Certification problems..dns problem?


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.onderwegnaarmorgen.com

I ran this command: ```
sudo nextcloud.enable-https lets-encrypt


It produced this output:
Please enter your domain name(s) (space-separated): www.onderwegnaarmorgen.com
Attempting to obtain certificates... error running certbot:

Saving debug log to /var/snap/nextcloud/current/certs/certbot/logs/letsencrypt.log
Plugins selected: Authenticator nextcloud:webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.onderwegnaarmorgen.com
Using the webroot path /var/snap/nextcloud/current/certs/certbot for all domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.onderwegnaarmorgen.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.onderwegnaarmorgen.com/.well-known/acme-challenge/dLYMjFisZfioda3UtGbXyunwQRiUnOvHL_IU_fr16hc: "<!DOCTYPE html>
<html>
<head lang="en">
<meta charset="ascii">
<title>TransIP - Reserved domain</title>
"
IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: www.onderwegnaarmorgen.com
Type: unauthorized
Detail: Invalid response from
http://www.onderwegnaarmorgen.com/.well-known/acme-challenge/dLYMjFisZfioda3UtGbXyunwQRiUnOvHL_IU_fr16hc:
"<!DOCTYPE html>
<html>
<head lang="en">
<meta charset="ascii">
<title>TransIP - Reserved domain</title>
"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

My web server is (include version): I dont know but have this:
name: nextcloud
version: 13.0.5snap1
summary: Nextcloud Server - A safe home for all your data
description: |
Access, share and protect your files, calendars, contacts, communication and
more at home and in your enterprise.
architectures:
- amd64
confinement: strict
grade: stable
hooks:
configure:
plugs:
- network
- network-bind
apps:
apache:
command: command-apache.wrapper
daemon: simple
plugs:
- network
- network-bind
- removable-media
restart-condition: always
stop-command: stop-command-apache.wrapper
disable-https:
command: command-disable-https.wrapper
plugs:
- network
- network-bind
enable-https:
command: command-enable-https.wrapper
plugs:
- network
- network-bind
manual-install:
command: command-manual-install.wrapper
plugs:
- network
- network-bind
- removable-media
mdns-publisher:
command: command-mdns-publisher.wrapper
daemon: simple
plugs:
- network
- network-bind
restart-condition: always
mysql:
command: command-mysql.wrapper
daemon: simple
plugs:
- network
- network-bind
restart-condition: always
stop-command: stop-command-mysql.wrapper
mysql-client:
command: command-mysql-client.wrapper
plugs:
- network
- network-bind
mysqldump:
command: command-mysqldump.wrapper
plugs:
- network
- network-bind
nextcloud-cron:
command: command-nextcloud-cron.wrapper
daemon: simple
plugs:
- network
- network-bind
- removable-media
restart-condition: on-failure
occ:
command: command-occ.wrapper
plugs:
- network
- network-bind
- removable-media
php-fpm:
command: command-php-fpm.wrapper
daemon: simple
plugs:
- network
- network-bind
- removable-media
restart-condition: always
redis-server:
command: command-redis-server.wrapper
daemon: simple
plugs:
- network
- network-bind
restart-condition: always
renew-certs:
command: command-renew-certs.wrapper
daemon: simple
plugs:
- network
- network-bind
restart-condition: always

I use a dns from a vpn provider!! It gives a server in Australië. With IpLeak; dns adress- 1 server: 103.86.xx.xxx

The operating system my web server runs on is (include version):ubuntu 18.04 lts

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):no

#2

Hi,

Can you please confirm that your domain has pointed to your server’s IPs?

Because when I tried to connect to your domain, it shows me a “trans IP” parking page.

Thank you


#3

I can´t conform that. But now I know that I can change that by the domain registration.
I have three IP-adresses:
Local from my computer
The externel IP from my router
The IP from the dns server, in Australië which I have got from my vpn provider. Which is different from my internetprovider.
Which one should I install by the domain name?
And which type should I use: A, AAAA, CNAME, MX, etc?


#4

Additionaly!
The servernames from my internetprovider: https://www.xs4all.nl/klant/servers.htm


#5

and in the registration of the domainname I see: This I can full in.

DNS
DNSSEC ON
name TTL Type waarde (IP)
… … … …

And further on

Nameservers:
Primaire nameserver: …
Secondaire nameserver:…

What for data must I full in there?


