Challenge failed for domain

My domain is: brasens.com

I ran this command: sudo certbot --nginx

It produced this output:

No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated)  (Enter 'c' to cancel): www.brasens.com.br brasens.com.br
Requesting a certificate for www.brasens.com.br and brasens.com.br
Performing the following challenges:
http-01 challenge for brasens.com.br
http-01 challenge for www.brasens.com.br
Waiting for verification...
Challenge failed for domain brasens.com.br
Challenge failed for domain www.brasens.com.br
http-01 challenge for brasens.com.br
http-01 challenge for www.brasens.com.br
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: brasens.com.br
   Type:   dns
   Detail: no valid A records found for brasens.com.br; no valid AAAA
   records found for brasens.com.br

   Domain: www.brasens.com.br
   Type:   dns
   Detail: DNS problem: NXDOMAIN looking up A for www.brasens.com.br -
   check that a DNS record exists for this domain; DNS problem:
   NXDOMAIN looking up AAAA for www.brasens.com.br - check that a DNS
   record exists for this domain

The operating system my web server runs on is (include version): Amazon Linux 2

My hosting provider, if applicable, is: https://www.hostinger.com.br/

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Certbot 1.11.0

I think I need to explain my situation as a whole.
It's my first time setting up HTTPS on a server, so I'm having some difficulties.

Basically, I'm creating a web application, which is hosted on the domain (www.brasens.com). This application will work in conjunction with a server made in Spring and hosted on AWS EC2, and it is this server that will use the SSL certificate so that I can use HTTPS instead of HTTP when communicating with it.

But I have several doubts about how to do this.
For example, I'm using the application's domain when creating the certificate, is that right? Should I use another domain?

This same domain is registered by Hostinger, which has already provided me with an SSL certificate, but has not provided me with its information, so can I generate another one on this same domain to use on the server?

Basically, I'm quite lost so I'd really appreciate it if you could enlighten me.

Hello @MatheusMarkies, welcome to the Let's Encrypt community. :slightly_smiling_face:

The domain names brasens.com.br and www.brasens.com.br have no DNS A, AAAA, or CNAME Records.
The HTTP-01 challenge states "The HTTP-01 challenge can only be done on port 80."
Best Practice - Keep Port 80 Open
Without access to Port 80 HTTP-01 challenge fails, without an IP Address there can be no access to Port 80.

Here are the DNS Records I see for the domain name that is having the issue(s).

1 Like

But, your cert request was for domains ending in .br

Can you explain more about these two sets of names?

Do you want, say, browsers to connect to the .com domain and have an app connect to your Spring server on EC2 using the .com.br name?

I ask because you need a cert that includes the name used in the URL to connect to it.

If separate servers using different names need certs you will likely need two certs.

2 Likes

I'm sorry, I just put the test I did on another domain I own, the application domain will actually be (brasens.com) which is the one on hostinger.

name(s) (comma and/or space separated)  (Enter 'c' to cancel): brasens.com www.brasens.com
Requesting a certificate for brasens.com and www.brasens.com
Performing the following challenges:
http-01 challenge for brasens.com
http-01 challenge for www.brasens.com
Waiting for verification...
Challenge failed for domain brasens.com
Challenge failed for domain www.brasens.com
http-01 challenge for brasens.com
http-01 challenge for www.brasens.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: brasens.com
   Type:   unauthorized
   Detail: 76.76.21.98: Invalid response from
   http://brasens.com/.well-known/acme-challenge/8VOerLlEcHT5jnXOxPQAYLOL50ASXUPIcLpFV8eLxcw:
   404

   Domain: www.brasens.com
   Type:   unauthorized
   Detail: 76.76.21.22: Invalid response from
   http://www.brasens.com/.well-known/acme-challenge/MWayjJAgCgy1scYWv6sIMkxwbFgCkc-m-e-UXKLX6mM:
   404

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

Thanks for the reply and the welcome!
Does this mean that if I want to use .com.br I would have to configure the DNS for that?
In the case of the log above, what does this Type: unauthorized mean?

I'm having great difficulty understanding what's going on here, for example, to make HTTP requests on my server I'm using the public IPv4 DNS that Amazon EC2 generated for me, however, to generate a certificate for the server in the certbot command I use the domain that the web application is using (www.brasens.com) and not that of the server.
Is this really correct?
I followed the instructions of a tutorial on the internet, so I don't understand it very well.

2 Likes

Yes you would.

1 Like

Which instructions were those? Do you have a link?

2 Likes

Also here is a list of issued certificates crt.sh | brasens.com, the latest being 2024-03-25.
Yet the certificate presently being served is "Not Before: Feb 09, 2024 16:41:05 GMT".

1 Like

Testing and debugging are best done using the Staging Environment as the Rate Limits are much higher.

1 Like

This link here:

@MatheusMarkies please use the instructions from here https://certbot.eff.org/
I would probably try this one first Certbot Instructions | Certbot

1 Like

I am pretty sure Amazon Linux 2023 does not support snapd. Or at least not officially.

Canonical does not show it in the list of their supported platforms for snap. I installed an unofficial one as far back as Amazon Linux 1 (or maybe 2 I forget) but it was painful.

I think the pip/venv is probably the best if you insist on Certbot on AL2023 but you can find those instructions on Certbot site too. In fact, that Medium blog copies the Certbot docs for alternate methods. The pip install is here:

2 Likes

Do you mean that EC2 property name literally? Like the name that looks something like:
ec2-3-123-456-789.compute-1.amazonaws.com

Because I would not recommend using that name in any app. If you want to direct requests from the public internet (or an app running from there) to your EC2 instance, then set up a DNS A record with the IPv4 public IP address. And then use the name for that A record in a URL just like any other domain name. If/when you set up IPv6, you create an AAAA record for the public IPv6 address.

2 Likes

Sounds good to me. :slight_smile:

Didn't really look like Amazon to me (but I am not an expert).

$ curl -Ii http://brasens.com/.well-known/acme-challenge/sometestfile
HTTP/1.1 404 Not Found
Connection: Keep-Alive
Keep-Alive: timeout=5, max=100
content-type: text/html
content-length: 150
date: Wed, 27 Mar 2024 02:08:47 GMT
server: LiteSpeed
platform: hostinger
content-security-policy: upgrade-insecure-requests
$ nmap -Pn -p80,443 brasens.com
Starting Nmap 7.80 ( https://nmap.org ) at 2024-03-27 02:11 UTC
Nmap scan report for brasens.com (185.211.7.198)
Host is up (0.19s latency).
Other addresses for brasens.com (not scanned): 2a02:4780:13:818:0:3ade:ffa5:2

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 0.36 seconds

1 Like

That IP does not point to an EC2 instance. But, they are talking about how to handle their EC2 instance and pointed to a blog about Certbot on AL2023. There are several moving parts here that are not yet clear.

2 Likes

Then, I'll move out of the way to help keep the path clearer. :slight_smile:

3 Likes

I'd much rather use acme.sh than anything pip.

3 Likes

Personally I would too. But if you are going to use pip, following the Certbot instructions is better than following some random blog instructions. Which is why I provided the link.

3 Likes
   Domain: brasens.com
   Type:   unauthorized
   Detail: 76.76.21.98: Invalid response from
   http://brasens.com/.well-known/acme-challenge/8VOerLlEcHT5jnXOxPQAYLOL50ASXUPIcLpFV8eLxcw:
   404

What does this type mean?

Yes, I realized that I would have a lot of trouble using AL2023, so I created another instance in Ubuntu.
Now the certbot installation was very easy :sweat_smile:

So my requests would be directed to this domain (for example, sending an HTTP POST request to brasens.com/login instead of ec2-3-123-456-789.compute-1.amazonaws.com:8080/login)?
What about my web software which is on this domain?

My web software is being deployed by Vercel, from the git repository; it's a React application.
Here at Vercel they have also generated an SSL certificate for the web application via Let's Encrypt.
And there are also some DNS settings.

To configure the server, I need to provide the certificate details:

server.port=8443
server.ssl.key-store=classpath:keystore.jks
server.ssl.key-store-password=secret
server.ssl.key-password=another-secret

Nothing special. It is just the category of error. Almost all are this category.

I don't understand your question. But an example is to set up a DNS A record for a domain name like ec2.brasens.com and use the public IP for that EC2 as the value.

You can then run Certbot on that EC2 and get a cert for ec2.brasens.com. First test using https://letsdebug.net

Once you have the cert, use a URL like https://ec2.brasens.com to connect to it using HTTPS. If you must add a port then do it; otherwise it comes in on port 443, the default for HTTPS.

It sounds like the EC2 instance is a "back end" service rather than the "front end". If I misunderstand please be more specific. Thanks

3 Likes
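As an added example (not Certbot's, Let's Encrypt's or any poster's code), a small pre-flight check for the points made in the reply above and in the earlier reply about A/AAAA records and port 80: it resolves the name, publishes a token under the webroot, and fetches it over plain HTTP, reporting the three failure classes this thread shows (no DNS records, port 80 unreachable, and a 404 from a host that is not the machine Certbot runs on). The name ec2.brasens.com and the webroot /var/www/html in the usage line are assumptions; the resolver and probe are injectable so the logic can be exercised offline with constructed answers.

```python
import os
import socket
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"

def publish_token(webroot, token, body):
    """Write the token file where a webroot-based HTTP-01 responder would serve it."""
    path = os.path.join(webroot, CHALLENGE_DIR, token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(body)
    return path

def resolve_addresses(name):
    """A/AAAA addresses for name; empty set on NXDOMAIN or when no address record exists."""
    try:
        infos = socket.getaddrinfo(name, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def probe_http(url):
    """Plain-HTTP GET (port 80, as HTTP-01 requires): (status, body), or (None, '') if unreachable."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (urllib.error.URLError, OSError):
        return None, ""

def preflight(name, body, token="preflight", resolve=resolve_addresses, probe=probe_http):
    """Return a list of findings; an empty list means the name resolves and the token is served."""
    addrs = resolve(name)
    if not addrs:
        return [f"dns: no A/AAAA records for {name} (Certbot reports this as Type: dns)"]
    where = ", ".join(sorted(addrs))
    status, got = probe(f"http://{name}/{CHALLENGE_DIR}/{token}")
    if status is None:
        return [f"connect: port 80 not reachable on {name} ({where})"]
    if status != 200 or got.strip() != body:
        return [f"unauthorized: {name} returned {status} for the token; the host at {where} "
                "is not the machine serving this webroot"]
    return []

if __name__ == "__main__":
    import sys
    name, webroot = sys.argv[1], sys.argv[2]  # assumed: ec2.brasens.com /var/www/html
    publish_token(webroot, "preflight", "preflight-ok")
    print(preflight(name, "preflight-ok") or "ok: HTTP-01 looks feasible from here")
```

Run it on the machine Certbot will run on; a 404 from a different IP than that machine's own address means the name is still pointed at another host (a Vercel or Hostinger front end here), which is exactly what the ACME server reported as Type: unauthorized.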

Okay! It worked! I was able to generate the certificate at ec2.brasens.com
This domain points to an elastic IP of my EC2 instance. After running certbot with the DNS challenge I was able to generate the certificate.
I put it in the spring application and it started correctly on port 8443.

Only one more problem: I can't make requests to it. Always TIME_OUT

ubuntu@:~/mspm-backend/target$ java -jar msmp-http-0.0.1-SNAPSHOT.jar

  .   ____          _            __ _ _
 /\\ / ___'_ __ _ _(_)_ __  __ _ \ \ \ \
( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
 \\/  ___)| |_)| | | | | || (_| |  ) ) ) )
  '  |____| .__|_| |_|_| |_\__, | / / / /
 =========|_|==============|___/=/_/_/_/
 :: Spring Boot ::                (v2.6.3)

2024-03-27 15:53:59.822  INFO 2911 --- [           main] com.brasens.main.BrasensRest             : Starting BrasensRest v0.0.1-SNAPSHOT using Java 11.0.22 on ip-172-31-21-105 with PID 2911 (/home/ubuntu/mspm-backend/target/msmp-http-0.0.1-SNAPSHOT.jar started by ubuntu in /home/ubuntu/mspm-backend/target)
2024-03-27 15:53:59.830  INFO 2911 --- [           main] com.brasens.main.BrasensRest             : The following profiles are active: prod
2024-03-27 15:54:03.042  INFO 2911 --- [           main] .s.d.r.c.RepositoryConfigurationDelegate : Bootstrapping Spring Data JPA repositories in DEFAULT mode.
2024-03-27 15:54:03.428  INFO 2911 --- [           main] .s.d.r.c.RepositoryConfigurationDelegate : Finished Spring Data repository scanning in 368 ms. Found 14 JPA repository interfaces.
2024-03-27 15:54:05.221  INFO 2911 --- [           main] o.s.b.w.embedded.tomcat.TomcatWebServer  : Tomcat initialized with port(s): 8443 (https)
2024-03-27 15:54:05.250  INFO 2911 --- [           main] o.apache.catalina.core.StandardService   : Starting service [Tomcat]
2024-03-27 15:54:05.250  INFO 2911 --- [           main] org.apache.catalina.core.StandardEngine  : Starting Servlet engine: [Apache Tomcat/9.0.56]
2024-03-27 15:54:05.416  INFO 2911 --- [           main] o.a.c.c.C.[Tomcat].[localhost].[/]       : Initializing Spring embedded WebApplicationContext
2024-03-27 15:54:05.417  INFO 2911 --- [           main] w.s.c.ServletWebServerApplicationContext : Root WebApplicationContext: initialization completed in 5435 ms
2024-03-27 15:54:06.928  INFO 2911 --- [           main] o.hibernate.jpa.internal.util.LogHelper  : HHH000204: Processing PersistenceUnitInfo [name: default]
2024-03-27 15:54:07.076  INFO 2911 --- [           main] org.hibernate.Version                    : HHH000412: Hibernate ORM core version 5.6.4.Final
2024-03-27 15:54:07.463  INFO 2911 --- [           main] o.hibernate.annotations.common.Version   : HCANN000001: Hibernate Commons Annotations {5.1.2.Final}
2024-03-27 15:54:07.745  INFO 2911 --- [           main] com.zaxxer.hikari.HikariDataSource       : HikariPool-1 - Starting...
2024-03-27 15:54:08.598  INFO 2911 --- [           main] com.zaxxer.hikari.HikariDataSource       : HikariPool-1 - Start completed.
2024-03-27 15:54:08.641  INFO 2911 --- [           main] org.hibernate.dialect.Dialect            : HHH000400: Using dialect: org.hibernate.dialect.PostgresPlusDialect
2024-03-27 15:54:10.936  INFO 2911 --- [           main] org.hibernate.tuple.PojoInstantiator     : HHH000182: No default (no-argument) constructor for class: com.brasens.main.security.PasswordResetToken (class must be instantiated by Interceptor)
2024-03-27 15:54:11.653  INFO 2911 --- [           main] o.h.e.t.j.p.i.JtaPlatformInitiator       : HHH000490: Using JtaPlatform implementation: [org.hibernate.engine.transaction.jta.platform.internal.NoJtaPlatform]
2024-03-27 15:54:11.664  INFO 2911 --- [           main] j.LocalContainerEntityManagerFactoryBean : Initialized JPA EntityManagerFactory for persistence unit 'default'
2024-03-27 15:54:12.957  WARN 2911 --- [           main] JpaBaseConfiguration$JpaWebConfiguration : spring.jpa.open-in-view is enabled by default. Therefore, database queries may be performed during view rendering. Explicitly configure spring.jpa.open-in-view to disable this warning
2024-03-27 15:54:13.673  INFO 2911 --- [           main] f.a.AutowiredAnnotationBeanPostProcessor : Autowired annotation should only be used on methods with parameters: public void com.brasens.main.cronjobs.Scheduler.check()
2024-03-27 15:54:14.086  INFO 2911 --- [           main] o.s.s.web.DefaultSecurityFilterChain     : Will secure any request with [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@7df6d663, org.springframework.security.web.context.SecurityContextPersistenceFilter@15639d09, org.springframework.security.web.header.HeaderWriterFilter@577bf0aa, org.springframework.web.filter.CorsFilter@13d019a4, org.springframework.security.web.authentication.logout.LogoutFilter@6acffb2d, com.brasens.main.security.AuthenticationFilter@2c30c81d, com.brasens.main.security.AuthValidation@415a3f6a, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@52bd9a27, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@73ca34e7, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@a54acec, org.springframework.security.web.session.SessionManagementFilter@7634f2b, org.springframework.security.web.access.ExceptionTranslationFilter@50b46e24, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@531ec978]
2024-03-27 15:54:15.350  INFO 2911 --- [           main] o.s.b.a.e.web.EndpointLinksResolver      : Exposing 1 endpoint(s) beneath base path '/actuator'
2024-03-27 15:54:15.769  INFO 2911 --- [           main] o.s.b.w.embedded.tomcat.TomcatWebServer  : Tomcat started on port(s): 8443 (https) with context path ''
2024-03-27 15:54:15.817  INFO 2911 --- [           main] com.brasens.main.BrasensRest             : Started BrasensRest in 17.548 seconds (JVM running for 19.09)

I don't know if this could be caused by some missing setting in Spring.

1 Like