Challenge failed for domain catch-22.co.nz

Help
1

Hi guys,

I decided to migrate my friend's WordPress website from the docker containers to the LEMP stack and couldn't obtain a certificate due to errors with DNS A/AAAA record(s) however these records have been already configured on a domain site long ago. Uncommenting of the

listen [::]:443 ssl http2 ipv6only=on;
listen 443 ssl http2; # managed by Certbot

doesn't help as well :slight_smile:

Could you pls help by any chance? :slight_smile:

Nginx config:

server {
        root /var/www/catch-22;
        index index.php index.html index.htm index.nginx-debian.html;
        server_name catch-22.co.nz www.catch-22.co.nz;

        # listen [::]:443 ssl http2 ipv6only=on;
        # listen 443 ssl http2; # managed by Certbot

        client_max_body_size 500M;

        location / {
                #try_files $uri $uri/ =404;
                try_files $uri $uri/ /index.php$is_args$args;
        }

        location ~ \.php$ {
                include fastcgi_params;
                fastcgi_intercept_errors on;
               # include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
                fastcgi_connect_timeout 300s;
                fastcgi_read_timeout 300s;
                fastcgi_send_timeout 300s;
        }

        location ~ /\.ht {
                deny all;
        }

        location = /favicon.ico { log_not_found off; access_log off; }
        location = /robots.txt { log_not_found off; access_log off; allow all; }
        location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
            expires max;
            log_not_found off;
        }

	location ~ ^/\.user\.ini {
		deny all;
	}

        # ssl_certificate /etc/letsencrypt/live/catch-22.co.nz/fullchain.pem; # managed by Certbot
        # ssl_certificate_key /etc/letsencrypt/live/catch-22.co.nz/privkey.pem; # managed by Certbot
        # include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        # ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
        # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

The domain is: catch-22.co.nz

I ran this command: sudo certbot --nginx -d catch-22.co.nz -d www.catch-22.co.nz

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for catch-22.co.nz
http-01 challenge for www.catch-22.co.nz
Waiting for verification...
Challenge failed for domain catch-22.co.nz
Challenge failed for domain www.catch-22.co.nz
http-01 challenge for catch-22.co.nz
http-01 challenge for www.catch-22.co.nz
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: catch-22.co.nz
   Type:   connection
   Detail: 130.162.231.184: Fetching
   http://catch-22.co.nz/.well-known/acme-challenge/IYaAFXYgylxTaNyb1jeUzJ5CFw4rcRxL97D-XTN5Kog:
   Error getting validation data

   Domain: www.catch-22.co.nz
   Type:   connection
   Detail: 130.162.231.184: Fetching
   http://www.catch-22.co.nz/.well-known/acme-challenge/7U0k2jVws7YQtaO2ffoO36csqJYAbl8yKmrjoXF3FZ4:
   Error getting validation data

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

My web server is (include version): nginx/1.21.6

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is: https://myhost.nz

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.12.0

2

I can't connect to your server and do not see port 80 (or port 443) open. Also see Let's Debug

Your DNS records point to IP 130.162.231.184. Is that still your server IP? You can confirm by running:

curl -4 ifconfig.co
3 Likes
3

Hi Mike,

Yeah, ports are open and IP is correct :slight_smile:

❯ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
22                         ALLOW       Anywhere
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
22 (v6)                    ALLOW       Anywhere (v6)
80 (v6)                    ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)
22/tcp (v6)                ALLOW       Anywhere (v6)

curl -4 ifconfig.co
130.162.231.184

sudo systemctl status nginx
● nginx.service - nginx - high performance web server
     Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
     Active: active (running) since Sun 2022-05-08 19:07:59 UTC; 20h ago
       Docs: https://nginx.org/en/docs/
   Main PID: 1873 (nginx)
      Tasks: 3 (limit: 1112)
     Memory: 2.6M
     CGroup: /system.slice/nginx.service
             ├─1873 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
             ├─9346 nginx: worker process
             └─9347 nginx: worker process

May 08 19:07:59 ubuntu2 systemd[1]: Starting nginx - high performance web server...
May 08 19:07:59 ubuntu2 systemd[1]: Started nginx - high performance web server.
4

They may be open in ufw but not to the public internet

PORT    STATE    SERVICE
22/tcp  open     ssh
80/tcp  filtered http
443/tcp filtered https

Let's Debug still can't see your site either

Check your hosting network config to ensure these ports are allowed for inbound traffic.

3 Likes
5

Oh my, Oracle doesn't allow access to their dashboard anymore while I try accessing from Russia.
It says: Forbidden Your client is not allowed to access the requested object. :slight_smile:

I even changed my billing to New Zealand, but still haven't received a single message from their support. Most likely they've just blocked it without even noticing. It was working a few days ago without any issues on Docker though. Will additionally inspect IP Tables Rules :slight_smile:

How could I check these ports if they're allowed for the inbound traffic? :slight_smile:

sudo lsof -i:80
COMMAND   PID        USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
gomon    1412 snap_daemon   13u  IPv4 156986      0t0  TCP ubuntu2.subnet01202112.vcn01202112.oraclevcn.com:46434->169.254.169.254:http (ESTABLISHED)
nginx    1873        root    6u  IPv4  36366      0t0  TCP *:http (LISTEN)
nginx   11154       nginx    6u  IPv4  36366      0t0  TCP *:http (LISTEN)
nginx   11155       nginx    6u  IPv4  36366      0t0  TCP *:http (LISTEN)
6

I know nothing about Oracle Cloud services - sorry.

Just curious what does this show?

sudo lsof -i:443
3 Likes
7

No worries, mate. I've just moved some of my services from my home lab to their free instances :slight_smile:

Shows nothing :slight_smile:

9

I guess, in this case, you got what you paid for:

curl -Ii catch-22.co.nz
curl: (56) Recv failure: Connection reset by peer

curl catch-22.co.nz
curl: (56) Recv failure: Connection reset by peer

They charged nothing, for something that's worth nothing. -jk

It is likely just a simple misconfiguration issue - keep looking and you will find it.

2 Likes
10

Migrated from Oracle to Digitalocean and it works fine :slight_smile:

2 Likes
11

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.