Can't get new cert (passes letsdebug.net but fails certbot)

Hello, I'm having a lot of trouble getting my first certificate issued. Seems like I have things set up correctly (letsdebug.net passes both domains as "All OK!"), but certbot seems to be sending GET / requests, getting the homepage, and then complaining that it's somehow "unauthorized" or "invalid".

Please help! I could probably install manually (maybe?), but I want to be sure that auto-renew will work properly.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: spaceengi.com / www.spaceengi.com

I ran this command:

sudo certbot certonly --webroot --dry-run -w /home/ec2-user/spaceengi -d spaceengi.com -d www.spaceengi.com

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Simulating a certificate request for spaceengi.com and www.spaceengi.com
Performing the following challenges:
http-01 challenge for spaceengi.com
http-01 challenge for www.spaceengi.com
Using the webroot path /home/ec2-user/spaceengi for all unmatched domains.
Waiting for verification...
Challenge failed for domain spaceengi.com
http-01 challenge for spaceengi.com
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
 - The following errors were reported by the server:
   Domain: spaceengi.com
   Type:   unauthorized
   Detail: Invalid response from http://www.spaceengi.com
   [35.85.206.135]: "<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n   <meta charset=\"utf-8\">\n\n  <title>SpaceEngi - Under   Construction</title>\n  <meta name=\""

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

My web server is (include version): Rocket (Rust) 0.5.0-rc1

The operating system my web server runs on is (include version):

Amazon EC2/Lightsail (4.14.225-169.362.amzn2.x86_64)

My hosting provider, if applicable, is: namecheap

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.11.0

@darthfett Your DNS points to IP 162.255.119.16. That looks to be the default Namecheap parking page. It should instead point to your EC2 server.

Go to Namecheap and change your DNS.

Oh, and welcome 🙂


Sorry @darthfett . I replied quickly before - I should know better.

I looked at this more closely and see the DNS for spaceengi.com is not pointing to your EC2 server. But, DNS for www.spaceengi.com is.

I see now that you have Namecheap redirecting from spaceengi.com to your www.spaceengi.com. But, regardless of what page I request from spaceengi.com I get the same response page. I will guess your URL redirect is not passing along the full request. I say this because your www.spaceengi.com does respond as expected. That is, it responds with your 'under construction' page with no page request and a 404 Not Found with an invalid page request (like http://www.spaceengi.com/test-page.html).

You will need to have both domain names responding correctly to any page request to get a cert for both domain names.


@darthfett I think you will find moving your DNS to AWS Route53 to work much better for EC2. I had a domain name and DNS at Namecheap for years but found it tricky to get all the redirects correct - especially routing from http to https with apex to www and such. Also, Route53 A records are more versatile with AWS services compared to CNAME.

You can leave your domain name at Namecheap and just switch DNS. I do not have time this morning to assist with that, but briefly: you set up Route53 pointing to EC2 and then use those DNS name servers in Namecheap for your domain name. It will cost 50 cents/month for Route53 🙂


The Namecheap URL Forwarding is eating part of the URL and creating a problem for LE.
Please don't use URL Forwarding with LE.

curl -Iki http://spaceengi.com/.well-known/acme-challenge/Test-File-1234
HTTP/1.1 302 Found
Server: nginx
Date: Tue, 14 Sep 2021 16:10:14 GMT
Connection: keep-alive
Location: http://www.spaceengi.com
X-Served-By: Namecheap URL Forward

[it sends all requests to: http://www.spaceengi.com]

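The two replies above describe the same failure from two angles: the apex name answers every request with the same page, and the curl trace shows why, a 302 to a bare http://www.spaceengi.com with the request path thrown away. That check can be automated and run before certbot. The block below is an added example for this thread, not certbot's, Let's Encrypt's or any poster's code. It follows redirects the way a validator does (a path-preserving redirect, including one to https, is fine; only losing the /.well-known/acme-challenge/ path breaks http-01) and reports the hop at which the path was lost. Everything it talks to is constructed and local: one server serves a webroot laid out the way certbot --webroot writes it, two others stand in for a forwarder that keeps the path and one that drops it. The token name mirrors the curl test above, the body is made up, and the redirect cap of 10 is an assumption.

```python
import functools
import http.client
import os
import shutil
import tempfile
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer, SimpleHTTPRequestHandler
from urllib.parse import urljoin, urlsplit

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
MAX_REDIRECTS = 10  # assumption: a small cap, as a real validator also bounds the chain


def fetch_challenge(url, max_redirects=MAX_REDIRECTS):
    """GET url, following 3xx redirects by hand. Returns (status, body, hops);
    hops is [(url, status), ...] so the caller can see where a redirect dropped
    the challenge path. Status is None if the chain exceeds max_redirects."""
    hops = []
    for _ in range(max_redirects + 1):
        parts = urlsplit(url)
        https = parts.scheme == "https"
        conn_cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
        conn = conn_cls(parts.hostname, parts.port or (443 if https else 80), timeout=5)
        try:
            conn.request("GET", parts.path or "/")
            resp = conn.getresponse()
            body = resp.read()
            location = resp.getheader("Location")
        finally:
            conn.close()
        hops.append((url, resp.status))
        if resp.status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)  # Location may be relative; resolve it
            continue
        return resp.status, body, hops
    return None, b"", hops


def check_challenge(base_url, token, expected_body):
    """Verdict for one name: ok only if the final answer is 200 with the expected
    body; path_dropped_at is the first hop whose URL lost the challenge path."""
    status, body, hops = fetch_challenge(base_url + CHALLENGE_PREFIX + token)
    dropped = [u for u, _ in hops if not urlsplit(u).path.startswith(CHALLENGE_PREFIX)]
    return {"ok": status == 200 and body.strip() == expected_body,
            "status": status, "hops": hops,
            "path_dropped_at": dropped[0] if dropped else None}


class _Origin(SimpleHTTPRequestHandler):
    """Constructed origin: serves files from the webroot, logging silenced."""
    def log_message(self, *args):
        pass


def _forwarder(target, keep_path):
    """Constructed forwarder: 302 everything to target. keep_path=False sends the
    bare host, the behaviour in the curl trace above, which breaks http-01."""
    class Forwarder(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(302)
            self.send_header("Location", target + self.path if keep_path else target)
            self.send_header("Content-Length", "0")
            self.end_headers()

        def log_message(self, *args):
            pass
    return Forwarder


def _serve(handler):
    srv = HTTPServer(("127.0.0.1", 0), handler)  # port 0: pick a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


def run_demo():
    """Stand up the constructed servers, check each scenario, return the verdicts."""
    token = "Test-File-1234"                 # constructed, mirrors the curl test
    body = b"constructed-key-authorization"  # constructed stand-in for the real value
    webroot = tempfile.mkdtemp()
    chal_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(chal_dir)                    # the layout certbot --webroot writes into
    with open(os.path.join(chal_dir, token), "wb") as f:
        f.write(body)
    origin, origin_url = _serve(functools.partial(_Origin, directory=webroot))
    good, good_url = _serve(_forwarder(origin_url, keep_path=True))
    bad, bad_url = _serve(_forwarder(origin_url, keep_path=False))
    try:
        return {"direct": check_challenge(origin_url, token, body),
                "redirect_keeps_path": check_challenge(good_url, token, body),
                "redirect_drops_path": check_challenge(bad_url, token, body)}
    finally:
        for srv in (origin, good, bad):
            srv.shutdown()
            srv.server_close()
        shutil.rmtree(webroot, ignore_errors=True)


if __name__ == "__main__":
    for name, v in run_demo().items():
        print("%-20s %s path_dropped_at=%s hops=%s"
              % (name, "OK" if v["ok"] else "FAIL", v["path_dropped_at"], v["hops"]))
```

For a real name, drop a file under <webroot>/.well-known/acme-challenge/ yourself and call check_challenge("http://spaceengi.com", token, body) and the same for the www name; if the verdict shows a 200 with the wrong body and a path_dropped_at entry, the name is being forwarded somewhere that discards the path, which is exactly what certbot reported as "Invalid response" above.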

You guys were both extremely helpful, @rg305 and @MikeMcQ , definitely appears that the URL redirect was the problem, and after replacing with just pointing both directly to my IP, I was able to get a certificate. Thank you both very much for the extremely quick responses and help!
