Error getting validation data

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy but only makes it harder for us to provide help.

My domain is: protect.paypoint.com.na

I ran this command: certbot certonly --standalone -d protect.paypoint.com.na

It produced this output:

```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Requesting a certificate for protect.paypoint.com.na
Performing the following challenges:
http-01 challenge for protect.paypoint.com.na
Waiting for verification...
Challenge failed for domain protect.paypoint.com.na
http-01 challenge for protect.paypoint.com.na

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: protect.paypoint.com.na
Type: connection
Detail: 13.244.158.132: Fetching http://protect.paypoint.com.na/.well-known/acme-challenge/C0WXRuGF9xML7_Nn4daE1J0nLAp52iJsS8bljllkaB0: Error getting validation data

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
```

My web server is (include version): nginx

The operating system my web server runs on is (include version): Rocky 9

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): direct access

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 3.2.0

The same command works perfectly with another domain but is failing for this one only.

Hi. Can you open your website from outside of your network? According to this, your website closes the connection unexpectedly.

Before trying to get a certificate you need to make sure your webserver operates correctly.

2 Likes

Hi Nekit,

With the IP address, I'm able to access the site. With the FQDN only, it's not loading properly.

Same result for the IP. Is the IP correct? It'd probably help if you shared your nginx config with nginx -T (note capital T). Decorate it with triple backticks like so:

```
<output of nginx -T>
```
2 Likes

Not using nginx.

Running Wazuh 4.11.0; the backend is a node application on port 443. With a similar setup on a different domain, certbot can register and get the certificate. Somehow I'm not able to identify why it fails on this server.

You claimed nginx in your initial post… I'm throwing in a towel. Not sure anyone on this forum has experience with this Wazuh thing, so you may be better served by support channels of this software of yours. Or wait for another volunteer to chime in.

2 Likes

Thanks Nekit!

I was trying with the certbot standalone authenticator & plugin option, without Apache or nginx installed on the server.

Only with this domain am I having an issue. I tested with a different domain on a similar setup and was able to generate an SSL certificate.

The --standalone method is difficult to debug because you need to keep Certbot running to test connection from the public internet.

A way to test this easier is to use these command options

```
certbot certonly --standalone --dry-run --debug-challenges -v -d (domain)
```

This command will show you the challenge URL to try from the public internet and the proper response. After showing you this it will say "Press Enter to Continue". DO NOT PRESS ENTER.

Leave it paused and use a different device to test connection. You can use a mobile phone with wifi disabled to use your carrier's network.

You do not have to use the full URL. Just try http://(yourdomain)

If the connection works, this shorter URL should return a response like the one below. Repeat this as needed while you modify your comms setup until it works.

```
ACME client standalone challenge solver
```
4 Likes

No changes!

While trying from a different network, I'm just getting ERR_EMPTY_RESPONSE from the server

That is partly good news in that you now have a good way to test the comms setup.

I see your DNS IP is for an AWS EC2 instance. Have you checked the EC2 Security Group to ensure port 80 is allowed inbound? Also check your VPC ACL Rules to ensure you are not blocking these inbound requests. And, if you have any other advanced AWS firewalls setup make sure they allow these requests.

Check everything in your o/s too like if you have firewalld setup

2 Likes

OS level firewall is not enabled.

In the EC2 security group, both ports 80 and 443 are allowed in the inbound rules. I am also able to telnet to ports 80/443.

Is Certbot --standalone still running?

Can you show output of this:

```
sudo ss -pant | grep -i listen | grep ':80'
```

Have you double-checked the IP in the DNS is your public IP? What does this show from that server?

```
curl -4 https://ifconfig.io
```

From the public internet? Or, just locally?

2 Likes

Using openssl to check port 443 I see below. Do you recognize that?

```
echo|openssl s_client -connect protect.paypoint.com.na:443
CONNECTED(00000003)
depth=0 CN = ip-10-0-14-115.ec2.internal
verify error:num=18:self-signed certificate
verify return:1
---
Certificate chain
 0 s:CN = ip-10-0-14-115.ec2.internal
   i:CN = ip-10-0-14-115.ec2.internal
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 16 07:30:48 2023 GMT; NotAfter: Aug 13 07:30:48 2033 GMT
```

Telnet to port 80 says I am talking with an nginx server. How is that involved? Is there some load balancer or similar active?

3 Likes
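The checks the thread walks through (compare the DNS A record with the server's own public IP, fetch http://(domain)/ from outside while certbot --standalone is paused and look for its banner, and inspect the certificate subject on port 443 the way the openssl s_client post does) gathered into one script. This is an added example, not code from the thread or from Certbot: `parse_subject_cn`, `diagnose` and `collect` are names chosen here, the external openssl/curl steps are the ones the thread already uses, and `own_public_ip` is assumed to be what `curl -4 https://ifconfig.io` printed on the server itself.

```python
import http.client
import re
import socket
import subprocess
import urllib.request

# Body that certbot --standalone serves at http://<domain>/ while it is paused.
STANDALONE_BANNER = "ACME client standalone challenge solver"


def parse_subject_cn(s_client_output):
    """Return the leaf certificate's CN from `openssl s_client` output (the ' 0 s:' line), or None."""
    m = re.search(r"^\s*0 s:.*?CN\s*=\s*([^,\n]+)", s_client_output, re.MULTILINE)
    return m.group(1).strip() if m else None


def diagnose(expected_host, dns_ip, own_public_ip, http_body, tls_subject_cn):
    """Turn already-collected observations into findings (pure function, so it is testable offline)."""
    findings = []
    if dns_ip != own_public_ip:
        findings.append(f"dns: {expected_host} resolves to {dns_ip}, but this host's public IP is {own_public_ip}")
    if http_body is None:
        findings.append("port 80: no usable HTTP response (refused, reset, empty reply or HTTP error)")
    elif STANDALONE_BANNER not in http_body:
        findings.append("port 80: answered, but not by Certbot's standalone server")
    if tls_subject_cn is not None and tls_subject_cn.lower() != expected_host.lower():
        findings.append(f"port 443: certificate subject is {tls_subject_cn!r}, not {expected_host!r}; "
                        "another machine is answering for this address")
    return findings


def collect(host, own_public_ip, timeout=5):
    """Live checks; run from a network outside the server's while certbot is paused.
    own_public_ip is assumed to be what `curl -4 https://ifconfig.io` printed on the server."""
    dns_ip = socket.gethostbyname(host)
    try:
        body = urllib.request.urlopen(f"http://{host}/", timeout=timeout).read().decode(errors="replace")
    except (OSError, http.client.HTTPException):  # refused, reset, ERR_EMPTY_RESPONSE-style replies, 4xx/5xx
        body = None
    proc = subprocess.run(["openssl", "s_client", "-connect", f"{host}:443"],
                          input="", capture_output=True, text=True, timeout=timeout + 10)
    return diagnose(host, dns_ip, own_public_ip, body, parse_subject_cn(proc.stdout))


if __name__ == "__main__":
    import sys
    print("\n".join(collect(sys.argv[1], sys.argv[2])) or "no findings")
```

Run as `python3 check.py protect.paypoint.com.na <server-public-ip>` from another network; a certificate subject such as the `ip-10-0-14-115.ec2.internal` seen above is the sign that the address is routed to a machine other than the one running certbot.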

Thanks @MikeMcQ!

It is an issue with the AWS elastic IP: even if I remove the association with the VM, I am able to telnet to both ports 80 and 443.

After replacing it with a new elastic IP, I was able to register & get the certificate.

2 Likes
