Challenge failed for domain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: flow3.flowbasket.com

I ran this command: certbot --nginx

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Requesting a certificate for flow3.flowbasket.com
Performing the following challenges:
http-01 challenge for flow3.flowbasket.com
Using the webroot path /var/www for all unmatched domains.
Waiting for verification...
Challenge failed for domain flow3.flowbasket.com
http-01 challenge for flow3.flowbasket.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: flow3.flowbasket.com
   Type:   unauthorized
   Detail: 167.99.47.86: Invalid response from
   http://flow3.flowbasket.com/.well-known/acme-challenge/H3L40v5IeQWS8D3J9BHmERlhD6VQCXqtqN-4oHHpRsw:
   404

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): CentOS Linux release 7.9.2009 (Core)

The operating system my web server runs on is (include version): CentOS Linux release 7.9.2009 (Core)

My hosting provider, if applicable, is: Whogohost

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.11.0

The output you showed was not for that command.

You might try this though ...

sudo certbot certonly --nginx -d flow3.flowbasket.com --dry-run

(omit sudo if you do not need it)

Once --dry-run (testing) works, remove it to get a production cert.

And, is it possible to upgrade your Certbot to the snap version? The version that comes with CentOS 7 is over 2.5 years old.

4 Likes

Okay, thanks for your response, I'll try that now.

Please, how do I upgrade my Certbot to the snap version?

Certbot install instructions are at the link I provided earlier (and below). Follow them carefully.

What happened with the certonly ... --dry-run command?

4 Likes

Oh, I see a bigger problem.

You are trying to use the --nginx plug-in but you are running Apache server. Or, your DNS is set wrong.

Let us step back. Can you explain more what you are trying to do?

curl -i flow3.flowbasket.com
HTTP/1.1 200 OK
Date: Fri, 01 Sep 2023 23:14:18 GMT
Server: Apache

Also, that domain got a valid cert from cPanel yesterday. And, the Apache server is using it. Why do you need another cert? See link below for your active cert:

3 Likes
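The diagnosis in the reply above (the --nginx plugin would edit nginx, but Apache is what answers port 80, so Let's Encrypt gets a 404 for the challenge path) can be checked before running Certbot. This is an added pre-flight script, not from the thread or from Certbot; it works on text you capture with `dig +short DOMAIN` and `curl -sI http://DOMAIN/`, and the embedded samples are constructed from the curl output and IP shown in this thread.

```shell
#!/bin/sh
# Pre-flight check for an HTTP-01 challenge: does DNS point at this host, and is the
# server answering port 80 the one the chosen Certbot plugin (nginx/apache) will edit?
# Pure text processing so it runs offline; feed real `dig` / `curl -sI` output in use.

# First word of the Server: header, lower-cased, version stripped ("apache", "nginx").
server_software() {   # $1 = response header block
  printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^[Ss]erver:[ \t]*//p' | head -n 1 \
    | awk '{print tolower($1)}' | sed 's|/.*||'
}

# HTTP status code from the first line of a header block; empty if no HTTP response.
http_status() {   # $1 = response header block
  printf '%s\n' "$1" | sed -n '1s|^HTTP/[0-9.]* \([0-9]\{3\}\).*|\1|p'
}

# "yes" if the expected server IP is among the resolved A records, else "no".
dns_points_here() {   # $1 = this server's IP, $2 = `dig +short` output
  printf '%s\n' "$2" | grep -qxF "$1" && echo yes || echo no
}

# Verdict for plugin $1 ("nginx", "apache" or "webroot"): prints one of
#   dns-mismatch | unreachable | plugin-mismatch:<server> | ok
http01_preflight() {   # $1 = plugin, $2 = server IP, $3 = dig output, $4 = headers
  [ "$(dns_points_here "$2" "$3")" = yes ] || { echo dns-mismatch; return 1; }
  [ -n "$(http_status "$4")" ] || { echo unreachable; return 1; }
  sw=$(server_software "$4")
  case "$1" in
    nginx|apache)   # the plugin can only place the token in the server it manages
      [ "$sw" = "$1" ] || { echo "plugin-mismatch:${sw:-unknown}"; return 1; } ;;
    webroot) ;;     # webroot only needs the responding server to serve the directory
  esac
  echo ok
}

# Constructed samples taken from the thread: DNS resolves to the host, Apache answers.
SAMPLE_DIG='167.99.47.86'
SAMPLE_HEADERS='HTTP/1.1 200 OK
Date: Fri, 01 Sep 2023 23:14:18 GMT
Server: Apache'

http01_preflight nginx  167.99.47.86 "$SAMPLE_DIG" "$SAMPLE_HEADERS" || true  # plugin-mismatch:apache
http01_preflight apache 167.99.47.86 "$SAMPLE_DIG" "$SAMPLE_HEADERS"          # ok
```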

This is what I got when I ran the command:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Simulating a certificate request for flow3.flowbasket.com
Performing the following challenges:
http-01 challenge for flow3.flowbasket.com
Using default addresses 80 and [::]:80 ipv6only=on for authentication.
Waiting for verification...
Challenge failed for domain flow3.flowbasket.com
http-01 challenge for flow3.flowbasket.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: flow3.flowbasket.com
   Type:   unauthorized
   Detail: 167.99.47.86: Invalid response from
   http://flow3.flowbasket.com/.well-known/acme-challenge/SFgZXEXJIP0oFSBbtRiWNJ-yBXW1Q82wx3OJz3LWVhg:
   404

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

I am trying to generate a certificate for a service I am running on the server that needs it.

What really made me try to generate a new certificate is that I am running jitsi-meet using Docker on my server. If I don't enable Let's Encrypt in the .env configuration, the jitsi-meet web Docker container will start and run successfully without any issues, because it will not try to generate an SSL certificate and will run as unsecured HTTP. But if I enable Let's Encrypt (that is, tell it to run the web Docker container with HTTPS) by setting ENABLE_LETSENCRYPT=1 after the web Docker container has been created, it will try to generate SSL using Let's Encrypt, it will give exactly the error message I'm getting when I try to generate an SSL certificate with certbot, and it will stop and keep restarting itself.

This is the error message it gives:

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-set-timezone: executing... 
[cont-init.d] 01-set-timezone: exited 0.
[cont-init.d] 10-config: executing... 
/opt /
[Thu Aug 31 18:19:51 UTC 2023] Installing to /config/acme.sh
[Thu Aug 31 18:19:51 UTC 2023] Installed to /config/acme.sh/acme.sh
[Thu Aug 31 18:19:51 UTC 2023] Installing alias to '/root/.profile'
[Thu Aug 31 18:19:51 UTC 2023] OK, Close and reopen your terminal to start using acme.sh
[Thu Aug 31 18:19:51 UTC 2023] Installing cron job
28 0 * * * "/config/acme.sh"/acme.sh --cron --home "/config/acme.sh" > /dev/null
[Thu Aug 31 18:19:52 UTC 2023] Good, bash is found, so change the shebang to use bash as preferred.
[Thu Aug 31 18:19:52 UTC 2023] OK
/
[Thu Aug 31 18:19:54 UTC 2023] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Thu Aug 31 18:19:54 UTC 2023] Run pre hook:'if [[ -d /var/run/s6/services/nginx ]]; then s6-svc -d /var/run/s6/services/nginx; fi'
[Thu Aug 31 18:19:54 UTC 2023] Standalone mode.
[Thu Aug 31 18:19:56 UTC 2023] Create account key ok.
[Thu Aug 31 18:19:57 UTC 2023] Registering account: https://acme-v02.api.letsencrypt.org/directory
[Thu Aug 31 18:19:59 UTC 2023] Registered
[Thu Aug 31 18:19:59 UTC 2023] ACCOUNT_THUMBPRINT='lLzm63uh4owCHM92Ljf0qRbva7ver9HqohBfbOczVD0'
[Thu Aug 31 18:19:59 UTC 2023] Single domain='flow3.flowbasket.com'
[Thu Aug 31 18:19:59 UTC 2023] Getting domain auth token for each domain
[Thu Aug 31 18:20:03 UTC 2023] Getting webroot for domain='flow3.flowbasket.com'
[Thu Aug 31 18:20:04 UTC 2023] Verifying: flow3.flowbasket.com
[Thu Aug 31 18:20:04 UTC 2023] Standalone mode server
[Thu Aug 31 18:20:11 UTC 2023] flow3.flowbasket.com:Verify error:167.99.47.86: Invalid response from http://flow3.flowbasket.com/.well-known/acme-challenge/LT_KktSbyvlnUY77POldhjrd77K6y2nXxM7p5bCoxYo: 404
[Thu Aug 31 18:20:11 UTC 2023] Please add '--debug' or '--log' to check more details.
[Thu Aug 31 18:20:11 UTC 2023] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
[Thu Aug 31 18:20:11 UTC 2023] Run post hook:'if [[ -d /var/run/s6/services/nginx ]]; then s6-svc -u /var/run/s6/services/nginx; fi'
Failed to obtain a certificate from the Let's Encrypt CA.
Exiting.
[cont-init.d] 10-config: exited 1.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] waiting for services.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.
[s6-init] making user provided files available at /var/run/s6/et

I've been on the issue for over 7 days now.

There's also an option of using an existing TLS certificate and key.

From the documentation:

  • mount /path/to/your/cert.key file to /config/keys/cert.key mount point
  • mount /path/to/your/cert.fullchain file to the /config/keys/cert.crt mount

And when I searched my server directories I didn't find any file that ends in .fullchain, so that's why I'm trying to generate a new certificate with certbot.

That info is very helpful. You have a lot of pieces that need to work together.

What does the Apache server do?

Your cert requests have to be resolved by that because that is what is handling HTTP requests to your domain. You could instead use a DNS Challenge but it is hard to say if that would help.

That Apache server has a cert, chain, and private key file. If you can find that maybe you could use that as the existing TLS cert and key? It does not have to be called "fullchain". That is just the naming convention used by Certbot.

Update: And, Apache right now is also handling HTTPS requests so if you want to reach any of those other parts on standard HTTP and HTTPS ports you need to figure out what to do. Either use Apache as a reverse proxy or get it out of the way entirely.

5 Likes

Thanks for your response and suggestions. I think I will try to use one of the .key and .crt files in the /etc/ssl/private and certs directories, because I don't know of any other things to do anymore.

This is the content of my private and certs directories. The coturn.key in the private dir is a self-generated key, and I don't know if it will work, or if I should use the 167-99-47-86.cprapid.com.key or the coturn.key as the cert.key and any .crt file in the certs directory as the cert.fullchain.

And please, if I were to use Apache as a reverse proxy, how do I go about it, and what would be the effect on my server?
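Which .key goes with which .crt is a mechanical question: a private key belongs to a certificate only if the public key derived from it equals the public key embedded in the certificate. This added helper (not from the thread, and not Certbot or cPanel tooling) answers it for a whole directory pair; it assumes the openssl CLI is installed, and the key and certificate files it checks are generated on the fly as constructed demo material, so nothing here touches the real /etc/ssl.

```shell
#!/bin/sh
# Match private keys to certificates by comparing public-key fingerprints.

# SHA-256 of the public key inside a cert or key file; fails if the file cannot be parsed.
pubkey_fp() {   # $1 = "cert" or "key", $2 = path
  pem=$( if [ "$1" = cert ]; then openssl x509 -in "$2" -noout -pubkey
         else openssl pkey -in "$2" -pubout; fi 2>/dev/null ) || return 1
  [ -n "$pem" ] || return 1
  printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# "yes" if the private key belongs to the certificate, else "no" (also on unreadable files).
key_matches_cert() {   # $1 = key path, $2 = cert path
  k=$(pubkey_fp key "$1") && c=$(pubkey_fp cert "$2") && [ "$k" = "$c" ] && echo yes || echo no
}

# For every *.crt in $2, print the *.key in $1 whose public key matches, or "none".
match_keys_to_certs() {   # $1 = key directory, $2 = cert directory
  for crt in "$2"/*.crt; do
    found=none
    for key in "$1"/*.key; do
      [ "$(key_matches_cert "$key" "$crt")" = yes ] && found=$key && break
    done
    echo "$(basename "$crt") -> $found"
  done
}

# Constructed demo (hypothetical names): two self-signed pairs plus an orphan key,
# mirroring the thread's mix of a cPanel key and a self-generated coturn.key.
DEMO=$(mktemp -d); mkdir -p "$DEMO/private" "$DEMO/certs"
for n in site coturn; do
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$n.example" \
    -keyout "$DEMO/private/$n.key" -out "$DEMO/certs/$n.crt" 2>/dev/null
done
openssl genpkey -algorithm RSA -out "$DEMO/private/orphan.key" 2>/dev/null
match_keys_to_certs "$DEMO/private" "$DEMO/certs"
```

Run it against the real directories as `match_keys_to_certs /etc/ssl/private /etc/ssl/certs`; the matching pair is what goes into cert.key and cert.crt, and the chain file only needs to contain that certificate followed by its intermediates, whatever its name.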

I think you are trying to put together a complicated mix of components. We focus on helping people get Let's Encrypt certs. I think you need help with general server design and setup. You would probably be better off at a jitsi meet forum for guidance (see below link).

You could also search this forum for jitsi and you will see some of what other people have sorted out.

Most of us here are volunteers offering our expertise and time for free. It is possible some other volunteer will be willing to guide you; it is more involved than I want to help with.

I wish you good luck.

4 Likes

Thanks so much for your time.

2 Likes