Can't validate "www" for domains


#1

Please fill out the fields below so we can help you better.

My domain is: mlcnfriends.com boredguy.showersnet.com

I ran this command: certbot certonly --webroot -w /usr/local/www/nginx -d mlcnfriends.com -d www.mlcnfriends.com

It produced this output: Failed authorization procedure. www.mlcnfriends.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to mclnfriends.com

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.mlcnfriends.com
    Type: connection
    Detail: Could not connect to mclnfriends.com

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My operating system is (include version): FreeBSD 10.3

My web server is (include version): nginx (latest)

My hosting provider, if applicable, is: self hosted

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

I’m having a bit of trouble getting the certificate for the www prefix for my domains. I have successfully obtained certificates for mlcnfriends.com and boredguy.showersnet.com. When I add the www prefix to either URL it fails. I have a redirect to https set up on both domains with SSL termination handled by an nginx proxy. The certificate renewal process also works from cron for both domains. I have the A record set up at namecheap for www for both domains and it does resolve correctly, so I’m stumped as to why it won’t work. Any help you can provide would be great. Thanks for your time.


#2

Is this a straight copy of the errors, or have you retyped it? In some places the second and third characters of the domain name are the wrong way round: mclnfriends.com and mlcnfriends.com. Just checking if that’s just on here, or if there was a typo in the actual command you were running.


#3

Might have been a typo on my part. Just ran it again and received this output:

Failed authorization procedure. www.mlcnfriends.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.mlcnfriends.com/.well-known/acme-challenge/IAkwPvU60zszg1hRAhZtUPQMAdGfbK2Y7Bi6_jcx3c8: "

404 Not Found

404 Not Found


"

IMPORTANT NOTES:


#4

If you add a plain text file at /usr/local/www/nginx/.well-known/acme-challenge/test just containing the word “ok”, can you reach it at http://www.mlcnfriends.com/.well-known/acme-challenge/test ?


#5

Just ran it again and got the same message as the first time:

Command: (same as before) certbot certonly --dry-run --webroot -w /usr/local/www/nginx -d mlcnfriends.com -d www.mlcnfriends.com

Output: Failed authorization procedure. www.mlcnfriends.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to mclnfriends.com

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.mlcnfriends.com
    Type: connection
    Detail: Could not connect to mclnfriends.com

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.


#6

No it redirects to https and I get a 404.


#7

Well, that’s why there is an issue (that the file can’t be reached, rather than the redirect). You need to check why it can’t reach that file (probably something in your .htaccess or config).


#8

Regardless of other issues, your redirect still has a typo:

    osiris@desktop ~ $ telnet www.mlcnfriends.com 80
    Trying 192.64.119.108...
    Connected to www.mlcnfriends.com.
    Escape character is '^]'.
    GET / HTTP/1.1
    Host: www.mlcnfriends.com

    HTTP/1.1 302 Moved Temporarily
    Server: nginx
    Date: Sat, 14 Jan 2017 11:44:51 GMT
    Content-Type: text/html
    Connection: keep-alive
    Content-Length: 154
    Location: http://mclnfriends.com

    <html>
    <head><title>302 Found</title></head>
    <body bgcolor="white">
    <center><h1>302 Found</h1></center>
    <hr><center>nginx</center>
    </body>
    </html>
    ^CConnection closed by foreign host.
    osiris@desktop ~ $

Notice the typo in the hostname of the Location: header.


#9

That doesn’t make any sense at all. I have a 301 rewrite to https and always have. My config files don’t contain any typos, so I’m not sure what’s going on there.

Well I’m going to have to investigate that because I have a location in my server block to allow access to that location:

    location ~ /.well-known {
        allow all;
    }


#10

Well, that Location header, provided by your server, doesn’t make a typo by itself :wink:


#11

I know that’s why I don’t get it. How could it be returning the wrong domain when there are NO typos in my config?


#12

Well, not reloading your server after changing configuration files could be the cause of that.


#13

Additionally, the Location target http://mclnfriends.com is an invalid URL without a trailing slash.


#14

Looking at the error log it looks like it’s trying to connect to the wrong directory. Not sure why since mlcnfriends.com was issued a cert but www.mlcnfriends.com produces this error in the nginx error log:

“/usr/local/etc/nginx/html/.well-known/acme-challenge/ULP8x7iZI-vStfFCooMZGGqOjmAniOz0P9cyCLx5a_s” failed (2: No such file or directory)


#15

So /usr/local/etc/nginx/html/ is your webroot for the www-domain, not /usr/local/etc/nginx/ (in your first post) nor /usr/local/www/nginx (in your third post).


#16

No. The web root is /usr/local/www/nginx


#17

Well, then it’s time you audit your whole config and clean it up. It just doesn’t produce typos and wrong paths by itself.

We can’t help you while these inconsistencies persist. Alternatively, just post the whole config.


#18

Proxy config. Sorry for odd formatting, I can’t seem to figure out how to wrap it in code tags. Not much of a fan of this forum software.

    user  www;
    worker_processes  2;

    events {
        worker_connections  1024;
    }

    http {
        proxy_buffer_size 8k;
        proxy_buffers 2048 8k;
        server_tokens off;
        sendfile        on;
        client_max_body_size  15360k;
        client_header_timeout 10;
        client_body_timeout   10;
        keepalive_timeout     10;
        send_timeout          10;
        #more_clear_headers 'Server';
        #more_clear_headers 'X-Powered-By';
        # Compression - requires gzip and gzip static modules.
        gzip on;
        gzip_proxied any;
        gzip_buffers 16 8k;
        gzip_types text/plain text/css application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript image/x-icon image/bmp;
        gzip_vary on;
        gzip_http_version 1.1;
        gzip_min_length 700;

        # Compression levels over 6 do not give an appreciable improvement
        # in compression ratio, but take more resources.
        gzip_comp_level 6;

        # IE 6 and lower do not support gzip with Vary correctly.
        gzip_disable "msie6";
        # Before nginx 0.7.63:
        #gzip_disable "MSIE [1-6]\.";

        include       mime.types;
        default_type  application/octet-stream;

        access_log off;
        error_log /var/log/nginx/error.log warn;

        server {
            listen       80;
            root /usr/local/www/nginx;
            index index.html index.htm;

            location / {
                try_files $uri $uri/ /index.php?q=$uri&$args;
            }

            error_page      500 502 503 504  /50x.html;
            location = /50x.html {
                root /usr/local/www/nginx-dist;
            }
        }

        server {
            listen      80;
            server_name  www.mlcnfriends.com mlcnfriends.com;

            return     301 https://$host$request_uri;
        }

        server {
            listen       443 ssl;
            server_name  www.mlcnfriends.com mlcnfriends.com;
            ssl_session_cache    shared:SSL:10m;
            ssl_session_timeout  10m;
            ssl_ciphers HIGH:!aNULL:!MD5;
            ssl_prefer_server_ciphers   on;
            ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
            ssl_certificate /usr/local/etc/nginx/ssl-bundle.crt;
            ssl_certificate_key /usr/local/etc/nginx/mlcnfriends.com.key;
            ssl_stapling on;
            ssl_stapling_verify on;
            ssl_dhparam /usr/local/etc/nginx/dhparams.pem;
            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
            add_header Public-Key-Pins-Report-Only
                'pin-sha256="UiQX4dp4EhDs9ccGQU/dFBIoVl2pvkVgV9Ck93OhAus="; pin-sha256="6Yr1yw4zqzg30B7hDLzyZGWFhS+tBbSsraFwPxkmIFM="; pin-sha256="LjbqJg0LxKJXxhTGQ6tYDIcvqXgFHkHRVENfDaL5H+4="; max-age=2592000; includeSubDomains';
            location ~ /.well-known/ {
                allow all;
            }

            location / {
                proxy_pass              http://192.168.0.220;
                proxy_redirect          http:// https://;
                proxy_set_header        Host $host;
                proxy_set_header        X-Real-IP $remote_addr;
                proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header        X-Forwarded-Proto $scheme;
            }
        }

        server {
            listen  80;
            server_name boredguy.chickenkiller.com www.boredguy.chickenkiller.com boredguy.showersnet.com www.boredguy.showersnet.com;
            return   301 https://boredguy.showersnet.com$request_uri;
        }

        server {
            listen       443 ssl;
            server_name  www.boredguy.showersnet.com boredguy.showersnet.com;
            ssl_session_cache    shared:SSL:10m;
            ssl_session_timeout  10m;
            ssl_ciphers HIGH:!aNULL:!MD5;
            ssl_prefer_server_ciphers   on;
            ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
            ssl_certificate /usr/local/etc/letsencrypt/live/boredguy.showersnet.com/fullchain.pem;
            ssl_certificate_key /usr/local/etc/letsencrypt/live/boredguy.showersnet.com/privkey.pem;
            ssl_stapling on;
            ssl_stapling_verify on;
            ssl_dhparam /usr/local/etc/nginx/dhparams.pem;
            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
            location ~ /.well-known {
                allow all;
            }

            location / {
                proxy_pass  http://192.168.0.226;
                proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
                proxy_redirect          http:// https://;
                proxy_set_header        Host $host;
                proxy_set_header        X-Real-IP $remote_addr;
                proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header        X-Forwarded-Proto $scheme;
            }
        }
    }

And backend config:

    user  www;
    worker_processes  2;

    events {
        worker_connections  1024;
    }

    http {
        server_tokens off;
        sendfile on;
        client_max_body_size  15360k;
        client_header_timeout 20;
        client_body_timeout   20;
        keepalive_timeout     20;
        send_timeout          20;
        #more_clear_headers 'Server';
        #more_clear_headers 'X-Powered-By';
        # Compression - requires gzip and gzip static modules.
        gzip on;
        gzip_proxied any;
        gzip_buffers 16 8k;
        gzip_types text/plain text/css application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript image/x-icon image/bmp;
        gzip_vary on;
        gzip_http_version 1.1;
        gzip_min_length 700;

        # Compression levels over 6 do not give an appreciable improvement
        # in compression ratio, but take more resources.
        gzip_comp_level 6;

        # IE 6 and lower do not support gzip with Vary correctly.
        gzip_disable "msie6";
        # Before nginx 0.7.63:
        #gzip_disable "MSIE [1-6]\.";

        include       mime.types;
        default_type  application/octet-stream;

        access_log off;
        error_log /var/log/nginx/error.log error;

        set_real_ip_from 192.168.0.225;
        real_ip_header X-Forwarded-For;

        server {
            listen       80;
            server_name  mlcnfriends.com www.mlcnfriends.com;
            root /usr/local/www/nginx;
            index index.php index.html index.htm;

            location ~ /.well-known/ {
                allow all;
            }

            add_header X-Frame-Options "SAMEORIGIN";

            location / {
                try_files $uri $uri/ =404;
            }

            error_page      500 502 503 504  /50x.html;
            location = /50x.html {
                root /usr/local/www/nginx-dist;
            }

            if ($request_method !~ ^(GET|HEAD|POST)$ )
            {
                return 444;
            }

            location ~ \.php$ {
                try_files $uri =404;
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                fastcgi_pass unix:/var/run/php-fpm.sock;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $request_filename;
                fastcgi_param REMOTE_ADDR $http_x_real_ip;
                include fastcgi_params;
            }
        }
    }

#19

Select the whole block of text, then click the </> in the editor toolbar.

Edit: Are you aware that www.mlcnfriends.com points to two different IP addresses?

    www.mlcnfriends.com.    1799    IN      A       67.209.241.26
    www.mlcnfriends.com.    1799    IN      A       192.64.119.108

Of which 192… has the wrong redirect and 67… isn’t reachable on port 80 at all?


#20

The first is my IP; the second is Namecheap, the domain registrar.
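Pulling together the checks suggested in this thread (the test file from #4, the redirect check from #8 and the two A records from #19), here is an added pre-flight script that is not from the original thread: for every A record of the name it fetches the challenge URL while pinning the first connection to that address, follows redirects only to hostnames you list, and reports the first problem it sees. It assumes Python 3.9+ and the standard library only; the token name, expected body and allowed hostnames are whatever you pass in.

```python
import http.client
import socket
from urllib.parse import urlsplit

REDIRECTS = (301, 302, 303, 307, 308)

def real_fetch(scheme, addr, host, path):
    """GET scheme://host/path while connecting to addr; returns (status, lowercase headers, body)."""
    cls = http.client.HTTPSConnection if scheme == "https" else http.client.HTTPConnection
    conn = cls(addr, timeout=10)
    conn.request("GET", path, headers={"Host": host})
    resp = conn.getresponse()
    return resp.status, {k.lower(): v for k, v in resp.getheaders()}, resp.read().decode(errors="replace")

def check_one_ip(ip, host, path, expected, allowed_hosts, fetch=real_fetch, hops=5):
    """Walk the challenge URL from one A record the way the CA's validator would."""
    scheme, addr, cur_host = "http", ip, host
    for _ in range(hops):
        try:
            status, headers, body = fetch(scheme, addr, cur_host, path)
        except OSError as exc:  # refused/timeout/firewall: certbot's 'connection' error
            return f"{ip}: cannot connect to {scheme}://{cur_host} ({exc})"
        if status in REDIRECTS:
            target = urlsplit(headers.get("location", ""))
            new_host = target.hostname or cur_host  # a relative Location keeps the host
            if new_host not in allowed_hosts:
                # a 302 to a mistyped hostname (as in post #8) is caught here
                return f"{ip}: redirect to unexpected host {new_host!r} (typo?)"
            if target.path != path:
                return f"{ip}: redirect drops the challenge path ({target.path or '/'})"
            # after a redirect the CA re-resolves the new hostname itself; so do we
            scheme, addr, cur_host = target.scheme or scheme, new_host, new_host
            continue
        if status != 200:
            return f"{ip}: HTTP {status} for {path} (wrong webroot or location block?)"
        return "ok" if body.strip() == expected else f"{ip}: unexpected body {body[:40]!r}"
    return f"{ip}: too many redirects"

def resolve_a(host):  # every IPv4 A record: the CA may validate against any of them
    return sorted({r[4][0] for r in socket.getaddrinfo(host, 80, socket.AF_INET)})

def check_domain(host, token, expected, allowed_hosts, fetch=real_fetch, resolve=resolve_a):
    path = "/.well-known/acme-challenge/" + token
    return {ip: check_one_ip(ip, host, path, expected, allowed_hosts, fetch) for ip in resolve(host)}

if __name__ == "__main__":  # usage: python3 acme_preflight.py www.example.com test
    import sys                # after writing "ok" into <webroot>/.well-known/acme-challenge/test
    dom, tok = sys.argv[1], sys.argv[2]
    for ip, verdict in check_domain(dom, tok, "ok", {dom, dom.removeprefix("www.")}).items():
        print(ip, verdict)
```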