Certain domain suffix fail?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
scream.1dev.win
I ran this command:
certbot certonly -v --webroot --staging -w /var/www/certbot/ --email “admin@1dev.win” -d scream.1dev.win --rsa-key-size 4096 --agree-tos --force-renewal --debug-challenges
It produced this output:
Challenge failed for domain scream.1dev.win
My web server is (include version):
Nginx 1.15.12
The operating system my web server runs on is (include version):
docker image: nginx:1.15-alpine
My hosting provider, if applicable, is:
AWS
I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.37.2

Before hitting Enter at Press Enter to Continue I’m able to get the challenge http://scream.1dev.win/.well-known/acme-challenge/Y0ceCnvI27fuZYLuE6BcoAqYFu1kODzdZaFgdv3ifug using curl and chrome from my home computer and cellphone. I can see all request coming in the log that I initiate but no request at all from challenge. My only guess is .win suffix is not allowed?

1 Like

Your firewall may be blocking HTTP requests (or only allowing specific IPs through).

1 Like

Yes, for example from here I can’t connect to port 80 of that host, so I think @rg305 is right to suspect IP address blocking.

1 Like

Thank you for your response. Yes it was that! Thank you so much for you help.

1 Like

I generated the PEM certificate but when I run openssl s_client -state -debug -CAfile ca.pem -tls1_2 -servername scream.1dev.win -connect scream.1dev.win:443. The response say Verify return code: 20 (unable to get local issuer certificate). Is it because I’m using staging?

1 Like

Yes, exactly. The staging certificate you've installed on your server chains to the Fake LE Root X1 certificate, which (appropriately) your OpenSSL installation and other client software don't know how to verify, because this certificate isn't intended for any client software to trust.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.