Certbot requesting to have a www address for a subdomain request

My domain is: cp.niflheimro.com

I ran this command: certbot certonly -d cp.niflheimro.com

It produced this output:

Requesting a certificate for cp.niflheimro.com
Performing the following challenges:
http-01 challenge for cp.niflheimro.com
Input the webroot for cp.niflheimro.com: (Enter 'c' to cancel): /srv/www/letsencrypt
Waiting for verification...
Challenge failed for domain cp.niflheimro.com
http-01 challenge for cp.niflheimro.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

My web server is (include version): nginx

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.12.0

My question is: if I am requesting a certificate ONLY for a subdomain (in my case, cp.niflheimro.com), why is certbot trying to access a nonexistent address (www.cp.niflheimro.com)? I do not think I need this secondary address, and I have been using a lot of subdomains without www. and without error before today.

Possible solution: some method to avoid requesting the www. address and only validate the requested one.

2 Likes

Welcome to the Let's Encrypt Community :slightly_smiling_face:

That's... really strange. Your certbot is defaulting to the webroot authenticator then altering the domain name you've specified!?

What is the output of certbot certificates ?

1 Like

I'm currently unable to reach your website using several tools via port 80 (http) or port 443 (https).

Is your webserver running?

1 Like

Let's Debug reaches IPv6 fine... :thinking:

IPv6:

Request to: cp.niflheimro.com/2001:41d0:a:5c7f::120, Result: [Address=2001:41d0:a:5c7f::120,Address Type=IPv6,Server=nginx/1.18.0,HTTP Status=301,Number of Redirects=1,Final HTTP Status=404], Issue:
Trace:
@0ms: Making a request to http://cp.niflheimro.com/.well-known/acme-challenge/letsdebug-test (using initial IP 2001:41d0:a:5c7f::120)
@0ms: Dialing 2001:41d0:a:5c7f::120
@151ms: Server response: HTTP 301 Moved Permanently
@151ms: Received redirect to https://cp.niflheimro.com/.well-known/acme-challenge/letsdebug-test
@151ms: Dialing 2001:41d0:a:5c7f::120
@368ms: Server response: HTTP 404 Not Found

IPv4:

Request to: cp.niflheimro.com/176.31.69.120, Result: [Address=176.31.69.120,Address Type=IPv4,Server=nginx/1.18.0,HTTP Status=301,Number of Redirects=1,Final HTTP Status=404], Issue:
Trace:
@0ms: Making a request to http://cp.niflheimro.com/.well-known/acme-challenge/letsdebug-test (using initial IP 176.31.69.120)
@0ms: Dialing 176.31.69.120
@146ms: Server response: HTTP 301 Moved Permanently
@146ms: Received redirect to https://cp.niflheimro.com/.well-known/acme-challenge/letsdebug-test
@146ms: Dialing 176.31.69.120
@379ms: Server response: HTTP 404 Not Found
1 Like

Oh, shoot, it's probably my test system that doesn't actually have IPv6 connectivity. Somehow I thought AWS Cloudshell would be configured reasonably out-of-the-box, but it isn't. Now I feel silly. Forget everything I said.

2 Likes

No worries brother. It's a reasonable (and common) diagnosis.

I can't connect to http://cp.niflheimro.com or https://cp.niflheimro.com for the life of me though. The latter presents a wrong certificate that doesn't cover cp.niflheimro.com. When I bypass the warning I get, it just hangs.

2 Likes

This is the result of a redirect to that www subdomain; it can't be anything else, unless a very recent version of Boulder has messed up really big time... But I doubt that :stuck_out_tongue:

I can't reproduce it, not on IPv4 or IPv6.

2 Likes

My nginx rules for cp.niflheimro.com are:

server {
        listen 176.31.69.120:80;
        listen [2001:41d0:a:5c7f::120]:80;
        server_name cp.niflheimro.com;

        return 301 https://$http_host$request_uri;
}

The other rule I have is the page itself. This one only sends a redirect to the HTTPS version.

I know the https version shows a certificate for www.niflheimro.com, not the correct one (I need a certificate for the https binding on nginx). But certbot doesn't have a problem validating URLs with invalid certificates, as far as I've seen until now.

About the output of "certbot certificates": I have lots of certificates, but I've reduced the output:

CP# certbot certificates | grep niflheimro.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
  Certificate Name: niflheimro.com
    Domains: niflheimro.com www.niflheimro.com
    Certificate Path: /etc/letsencrypt/live/niflheimro.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/niflheimro.com/privkey.pem

The full command line (to clear up any question) is:

CP# certbot certonly -d cp.niflheimro.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator webroot, Installer None

Please choose an account
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: ***@2017-04-25T22:58:00Z (6bf1)
2: ***@2018-04-10T11:02:38Z (5d96)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Requesting a certificate for cp.niflheimro.com
Performing the following challenges:
http-01 challenge for cp.niflheimro.com
Input the webroot for cp.niflheimro.com: (Enter 'c' to cancel): /srv/www/letsencrypt
Waiting for verification...
Challenge failed for domain cp.niflheimro.com
http-01 challenge for cp.niflheimro.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: cp.niflheimro.com
   Type:   dns
   Detail: Fetching
   https://www.cp.niflheimro.com/.well-known/acme-challenge/s0Z318bjaofJ-YUJaWHG7NThzDei3l1qxUeAaJ_mloI:
   DNS problem: NXDOMAIN looking up A for www.cp.niflheimro.com -
   check that a DNS record exists for this domain
CP#

As you can see, I've requested "cp.niflheimro.com" but certbot says it is searching for "www.cp.niflheimro.com". The certificate for this FQDN has never been on this machine (I have this certificate on an old machine). The "www.cp.niflheimro.com" FQDN has never been created in the DNS system.

Also, I know I have a problem with the website (PHP sometimes gives me a timeout), but this problem doesn't affect certbot and that's not the problem here.

2 Likes

Could you perhaps run the certbot command with --debug-challenges added? And NOT press the enter (or any other) key when certbot is paused after enabling the challenge? And tell us here that certbot is paused when it is :stuck_out_tongue:

3 Likes

I do not understand.

That's the response:

~# certbot certonly -d cp.niflheimro.com --debug-challenges
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator webroot, Installer None

Please choose an account
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: ***@2017-04-25T22:58:00Z (6bf1)
2: ***@2018-04-10T11:02:38Z (5d96)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Requesting a certificate for cp.niflheimro.com
Performing the following challenges:
http-01 challenge for cp.niflheimro.com
Input the webroot for cp.niflheimro.com: (Enter 'c' to cancel): /srv/www/letsencrypt
Waiting for verification...

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about
challenges.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/cp.niflheimro.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/cp.niflheimro.com/privkey.pem
   Your certificate will expire on 2021-06-24. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

~#

Suddenly, the problem has been solved. But I haven't changed any configuration.

(Yes, I know, I've pressed enter, but I think the enable comes after the load)

2 Likes

That's strange... Very strange. Things normally don't magically fix themselves.

What does certbot renew --cert-name cp.niflheimro.com --dry-run do? Error or success?

2 Likes

~# certbot renew --cert-name cp.niflheimro.com --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/cp.niflheimro.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Simulating renewal of an existing certificate for cp.niflheimro.com
Performing the following challenges:
http-01 challenge for cp.niflheimro.com
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/cp.niflheimro.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
  /etc/letsencrypt/live/cp.niflheimro.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
~#

I know things don't resolve by themselves (I'm a technician). The only thing I can think of is some cache from when the cp. subdomain was not configured on nginx... reaching the "niflheimro.com" configuration, which has a 301 to www.*. But I know for sure I haven't tried to configure the certificate before configuring and restarting nginx.

3 Likes
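The error output earlier in the thread (cp.niflheimro.com requested, www.cp.niflheimro.com fetched) and the default-server hypothesis in the reply above can be modelled together. The following is an added example written for this thread; it is not certbot, Boulder or nginx code. It simulates nginx virtual-host selection (exact `server_name` match, else `default_server`, else the first block bound to that port) and the way an http-01 validator follows redirects, resolving each hop's hostname before fetching it. The apex block's `https://www.$host` redirect template and the DNS table are constructed assumptions: the thread shows the resulting redirect to www.cp.niflheimro.com but not the apex block itself.

```python
"""Model of how an http-01 fetch for cp.niflheimro.com can end up at
www.cp.niflheimro.com. Added example for this thread, not certbot or
nginx code; server blocks and DNS entries below are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

ACME_PREFIX = "/.well-known/acme-challenge/"

# Constructed DNS view: the names the thread shows as existing. Any name
# not listed is treated as NXDOMAIN, like www.cp.niflheimro.com was.
DNS = {
    "niflheimro.com": "176.31.69.120",
    "www.niflheimro.com": "176.31.69.120",
    "cp.niflheimro.com": "176.31.69.120",
}


@dataclass(frozen=True)
class ServerBlock:
    """A minimal stand-in for one nginx server{} block."""
    port: int
    server_name: str
    # Location template for a "return 301" ($host is substituted), or
    # None when the block serves the ACME token from its webroot.
    redirect: Optional[str] = None
    default_server: bool = False


def select_block(blocks: List[ServerBlock], port: int, host: str) -> ServerBlock:
    """nginx uses the block whose server_name matches the Host header; with
    no match it falls back to default_server, else the first block bound to
    that port. That fallback is what the thread's hypothesis relies on."""
    candidates = [b for b in blocks if b.port == port]
    for block in candidates:
        if block.server_name == host:
            return block
    for block in candidates:
        if block.default_server:
            return block
    return candidates[0]


def respond(blocks: List[ServerBlock], url: str) -> Tuple[int, Optional[str]]:
    """Return (status, location) the simulated nginx sends for one request."""
    parts = urlsplit(url)
    port = 443 if parts.scheme == "https" else 80
    block = select_block(blocks, port, parts.hostname)
    if block.redirect is not None:
        return 301, block.redirect.replace("$host", parts.hostname) + parts.path
    if parts.path.startswith(ACME_PREFIX):
        return 200, None  # token file found in the webroot
    return 404, None


def validate_http01(blocks: List[ServerBlock], host: str, token: str,
                    max_redirects: int = 10) -> Tuple[bool, List[str]]:
    """Follow redirects as an http-01 validator does, resolving each hop's
    hostname first. Returns (passed, trace of hops)."""
    url = f"http://{host}{ACME_PREFIX}{token}"
    trace: List[str] = []
    for _ in range(max_redirects):
        hop_host = urlsplit(url).hostname
        if hop_host not in DNS:
            trace.append(f"DNS problem: NXDOMAIN looking up A for {hop_host}")
            return False, trace
        status, location = respond(blocks, url)
        trace.append(f"{status} {url}" + (f" -> {location}" if location else ""))
        if status == 200:
            return True, trace
        if location is None:
            return False, trace
        url = location
    trace.append("too many redirects")
    return False, trace


# Hypothesised state before the cp. blocks were active: the apex block is
# the only port-80 block, so it catches every Host and prepends "www."
# (assumed template; the thread does not show this block).
BROKEN_VHOSTS = [
    ServerBlock(80, "niflheimro.com", redirect="https://www.$host"),
    ServerBlock(443, "www.niflheimro.com"),
]

# State with the blocks the poster quoted: cp. matches exactly, redirects to
# the same host, and a 443 block serves the webroot there.
FIXED_VHOSTS = BROKEN_VHOSTS + [
    ServerBlock(80, "cp.niflheimro.com", redirect="https://$host"),
    ServerBlock(443, "cp.niflheimro.com"),
]

if __name__ == "__main__":
    for label, vhosts in (("before", BROKEN_VHOSTS), ("after", FIXED_VHOSTS)):
        ok, trace = validate_http01(vhosts, "cp.niflheimro.com", "TOKEN")
        print(f"{label}: {'passed' if ok else 'failed'}")
        for line in trace:
            print("  " + line)
```

The "before" run reproduces the error text's shape: a 301 from the request host to www.cp.niflheimro.com followed by NXDOMAIN, with no DNS lookup for the wrong name ever asked for by certbot itself. The "after" run shows why loading the cp. blocks (and restarting nginx) is enough to make the same request pass, which matches the later --debug-challenges and --dry-run results in the thread. In a real diagnosis the equivalent check is to fetch the http://host/.well-known/acme-challenge/ URL with redirects followed and look at the hostname of each hop, which is what the Let's Debug traces earlier in the thread do.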

Seems to be working now, even without --debug-challenges (whatever that may have caused...)

2 Likes
