Certbot manual mode

I'm stuck at this part, how do I create that file? Is it supposed to be a text file uploaded into the directory below on my server?

Create a file containing just this data:

ku_S2oQFAldBycIn27BDjpPnsF8wwhuTSozttWzlHmU.saYNLkf_0nQEbqeExUbcoEDKVD8FD412vv2Wf4OOmdk

And make it available on your web server at this URL:

http://junnorthloop.com/.well-known/acme-challenge/ku_S2oQFAldBycIn27BDjpPnsF8wwhuTSozttWzlHmU
1 Like

Hi @ZiWang55,

Yes, that's correct.

1 Like

This is the result I get after I uploaded the txt file with the key. I saved the key as the body and title of the txt file, and double-checked that it is in the right directory. What am I doing wrong here?

I'm using a shared hosting service with asmallorange and I was wondering if there is an easier way to get the certificate?

Press Enter to Continue
    Waiting for verification...
    Challenge failed for domain junnorthloop.com
    http-01 challenge for junnorthloop.com
    Cleaning up challenges
    Some challenges have failed.

    IMPORTANT NOTES:
     - The following errors were reported by the server:

   Domain: junnorthloop.com
   Type:   unauthorized
   Detail: Invalid response from
   https://junnorthloop.com/.well-known/acme-challenge/X6f0h9al1LG1VsiulXNTlvoKSR8XEgFyXEowuA4hX28
   [143.95.39.130]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
1 Like

You don't need any additional content in the file, just the data the acme-challenge needs. Example:

sudo nano /your/web/root/.well-known/acme-challenge/ku_S2oQFAldBycIn27BDjpPnsF8wwhuTSozttWzlHmU

and copy the string ku_S2oQFAldBycIn27BDjpPnsF8wwhuTSozttWzlHmU.saYNLkf_0nQEbqeExUbcoEDKVD8FD412vv2Wf4OOmdk
into the file and save it

Don't forget to config your Apache or Nginx to allow .well-known/acme-challenge

4 Likes

Welcome to the Let's Encrypt Community, Zi :slightly_smiling_face:

I'm seeing that junnorthloop.com has a valid ZeroSSL certificate installed with http to https redirects in place for http://junnorthloop.com and http://www.junnorthloop.com. The only things I can note are that those should be 301 redirects instead of 302 redirects and they should all redirect to https://junnorthloop.com to keep the domain name consistent for search engine optimization (SEO) purposes (https://www.junnorthloop.com does not redirect to https://junnorthloop.com). You can see the redirects by putting http://junnorthloop.com, http://www.junnorthloop.com, or https://www.junnorthloop.com in the box of this tool:

https://www.redirect-checker.org/

If you're still having trouble, I think you might be better off running certbot (on the webserver hosting junnorthloop.com) like this:

sudo certbot certonly --nginx -d "junnorthloop.com,www.junnorthloop.com" --deploy-hook "nginx -s reload"

View the complete certificate history of junnorthloop.com.

2 Likes

I did exactly that for the file and saved it but it still wasn't able to validate my domain even with multiple tries.
How do you config Apache to allow .well-known/acme-challenge? Could that be causing the error?

Thanks

1 Like

I just noticed that you're redirecting from an nginx server to an apache server. Are they the same machine (with the same IP address)?

1 Like

Thanks for the welcome!

I was able to get ZeroSSL working through their site, but it expires in 90 days and I can only do it 3 times. So that is why I want to use LetsEncrypt, which I understand can auto reinstall certificates?

As for the 301 redirects, I found the .htaccess file located in the public_html folder. But from my Googling, I need to add R=301 into the picture below?

As for running certbot on the webserver hosting

If you're still having trouble, I think you might be better off running certbot (on the webserver hosting junnorthloop.com ) like this:

sudo certbot certonly --nginx -d "junnorthloop.com,www.junnorthloop.com" --deploy-hook "nginx -s reload"

I realize that the server I use is Apache instead of nginx. How should I change that code?

Thanks for everyone's patience. I did a coding boot camp but never learned about SSL web hosting, so this is very new to me.

2 Likes

I'm running to lunch, but I'll return later to help. I think there are several improvements we can make. :slightly_smiling_face:

2 Likes

I'm a bit confused why an nginx server is listening for http (on port 80) and an apache server is listening for https (on port 443). I don't see how an Apache .htaccess file would be able to cause a redirect in those circumstances. No matter though because .htaccess files should be avoided whenever possible anyhow.

The challenge you will face is that certbot will create an exception in the port 80 webserver configuration when either the nginx or apache authenticator is used to satisfy an http-01 challenge, which prevents the http to https redirection from occurring for the challenge. Once the certificate is successfully acquired, it must then be installed into the port 443 webserver configuration. So, nginx will satisfy the challenge and apache will use the certificate. It would also be possible to use the webroot authenticator instead with a bit more information.

Firstly, let's see what's really going on by posting the outputs of these two commands:

sudo nginx -T
sudo apachectl -S
3 Likes
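As an added example (not code from the thread), the script below does by hand what the instructions earlier in the thread describe for the challenge file, and what the post above describes certbot's authenticators doing for the redirect: it writes the key authorization certbot printed into the web root under the token name, checks the file for the mistakes that produce a 404 or "unauthorized" result (a .txt suffix, extra text, a trailing newline), and writes a mod_rewrite block that sends HTTP to HTTPS with a 301 while leaving /.well-known/acme-challenge/ reachable over plain HTTP. Assumptions for the illustration: the web root path (a scratch directory here, standing in for public_html), that Apache with mod_rewrite is the server answering port 80 (the post above notes that on this host it may be nginx instead, in which case a .htaccess rule cannot help), and junnorthloop.com as the canonical host.

```shell
#!/bin/sh
# Added example, not from the thread. Writes an http-01 key authorization
# under a web root the way certbot's manual/webroot flow expects, checks the
# file for the mistakes that produce the 404/"unauthorized" result above, and
# writes a mod_rewrite block that redirects HTTP to HTTPS with a 301 while
# leaving /.well-known/acme-challenge/ reachable over plain HTTP.
# Assumptions (illustration only): the web root path, that Apache with
# mod_rewrite answers port 80, and junnorthloop.com as the canonical host.

# write_challenge WEBROOT KEY_AUTHORIZATION
# File name = token (the part before the dot); body = the whole string,
# no trailing newline, no .txt suffix.
write_challenge() {
    webroot=$1; keyauth=$2
    token=${keyauth%%.*}
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir"
    printf '%s' "$keyauth" > "$dir/$token"
    chmod 644 "$dir/$token"
    printf '%s\n' "$dir/$token"
}

# check_challenge WEBROOT KEY_AUTHORIZATION
# Exit 0 only if the file exists under the exact token name and its bytes
# are exactly the key authorization; otherwise print why and exit 1.
check_challenge() {
    webroot=$1; keyauth=$2
    token=${keyauth%%.*}
    path="$webroot/.well-known/acme-challenge/$token"
    case $keyauth in
        *[!A-Za-z0-9_.-]*) echo "key authorization contains non-base64url characters"; return 1 ;;
    esac
    if [ ! -f "$path" ]; then
        if [ -f "$path.txt" ]; then
            echo "wrong name: $path.txt (remove the .txt suffix)"
        else
            echo "missing: $path"
        fi
        return 1
    fi
    # $(cat) would strip trailing newlines; the appended x keeps them visible.
    actual=$(cat "$path"; printf x); actual=${actual%x}
    if [ "$actual" != "$keyauth" ]; then
        echo "body mismatch in $path (extra text, whitespace or newline?)"
        return 1
    fi
    echo "ok: $path"
}

# write_redirect_exception FILE CANONICAL_HOST
# mod_rewrite rules for the site's .htaccess or vhost: every HTTP request, or
# any request for a non-canonical host, gets a 301 to https://HOST/..., except
# the ACME challenge path, which the CA must be able to fetch over HTTP.
write_redirect_exception() {
    out=$1; host=$2
    host_re=$(printf '%s' "$host" | sed 's/\./\\./g')
    cat > "$out" <<EOF
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !^$host_re\$ [NC]
RewriteRule ^ https://$host%{REQUEST_URI} [R=301,L]
EOF
}

# probe_challenge DOMAIN KEY_AUTHORIZATION
# Fetch what the CA will fetch and compare. Needs curl and network access,
# so it is not part of the offline run below.
probe_challenge() {
    domain=$1; keyauth=$2
    token=${keyauth%%.*}
    body=$(curl -sS -L "http://$domain/.well-known/acme-challenge/$token"; printf x)
    body=${body%x}
    [ "$body" = "$keyauth" ] && echo "served correctly" \
        || { echo "served instead: ${body:-<empty>}"; return 1; }
}

# Offline demonstration in a scratch directory standing in for public_html.
WEBROOT=${WEBROOT:-$(mktemp -d)}
KEYAUTH='ku_S2oQFAldBycIn27BDjpPnsF8wwhuTSozttWzlHmU.saYNLkf_0nQEbqeExUbcoEDKVD8FD412vv2Wf4OOmdk'
write_challenge "$WEBROOT" "$KEYAUTH"
check_challenge "$WEBROOT" "$KEYAUTH"
write_redirect_exception "$WEBROOT/.htaccess" junnorthloop.com
cat "$WEBROOT/.htaccess"
```

On the real host you would run it with WEBROOT set to the public_html directory and then call probe_challenge junnorthloop.com "$KEYAUTH" from anywhere with network access; the body that comes back is what Let's Encrypt compares against, and a 404 page or an HTTPS redirect to a host with a different certificate is exactly the "Invalid response" shown earlier. Each certbot run prints a new token and key authorization, so the file has to be rewritten every time.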

This is the response I got from running those two commands.

Ms-MacBook-Air:~ root# sudo nginx -T
sudo: nginx: command not found
Ms-MacBook-Air:~ root# sudo apachectl -S
AH00557: httpd: apr_sockaddr_info_get() failed for Ms-MacBook-Air.local
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
ServerRoot: "/usr"
Main DocumentRoot: "/Library/WebServer/Documents"
Main ErrorLog: "/private/var/log/apache2/error_log"
Mutex default: dir="/private/var/run/" mechanism=default
Mutex mpm-accept: using_defaults
PidFile: "/private/var/run/httpd.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="_www" id=70
Group: name="_www" id=70

As for the .htaccess file, should I remove it?

2 Likes

Did you run the commands on the webserver hosting your website?

1 Like

I just figured out how to access my server through shell access on my terminal. Here are the results for the two commands. I currently have shell access through both my windows pc and my mac. But I am more familiar with windows than mac os.

liwa89@junnorthloop.com [~]# sudo nginx -T
sudo: effective uid is not 0, is sudo installed setuid root?
liwa89@junnorthloop.com [~]# sudo apachectl -S
sudo: effective uid is not 0, is sudo installed setuid root?
2 Likes

Do you have root access to your webserver? Put another way, what happens when you run su root ?

1 Like

It's showing

-jailshell: /bin/su: Permission denied

I must not have root access. I contacted support and they told me since I have a shared server I do not get access to root server. Only get basic SSH access.

Not sure what to do about that.

2 Likes

Well... my ACME client CertSage was specifically designed for shared hosting users who don't have root access. Once you upload its one webpage file to your server and rename it, you only need to visit that webpage to get your certificate within a minute without any manual actions or commands. You will need to install the certificate and private key yourself in place of the ones you got from ZeroSSL. CertSage is not yet fully released to the public, but the many users who have been great testers have had only positive results and been very happy. It's free, of course. If that sounds alright, I'll private message you the download and instructions.

3 Likes

Please I would love to look into it. Thank you so much!

2 Likes

Hi @ZiWang55, I looked at your site - nice (makes me hungry and thirsty). :smiley: I see you got your cert, but you also have one mixed content and you have TLSv1 enabled.

Per WhyNoPadLock.com/junnorthloop.com, here are your 3 problem areas, the 1st of which should definitely be addressed since you have a commerce site.

Protocols

You currently have TLSv1 enabled.
This version of TLS is being phased out. This warning won't break your padlock, however if you run an eCommerce site, PCI requirements state that TLSv1 must be disabled by June 30, 2018.


Mixed Content - Errors

Hard Failure

A style-sheet with an insecure url of "http://cdn-images.mailchimp.com/embedcode/slim-10_7.css" was loaded on line: 11393 of https://junnorthloop.com/.
This URL will need to be updated to use a secure URL for your padlock to return.


The link to your homepage from the Home icon in the head banner is not working for https://junnorthloop.com/index.htm when on the Contact Us page. The button works okay from the other pages. You should fix that so people will be directed back to your homepage from the Contact Us page.

Not Found

The requested URL /index.htm was not found on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

6 Likes
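As an added example (not from the thread), the script below finds the kind of mixed-content reference the report above flags by scanning saved page HTML for resource tags that load over plain http://, and includes an openssl probe for the TLS 1.0 finding. The HTML it scans is constructed for the illustration; the stylesheet URL in it is the one the report names, and the other hosts are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: find mixed-content references in saved
# page HTML and (optionally) check whether a host still completes a TLS 1.0
# handshake. The sample HTML below is constructed; its stylesheet URL is the
# one the WhyNoPadLock report above names, the other hosts are placeholders.

# find_mixed_content FILE
# Prints LINE:URL for every script/link/img/iframe/source/video/audio tag whose
# src or href is plain http://. Anchor (<a>) links are navigation, not loaded
# resources, so they are not mixed content and are ignored.
find_mixed_content() {
    grep -n -o -i -E '<(script|link|img|iframe|source|video|audio)[^>]*(src|href)="http://[^"]*"' "$1" \
      | sed -E 's/^([0-9]+):.*(src|href)="(http:\/\/[^"]*)".*/\1:\3/'
}

# tls1_offered HOST
# Exit 0 if HOST:443 completes a TLS 1.0 handshake. Needs network access and
# an openssl whose client side still allows TLS 1.0 (distributions that set
# MinProtocol = TLSv1.2 in openssl.cnf report failure regardless of the
# server), so this is not part of the offline run below.
tls1_offered() {
    openssl s_client -connect "$1:443" -servername "$1" -tls1 </dev/null 2>/dev/null \
      | grep -q 'Protocol *: TLSv1$'
}

# Constructed sample page: one insecure stylesheet, one insecure script, one
# secure image and a plain <a> link that must not be reported.
SAMPLE_HTML=$(mktemp)
cat > "$SAMPLE_HTML" <<'EOF'
<html><head>
<link rel="stylesheet" href="https://fonts.example/ok.css">
<link rel="stylesheet" href="http://cdn-images.mailchimp.com/embedcode/slim-10_7.css">
<script src="http://example.net/a.js"></script><img src="https://example.net/p.png">
<a href="http://example.org/">plain link, not mixed content</a>
</head></html>
EOF
find_mixed_content "$SAMPLE_HTML"
```

Against a real page, save the HTML first (for example with curl -sL https://junnorthloop.com/ > page.html) and run find_mixed_content page.html; every line it prints is a URL to switch to https:// before the padlock returns. A stylesheet is a hard failure because browsers block it outright; an http:// image is only a warning, but the scanner reports both.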
