Certbot certonly failed to issue

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: worldoilcorps.com

I ran this command: sudo certbot certonly -d worldoilcorps.com

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?


1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Requesting a certificate for worldoilcorps.com

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: worldoilcorps.com
Type: unauthorized
Detail: Invalid response from http://worldoilcorps.com/.well-known/acme-challenge/CVvBOetNSAaa-scQ2_SjnyqhxYa_aCdIVCxSsQ83Kgo [34.102.136.180]: "<!doctype html><html lang="en"><meta http-equiv="content-type" content="text/html;charset=utf-8"><meta name="viewport" con"

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx

The operating system my web server runs on is (include version): Linux kali 5.10.0-kali9-cloud-amd64 #1 SMP Debian 5.10.46-4kali1 (2021-08-09) x86_64 GNU/Linux

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.18.0
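The failure report in the post above already names the address the CA connected to and quotes the start of the body it received. The following added example (not part of the original thread and not Certbot's own code) parses such a report and checks both against the machine's own addresses; `host_ips` and the 203.0.113.10 address used in the test are assumptions.

```python
import ipaddress
import re

# Constructed input: the failure report quoted in the post above, body snippet shortened.
SAMPLE_REPORT = '''\
Domain: worldoilcorps.com
Type: unauthorized
Detail: Invalid response from http://worldoilcorps.com/.well-known/acme-challenge/CVvBOetNSAaa-scQ2_SjnyqhxYa_aCdIVCxSsQ83Kgo [34.102.136.180]: "<!doctype html><html lang="en"><meta http-equiv="content-type" con"
'''

FAILURE_RE = re.compile(
    r"Domain:\s*(?P<domain>\S+)\s+"
    r"Type:\s*(?P<type>\S+)\s+"
    r"Detail:\s*Invalid response from (?P<url>\S+) "
    r'\[(?P<ip>[^\]]+)\]: "(?P<body>.*)"'
)


def diagnose(report, host_ips):
    """Return one finding per failed HTTP-01 challenge in a Certbot report.

    host_ips: addresses that reach this machine (assumption: supplied by the
    operator; on a cloud VM include the public address, not only the private one).
    """
    mine = {ipaddress.ip_address(ip) for ip in host_ips}
    findings = []
    for m in FAILURE_RE.finditer(report):
        token = m["url"].rsplit("/", 1)[-1]
        reached = ipaddress.ip_address(m["ip"])
        findings.append({
            "domain": m["domain"],
            "ca_reached": str(reached),
            "reached_this_host": reached in mine,
            # A correct reply is "<token>.<account key thumbprint>", never markup.
            "body_is_html": m["body"].lstrip().lower().startswith(("<!doctype", "<html")),
            "body_has_token": m["body"].startswith(token + "."),
        })
    return findings


def explain(f):
    if not f["reached_this_host"]:
        return (f"{f['domain']} resolves to {f['ca_reached']}, which is not this "
                "machine: fix DNS before retrying")
    if f["body_is_html"]:
        return "this host answered, but another web server on port 80 served the page"
    return "this host answered, but the body was not the expected key authorization"
```
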

@ddauer
It is difficult to troubleshoot --standalone problems.

Is there an IPS or other type of inline device protecting HTTP (TCP port 80)?

1 Like

Machine is in AWS. I believe I have all inbound ports open: All All 0.0.0.0/0

1 Like

As a security person, reading that makes me cringe!

1 Like

I did it to eliminate any inbound issues to get the certificate.

1 Like

Did you get a certificate?
Should that even be necessary to get one?

1 Like

I edited the rule to: HTTP TCP 80 0.0.0.0/0
I did not get a certificate yet. Now it states

sudo certbot certonly -d worldoilcorps.com 1 ⨯
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?


1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Requesting a certificate for worldoilcorps.com
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see Rate Limits - Let's Encrypt
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

1 Like
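The two rule sets mentioned in the thread ("All All 0.0.0.0/0" and "HTTP TCP 80 0.0.0.0/0") can be compared mechanically against what the standalone HTTP-01 challenge needs, which is inbound TCP port 80. The following is an added example, not from the original thread; the rule dictionaries are constructed in the shape of the `IpPermissions` list returned by `aws ec2 describe-security-groups`, and the function name `audit_ingress` is hypothetical.

```python
# Constructed rules in the shape of the "IpPermissions" list returned by
# `aws ec2 describe-security-groups`; IpProtocol "-1" means all protocols and ports.
ALL_OPEN = [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]
HTTP_ONLY = [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]
SSH_FROM_OFFICE = [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                    "IpRanges": [{"CidrIp": "198.51.100.0/24"}]}]

WORLD = {"0.0.0.0/0", "::/0"}


def audit_ingress(permissions, needed=(("tcp", 80),)):
    """Return (excess, missing): world-open rules wider than `needed`, and
    (protocol, port) pairs in `needed` that no world-open rule admits."""
    excess, reachable = [], set()
    for rule in permissions:
        cidrs = {r["CidrIp"] for r in rule.get("IpRanges", [])}
        cidrs |= {r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])}
        if not cidrs & WORLD:
            continue  # restricted source range: out of scope for this check
        proto = rule["IpProtocol"]
        if proto == "-1":
            lo, hi = 0, 65535
        else:
            lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
        reachable |= {(p, port) for p, port in needed
                      if proto in ("-1", p) and lo <= port <= hi}
        # Only a single-port rule that matches a needed pair is "exactly enough".
        if not (proto != "-1" and lo == hi and (proto, lo) in needed):
            excess.append(rule)
    return excess, [n for n in needed if n not in reachable]
```
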


My domain is: worldoilcorps.com

I ran this command: sudo certbot certonly -d worldoilcorps.com

It produced this output:
How would you like to authenticate with the ACME CA?


1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Requesting a certificate for worldoilcorps.com
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see Rate Limits - Let's Encrypt
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx, I think?

The operating system my web server runs on is (include version):
Linux kali 5.10.0-kali9-cloud-amd64 #1 SMP Debian 5.10.46-4kali1 (2021-08-09) x86_64 GNU/Linux

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.18.0

1 Like

Please don't open multiple topics for the same problem.

That means you are using the production system to test a broken setup.

1 Like

ok. I will remember that for the future.

1 Like

The definition of insanity:
Doing the same exact thing (over and over) and expecting a different result.

We need to try something else!

Are you against installing a web server?

1 Like

How do I fix this issue? The system is still in testing.

1 Like

If not, we may need to run certbot with --debug-challenges
[to get a better look at what it does while running]
Again - not using production - so add: --dry-run
And we need to review the logs:
/var/log/letsencrypt/letsencrypt.log

1 Like

Well, I'm trying to set up a phishing server, as I'm a penetration tester. I read that getting a certificate will make it more secure for transmitting possible creds.

1 Like

Basically, I'll need to do this multiple times throughout the year but using different domains.

1 Like

Sounds like a fun gig!

Then you should get the basics down:
It helps immensely to have a working HTTP server to validate the HTTP challenge requests.

1 Like

How do we resolve?

1 Like

You only need it for HTTP - you can still penetrate the world via HTTPS! LOL

2 Likes

If it's the easiest way to resolve and keep me from making the same mistakes, NO! Let's do it.

1 Like

Then using whichever method you have...
Like:
sudo apt install nginx

Add a web server [nginx, apache, anything anyone has heard of]

1 Like