Error attempting to get SSL certificate for website

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

iwasframed.com

I ran this command:

sudo certbot --apache

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?


1: iwasframed.com
2: www.iwasframed.com


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for iwasframed.com
http-01 challenge for www.iwasframed.com
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. iwasframed.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://iwasframed.com/.well-known/acme-challenge/oMJzibgPa9Lmsis8MXml2uOG6gX8HxQxzxDsPJVDqXE: Error getting validation data, www.iwasframed.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.iwasframed.com/.well-known/acme-challenge/Gc1z27LEFo7y3CPNLJY_zWQgLtmfi7ZeDGVxosaMvck: Error getting validation data

IMPORTANT NOTES:

My web server is (include version):

Apache 2.4.38

The operating system my web server runs on is (include version):

Raspbian Linux 10 (Buster)

My hosting provider, if applicable, is:

Myself with a Raspberry Pi.

I can login to a root shell on my machine (yes or no, or I don't know):

Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 0.31.0

I have tried searching for help, but I just can't seem to figure out why I'm receiving the errors I'm receiving when attempting to generate SSL certificates for my www & non-www site. I'm hosting the web server myself, but I use Google Domains to manage my synthetic records with Dynamic DNS.

I did try creating the file with no extension, 123456789, and am able to access each file with this:

http://iwasframed.com/.well-known/acme-challenge/123456789
http://www.iwasframed.com/.well-known/acme-challenge/123456789

I appreciate any help you can provide me. I'm very new to this, so thank you in advance.

Mike

Looks like an IPv6 issue:

Hi @mikesanders

read your check result, some hours old - https://check-your-website.server-daten.de/?q=iwasframed.com

Only timeouts.

| Host | Type | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| iwasframed.com | A | | yes | 1 | 0 |
| | AAAA | | yes | | |
| www.iwasframed.com | A | | yes | 1 | 0 |
| | AAAA | 2600:1700:3b01:2a70:39f4:c006:5714:ae24 Visalia/California/United States (US) - AT&T Services, Inc. | yes | | |

Your non-www has no ip address, your www has one. But that doesn't work.

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://www.iwasframed.com/ 2600:1700:3b01:2a70:39f4:c006:5714:ae24 | -14 | | 10.050 | T |
| Timeout - The operation has timed out | | | | |
| https://www.iwasframed.com/ 2600:1700:3b01:2a70:39f4:c006:5714:ae24 | -14 | | 10.013 | T |
| Timeout - The operation has timed out | | | | |
| http://www.iwasframed.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 2600:1700:3b01:2a70:39f4:c006:5714:ae24 | -14 | | 10.043 | T |
| Timeout - The operation has timed out | | | | |

PS: If you want to create a certificate with non-www and www, first add a non-www AAAA entry.

Thank you for the reply, but I'm completely lost. I don't know what I'm doing wrong. I don't know what you mean by "Only timeouts" because there is no problem connecting to my website, or is that something else? If so, what do I fix?

This is because that's how Google Domains is doing it. Here's a screenshot of how I set it up with Google. Should I be doing it differently?

Thanks again. If I come off rambling it's just because I'm so new to this, then I may not know what to ask correctly.

Mike.

That's

only your internal connection.

External - your website isn't visible.

That's the reason you have to use online tools.

If an online tool can't connect to your website, Letsencrypt may not be able to connect and check your website.

@JuergenAuer Thank you so much!! I see exactly what you were trying to get across to me. I needed to create the appropriate resource record with my IP address. After I did that, then I was able to easily create the SSL certificates for my www & non-www domain.

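The check the replies describe, written as a small pre-flight script; this is an added example, not part of the original thread and not Certbot's own code. It flags any name with no A or AAAA record and any published address that does not accept connections on port 80. Assumptions: the function names are hypothetical, `getaddrinfo` uses the local resolver (an approximation of public DNS), and the script has to be run from a host outside your own network to mean anything.

```python
import socket

FAMILIES = {"A": socket.AF_INET, "AAAA": socket.AF_INET6}

def system_resolve(name, family):
    """Addresses the local resolver returns for name in one address family."""
    try:
        infos = socket.getaddrinfo(name, 80, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def tcp_connect(address, family, port=80, timeout=10):
    """True if a TCP connection to address:port succeeds within timeout."""
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((address, port))
        return True
    except OSError:
        return False

def preflight(names, resolve=system_resolve, connect=tcp_connect):
    """Map each name to the problems that would break an http-01 challenge."""
    report = {}
    for name in names:
        problems = []
        found = {rtype: resolve(name, fam) for rtype, fam in FAMILIES.items()}
        if not any(found.values()):
            problems.append("no A or AAAA record")
        # Check every published address, not just the one this host prefers.
        for rtype, addresses in found.items():
            for address in addresses:
                if not connect(address, FAMILIES[rtype]):
                    problems.append(f"{rtype} {address} unreachable on port 80")
        report[name] = problems
    return report

if __name__ == "__main__":
    import sys
    for name, problems in preflight(sys.argv[1:]).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

An empty problem list for every name you pass to `certbot` is the state to reach before requesting the certificate again.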