Certbot error while obtaining certificate using webroot plugin

Domain: gamoly.com

Name and Version of OS:

root@gm-web-1:~# uname -a; cat /etc/issue

Linux gm-web-1 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1+deb8u2 (2017-03-07) x86_64 GNU/Linux
Debian GNU/Linux 8 \n \l

Web server: nginx
nginx is up and running

root@gm-web-1:/var/www# systemctl status nginx

●     nginx.service - A high performance web server and a reverse proxy server
       Loaded: loaded (/lib/systemd/system/nginx.service; enabled)
       Active: active (running) since Thu 2017-05-25 07:51:22 UTC; 2min 56s ago
      Process: 30978 ExecStop=/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid (code=exited, status=0/SUCCESS)
      Process: 30981 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
      Process: 30980 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
     Main PID: 30984 (nginx)
       CGroup: /system.slice/nginx.service
               ├─30984 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
               ├─30985 nginx: worker process
               ├─30986 nginx: worker process
               ├─30987 nginx: worker process
               └─30988 nginx: worker process

May 25 07:51:22 gm-web-1 systemd[1]: Starting A high performance web server and a reverse proxy server...
May 25 07:51:22 gm-web-1 systemd[1]: Failed to read PID from file /run/nginx.pid: Invalid argument
May 25 07:51:22 gm-web-1 systemd[1]: Started A high performance web server and a reverse proxy server.

nginx is bound to tcp port 80

root@gm-web-1:/var/www# netstat -tuplen|grep nginx
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      0          98132       30984/nginx -g daem
tcp6       0      0 :::80                   :::*                    LISTEN      0          98133       30984/nginx -g daem

Able to hit "gamoly.com" on the browser

CERTBOT commands and output

root@gm-web-1:~# certbot certonly --webroot -w /var/www/gamoly -d gamoly.com

/var/www/gamoly does not exist or is not a directory

root@gm-web-1:~#  mkdir -p /var/www/gamoly
root@gm-web-1:~# ls -lrt /var/www/gamoly/
total 0

root@gm-web-1:~# certbot certonly --webroot -w /var/www/gamoly -d gamoly.com

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for gamoly.com
Using the webroot path /var/www/gamoly for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. gamoly.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to 104.154.207.47

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: gamoly.com
   Type:   connection
   Detail: Could not connect to 104.154.207.47

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

letsencrypt log file

root@gm-web-1:~# cat /var/log/letsencrypt/letsencrypt.log

2017-05-25 08:06:50,989:DEBUG:certbot.main:Root logging level set at 20
2017-05-25 08:06:50,990:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2017-05-25 08:06:50,990:DEBUG:certbot.main:certbot version: 0.10.2
2017-05-25 08:06:50,991:DEBUG:certbot.main:Arguments: ['--webroot', '-w', '/var/www/gamoly', '-d', 'gamoly.com']
2017-05-25 08:06:50,991:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2017-05-25 08:06:50,992:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2017-05-25 08:06:50,996:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7f741c91ce50>
Prep: True
2017-05-25 08:06:50,997:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7f741c91ce50> and installer None
2017-05-25 08:06:51,027:DEBUG:certbot.main:Picked account: <Account(49baf70dfcfe6740968fe38c2eb534f3)>
2017-05-25 08:06:51,029:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
2017-05-25 08:06:51,032:INFO:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2017-05-25 08:06:51,248:DEBUG:urllib3.connectionpool:"GET /directory HTTP/1.1" 200 352
2017-05-25 08:06:51,249:DEBUG:acme.client:Received response:
HTTP 200
content-length: 352
strict-transport-security: max-age=604800
boulder-request-id: dYyzewTwI0jCUBAwHNLJjb7Ec5NMJMKNWdxQlcXFmPY
expires: Thu, 25 May 2017 08:06:51 GMT
server: nginx
connection: keep-alive
pragma: no-cache
cache-control: max-age=0, no-cache, no-store
date: Thu, 25 May 2017 08:06:51 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: zT6oteR6w8qY2lA0QWbZEow12m4fLJKi1ob1IYtpDW8

{
  "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change",
  "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",
  "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",
  "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",
  "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert"
}
2017-05-25 08:06:51,249:INFO:certbot.main:Obtaining a new certificate
2017-05-25 08:06:51,250:DEBUG:root:Requesting fresh nonce
2017-05-25 08:06:51,250:DEBUG:root:Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-authz.
2017-05-25 08:06:51,325:DEBUG:urllib3.connectionpool:"HEAD /acme/new-authz HTTP/1.1" 405 0
2017-05-25 08:06:51,326:DEBUG:acme.client:Received response:
HTTP 405
content-length: 91
allow: POST
boulder-request-id: 6bw2Q_6dL0_CiFg6uMDd62WSEUK5C-uZ5kbMEprImJw
expires: Thu, 25 May 2017 08:06:51 GMT
server: nginx
connection: keep-alive
pragma: no-cache
cache-control: max-age=0, no-cache, no-store
date: Thu, 25 May 2017 08:06:51 GMT
content-type: application/problem+json
replay-nonce: f84mZbAu2W5iX7_o-EiJStS2hh6-BOcye-GoPWjUlCQ


2017-05-25 08:06:51,326:DEBUG:acme.client:Storing nonce: f84mZbAu2W5iX7_o-EiJStS2hh6-BOcye-GoPWjUlCQ
2017-05-25 08:06:51,326:DEBUG:acme.client:JWS payload:
{
  "identifier": {
    "type": "dns", 
    "value": "gamoly.com"
  }, 
  "resource": "new-authz"
}
2017-05-25 08:06:51,330:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz:
2017-05-25 08:06:51,553:DEBUG:urllib3.connectionpool:"POST /acme/new-authz HTTP/1.1" 201 998
2017-05-25 08:06:51,554:DEBUG:acme.client:Received response:
HTTP 201
content-length: 998
strict-transport-security: max-age=604800
boulder-request-id: yZ2gQtLNzaDiC0G1KYyzV9nrg_nEIDXBP4JIzMrzjfg
boulder-requester: 15462945
expires: Thu, 25 May 2017 08:06:51 GMT
server: nginx
connection: keep-alive
link: <https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"
location: https://acme-v01.api.letsencrypt.org/acme/authz/vGZ_yKCHICH0txxt5lad0HqkNaYhCLo-Usr4_OpM9Zs
pragma: no-cache
cache-control: max-age=0, no-cache, no-store
date: Thu, 25 May 2017 08:06:51 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: Lhf6iNfIeYSBT5yxKzdN1A6aOpafXsLtWmt5tSq718k

{
  "identifier": {
    "type": "dns",
    "value": "gamoly.com"
  },
  "status": "pending",
  "expires": "2017-06-01T08:06:51.369032358Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/vGZ_yKCHICH0txxt5lad0HqkNaYhCLo-Usr4_OpM9Zs/1224870812",
      "token": "9TN3XahxhjjPZj4QNQ3KU2flCs2ZCDp0G-KclXAGhN4"
    },
    {
      "type": "tls-sni-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/vGZ_yKCHICH0txxt5lad0HqkNaYhCLo-Usr4_OpM9Zs/1224870814",
      "token": "sBv4drePr-JXguzCnIgS3xCgd5Vooiy4PAiaQWOCD4g"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/vGZ_yKCHICH0txxt5lad0HqkNaYhCLo-Usr4_OpM9Zs/1224870816",
      "token": "CJFBLyWmIjiy-TRgtuizIabvvZrCmZBHHIBIaBdWlJQ"
    }
  ],
  "combinations": [
    [
      0
    ],
    [
      1
    ],
    [
      2
    ]
  ]
}
2017-05-25 08:06:51,555:DEBUG:acme.client:Storing nonce: Lhf6iNfIeYSBT5yxKzdN1A6aOpafXsLtWmt5tSq718k
2017-05-25 08:06:51,555:INFO:certbot.auth_handler:Performing the following challenges:
2017-05-25 08:06:51,556:INFO:certbot.auth_handler:http-01 challenge for gamoly.com
2017-05-25 08:06:51,556:INFO:certbot.plugins.webroot:Using the webroot path /var/www/gamoly for all unmatched domains.
2017-05-25 08:06:51,556:DEBUG:certbot.plugins.webroot:Creating root challenges validation dir at /var/www/gamoly/.well-known/acme-challenge
2017-05-25 08:06:51,561:DEBUG:certbot.plugins.webroot:Attempting to save validation to /var/www/gamoly/.well-known/acme-challenge/9TN3XahxhjjPZj4QNQ3KU2flCs2ZCDp0G-KclXAGhN4
2017-05-25 08:06:51,562:INFO:certbot.auth_handler:Waiting for verification...
2017-05-25 08:06:51,562:DEBUG:acme.client:JWS payload:
{
  "keyAuthorization": "9TN3XahxhjjPZj4QNQ3KU2flCs2ZCDp0G-KclXAGhN4.l3aoFuH5cAXhFnR758g5kb2qNxBrefbkqnMjmEEBxlE", 
  "type": "http-01", 
  "resource": "challenge"
}
2017-05-25 08:06:51,567:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/challenge/vGZ_yKCHICH0txxt5lad0HqkNaYhCLo-Usr4_OpM9Zs/1224870812:
2017-05-25 08:06:51,663:DEBUG:urllib3.connectionpool:"POST /acme/challenge/vGZ_yKCHICH0txxt5lad0HqkNaYhCLo-Usr4_OpM9Zs/1224870812 HTTP/1.1" 202 336
2017-05-25 08:06:51,664:DEBUG:acme.client:Received response:
HTTP 202
content-length: 336
boulder-request-id: DQv_9RiI_snldKHRkSItbWe0elVXZ7XQtRlppWrwoXw
boulder-requester: 15462945
expires: Thu, 25 May 2017 08:06:51 GMT
server: nginx
connection: keep-alive
link: <https://acme-v01.api.letsencrypt.org/acme/authz/vGZ_yKCHICH0txxt5lad0HqkNaYhCLo-Usr4_OpM9Zs>;rel="up"
location: https://acme-v01.api.letsencrypt.org/acme/challenge/vGZ_yKCHICH0txxt5lad0HqkNaYhCLo-Usr4_OpM9Zs/1224870812
pragma: no-cache
cache-control: max-age=0, no-cache, no-store
date: Thu, 25 May 2017 08:06:51 GMT
content-type: application/json
replay-nonce: fbfrrDe--NU4D1XGBK2lHF-Dm176cNi9D8oMZClKkzE

{
  "type": "http-01",
  "status": "pending",
  "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/vGZ_yKCHICH0txxt5lad0HqkNaYhCLo-Usr4_OpM9Zs/1224870812",
  "token": "9TN3XahxhjjPZj4QNQ3KU2flCs2ZCDp0G-KclXAGhN4",
  "keyAuthorization": "9TN3XahxhjjPZj4QNQ3KU2flCs2ZCDp0G-KclXAGhN4.l3aoFuH5cAXhFnR758g5kb2qNxBrefbkqnMjmEEBxlE"
}
2017-05-25 08:06:51,664:DEBUG:acme.client:Storing nonce: fbfrrDe--NU4D1XGBK2lHF-Dm176cNi9D8oMZClKkzE
2017-05-25 08:06:54,667:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/acme/authz/vGZ_yKCHICH0txxt5lad0HqkNaYhCLo-Usr4_OpM9Zs.
2017-05-25 08:06:54,750:DEBUG:urllib3.connectionpool:"GET /acme/authz/vGZ_yKCHICH0txxt5lad0HqkNaYhCLo-Usr4_OpM9Zs HTTP/1.1" 200 2583
2017-05-25 08:06:54,751:DEBUG:acme.client:Received response:
HTTP 200
content-length: 2583
strict-transport-security: max-age=604800
boulder-request-id: _20jQuj7FnaZXIy0l7aPz0isvDaZ2lldQ1H5Op0c1_0
expires: Thu, 25 May 2017 08:06:54 GMT
server: nginx
connection: keep-alive
link: <https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"
pragma: no-cache
cache-control: max-age=0, no-cache, no-store
date: Thu, 25 May 2017 08:06:54 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 3BUbbcP7dFi4fUwQ5J02_C4EubpqSfQJZTpI2JAyQMA

{
  "identifier": {
    "type": "dns",
    "value": "gamoly.com"
  },
  "status": "invalid",
  "expires": "2017-06-01T08:06:51Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:acme:error:connection",
        "detail": "Could not connect to 104.154.207.47",
        "status": 400
      },
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/vGZ_yKCHICH0txxt5lad0HqkNaYhCLo-Usr4_OpM9Zs/1224870812",
      "token": "9TN3XahxhjjPZj4QNQ3KU2flCs2ZCDp0G-KclXAGhN4",
      "keyAuthorization": "9TN3XahxhjjPZj4QNQ3KU2flCs2ZCDp0G-KclXAGhN4.l3aoFuH5cAXhFnR758g5kb2qNxBrefbkqnMjmEEBxlE",
      "validationRecord": [
        {
          "url": "http://gamoly.com/.well-known/acme-challenge/9TN3XahxhjjPZj4QNQ3KU2flCs2ZCDp0G-KclXAGhN4",
          "hostname": "gamoly.com",
          "port": "80",
          "addressesResolved": [
            "50.63.202.8"
          ],
          "addressUsed": "50.63.202.8",
          "addressesTried": []
        },
        {
          "url": "http://gamoly.com/.well-known/acme-challenge/9TN3XahxhjjPZj4QNQ3KU2flCs2ZCDp0G-KclXAGhN4",
          "hostname": "gamoly.com",
          "port": "80",
          "addressesResolved": [
            "50.63.202.8"
          ],
          "addressUsed": "50.63.202.8",
          "addressesTried": []
        },
        {
          "url": "http://104.154.207.47/.well-known/acme-challenge/9TN3XahxhjjPZj4QNQ3KU2flCs2ZCDp0G-KclXAGhN4",
          "hostname": "104.154.207.47",
          "port": "80",
          "addressesResolved": [],
          "addressUsed": "",
          "addressesTried": []
        },
        {
          "url": "http://gamoly.com/.well-known/acme-challenge/9TN3XahxhjjPZj4QNQ3KU2flCs2ZCDp0G-KclXAGhN4",
          "hostname": "gamoly.com",
          "port": "80",
          "addressesResolved": [
            "50.63.202.8"
          ],
          "addressUsed": "50.63.202.8",
          "addressesTried": []
        }
      ]
    },
    {
      "type": "tls-sni-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/vGZ_yKCHICH0txxt5lad0HqkNaYhCLo-Usr4_OpM9Zs/1224870814",
      "token": "sBv4drePr-JXguzCnIgS3xCgd5Vooiy4PAiaQWOCD4g"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/vGZ_yKCHICH0txxt5lad0HqkNaYhCLo-Usr4_OpM9Zs/1224870816",
      "token": "CJFBLyWmIjiy-TRgtuizIabvvZrCmZBHHIBIaBdWlJQ"
    }
  ],
  "combinations": [
    [
      0
    ],
    [
      1
    ],
    [
      2
    ]
  ]
}
2017-05-25 08:06:54,752:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: gamoly.com
Type:   connection
Detail: Could not connect to 104.154.207.47

To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
2017-05-25 08:06:54,753:INFO:certbot.auth_handler:Cleaning up challenges
2017-05-25 08:06:54,753:DEBUG:certbot.plugins.webroot:Removing /var/www/gamoly/.well-known/acme-challenge/9TN3XahxhjjPZj4QNQ3KU2flCs2ZCDp0G-KclXAGhN4
2017-05-25 08:06:54,753:DEBUG:certbot.plugins.webroot:All challenges cleaned up, removing /var/www/gamoly/.well-known/acme-challenge
2017-05-25 08:06:54,754:DEBUG:certbot.main:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.10.2', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 849, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 626, in obtain_cert
    action, _ = _auth_from_available(le_client, config, domains, certname, lineage)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 107, in _auth_from_available
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 291, in obtain_and_enroll_certificate
    certr, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 262, in obtain_certificate
    self.config.allow_subset_of_names)
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 77, in get_authorizations
    self._respond(resp, best_effort)
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 134, in _respond
    self._poll_challenges(chall_update, best_effort)
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 198, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. gamoly.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to 104.154.207.47

Hosting provider: GCP Compute engine

Please let me know what is causing this issue and help me out. Thanks.

Hi @muruganrsr,

I don't understand this part: with the option -w /var/www/gamoly you are specifying the Document Root of your domain, and it should already be configured in nginx, but you only created the document root /var/www/gamoly once you received the error.

Your nginx server block for gamoly.com should contain a root directive, something like:

root /usr/share/nginx/html;

So you need to use the same document root in nginx and with certbot command.

I mean, if you have root /usr/share/nginx/html; in nginx you need to put the same in certbot:

certbot certonly --webroot -w /usr/share/nginx/html -d gamoly.com

Also, keep in mind that your site gamoly.com, with IP 50.63.202.9 (I also saw it with IP 184.168.221.3; it seems you are changing the IPs), is being redirected from an IIS server to http://104.154.207.47 (nginx server):

$ curl -IkL http://gamoly.com
HTTP/1.1 301 Moved Permanently
Cache-Control: max-age=900
Content-Length: 0
Content-Type: text/html
Location: http://104.154.207.47
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 25 May 2017 15:07:51 GMT
Age: 1
Connection: keep-alive

HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 25 May 2017 15:07:53 GMT
Content-Type: text/html
Content-Length: 867
Last-Modified: Tue, 23 May 2017 11:41:22 GMT
Connection: keep-alive
ETag: "59241fe2-363"
Accept-Ranges: bytes

There should be no problem issuing the certificate; Let's Encrypt will follow the redirection to validate your domain, but I think it is something you should take care of, because clients trying to reach your domain at http://gamoly.com will end up seeing the site http://104.154.207.47 in their browser, and I don't know whether you want that ;).

So, before trying to issue a new cert for your domain, test that you can access a test file, the same thing Let's Encrypt will try to do to validate your domain.

Example using /usr/share/nginx/html/ as the document root for gamoly.com.

1.- Create the required directories.
mkdir -p /usr/share/nginx/html/.well-known/acme-challenge/

2.- Put a test file without extension.
echo -n "This is a test for gamoly.com" > /usr/share/nginx/html/.well-known/acme-challenge/test

3.- Now, try to see the test file with your browser or with curl from command line:

With browser:

With curl from command line:
curl -ikL http://gamoly.com/.well-known/acme-challenge/test

If you can see the text This is a test for gamoly.com then it is OK, and you can try to issue a cert for your domain (remember to specify the right document root path to the -w option).

I hope this helps.

Cheers,
sahsanu.


Thank you so much. I just followed your suggestion and obtained the certificate. :smiley:


Last time I tried it, Let's Encrypt would not follow a redirect to an IP address. Oddly enough. You had to use a hostname.


Good catch, I didn't know that; every day we learn something new ;). Yes, it is really strange: Let's Encrypt follows whatever domain is in the redirection, but not if it is an IP (I'm pretty sure there is a good reason behind that).

I've just tested it and yes, if the redirection is an IP I get:

FailedChallenges: Failed authorization procedure. fake.domain.tld (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to 1.2.3.4

But changing it to a domain works as expected.

@mnordhoff, thank you :wink:
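
The authz response in the original log already records what is described above: gamoly.com resolved to 50.63.202.8, and the hop to the IP literal has an empty `addressUsed`. As an added example (not part of the thread and not certbot's code), this Python reads a `validationRecord` and reports both; the sample is constructed from that log with the token replaced by the placeholder TOKEN, and `diagnose_http01`, `is_ip_literal` and `expected_ip` are hypothetical names.

```python
import ipaddress
import json

# Constructed sample: the failed http-01 challenge from the authz response in
# the log above, trimmed (token replaced by the placeholder TOKEN, one repeated
# hop kept, the tls-sni-01 challenge dropped).
SAMPLE_AUTHZ = json.loads("""
{
  "identifier": {"type": "dns", "value": "gamoly.com"},
  "status": "invalid",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {"type": "urn:acme:error:connection",
                "detail": "Could not connect to 104.154.207.47",
                "status": 400},
      "validationRecord": [
        {"url": "http://gamoly.com/.well-known/acme-challenge/TOKEN",
         "hostname": "gamoly.com", "port": "80",
         "addressesResolved": ["50.63.202.8"], "addressUsed": "50.63.202.8"},
        {"url": "http://gamoly.com/.well-known/acme-challenge/TOKEN",
         "hostname": "gamoly.com", "port": "80",
         "addressesResolved": ["50.63.202.8"], "addressUsed": "50.63.202.8"},
        {"url": "http://104.154.207.47/.well-known/acme-challenge/TOKEN",
         "hostname": "104.154.207.47", "port": "80",
         "addressesResolved": [], "addressUsed": ""}
      ]
    },
    {"type": "dns-01", "status": "pending"}
  ]
}
""")


def is_ip_literal(host):
    """True if host is an IPv4/IPv6 literal rather than a DNS name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def diagnose_http01(authz, expected_ip=None):
    """Summarise where the CA's http-01 validation requests went.

    expected_ip (hypothetical parameter) is the address the operator believes
    the domain's A record points at, i.e. the server running certbot.
    """
    domain = authz["identifier"]["value"]
    report = {"domain": domain, "error": None, "resolved": [],
              "ip_literal_hops": [], "a_record_ok": None}
    for chall in authz.get("challenges", []):
        if chall.get("type") != "http-01":
            continue
        if "error" in chall:
            report["error"] = chall["error"].get("detail")
        for rec in chall.get("validationRecord", []):
            host = rec.get("hostname", "")
            if is_ip_literal(host):
                # A hop whose hostname is an IP came from a redirect target.
                if host not in report["ip_literal_hops"]:
                    report["ip_literal_hops"].append(host)
            elif host == domain:
                # Addresses the CA got from DNS for the requested name.
                for addr in rec.get("addressesResolved", []):
                    if addr not in report["resolved"]:
                        report["resolved"].append(addr)
    if expected_ip is not None:
        report["a_record_ok"] = expected_ip in report["resolved"]
    return report


if __name__ == "__main__":
    r = diagnose_http01(SAMPLE_AUTHZ, expected_ip="104.154.207.47")
    print("CA resolved %s to %s" % (r["domain"], r["resolved"]))
    print("A record points at expected server:", r["a_record_ok"])
    print("redirect hops to IP literals:", r["ip_literal_hops"])
    print("CA error:", r["error"])
```
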

Hi @sahsanu ,

I am able to generate the certificate on my webserver for the domain: gamoly.com.

I edited my domain's 'A' record to point to my webserver's IP 104.154.207.47.

curl -IkL https://gamoly.com
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Fri, 26 May 2017 11:04:48 GMT
Content-Type: text/html
Content-Length: 867
Last-Modified: Tue, 23 May 2017 11:41:22 GMT
Connection: keep-alive
ETag: "59241fe2-363"
Accept-Ranges: bytes

Webserver : nginx/1.6.2 listens for both http and https

Now, I have another machine (REST server) which has to be exposed to the world. Please let me know how to secure this machine.

I tried running the below command on this machine (104.155.175.183)

sudo certbot certonly --manual --preferred-challenges http -d gamoly.com

output:

murugan@gm-app-1:~$ sudo certbot certonly --manual --preferred-challenges http -d gamoly.com 
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):murugan@gamoly.com
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for gamoly.com

-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: Y

-------------------------------------------------------------------------------
Make sure your web server displays the following content at
http://gamoly.com/.well-known/acme-challenge/ha9WrWnLYerW5PCQ-v5GTroUPEoIqfRGgKCFLGJihgg before continuing:

ha9WrWnLYerW5PCQ-v5GTroUPEoIqfRGgKCFLGJihgg.YrKfS30sE2WgXWd0GL-Xm2w-wdUKDumHV8UoWr-XYKM

If you don't have HTTP server configured, you can run the following
command on the target server (as root):

mkdir -p /tmp/certbot/public_html/.well-known/acme-challenge
cd /tmp/certbot/public_html
printf "%s" ha9WrWnLYerW5PCQ-v5GTroUPEoIqfRGgKCFLGJihgg.YrKfS30sE2WgXWd0GL-Xm2w-wdUKDumHV8UoWr-XYKM > .well-known/acme-challenge/ha9WrWnLYerW5PCQ-v5GTroUPEoIqfRGgKCFLGJihgg
# run only once per server:
$(command -v python2 || command -v python2.7 || command -v python2.6) -c \
"import BaseHTTPServer, SimpleHTTPServer; \
s = BaseHTTPServer.HTTPServer(('', 80), SimpleHTTPServer.SimpleHTTPRequestHandler); \
s.serve_forever()" 
-------------------------------------------------------------------------------
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/gamoly.com/fullchain.pem. Your cert will
   expire on 2017-08-24. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"
 - If you lose your account credentials, you can recover through
   e-mails sent to murugan@gamoly.com.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

But when I hit my REST server (104.155.175.183) with the below command,

wget --method GET --header 'content-type: application/json' --header 'authorization: Bearer token' --output-document - https://104.155.175.183:443/path/to/resource

I get the below error

--2017-05-26 16:45:01--  https://104.155.175.183/path/to/resource
Connecting to 104.155.175.183:443... connected.
    ERROR: certificate common name ‘gamoly.com’ doesn't match requested host name ‘104.155.175.183’.
To connect to 104.155.175.183 insecurely, use `--no-check-certificate'.

I also tried copy/pasting the certificate from my webserver onto the REST server (104.155.175.183) but it throws the same error.

I am not sure if the above method is the correct way to obtain and install cert onto the machines other than my webserver or there exists a different way to do it. Please help me out.

Thanks,
Murugan

Hi @muruganrsr,

I'm a bit confused: you already issued a cert for gamoly.com, which is listening on IP 104.154.207.47, and now you want to use the same certificate for another server, 104.155.175.183? Will gamoly.com be configured in the future with that IP?

Sorry, I don't understand what you are trying to do ;).

Of course, no matter if you put your cert for gamoly.com on any other server, it will work, BUT you must reach that web server using the name gamoly.com, not the IP. When you reach the other server with the IP, the certificate served announces that it is valid for gamoly.com only and not the IP, so you receive the above error.

Cheers,
sahsanu

Hi,

This is not a bug but is the intended behavior.

Your certificate only mentions the name gamoly.com, not the IP address 104.155.175.183. Therefore, when you connect to your server using an IP address instead of using a name, the certificate doesn't match; the client doesn't know anything about the name and therefore doesn't know that the certificate is valid for this connection.

Let's Encrypt does not issue certificates for IP addresses and therefore Let's Encrypt certificates can never be used directly to authenticate servers when connecting using the IP address instead of the name.

Edit: I think @sahsanu said the same thing in a different way and I didn't realize at first glance that it was the same conclusion.
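
Why copying the certificate to 104.155.175.183 did not help, as an added example (not from the thread and not wget's code): when the requested host is an IP literal, a client compares it only with the certificate's IP address entries, never with its DNS names. The name lists passed in are assumptions standing in for a parsed certificate, `cert_valid_for` and its helpers are hypothetical names, and the wildcard rule is a simplified form of common client policy.

```python
import ipaddress


def parse_ip(value):
    """Return an ip_address object if value is an IP literal, else None."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def dns_name_matches(pattern, host):
    """Case-insensitive DNS name match; '*' may replace the left-most label only."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Simplification: refuse wildcards directly under a TLD ("*.com").
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_valid_for(requested_host, san_dns, san_ip=()):
    """Decide whether a certificate's names cover the host the client asked for.

    san_dns / san_ip: the certificate's DNS-name and IP-address entries
    (assumed already extracted from the certificate).
    """
    ip = parse_ip(requested_host)
    if ip is not None:
        # IP literal requested: DNS names in the certificate are not consulted.
        return any(parse_ip(entry) == ip for entry in san_ip)
    return any(dns_name_matches(p, requested_host) for p in san_dns)


if __name__ == "__main__":
    names = ["gamoly.com"]  # assumed: the only name requested with -d
    for host in ("gamoly.com", "104.155.175.183"):
        print(host, "->", cert_valid_for(host, names))
```

The same certificate works on the REST server once clients connect by name and that name resolves to the REST server's address.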


Hi @sahsanu and @schoen,

Got it.
Thank you for the detailed information.

