Error creating certificate

I am trying to create a certificate for a secure connection for the domain http://www.nace.network/. I am following this little tutorial https://gorails.com/guides/free-ssl-with-rails-and-nginx-using-let-s-encrypt but when executing ./letsencrypt-auto it shows me the following error:

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 1
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.nace.network
Using default addresses 80 and [::]:80 ipv6only=on for authentication.
Waiting for verification…
Challenge failed for domain www.nace.network
http-01 challenge for www.nace.network
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

I have verified that the domain name has been entered correctly and that the DNS A record contains the IP 52.33.85.110.

My application is made in Ruby on Rails 5 and is hosted on an AWS server.

What could be happening?

That is a red herring - ignore

Your problem is here:

Try placing a test file in the location you should find /.well-known/acme-challenge/ files.
See if you can reach it from the Internet.
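A way to script the check described in this reply, added here as an example (it is not code from the thread, from Certbot, or from the GoRails tutorial): it drops a probe file into the webroot's .well-known/acme-challenge/ directory, fetches it through the site's public name on port 80, and compares what came back with what is on disk. The webroot and base URL are arguments (the thread's own values would be /home/ubuntu/nace/public and http://www.nace.network); the function names and the probe body are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread, Certbot or the GoRails tutorial.
# It automates the check above: put a file where http-01 challenge files are
# served and confirm the public URL returns exactly that file.
# Assumptions: webroot and site URL are passed as arguments; the thread's own
# values would be /home/ubuntu/nace/public and http://www.nace.network.

# Create .well-known/acme-challenge/ under the webroot ($1), write a probe
# file named $2 with a constructed body, and print the file's full path.
write_probe() {
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir"
    printf 'probe-%s' "$2" > "$dir/$2"   # constructed body; ACME sets the real one
    printf '%s\n' "$dir/$2"
}

# Fetch the probe through the public URL ($1) by token name ($2) and print the
# body. Needs network access, so the test below does not call it. Because the
# request goes through the public name and port 80, anything sitting in front
# of nginx (a proxy or cache) is exercised too, which is what the CA's
# validation request sees.
fetch_probe() {
    curl -fsS --max-time 10 "$1/.well-known/acme-challenge/$2"
}

# Return 0 when the body served ($2) equals the file on disk ($1).
probe_matches() {
    expected=$(cat "$1")
    [ "$expected" = "$2" ]
}

# Usage: sh acme-probe.sh /home/ubuntu/nace/public http://www.nace.network
if [ "$#" -eq 2 ]; then
    token="acme-probe-$$"
    path=$(write_probe "$1" "$token")
    if body=$(fetch_probe "$2" "$token") && probe_matches "$path" "$body"; then
        echo "OK: $2/.well-known/acme-challenge/$token is served from $path"
    else
        echo "FAIL: the challenge path is not served from $1 (wrong vhost, or something other than nginx answers port 80)"
    fi
    rm -f "$path"
fi
```

Run the fetch from a different host if you can, or at least against the public hostname rather than localhost, so that the path the CA's validation request takes is the one being tested.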

@rg305 Thanks for responding, I was able to access the test file from the internet

Did you also get a cert?

I can’t access the certificate, it seems that it doesn’t exist, I’m looking in the folder .well-known/acme-challenge/ and I don’t see it

Only challenges go there.
[which are discards after use]

Please show:
./letsencrypt-auto certificates

Requesting to rerun ./letsencrypt-auto with root privileges…
./letsencrypt-auto has insecure permissions!
To learn how to fix them, visit Certbot-auto deployment best practices
/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/cryptography/hazmat/primitives/constant_time.py:26: CryptographyDeprecationWarning: Support for your Python version is deprecated. The next version of cryptography will remove support. Please upgrade to a release (2.7.7+) that supports hmac.compare_digest as soon as possible.
utils.PersistentlyDeprecated2018,
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: nace.network
Domains: nace.network www.nace.network
Expiry Date: 2019-10-25 12:56:10+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/nace.network/fullchain.pem
Private Key Path: /etc/letsencrypt/live/nace.network/privkey.pem
Certificate Name: www.nace.network
Domains: www.nace.network
Expiry Date: 2019-10-25 12:58:39+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/www.nace.network/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.nace.network/privkey.pem


Precisely what command did you originally run earlier? What was the complete output?

Do you have any idea why renewal might have stopped working in the last three months? Changes to the web server setup or configuration?

I have no idea why it stopped working; I have not made changes to the web server setup or configuration. The command I used was

./letsencrypt-auto

and when I execute it the following appears

Requesting to rerun ./letsencrypt-auto with root privileges…
./letsencrypt-auto has insecure permissions!
To learn how to fix them, visit Certbot-auto deployment best practices
/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/cryptography/hazmat/primitives/constant_time.py:26: CryptographyDeprecationWarning: Support for your Python version is deprecated. The next version of cryptography will remove support. Please upgrade to a release (2.7.7+) that supports hmac.compare_digest as soon as possible.
utils.PersistentlyDeprecated2018,
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?


1: www.nace.network


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 1
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.nace.network
Using default addresses 80 and [::]:80 ipv6only=on for authentication.
Waiting for verification…
Challenge failed for domain www.nace.network
http-01 challenge for www.nace.network
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

So Certbot’s trying to use its nginx plugin, but things aren’t working out somehow.

Can you post the Nginx virtual host for www.nace.network?

Looking at the website’s headers, Varnish and Phusion Passenger seem to be involved. What’s listening on port 80? Nginx?

I don’t remember how much detail /var/log/letsencrypt/letsencrypt.log includes, but does it show that Certbot has found and is modifying the correct virtual host?

@mnordhoff This is the nginx file left by the previous programmer:

server {
    listen 8080 default_server;
    listen [::]:8080 default_server ipv6only=on;

    server_name www.nace.network;
    passenger_enabled on;
    rails_env production;
    root /home/ubuntu/nace/public;

    # redirect server error pages to the static page /50x.html
    error_page   500 502 503 504  /50x.html;

    location / {
            deny 46.229.168.0;
            deny 51.68.152.0;
    }

    location = /50x.html {
            root   html;
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/www.nace.network/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/www.nace.network/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

}

With this command, netstat -tulpn | grep :80, it seems that port 80 is not listening to anything:
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 14206/nginx: worker
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp6 0 0 :::8080 :::* LISTEN 14206/nginx: worker
tcp6 0 0 :::80 :::* LISTEN -

What if you run netstat with sudo?

netstat throws this

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 ip-172-31-0-204.us:http crawl-66-249-73-3:41666 TIME_WAIT
tcp 0 0 ip-172-31-0-204.us-:ssh 190-36-56-91.dyn.:34172 ESTABLISHED
tcp 32 0 ip-172-31-0-204.u:50467 s3-1.amazonaws.co:https CLOSE_WAIT
tcp 0 0 localhost:http-alt localhost:33718 ESTABLISHED
tcp 0 0 ip-172-31-0-204.us:http crawl-66-249-73-3:37131 TIME_WAIT
tcp 0 0 localhost:33718 localhost:http-alt ESTABLISHED
tcp 0 200 ip-172-31-0-204.us-:ssh 190-36-56-91.dyn.:58148 ESTABLISHED
udp 0 0 localhost:48471 localhost:48471 ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 11 DGRAM 9005 /dev/log
unix 3 STREAM CONNECTED 111532442 /var/run/dbus/system_bus_socket
unix 3 STREAM CONNECTED 7859 /var/run/dbus/system_bus_socket
unix 3 STREAM CONNECTED 111616119
unix 3 STREAM CONNECTED 8758 @/com/ubuntu/upstart
unix 3 STREAM CONNECTED 9015 /var/run/dbus/system_bus_socket
unix 3 STREAM CONNECTED 111615070
unix 3 STREAM CONNECTED 111310283
unix 2 DGRAM 111646618
unix 3 STREAM CONNECTED 111615027
unix 2 DGRAM 111646609
unix 3 STREAM CONNECTED 111615451
unix 3 STREAM CONNECTED 7846
unix 2 DGRAM 50695
unix 3 STREAM CONNECTED 111615064
unix 3 STREAM CONNECTED 7858
unix 3 STREAM CONNECTED 7489 @/com/ubuntu/upstart
unix 3 STREAM CONNECTED 111616553 /var/run/mysqld/mysqld.sock
unix 3 STREAM CONNECTED 111310287 /var/run/dbus/system_bus_socket
unix 3 STREAM CONNECTED 111309799
unix 3 STREAM CONNECTED 7288 @/com/ubuntu/upstart
unix 3 STREAM CONNECTED 111616118
unix 3 STREAM CONNECTED 111533314
unix 2 DGRAM 8094
unix 3 STREAM CONNECTED 111615068
unix 3 STREAM CONNECTED 8947 @/com/ubuntu/upstart
unix 2 DGRAM 10349
unix 3 STREAM CONNECTED 111615065
unix 3 STREAM CONNECTED 7474
unix 2 DGRAM 7888
unix 2 DGRAM 111659641
unix 3 STREAM CONNECTED 111615026
unix 3 DGRAM 8428
unix 3 STREAM CONNECTED 111310284
unix 3 STREAM CONNECTED 8959
unix 3 STREAM CONNECTED 111532439
unix 3 STREAM CONNECTED 1630
unix 2 STREAM CONNECTED 111646607
unix 3 STREAM CONNECTED 111615069
unix 3 STREAM CONNECTED 111532440
unix 3 DGRAM 8429
unix 3 STREAM CONNECTED 111615066
unix 3 STREAM CONNECTED 111615071
unix 3 STREAM CONNECTED 7907
unix 3 STREAM CONNECTED 7659
unix 3 STREAM CONNECTED 8960
unix 2 DGRAM 111310186
unix 2 STREAM CONNECTED 111659639
unix 2 DGRAM 111532301
unix 3 STREAM CONNECTED 111615067

I meant “sudo netstat -tulpn | grep :80”.

tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 9615/nginx
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1326/varnishd
tcp6 0 0 :::8080 :::* LISTEN 9615/nginx
tcp6 0 0 :::80 :::* LISTEN 1326/varnishd

So it’s Varnish!

It might work if you additionally pass “--http-01-port 8080” to Certbot, along with any other options you’re using.

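The diagnosis in this reply can be made from data rather than by eye. The script below is an added example (not code from the thread or from Certbot): it reads "netstat -tulpn" style output on stdin, reports which process owns the port-80 listener, and says whether Certbot's nginx authenticator needs --http-01-port pointed at nginx's own port. The function names and verdict strings are my own; the sample lines are constructed in the shape of the thread's own output, not a real capture.

```shell
#!/bin/sh
# Added example, not code from the thread or from Certbot. Reads
# "netstat -tulpn" style lines on stdin and reports who owns port 80, so the
# --http-01-port decision is based on what is actually listening.
# Function names and verdict strings are assumptions; the sample is constructed.

# Print the PID/Program column for every LISTEN socket on TCP port $1,
# accepting both "0.0.0.0:80" and ":::80" local-address forms.
listeners_on_port() {
    awk -v port="$1" '
        $6 == "LISTEN" {
            n = split($4, a, ":")            # port is the text after the last colon
            if (a[n] == port) {
                s = $7                       # program names may contain spaces
                for (i = 8; i <= NF; i++) s = s " " $i
                print s
            }
        }'
}

# Verdict for Certbot's nginx authenticator, given the port nginx listens on ($1):
# nginx on port 80 needs nothing extra; another daemon on port 80 means the
# challenge has to be served on nginx's own port via --http-01-port.
certbot_port_hint() {
    owner=$(listeners_on_port 80 | head -n 1)
    case "$owner" in
        "")       echo "nothing listens on port 80; fix the web server first" ;;
        -)        echo "port 80 owner hidden; rerun netstat with sudo" ;;
        *nginx*)  echo "port 80 is nginx; no --http-01-port needed" ;;
        *)        echo "port 80 is $owner; use --http-01-port $1" ;;
    esac
}

# Constructed sample in the thread's netstat shape (not a real capture).
sample_netstat() {
    cat <<'EOF'
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 9615/nginx
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1326/varnishd
tcp6 0 0 :::8080 :::* LISTEN 9615/nginx
tcp6 0 0 :::80 :::* LISTEN 1326/varnishd
EOF
}

# Usage: sudo netstat -tulpn | sh port-owner.sh 8080
# Without an argument the constructed sample is analysed instead.
if [ "$#" -eq 1 ]; then
    certbot_port_hint "$1"
else
    sample_netstat | certbot_port_hint 8080
fi
```

The "owner hidden" verdict covers the unprivileged case seen earlier in the thread, where netstat prints "-" instead of the process for sockets it cannot inspect.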

Thank you very much, friend. I was able to renew the certificate with your command; I executed it like this: ./letsencrypt-auto --http-01-port 8080


Something curious happens: if I try to access the page from Google, it sends me the alert that the site is not safe until I put https in the URL. Must I do something additional so that it is always accessed with https, or something?

You can (should) redirect http to https.

Something more or less like this should work:

RewriteEngine On
RewriteRule ^\.well-known\/acme-challenge\/ - [L]
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

actually something maybe more like:

  location / {
    return 301 https://$host$request_uri;
  }#location root

But your port 80 and port 443 configs look combined into one.
So I’m not sure how to tell just one config “go to the other config” when they are one and the same.
I would break them up in two, one for http and one for https.
And place the redirection only in the http config (block).

Something like this:

server {
    listen 8080 default_server;
    listen [::]:8080 default_server ipv6only=on;
    server_name www.nace.network;
    root /home/ubuntu/nace/public; #could maybe change this to dummy location like /nul
    location / {
        return 301 https://$host$request_uri;
    }#location
}#server
server {
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    server_name www.nace.network;
    passenger_enabled on;
    rails_env production;
    root /home/ubuntu/nace/public;
    # redirect server error pages to the static page /50x.html
    error_page   500 502 503 504  /50x.html;
    location / {
            deny 46.229.168.0;
            deny 51.68.152.0;
    }#location
    location = /50x.html {
            root   html;
    }#location
    ssl_certificate /etc/letsencrypt/live/www.nace.network/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/www.nace.network/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
}#server
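Once the split config above is in place, the redirect is worth checking from the outside rather than assumed. The script below is an added example (not code from the thread or from nginx): given the response headers of a plain-http request, as "curl -sI http://www.nace.network/path" prints them, it verifies a 301/302 to https://HOST/PATH with host and path preserved, and flags a redirect back to http:// (a loop) or no redirect at all. The hostname is the thread's; the header text in sample_headers is constructed, not a real capture, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from nginx. Checks the http->https
# redirect by inspecting response headers read from stdin.
# Assumptions: function names are my own; sample_headers is constructed.

# Status code from the first line of the headers on stdin.
redirect_status() {
    tr -d '\r' | awk 'NR == 1 { print $2; exit }'
}

# Value of the first Location header on stdin (empty if none).
redirect_location() {
    tr -d '\r' | awk 'tolower($1) == "location:" { print $2; exit }'
}

# Judge the headers on stdin for a request to host $1, path $2.
# Prints a verdict and returns 0 only for a correct https redirect.
judge_redirect() {
    host="$1"; path="$2"
    hdrs=$(tr -d '\r')
    status=$(printf '%s\n' "$hdrs" | redirect_status)
    loc=$(printf '%s\n' "$hdrs" | redirect_location)
    case "$status" in
        301|302|307|308) ;;
        *) echo "no-redirect ($status)"; return 1 ;;
    esac
    case "$loc" in
        "https://$host$path") echo "ok -> $loc" ;;
        http://*)             echo "loop -> $loc"; return 1 ;;
        *)                    echo "wrong-target -> $loc"; return 1 ;;
    esac
}

# Constructed sample response (not a real capture) for the default run.
sample_headers() {
    printf 'HTTP/1.1 301 Moved Permanently\r\nServer: nginx\r\nLocation: https://www.nace.network/\r\nConnection: keep-alive\r\n'
}

# Usage: sh check-redirect.sh www.nace.network /some/page
if [ "$#" -eq 2 ]; then
    curl -sI --max-time 10 "http://$1$2" | judge_redirect "$1" "$2"
else
    sample_headers | judge_redirect www.nace.network /
fi
```

A "loop" verdict means the http block is sending clients back to http://, which browsers will refuse after a few hops; "wrong-target" usually means $host or $request_uri was dropped from the return line. Certbot's nginx authenticator serves its challenge from a location block it inserts temporarily, so the catch-all return 301 in the port-8080 block does not stop renewals with --http-01-port 8080; if challenges were instead served from a webroot, /.well-known/acme-challenge/ would have to be excluded from the redirect, as the earlier rewrite snippet does.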