#6

Hi @Johnletsencrypt

now you have two ip-addresses:

Name: onderwegnaarmorgen.com
Addresses: 103.86.96.100
82.161.205.205
Aliases: www.onderwegnaarmorgen.com

I have a timeout - website and ip-addresses. Has your server really two ip-addresses?


#7

Hi,

Which one is your server’s IP address?
Is your server inside your home?

Thank you


#8

I have the server installed on a computer inside my home.
The ip from my router extern is 82.161.205.205. My computer, where the server is installed, has another IP intern.
On who.is I get: https://who.is/dns/onderwegnaarmorgen.com
By the domain registration I have put the two IP’s under DNS , under waarde (IP). The IP 103.86.96.100 is from my vpn provider.

When I try to get a certificate, i get now the following:

Attempting to obtain certificates… error running certbot:

Saving debug log to /var/snap/nextcloud/current/certs/certbot/logs/letsencrypt.log
Plugins selected: Authenticator nextcloud:webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.onderwegnaarmorgen.com
Using the webroot path /var/snap/nextcloud/current/certs/certbot for all domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.onderwegnaarmorgen.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.onderwegnaarmorgen.com/.well-known/acme-challenge/A-x4KEnAjRCQc99neE4JToXMIyYyTHo73hSszyzjf58: Timeout during connect (likely firewall problem)
IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.onderwegnaarmorgen.com
    Type: connection
    Detail: Fetching
    http://www.onderwegnaarmorgen.com/.well-known/acme-challenge/A-x4KEnAjRCQc99neE4JToXMIyYyTHo73hSszyzjf58:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.


#9

So, after some trying, I have the right install.
https://who.is/dns/onderwegnaarmorgen.com
But I can’t certificate. I think I must do a portforwarding in my router to the computer with the server.
Also port 80…forward (server)computer IP, which port?
port 443 …forward to (server)computer IP, which port?
Is that correct?
How must I do these portforwarding? I
And has these forwarding no consequencies for other computers of programms?
Thanks for your answers!


#10

First you should clear your dns-settings. Use only the router ip, remove the second entry.

Then add a forward rule in your router, so that I can connect your webserver

http://www.onderwegnaarmorgen.com/

This is required that Letsencrypt is able to validate the domain.


#11

I now only use my router IP. The other one is deleted.
Forwarding…Thats a problem for me, I don know how to do this on a safe way for the ports 80 and 443. Whitch ports do I need for the internservercomputer? And after the certification I can’t remove the portforwarding?


#12

Heb tijdelijk de poorten in de router open gezet. Certificering is gelukt. Bedankt allen!


#13

Which internal port you use? That depends on your other settings.

After the certification you can completely block your router, there is no permanent external access required.


#14

Yep, I see: Now you have a new certificate, created today.

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:www.onderwegnaarmorgen.com&lu=cert_search

So to renew the certificate, open your router, close it when done.


#15

I have closed port 80. But I must forward port 443, also open, and I must install a rule in ufw. This is to let nextcloud function wel as server. This should be safe?


#16

You can restrict your webserver, so that only /.well-known/acme-challenge/randomfilename is allowed per port 80.

So all other traffic is forbidden or redirected.


#17

Hello JuergenAuer,
I see that de certificate expirered at 25 november 2015. Must I renew it then? Or is that going automatic?
What about the restriction: You can restrict your webserver, so that only /.well-known/acme-challenge/randomfilename is allowed per port 80.
How does this work? And what must I do?

And for open port 443 can I also build in restrictions? To make it safer?

Thanks!


#18

Check your crontab if Certbot has created a job. The certificates are renewed after 60 days. But you have 90 days to do that.

I don’t know enough about nextcloud. But it should be possible to create two rules:

http + /.well-known/acme-challenge/ -> load the file
other http -> Go to google

You don’t need port 443 to create a Letsencrypt-certificate. If you have a redirect http -> https, remove that, if the path is /.well-known/acme-challenge/

Then Letsencrypt loads the file per http / port 80 - job is done.

So you can close port 443 completely.


#19

Thanks for your reactions!
443 is a https serverport for nextcloud. If I close this port, nextcloud does not function.

Is there a script to renew your certificate automatically?


#20

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.