CertSage not working

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: billing.matttechbackups.com

I ran this command: billing.matttechbackups.com/certsage.php, filled the information into the needed fields so everything looks good! Clicked on the Acquire staging certificate.

It produced this output:
urn:ietf:params:acme:error:unauthorized
162.0.232.36: Invalid response from https://billing.matttechbackups.com/.well-known/acme-challenge/3tskgFjT-XNQlwBE_lpi43039zSKKxvME7xdPnd1Giw: 404

My web server is (include version): Not sure

The operating system my web server runs on is (include version): Not sure

My hosting provider, if applicable, is: Namecheap, Shared hosting package (stellar)

I can login to a root shell on my machine (yes or no, or I don't know): I can access shell yes !

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
Cpanel 110.0.7

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Certsage: version 1.4.1

I've installed an SSL with Certsage on my primary domain matttechbackups.com but it will not work on the subdomain..!!

1 Like

Hi @Rooster, and welcome to the LE community forum :slight_smile:

Can't Cpanel obtain a cert for you?

BTW, the web server identifies itself as:
server: LiteSpeed

6 Likes

Welcome to the Let's Encrypt Community, Robert! :slightly_smiling_face:

Let me check something... :thinking:

5 Likes

Based upon the tests I've run so far, I see no evident reason why the challenge file would be unreachable.

If you put a file named test inside the /.well-known/acme-challenge/ directory under your webroot directory for billing.matttechbackups.com, are you able to successfully access the contents of that test file by visiting http://billing.matttechbackups.com/.well-known/acme-challenge/test in a browser? Please be sure that you're checking if you can access the file using HTTP in the URL and not HTTPS as Let's Encrypt will first attempt validation over HTTP on port 80 then follow the redirect to use HTTPS on port 443. If there is a problem with a rogue rewrite/redirect, this test path will help surface it.

Some of my testing, for reference:

https://letsdebug.net/billing.matttechbackups.com

6 Likes

Hey Jonathan,

I've made maybe 10 - 12 attempts. I had originally tried to do it all together with my main domain but that failed with the same error!

When I did it for just my main domain, everything went perfectly!

Any ideas??

--Robert

2 Likes

Did you try manually creating the test file as I suggested? If we can get that file to be accessible from the internet then the challenge should succeed.

5 Likes

That would only work if your main domain name and billing subdomain name share the exact same webroot directory.

5 Likes

Hey Jonathan,

I created the test file and it's accessible now! It looks like certsage cannot create the file it needs for its test! Is that possible?

-- Robert

1 Like

I can't reach it using:

4 Likes

I can guarantee you that it can or CertSage would have thrown an error indicating otherwise. :wink:

5 Likes

It can be accessed as test.txt

2 Likes

So what's the next step? Do you want to try to acquire the test ssl??. I could send you the content of the password file if needed.

-- Robert

2 Likes

I can confirm that I can access http://billing.matttechbackups.com/.well-known/acme-challenge/test.txt with only a single redirect from HTTP to HTTPS. :thinking:

4 Likes

I'm starting to wonder if you might be right about CertSage being unable to create the challenge file. I find this difficult to believe though as I built specific error checking into CertSage for that very situation. Perhaps I should add a secondary existence check after each directory and file creation. Adding that to my next release :dart:. Clearly LiteSpeed is able to serve files from that directory. What are the permissions on these directories:

  • (webroot directory of billing.matttechbackups.com)
  • (webroot directory of billing.matttechbackups.com)/.well-known
  • (webroot directory of billing.matttechbackups.com)/.well-known/acme-challenge

5 Likes

Good morning

The information you requested :

billing.matttechbackups.com - 0750
billing.matttechbackups.com/.well-known - 0755
billing.matttechbackups.com/well-known/acme-challenge - 0755

-- Robert

1 Like

When I do
curl -k -s -v 'https://billing.matttechbackups.com/.well-known/acme-challenge/test.txt'

I got at the end of the output:

...
< content-length: 13
< date: Mon, 25 Sep 2023 17:27:35 GMT
< server: LiteSpeed
< p3p: policyref="/w3c/p3p.xml", CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
< x-turbo-charged-by: LiteSpeed
< 
* Connection #0 to host billing.matttechbackups.com left intact

Content-length is 13, but no data is coming.

4 Likes

@bruncsak
I get:

...
* Connection #0 to host billing.matttechbackups.com left intact
Good morning

6 Likes

You are right, it is there for me too. I just overlooked it. Sorry.

6 Likes

So we know that it is reachable, how do we get a certificate set up??

-- Robert

2 Likes

Do you have a strange umask value that would deny reading the challenge file?

pi@raspberrypi:~ $ umask 777
pi@raspberrypi:~ $ echo "Good morning" > test.txt
pi@raspberrypi:~ $ cat test.txt
cat: test.txt: Permission denied
pi@raspberrypi:~ $ ls -l test.txt
---------- 1 pi pi 13 Sep 25 20:02 test.txt
pi@raspberrypi:~ $

By the way, that cannot be the problem. CertSage explicitly sets the file permissions to 644. No more ideas.

5 Likes
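
The "secondary existence check after each directory and file creation" proposed earlier in the thread, combined with the umask point from the last post, as an added example. It is not CertSage's code (CertSage is PHP) and not part of the thread; the function names, the temporary webroot, and the token and body values are constructed for illustration.

```python
import os
import stat
import tempfile

DIR_MODE, FILE_MODE = 0o755, 0o644  # modes quoted in the thread


def mode_of(path):
    """Return the permission bits of path, e.g. 0o644."""
    return stat.S_IMODE(os.stat(path).st_mode)


def place_challenge(webroot, token, body):
    """Create .well-known/acme-challenge/<token> and re-check every step."""
    path = webroot
    for part in (".well-known", "acme-challenge"):
        path = os.path.join(path, part)
        os.makedirs(path, exist_ok=True)
        os.chmod(path, DIR_MODE)  # explicit mode, independent of the umask
        if not os.path.isdir(path) or mode_of(path) != DIR_MODE:
            raise RuntimeError(f"directory check failed: {path}")
    target = os.path.join(path, token)
    with open(target, "w") as fh:
        fh.write(body)
    os.chmod(target, FILE_MODE)
    with open(target) as fh:  # secondary check: read back what was written
        if fh.read() != body or mode_of(target) != FILE_MODE:
            raise RuntimeError(f"file check failed: {target}")
    return target


def demo():
    """Return (mode of a file left to umask 777, challenge file mode, dir mode)."""
    with tempfile.TemporaryDirectory() as webroot:  # constructed stand-in webroot
        old = os.umask(0o777)
        try:
            bare = os.path.join(webroot, "test.txt")
            with open(bare, "w") as fh:  # no chmod: the umask decides
                fh.write("Good morning\n")
            target = place_challenge(webroot, "constructed-token", "constructed-body")
            return mode_of(bare), mode_of(target), mode_of(os.path.dirname(target))
        finally:
            os.umask(old)


if __name__ == "__main__":
    print([oct(m) for m in demo()])
```

The first value reproduces the `----------` listing from the umask test above; the other two show that an explicit chmod after creation yields 644 and 755 regardless of the umask in effect.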