Create new certificate Failure


#1

My domain is: jira.c-e.com

I ran this command: sudo certbot certonly -a webroot --webroot-path=/var/www/html/jira -d jira.c-e.com -d jira.lowe-ce.com

It produced this output:

My web server is (include version): Apache 2.4.6

The operating system my web server runs on is (include version): RHEL 7.5

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The web server resides in our DMZ. Domain jira.c-e.com has a DMZ IP address of 10.197.191.236, which was verified by running the dig jira.c-e.com A command.
Externally, jira.c-e.com DNS is 170.200.78.236. External traffic for jira.c-e.com is NAT’d to the DMZ address 10.197.191.236.

When I run the certbot certonly command, I assume that certbot fails because (internally) jira.c-e.com A record points to the private IP address.

I assume this is a common configuration for web servers. How do I work around this configuration to generate a certificate?
Thank you very much for any help you can provide.


#2

Hi @david.livelsberger

normally, such a configuration should work.

http://jira.c-e.com/secure/Dashboard.jspa

works. Can you create a file test

http://jira.c-e.com/.well-known/acme-challenge/test

so that we can test it?

jira.lowe-ce.com - there is no A and no AAAA record, so the http-01 challenge can’t work.

Perhaps (first step): Use the test / stage system and create a certificate with jira.c-e.com as name (only one name).


#3

Thank you for your help.
I will only create a certificate for jira.c-e.com
When I went to document root, I noticed that Certbot didn’t create the .well-known file. For testing purposes, should I create it? Are there instructions somewhere for creating this test file?


#4

When Certbot runs, it creates the .well-known directory if necessary. If it doesn’t exist, it sounds like Certbot hasn’t been run with that web root.

Certbot automatically creates and deletes the acme-challenge directory, so it’s normal for that not to exist.


#5

Thank you. How do I configure this so that I can test at http://jira.c-e.com/.well-known/acme-challenge/test?


#6

That was meant to be @JuergenAuer’s question to you—can you create this file yourself without using Certbot?


#7

Attachments: nslookup results.txt, letsencrypt.log.txt

I have created the directory for the test and I get a 404 error.
http://jira.c-e.com/.well-known/acme-challenge/test.txt
I ran the certbot command with verbose and dry-run arguments. The results are attached. I also ran nslookup from the server. Note the difference between our “internal” DNS and public DNS.


#8

Did you create a test.txt file yourself? That’s what @JuergenAuer was asking for. It’s not something that Certbot would do, but a task for you to make sure that your configuration currently works the way that you expect and the way that Certbot will expect.


#9

Your internal IP-addresses are irrelevant. From outside, I can load your website, so the Letsencrypt-Check has also access to /.well-known/acme-challenge/file-with-a-very-long-token-as-filename

But it’s important to know if there is a file restriction or other problems (suboptimal redirects). So it’s helpful if you create a file manually, post the name and we can check this.


#10

Yes, I did create test.txt. I am including below the file structure.

[name@detcewawp01 acme-challenge]# pwd
/var/www/html/jira/.well-known/acme-challenge
[root@detcewawp01 acme-challenge]# ls -alt
total 0
-rw-r--r-- 1 apache apache 0 Jun 26 12:42 test.txt


#11

http://jira.c-e.com/.well-known/acme-challenge/test.txt returns an “Oops, you’ve found a dead link. - JIRA” 404 Not Found page.

Are you sure that that’s the right directory, and files in that directory get served directly, instead of handled by JIRA’s backend?
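If Apache is reverse-proxying the whole site to JIRA, the challenge path has to be excluded from proxying and served from the webroot given to certbot. This is an added example, not configuration from the thread; it assumes mod_proxy with JIRA listening on 127.0.0.1:8080 and the webroot /var/www/html/jira from the certbot command above.

```apache
# Added example (not from the thread). Assumed: JIRA backend on 127.0.0.1:8080,
# webroot /var/www/html/jira as passed to certbot via --webroot-path.
<VirtualHost *:80>
    ServerName jira.c-e.com

    # Serve challenge files straight from the directory certbot writes into.
    Alias /.well-known/acme-challenge/ /var/www/html/jira/.well-known/acme-challenge/
    <Directory "/var/www/html/jira/.well-known/acme-challenge/">
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    # Exclude the challenge path from the proxy. mod_proxy checks ProxyPass
    # directives in configuration order, so this must come before the catch-all.
    ProxyPass /.well-known/acme-challenge/ !

    # Everything else is handed to JIRA, which is why test.txt returned JIRA's 404.
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

After `apachectl configtest` and a reload, the manually created test.txt should be returned by Apache itself rather than by JIRA's dead-link page, and the certbot --dry-run can be repeated.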


#12

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.