Error generating cert

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ahmaguinee.com

I ran this command: root@ahmawordpress:/etc/nginx/sites-available# sudo certbot certonly --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated) (Enter ‘c’ to cancel): ahmaguinee.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for ahmaguinee.com
Waiting for verification…
Challenge failed for domain ahmaguinee.com
http-01 challenge for ahmaguinee.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

1 Like

Hi,

A 503 error generally means your web server can’t handle that much traffic (from my understanding).
Can you check your server load and try to see if it’s extremely high?

Your whole site is showing HTTP error 503 now, so there’s not that much I can see.

The site uses CloudFlare CDN, so I don’t think there is any issue with the “system”.
I think the problem is in the configuration.
The cert I see, although from CloudFlare, is not for the site name being requested:

2 Likes

[image: screenshot of the certificate served for the site]

1 Like

You’re onto something.

I think the site is not using the Cloudflare CDN, but it is using a Cloudflare Origin Certificate.

A Cloudflare Origin Certificate is what you install on your origin server when you want to secure communication between your origin and the Cloudflare network. (https://support.cloudflare.com/hc/en-us/articles/115000479507-Managing-Cloudflare-Origin-CA-certificates)

That is a sign that the site used to use the Cloudflare CDN, and then somebody switched off the CDN part in the Cloudflare control panel.

What I’d like to know, is what the 104.50.10.241 server is. It is not listening with nginx on 80/443 (because there is no Server response header). Is it your server @dialloamadou? Do you recognize that IP?

1 Like

@dialloamadou is my GitHub. All 80/443 is redirected to pfSense. I have four domains that all share the same IP.

1 Like

What webserver is running on pfSense machine that the ports are forwarded to?

Is it haproxy or something?

You can check with:

sudo ss -tlnp | grep -E ":(80|443)"

If it is haproxy, the 503 means that haproxy is unable to talk to your nginx server. You should resolve that connectivity issue, and then you can try Certbot again.

1 Like

ok let me clarify since you are helping me.
I have pfSense, and HAProxy is the one that redirects all my connections. I have an Unraid server running an Ubuntu Server VM. I installed nginx on it and I want to get a certificate for it so I can host WordPress, and that is where I am getting the error.

1 Like

OK.

In your situation, haproxy is terminating SSL for you.

This means that you need to issue and install the SSL certificate for ahmaguinee.com on the haproxy server, not on the nginx server.

The only way you can do SSL on the nginx server is either by having a second public IP address, or changing haproxy to TCP mode and using SSL prereading (which is quite complex).

Either way, you need to first fix the haproxy->nginx reverse proxy setup, because it is not working. The HTTP 503 is happening because haproxy has not been correctly configured with the nginx backend.

1 Like

Any suggestion on how to do it?

1 Like

Posting your haproxy configuration would be a good start.

1 Like

I have no setup where haproxy has a relation with nginx. haproxy is only servicing my other Docker apps. nginx is only installed on the Ubuntu server on a different VM.

1 Like

I don’t know what to tell you. The two are clearly related because haproxy is answering my traffic when I connect to ahmaguinee.com. If you don’t believe me, I can’t really help.

1 Like

How do I get the info you need? I am using haproxy on pfSense.

1 Like

How do you configure haproxy normally?

Usually if by file, it is stored in the file /etc/haproxy/haproxy.cfg.

If you configure it by user interface, maybe take a screenshot of that.

1 Like

I have to do a screenshot of the specific config you will need to see. I don’t have /etc/haproxy…
And yes, all my 4 domains will land you on haproxy because they all share the same IP address.

This is the same reason you cannot use the SSL certificate on your nginx server.

haproxy doesn’t exactly “redirect” the connections. What it does (with the way you’ve set it up) is decode the HTTP requests, look at the domain name to see where the request should go, and then re-dispatch them to your other servers.

Because SSL traffic is encrypted, haproxy can’t decode the port 443 traffic, and therefore doesn’t know where to forward the traffic. The only way it can figure out where to send the traffic is if haproxy is the one which is doing the SSL encryption, which allows it to decrypt it and figure out where to send it.

Therefore, the SSL for all 4 domains must be performed on the pfSense/haproxy server. This means that you must create and use the certificates on the pfSense/haproxy server.

I hope that makes sense.

2 Likes
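To make the two arrangements described in this thread concrete (certificates terminated on the pfSense/haproxy host with routing by Host header, versus the "TCP mode with SSL prereading" alternative mentioned earlier), here is an added example haproxy.cfg. It is not from the thread and not the file the pfSense HAProxy package generates from its web UI; it expresses the same directives that UI would produce. The backend addresses 192.168.1.10 (nginx/WordPress VM) and 192.168.1.20 (other Docker apps) and the certbot port 8888 are constructed placeholders.

```haproxy
# Added example config (not from the thread, not the pfSense-generated file).
# Assumptions: nginx/WordPress VM at 192.168.1.10, other Docker apps at
# 192.168.1.20 (both constructed placeholders), certbot run on this host.

global
    log /dev/log local0

defaults
    log     global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# ---- Arrangement 1: haproxy terminates TLS (what the thread recommends) ----

frontend http_in
    bind *:80
    mode http
    # HTTP-01 validation must reach the host that runs certbot, i.e. this one.
    # Assumes certbot is run here as:
    #   certbot certonly --standalone --http-01-port 8888 -d ahmaguinee.com
    acl is_acme path_beg /.well-known/acme-challenge/
    use_backend acme_local if is_acme
    # Everything else is sent to HTTPS.
    http-request redirect scheme https code 301 unless is_acme

frontend https_in
    # The cert+key PEM files for all four domains live in this directory,
    # on the haproxy host, not on nginx.
    bind *:443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1
    mode http
    http-request set-header X-Forwarded-Proto https
    # Routing is only possible here because the request is already decrypted.
    acl host_wp hdr(host) -i ahmaguinee.com www.ahmaguinee.com
    use_backend nginx_wp if host_wp
    default_backend docker_apps

backend acme_local
    mode http
    server certbot 127.0.0.1:8888

backend nginx_wp
    mode http
    # "check" makes haproxy health-check the VM. If no server in the backend
    # is up, haproxy answers 503, which is the symptom seen in this thread.
    server wp 192.168.1.10:80 check

backend docker_apps
    mode http
    server apps 192.168.1.20:80 check

# ---- Arrangement 2: TCP mode with SNI prereading (the "quite complex" path) ----
# Replaces https_in when the certificate must stay on nginx. haproxy never
# decrypts: it reads the unencrypted SNI from the TLS ClientHello, picks a
# backend, and forwards the raw TCP stream, so nginx does the TLS itself.
# The port-80 ACME path above would then have to point at the nginx VM too,
# since certbot --nginx would run there.

frontend https_passthrough
    # Bound to 8443 here only so both arrangements fit in one file;
    # use *:443 when this replaces https_in.
    bind *:8443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend nginx_wp_tls if { req.ssl_sni -i ahmaguinee.com }
    default_backend docker_apps_tls

backend nginx_wp_tls
    mode tcp
    server wp 192.168.1.10:443 check

backend docker_apps_tls
    mode tcp
    server apps 192.168.1.20:443 check
```

The two arrangements are mutually exclusive on port 443. In arrangement 1 the health check on `nginx_wp` is the thing to watch: a 503 from haproxy with the VM otherwise running usually means the backend address, port or firewall rule between pfSense and the VM is wrong, not anything on the Let's Encrypt side.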

Yes, and thank you. I just need to copy from pfSense to my Ubuntu server.

Thank you all. I found my solution. I had to forward 80 and 443 to my server.

1 Like
