Error getting validation data - NGINX

Hi, this might look like a problem that has already been posted before, but unfortunately I didn't find any solution to help me. I am running a basic NGINX server configuration and have registered a domain name, and now I am learning how to make it HTTPS enabled. Unfortunately it doesn't proceed well. Here is the log:

"To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
2018-02-22 02:19:29,697:INFO:certbot.auth_handler:Cleaning up challenges
2018-02-22 02:19:30,868:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 11, in
load_entry_point('certbot==0.21.1', 'console_scripts', 'certbot')()
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1240, in main
return config.func(config, plugins)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 994, in run
certname, lineage)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 118, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 357, in obtain_and_enroll_certificate
certr, chain, key, _ = self.obtain_certificate(domains)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 318, in obtain_certificate
self.config.allow_subset_of_names)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 81, in get_authorizations
self._respond(resp, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 138, in _respond
self._poll_challenges(chall_update, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 202, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. www.animesh.life (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.animesh.life/.well-known/acme-challenge/6zxC37U_32D_bBVdJrxAYvg5lOcCpwON_CnJjE8XI9c: Error getting validation data"

Here is my default file under "sites-available" (the surrounding server block is shown here so the file is complete):

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    # SSL configuration
    #
    # listen 443 ssl default_server;
    # listen [::]:443 ssl default_server;
    #
    # Note: You should disable gzip for SSL traffic.
    # See: https://bugs.debian.org/773332
    #
    # Read up on ssl_ciphers to ensure a secure configuration.
    # See: https://bugs.debian.org/765782
    #
    # Self signed certs generated by the ssl-cert package
    # Don't use them in a production server!
    #
    # include snippets/snakeoil.conf;

    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;

    server_name animesh.life www.animesh.life;

    # Serve the site (and the /.well-known/acme-challenge/ files) from the webroot
    location / {
            try_files $uri $uri/ /index.html;
    }

    # Reverse proxy for an application listening on localhost:3001
    location /hello/ {
            proxy_pass http://127.0.0.1:3001;
    }

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #       include snippets/fastcgi-php.conf;
    #
    #       # With php7.0-cgi alone:
    #       fastcgi_pass 127.0.0.1:9000;
    #       # With php7.0-fpm:
    #       fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #       deny all;
    #}
}

Your DNS situation is a bit unclear.

www.animesh.life points to Namecheap’s parking page.

animesh.life has two records, one pointing to an Ubuntu/nginx server, and the other pointing to Namecheap’s URL forwarding service. So it will basically not work on a random basis.

You probably won't be able to issue a Let's Encrypt certificate until you figure out how you want this to be set up, and then do it.

I think you probably want www.animesh.life and animesh.life to both point to 139.59.60.5, but that’s up to you to decide.


Yeah, I went to Namecheap and in Advanced DNS I saw a CNAME pointing to some parking domain. I guess this is what you are referring to. I will remove this and try again. Will come back later today.

@_az Thanks so much for pointing out that problem. The validation passed and the certificate has been enabled.

I was thinking about how this problem can cause validation to fail. So if I understand correctly, the certificate authority tries to validate all DNS entries, in this case the A record, CNAME, etc.? Am I correct?

I'm not sure about the precise policy. The actual ACME spec says (in draft-03, under 7.2 HTTP):

As a domain may resolve to multiple IPv4 and IPv6 addresses, the
server will connect to at least one of the hosts found in A and AAAA
records, at its discretion

(this includes CNAME records, as they basically act as pointers to A/AAAA records).

Whether each record is always individually validated, I don't know. It doesn't look like it to me from the source code of Boulder (the server implementation), but I could be mistaken.

You're correct. We validate the first A/AAAA record, not all of them.

The order was probably randomized by Unbound? (If not by the authoritative DNS server as well.)

You're correct - I should have been more precise in my answer. Boulder picks the first A/AAAA record from the set of A/AAAA records returned by Unbound. I don't know how Unbound orders the records.
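A pre-flight check that follows the behaviour discussed in this thread: the CA's resolver follows CNAMEs to A/AAAA records and connects to one of them at its discretion, so every address each name resolves to must serve the challenge token. This is an added example, not certbot's or Boulder's own code; the injectable `resolve`/`fetch` functions and the 192.0.2.x addresses used in testing are constructed assumptions.

```python
import socket
import urllib.request
from typing import Callable, Dict, List

Resolver = Callable[[str], List[str]]
Fetcher = Callable[[str, str, str], str]

def resolve_addresses(name: str) -> List[str]:
    """All IPv4/IPv6 addresses of name; getaddrinfo follows CNAMEs, as a CA resolver does."""
    infos = socket.getaddrinfo(name, 80, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def fetch_challenge(addr: str, host: str, token: str) -> str:
    """GET the http-01 challenge file from one specific address, with the Host header set."""
    hostpart = f"[{addr}]" if ":" in addr else addr  # bracket IPv6 literals
    req = urllib.request.Request(
        f"http://{hostpart}/.well-known/acme-challenge/{token}", headers={"Host": host})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()

def preflight(names: List[str], token: str, expected: str,
              resolve: Resolver = resolve_addresses,
              fetch: Fetcher = fetch_challenge) -> Dict[str, List[str]]:
    """Per name, list reasons http-01 could fail. Every address a name resolves to
    must serve the token, because the CA may connect to any one of them."""
    problems: Dict[str, List[str]] = {}
    seen: Dict[str, List[str]] = {}
    for name in names:
        issues: List[str] = []
        try:
            addrs = resolve(name)
        except OSError as exc:
            addrs = []
            issues.append(f"DNS lookup failed: {exc}")
        if not addrs and not issues:
            issues.append("no A/AAAA records")
        seen[name] = addrs
        for addr in addrs:
            try:
                body = fetch(addr, name, token)
            except Exception as exc:  # refused, timeout, HTTP error, ...
                issues.append(f"{addr}: cannot fetch challenge ({exc})")
                continue
            if body.strip() != expected:
                issues.append(f"{addr}: served wrong content (parking page or other vhost?)")
        if issues:
            problems[name] = issues
    if len({tuple(a) for a in seen.values() if a}) > 1:
        problems.setdefault("*", []).append("names resolve to different address sets")
    return problems
```

Run it with the real resolver and fetcher after placing a test file under the webroot; an empty result means every address serves the token.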
