Error getting SSL certificates with Nginx, raspbian

Help
1

Hello,

Ive been stuck on this problem for over a week now and im really curious what the problem is here. If i have to post anymore info let me know. Thanks for atleast reading.

My domain is: dgmicha.com

I ran this command: sudo /etc/letsencrypt/certbot-auto certonly --agree-tos --webroot -w /data/mysite.com/www -d mysite.com -d www.mysite.com -d mail.mysite.com -d srv01.mysite.com

It produced this output:

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for dgmicha.com
http-01 challenge for www.dgmicha.com
Using the webroot path /data/dgmicha.com/www for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. dgmicha.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.dgmicha.com/.well-known/acme-challenge/f5hDG8bpQyW-fRehqSjRLSj8oUP7gi 89iXEHVtW5kgE: Error getting validation data, www.dgmicha.com (http-01): urn:acm e:error:connection :: The server could not connect to the client to verify the d omain :: Fetching http://www.dgmicha.com/.well-known/acme-challenge/l9-qWh-ATJim AniVgqxaHfDBeb2CiXTypsKN30k9GlE: Error getting validation data

IMPORTANT NOTES:

  • If you lose your account credentials, you can recover through
    e-mails sent to myemail@gmail.com.

  • The following errors were reported by the server:

    Domain: dgmicha.com
    Type: connection
    Detail: Fetching
    http://www.dgmicha.com/.well-known/acme-challenge/f5hDG8bpQyW-fRehqSjRLSj8oUP 7gi89iXEHVtW5kgE:
    Error getting validation data

    Domain: www.dgmicha.com
    Type: connection
    Detail: Fetching
    http://www.dgmicha.com/.well-known/acme-challenge/l9-qWh-ATJimAniVgqxaHfDBeb2 CiXTypsKN30k9GlE:
    Error getting validation data

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.

My web server is (include version): Nginx

The operating system my web server runs on is (include version): Raspbian (Debian)

My hosting provider, if applicable, is: namecheap.com

I can login to a root shell on my machine (yes or no, or I don’t know): yes

2

Hello,

Your web server does not give an HTTP response to basically any query except index:

$ curl -vvv -i http://www.dgmicha.com/any-url
*   Trying 198.54.117.216...
* TCP_NODELAY set
* Connected to www.dgmicha.com (198.54.117.216) port 80 (#0)
> GET /any-url HTTP/1.1
> Host: www.dgmicha.com
> User-Agent: curl/7.55.1
> Accept: */*
> 
* Empty reply from server
* Connection #0 to host www.dgmicha.com left intact
curl: (52) Empty reply from server
3

It looks like http://dgmicha.com/ is using Namecheap URL forwarding, and http://www.dgmicha.com/ is using Namecheap domain parking.

You should have A/AAAA records pointing at your web server to use HTTP-01 validation.

5

At the very least, you would need to remove that CNAME record, as it is preventing your A record from working.

You may also want to change the @ record to also be an A record to your IP address, but it might not be totally necessary for Certbot to work.

7

The new www. record looks okay, though your web server doesn’t seem to be actually accessible at the moment. Is 81.245.176.79 the right IP?

You currently have no A record for the base domain (dgmicha.com), so you will need to add one, in a similar way to www..

9

Your A record is not working for dgmicha.com, it is only working for www.dgmicha.com. Can you take another screenshot of the DNS manager?

11

Looks like the A record for dgmicha.com. is working now :slight_smile: .

The next steps would be:

  • Make sure your web server is accessible from the internet. At the moment, http://81.245.176.79 does not load (no route to host). This will be either due to firewall rules, or because your web server is not running.
  • Once you have confirmed the web server is running, try run the certbot certonly command again.
13

I don’t know, sorry.

‘No route to host’ usually indicates a firewall issue. Maybe your residential ISP (Belgacom) blocks port 80, maybe your router is not forwarding traffic from port 80 to your web server.

Let’s Encrypt won’t be able to give you a certificate using http-01 unless you can solve it.

$ curl -i -vvv 81.245.176.79
* Rebuilt URL to: 81.245.176.79/
*   Trying 81.245.176.79...
* TCP_NODELAY set
* connect to 81.245.176.79 port 80 failed: No route to host
* Failed to connect to 81.245.176.79 port 80: No route to host
* Closing connection 0
curl: (7) Failed to connect to 81.245.176.79 port 80: No route to host

You can alternatively use dns-01 validation to get your certificate, by using --preferred-challenges dns-01 instead of --webroot -w /data/mysite.com/www in your command.

This would allow you to work around the problem of your web server not being accessible from the internet.

15

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.