINX server that is hosting the proxy for the site, but it goes out the firewall as IP E.F.G.H, and the cert request fails with my original error message I posted in my original post.
Now if I have a webserver across the world with IP address W.X.Y.Z and I create the website on it and change the DNS A record to W.X.Y.Z to match the server where Certbot is on, I can pull the cert.

So does this basically mean that, whatever server is running the website or proxy for the website and also running Certbot on it, the IP address of the server MUST match the IP address of the DNS A record for the website in order to pull the certificate?

Thanks.

In general, yes. There are ways around this, but they get pretty complicated.
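
The two checks suggested in this thread (put a test file in the challenge directory and fetch it from the Internet; confirm the A record points at the address the server is actually reachable on) can be scripted as a pre-flight before running certbot. The following is an added example written for this page, not code from the original posts or from Certbot. It mimics what the ACME validator does for HTTP-01: resolve the name, GET http://host/.well-known/acme-challenge/TOKEN, follow any redirect (an http to https redirect is fine as long as the final document is still the token file), and compare the body. Hostnames, addresses and tokens in it are placeholders; `resolve_a_records` accepts an injectable resolver so the classification logic can be exercised without network access.

```python
#!/usr/bin/env python3
"""Pre-flight check for a Let's Encrypt HTTP-01 challenge (added example;
hostnames, IPs and tokens are placeholders, not values from the thread)."""
import socket
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


@dataclass
class Probe:
    status: int      # HTTP status of the final hop; 0 means no connection at all
    final_url: str   # URL reached after following redirects
    body: str        # first 200 bytes of the final response body


def resolve_a_records(host: str,
                      resolver: Callable[[str], Tuple] = socket.gethostbyname_ex) -> List[str]:
    """Every IPv4 address the name currently resolves to (resolver is injectable)."""
    _name, _aliases, addrs = resolver(host)
    return sorted(addrs)


def a_record_matches(host: str, server_public_ip: str,
                     resolver: Callable[[str], Tuple] = socket.gethostbyname_ex) -> bool:
    """True when the address the world reaches this server on is one of its A records."""
    return server_public_ip in resolve_a_records(host, resolver)


def fetch(url: str, timeout: float = 10.0) -> Probe:
    """GET with redirects followed, which is how the ACME validator fetches the token."""
    req = urllib.request.Request(url, headers={"User-Agent": "acme-preflight/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return Probe(resp.status, resp.geturl(), resp.read(200).decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:          # 4xx/5xx still carries a body and final URL
        return Probe(e.code, e.geturl(), e.read(200).decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError) as e:
        return Probe(0, url, str(e))


def diagnose(expected_body: str, probe: Probe) -> str:
    """Classify the probe into the failure modes discussed in the thread."""
    if probe.status == 0:
        return "unreachable: nothing answered on port 80 (firewall/NAT, or A record points elsewhere)"
    if probe.status == 200 and probe.body.strip() == expected_body:
        return "ok"
    if probe.final_url.startswith("https://"):
        return ("redirected to https, but the HTTPS vhost served a different document: "
                "the redirect must land on the same challenge file")
    if probe.status == 404:
        return "not found: the directory certbot writes to is not the one nginx serves for this host"
    return "unexpected status %d" % probe.status


def check(host: str, token: str, expected_body: str,
          server_public_ip: Optional[str] = None) -> dict:
    """Run both checks against the live host and return a small report."""
    report = {"a_records": resolve_a_records(host)}
    if server_public_ip is not None:
        report["ip_matches_a_record"] = a_record_matches(host, server_public_ip)
    probe = fetch("http://%s%s%s" % (host, CHALLENGE_PREFIX, token))
    report["final_url"] = probe.final_url
    report["diagnosis"] = diagnose(expected_body, probe)
    return report


if __name__ == "__main__":
    # usage: acme_preflight.py app.example.net testfile "hello" [public-ip-of-this-server]
    # Before running, place a file named <token> containing <expected_body> in the
    # webroot's .well-known/acme-challenge/ directory, and run this from OUTSIDE the LAN.
    if len(sys.argv) < 4:
        sys.exit("usage: %s HOST TOKEN EXPECTED_BODY [SERVER_PUBLIC_IP]" % sys.argv[0])
    ip = sys.argv[4] if len(sys.argv) > 4 else None
    for key, value in check(sys.argv[1], sys.argv[2], sys.argv[3], ip).items():
        print("%-20s %s" % (key, value))
```

Run it from a machine outside your own network, because that is where the ACME validator sits: a request that loops back through the firewall's public address, as described above, does not tell you what Let's Encrypt will see. The "redirected to https" diagnosis corresponds to the error in the first post, where the response came from an https:// URL and contained an HTML page rather than the token.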

Thanks danb35, that's what I needed to pass along to the people above.
