Create new certificate Failure

Help
1

My domain is: jira.c-e.com

I ran this command: sudo certbot certonly -a webroot --webroot-path=/var/www/html/jira -d jira.c-e.com -d jira.lowe-ce.com

It produced this output:

My web server is (include version): Apache 2.4.6

The operating system my web server runs on is (include version): RHEL 7.5

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The web server resides in our DMZ. Domain jira.c-e.com has a dmz IP address of 10.197.191.236 which was verified by running dig jira.c-e.com A command.
Externally, jira.c-e.com DNS is 170.200.78.236. External traffic for jira.c-e.com is NAT’d to the DMZ address 10.197.191.236

When I run the certbot certonly command, I assume that certbot fails because (internally) jira.c-e.com A record points to the private IP address.

I assume this is a common configuration for web servers. How do I workaround this configuration to generate a certificate?
Thank you very much for any help you can provide.

2

Hi @david.livelsberger

normally, such a configuration should work.

http://jira.c-e.com/secure/Dashboard.jspa

works. Can you create a file test

http://jira.c-e.com/.well-known/acme-challenge/test

so that we can test it?

jira.lowe-ce.com - there is no A- and no AAAA-record. So http-01 - challenge can't work.

Perhaps (first step): Use the test / stage system and create a certificate with jira.c-e.com as name (only one name).

3

Thank you for your help.
I will only create a certificate for jira.c-e.com
When I went to document root, I noticed that Certbot didn’t create the .well-known file. For testing purposes, should I create it? Are there instructions somewhere for creating this test file?

4

When Certbot runs, it creates the .well-known directory if necessary. If it doesn't exist, it sounds like Certbot hasn't been run with that web root.

Certbot automatically creates and deletes the acme-challenge directory, so it's normal for that not to exist.

5

Thank you. How do I configure this so that I can test at http://jira.c-e.com/.well-known/acme-challenge/test??

6

That was meant to be @JuergenAuer’s question to you—can you create this file yourself without using Certbot?

7

nslookup results.txt (443 Bytes)
letsencrypt.log.txt (16.8 KB)

I have created the directory for the test and I get 404 error.
http://jira.c-e.com/.well-known/acme-challenge/test.txt
I ran the certbot command with verbose and dry-run arguments. The results are attached. I also ran nslookup from the server. Note the difference between our “internal” DNS and public DNS.

8

Did you create a test.txt file yourself? That's what @JuergenAuer was asking for. It's not something that Certbot would do, but a task for you to make sure that your configuration currently works the way that you expect and the way that Certbot will expect.

9

Your internal IP-addresses are irrelevant. From outside, I can load your website, so the Letsencrypt-Check has also access to /.well-known/acme-challenge/file-with-a-very-long-token-as-filename

But it's important to know if there is no file-restriction or other problems (suboptimal redirects). So it's helpful if you create manual a file, post the name and we can check this.

10

Yes, I did create test.txt. I am including below the file structure.

[name@detcewawp01 acme-challenge]# pwd
/var/www/html/jira/.well-known/acme-challenge
[root@detcewawp01 acme-challenge]# ls -alt
total 0
-rw-r–r-- 1 apache apache 0 Jun 26 12:42 test.txt

11

http://jira.c-e.com/.well-known/acme-challenge/test.txt returns a “Oops, you’ve found a dead link. - JIRA” 404 Not Found page.

Are you sure that that’s the right directory, and files in that directory get served directly, instead of handled by JIRA’s backend?

12

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.