Domain issues: Issues that may prevent any certificate for this domain being issued

My domain is: www.viberchatbot.ga

I ran this command: sudo certbot --nginx

It produced this output:

sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: viberchatbot.ga
2: www.viberchatbot.ga
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Certificate not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/viberchatbot.ga.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate for viberchatbot.ga and www.viberchatbot.ga

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/viberchatbot.ga/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/viberchatbot.ga/privkey.pem
This certificate expires on 2022-09-18.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for viberchatbot.ga to /etc/nginx/sites-enabled/flask_app
Successfully deployed certificate for www.viberchatbot.ga to /etc/nginx/sites-enabled/flask_app
Your existing certificate has been successfully renewed, and the new certificate has been installed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

My web server is (include version): Flask 2.1.2

The operating system my web server runs on is (include version): Ubuntu 22.04 LTS

My hosting provider, if applicable, is: freenom.com

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.28.0

I am getting the following from letsdebug on my domain and www.domain:

Which is different from what I got a day ago:

DNS checkup for viberchatbot.ga is showing A records as Resolved

I have the following in my test.py:

from flask import Flask
app = Flask(__name__)

@app.route('/')
def hello_world():
    return 'Hello, World!'

if __name__ == "__main__":
    app.run(host="0.0.0.0",  debug=True)

and I start it with:
gunicorn3 --workers=3 test:app

I can access gunicorn3 with curl:
curl -il 127.0.0.1:8000
HTTP/1.1 200 OK
Server: gunicorn
Date: Mon, 20 Jun 2022 09:19:53 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 14

Hello, World!

I see from letsdebug that the request reaches my external address at 80 http 141.147.63.84 and is then forwarded to my 443 https but then I lose the connection.

I got a free domain from Freenom to test out hosting a server on ubuntu. Got the following settings:

Is there an issue with the certificate?
Adding text from LetsDebug so it will pop out in search queries:

[ANotWorking](https://letsdebug.net/viberchatbot.ga/1082596#ANotWorking-Error)

ERROR

viberchatbot.ga has an A (IPv4) record (141.147.63.84) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.

Get "https://viberchatbot.ga/.well-known/acme-challenge/letsdebug-test": dial tcp 141.147.63.84:443: connect: no route to host

Trace:
@0ms: Making a request to http://viberchatbot.ga/.well-known/acme-challenge/letsdebug-test (using initial IP 141.147.63.84)
@0ms: Dialing 141.147.63.84
@178ms: Server response: HTTP 301 Moved Permanently
@178ms: Received redirect to https://viberchatbot.ga/.well-known/acme-challenge/letsdebug-test
@178ms: Dialing 141.147.63.84
@266ms: Experienced error: dial tcp 141.147.63.84:443: connect: no route to host

[IssueFromLetsEncrypt](https://letsdebug.net/viberchatbot.ga/1082596#IssueFromLetsEncrypt-Error)

ERROR

A test authorization for viberchatbot.ga to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.

141.147.63.84: Fetching https://viberchatbot.ga/.well-known/acme-challenge/nCDFPuK8rJH09t8rjsRms66r-5FYbIg-UagkdYaPUbU: Error getting validation data

Adding clarification from previous LetsDebug that I was not able to add in initial post:

***Which is different from what I got a day ago:

Please don't keep renewing a perfectly fine certificate over and over again: if issuance of the certificate is not the issue, but something else is, it doesn't make sense to re-issue the certificate. Currently, you've issued four perfectly fine certificates already: crt.sh | viberchatbot.ga, which puts you at risk of running into rate limits.

The "no route to host" error is probably due to a firewall blocking access to port 443 as the ICMP response is coming directly from your IP address 141.147.63.84 while port 80 works nicely.

2 Likes

I had all 443 allowed from UFW; however, I guess it did not work until I restarted the whole instance from the Oracle cloud.

Everything is up and running now.
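
The diagnosis given in the reply above (port 80 answers, port 443 fails with "no route to host") can be confirmed from an outside machine by comparing how each TCP connect fails. This is an added example, not part of the thread; the function names are made up here, and the host to check is passed on the command line.

```python
import errno
import socket
import sys

# What each connect() outcome says about the path to the port.
CAUSES = {
    0: "open",
    errno.ECONNREFUSED: "closed (TCP RST: host reachable, nothing listening)",
    errno.EHOSTUNREACH: "rejected (ICMP unreachable, e.g. a firewall REJECT rule)",
    errno.ETIMEDOUT: "dropped (no reply, packets silently filtered)",
}

def probe(host, port, timeout=3.0):
    """Attempt one TCP connect; return 0 on success, else the errno."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return 0
    except socket.timeout:
        return errno.ETIMEDOUT
    except socket.gaierror:
        raise  # DNS failure is a different problem; do not report it as a port state
    except OSError as exc:
        return exc.errno

def describe(err):
    return CAUSES.get(err, f"other error ({errno.errorcode.get(err, err)})")

def compare_ports(results):
    """results maps port -> errno. Report failing ports, noting when another
    port on the same address is open (which points at a per-port rule)."""
    reachable = sorted(p for p, e in results.items() if e == 0)
    findings = []
    for port, err in sorted(results.items()):
        if err == 0:
            continue
        line = f"port {port}: {describe(err)}"
        if reachable and err in (errno.EHOSTUNREACH, errno.ETIMEDOUT):
            line += (f"; port {reachable[0]} on the same address is open, "
                     "so check per-port rules in the host firewall and "
                     "in any cloud-side filtering")
        findings.append(line)
    return findings

if __name__ == "__main__" and len(sys.argv) > 1:
    results = {p: probe(sys.argv[1], p) for p in (80, 443)}
    print("\n".join(compare_ports(results)) or "ports 80 and 443 are both open")
```

A "closed" result would instead mean the packets reach the machine and nothing is listening on 443, which points at the nginx configuration rather than at a firewall.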