Error in certificate


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: cimr-innovations.com

I ran this command: sudo certbot --nginx --staging

It produced this output:
Failed authorization procedure. mail.cimr-innovations.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://mail.cimr-innovations.com/.well-known/acme-challenge/9KSkkPGdoHYvro-UK_wbKLQU-LuuTpedbPsRgTMWttc: Connection reset by peer, cimr-innovations.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://cimr-innovations.com/.well-known/acme-challenge/Ci_xPpS2X5QKJO__iWVMk3nEfS9eqIh-mBVqmfbJCt4: Connection reset by peer

    Domain: mail.cimr-innovations.com
    Type:   connection
    Detail: Fetching
    http://mail.cimr-innovations.com/.well-known/acme-challenge/9KSkkPGdoHYvro-UK_wbKLQU-LuuTpedbPsRgTMWttc:
    Connection reset by peer

    Domain: cimr-innovations.com
    Type:   connection
    Detail: Fetching
    http://cimr-innovations.com/.well-known/acme-challenge/Ci_xPpS2X5QKJO__iWVMk3nEfS9eqIh-mBVqmfbJCt4:
    Connection reset by peer

My web server is (include version): nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 18.04

I can login to a root shell on my machine (yes or no, or I don’t know): YES!!!

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No, but I installed iRedMail, and on other servers before there was no problem.

I am using --staging because otherwise I get:

An unexpected error occurred:
    There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/

because I was trying for like 2 hours to solve this problem.


#2

Hi @Moralitos28

fetching the validation file

http://mail.cimr-innovations.com/.well-known/acme-challenge/9KSkkPGdoHYvro-UK_wbKLQU-LuuTpedbPsRgTMWttc

in a browser, there is a page with a JavaScript check, then a redirect.

Fetching this url directly, there is a “Connection closed”:

download http://mail.cimr-innovations.com/.well-known/acme-challenge/9KSkkPGdoHYvro-UK_wbKLQU-LuuTpedbPsRgTMWttc -h
Error (1): Die zugrunde liegende Verbindung wurde geschlossen: Unbekannter Fehler beim Empfangen…
ReceiveFailure
3
Von der Übertragungsverbindung können keine Daten gelesen werden: Eine vorhandene Verbindung wurde vom Remotehost geschlossen.

(it’s the same as your “Connection reset by peer”).

There is something that checks the client. Is it possible to remove that if the URL starts with

/.well-known/acme-challenge/

Are there rewrite rules or something else that does such things?

If this is not possible, you may use dns-01 validation instead of http-01 validation. Then you have to create a DNS TXT entry (in your domain nameserver settings)

_acme-challenge.mail.cimr-innovations.com

with a special value.

But: You have to change this value every 60 - 80 days, because Letsencrypt certificates are only valid for 90 days. So your DNS provider should have a supported API to automate that.


#3

Okay, how can I rm /.well-known/acme-challenge/?
I ran:
find / -name ".well-known" and it returns no info.
Sorry, I am new to this!


#4

@Moralitos28, @JuergenAuer doesn’t mean to delete this directory, but rather to create an exception to whatever part of your web server configuration is serving this JavaScript code.

There is something in your web server configuration that doesn’t allow this file to be served without a redirection or first interpreting a script. It might be something advertised as a DDoS prevention or scraping prevention service, and it’s not compatible with Let’s Encrypt’s validation.


#5

I am sorry, my config files are:

# /etc/nginx/sites-enabled
# Note: This file must be loaded before other virtual host config files,
#
# HTTP
server {
    # Listen on ipv4
    listen 80;

    # Listen on ipv6.
    # Note: this setting listens on both ipv4 and ipv6 with Nginx release
    #       shipped in some Linux/BSD distributions.
    #listen [::]:80;
    location ^~ /.well-known/acme-challenge/ {
        allow all;
        default_type "text/plain";
    }
    server_name _;
    return 301 https://$host$request_uri;
}

and

# ./ssl.config
# Note: This file must be loaded before other virtual host config files,
#
# HTTPS
server {
    listen 443;
    server_name mail.cimr-innovations.com cimr-innovations.com;

    root /var/www/html;
    index index.php index.html;
    location ^~ /.well-known/acme-challenge/ {
        allow all;
        default_type "text/plain";
    }
    include /etc/nginx/templates/misc.tmpl;
    include /etc/nginx/templates/ssl.tmpl;
    include /etc/nginx/templates/iredadmin.tmpl;
    include /etc/nginx/templates/roundcube.tmpl;
    include /etc/nginx/templates/sogo.tmpl;
    include /etc/nginx/templates/netdata.tmpl;
    include /etc/nginx/templates/php-catchall.tmpl;
}

Where and what do I have to change to make this work? I already tried everything!


#6

I really think there’s something else like a firewall or reverse proxy in front of this server that’s dropping connections. Your nginx configuration above doesn’t do that, but something does!


#7

When loading your startpage, there are checks and a redirect to

http://cimr-innovations.com/Docsis_system.asp

The headers have no Server information. But does your nginx really handle ASP pages?

Looks like your nginx isn’t used; instead, there is a Microsoft IIS.


#8

OKAY, I RESOLVED IT! The modem-router's back-port service was listening on port 80, blocking the connection and resetting it! Because of that @JuergenAuer got a Docsis_system.asp instead of HTML or nginx code or anything! Thanks to @schoen!
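The symptoms diagnosed in this thread (connection reset, a redirect to a page nginx never serves, no Server header) can be checked from outside before running certbot again. The following self-check is an added example, not certbot's or iRedMail's code; it assumes you have already placed a file under /var/www/html/.well-known/acme-challenge/ whose content equals its own name, and it fetches that file on port 80 without following redirects so you see which device actually answers.

```python
import http.client
import socket
import sys

CHALLENGE_PATH = "/.well-known/acme-challenge/"


def classify(status, headers, body, expected):
    """Describe what answered a challenge URL. `headers` uses lower-case keys."""
    server = headers.get("server", "")
    if status in (301, 302, 303, 307, 308):
        # The thread's case: the modem answered with a redirect to Docsis_system.asp
        return "redirect to %s: the token must be served at that target" % headers.get("location", "?")
    if status != 200:
        return "HTTP %d from %s" % (status, server or "a server sending no Server header")
    if body.strip() != expected:
        kind = "a JavaScript check page" if "<script" in body.lower() else "an unexpected body"
        return "200 but %s instead of the token: something in front of nginx is answering" % kind
    if "nginx" not in server.lower():
        return "token OK, but the Server header is %r, not nginx" % server
    return "OK"


def probe(host, token, expected, timeout=10):
    """GET http://host/.well-known/acme-challenge/<token> on port 80, not following redirects.
    The file must already exist under the web root, e.g. /var/www/html/.well-known/acme-challenge/."""
    try:
        conn = http.client.HTTPConnection(host, 80, timeout=timeout)
        conn.request("GET", CHALLENGE_PATH + token, headers={"Host": host})
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        body = resp.read().decode("utf-8", "replace")
        return classify(resp.status, headers, body, expected)
    except ConnectionResetError:
        # What certbot reported in the thread: port 80 is closed on us before nginx ever sees the request
        return "connection reset by peer: a firewall, proxy or other service on port 80 answers instead of nginx"
    except (socket.timeout, OSError) as exc:
        return "connect failed: %s" % exc


if __name__ == "__main__":
    # usage: python3 acme_selfcheck.py mail.cimr-innovations.com <token-file-name>
    # (file content equals the file name; a convention constructed for this check)
    host, token = sys.argv[1], sys.argv[2]
    print(host, "->", probe(host, token, token))
```

Run it from a machine outside your LAN, since a NAT loopback may hit nginx directly while the public path goes through the router's port 80 service.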

