Error nginx certboot

Help
1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:turnosweb.jussanjuan.gob.ar

I ran this command:

http-01 challenge for turnosweb.jussanjuan.gob.ar
Waiting for verification…
Challenge failed for domain turnosweb.jussanjuan.gob.ar
http-01 challenge for turnosweb.jussanjuan.gob.ar
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: turnosweb.jussanjuan.gob.ar
    Type: dns
    Detail: DNS problem: SERVFAIL looking up A for
    turnosweb.jussanjuan.gob.ar - the domain’s nameservers may be
    malfunctioning

It produced this output:

My web server is (include version):centos 7

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

nginx -T
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

configuration file /etc/nginx/nginx.conf:

For more information on configuration, see:

* Official English Documentation: http://nginx.org/en/docs/

* Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.

include /usr/share/nginx/modules/*.conf;

events {
worker_connections 1024;
}

http {
log_format main '$remote_addr - $remote_user [$time_local] “$request” ’
'$status $body_bytes_sent “$http_referer” ’
‘"$http_user_agent" “$http_x_forwarded_for”’;

access_log  /var/log/nginx/access.log  main;

sendfile            on;
tcp_nopush          on;
tcp_nodelay         on;
keepalive_timeout   65;
types_hash_max_size 2048;

client_max_body_size 100M;

include             /etc/nginx/mime.types;
default_type        application/octet-stream;

# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;

server {
    listen       80 default_server;
    listen       [::]:80 default_server;
    server_name  _;
    root         /usr/share/nginx/html;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    location / {
    }

    error_page 404 /404.html;
        location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
        location = /50x.html {
    }
}

Settings for a TLS enabled server.

server {

listen 443 ssl http2 default_server;

listen [::]:443 ssl http2 default_server;

server_name _;

root /usr/share/nginx/html;

ssl_certificate “/etc/nginx/cert.crt”;

ssl_certificate_key “/etc/nginx/cert.key”;

ssl_session_cache shared:SSL:1m;

ssl_session_timeout 10m;

ssl_ciphers HIGH:!aNULL:!MD5;

ssl_prefer_server_ciphers on;

# Load configuration files for the default server block.

include /etc/nginx/default.d/*.conf;

location / {

}

error_page 404 /404.html;

location = /40x.html {

}

error_page 500 502 503 504 /50x.html;

location = /50x.html {

}

}

}

configuration file /usr/share/nginx/modules/mod-http-image-filter.conf:

load_module “/usr/lib64/nginx/modules/ngx_http_image_filter_module.so”;

configuration file /usr/share/nginx/modules/mod-http-perl.conf:

load_module “/usr/lib64/nginx/modules/ngx_http_perl_module.so”;

configuration file /usr/share/nginx/modules/mod-http-xslt-filter.conf:

load_module “/usr/lib64/nginx/modules/ngx_http_xslt_filter_module.so”;

configuration file /usr/share/nginx/modules/mod-mail.conf:

load_module “/usr/lib64/nginx/modules/ngx_mail_module.so”;

configuration file /usr/share/nginx/modules/mod-stream.conf:

load_module “/usr/lib64/nginx/modules/ngx_stream_module.so”;

configuration file /etc/nginx/mime.types:

types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;

text/mathml                                      mml;
text/plain                                       txt;
text/vnd.sun.j2me.app-descriptor                 jad;
text/vnd.wap.wml                                 wml;
text/x-component                                 htc;

image/png                                        png;
image/svg+xml                                    svg svgz;
image/tiff                                       tif tiff;
image/vnd.wap.wbmp                               wbmp;
image/webp                                       webp;
image/x-icon                                     ico;
image/x-jng                                      jng;
image/x-ms-bmp                                   bmp;

font/woff                                        woff;
font/woff2                                       woff2;

application/java-archive                         jar war ear;
application/json                                 json;
application/mac-binhex40                         hqx;
application/msword                               doc;
application/pdf                                  pdf;
application/postscript                           ps eps ai;
application/rtf                                  rtf;
application/vnd.apple.mpegurl                    m3u8;
application/vnd.google-earth.kml+xml             kml;
application/vnd.google-earth.kmz                 kmz;
application/vnd.ms-excel                         xls;
application/vnd.ms-fontobject                    eot;
application/vnd.ms-powerpoint                    ppt;
application/vnd.oasis.opendocument.graphics      odg;
application/vnd.oasis.opendocument.presentation  odp;
application/vnd.oasis.opendocument.spreadsheet   ods;
application/vnd.oasis.opendocument.text          odt;
application/vnd.openxmlformats-officedocument.presentationml.presentation
                                                 pptx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
                                                 xlsx;
application/vnd.openxmlformats-officedocument.wordprocessingml.document
                                                 docx;
application/vnd.wap.wmlc                         wmlc;
application/x-7z-compressed                      7z;
application/x-cocoa                              cco;
application/x-java-archive-diff                  jardiff;
application/x-java-jnlp-file                     jnlp;
application/x-makeself                           run;
application/x-perl                               pl pm;
application/x-pilot                              prc pdb;
application/x-rar-compressed                     rar;
application/x-redhat-package-manager             rpm;
application/x-sea                                sea;
application/x-shockwave-flash                    swf;
application/x-stuffit                            sit;
application/x-tcl                                tcl tk;
application/x-x509-ca-cert                       der pem crt;
application/x-xpinstall                          xpi;
application/xhtml+xml                            xhtml;
application/xspf+xml                             xspf;
application/zip                                  zip;

application/octet-stream                         bin exe dll;
application/octet-stream                         deb;
application/octet-stream                         dmg;
application/octet-stream                         iso img;
application/octet-stream                         msi msp msm;

audio/midi                                       mid midi kar;
audio/mpeg                                       mp3;
audio/ogg                                        ogg;
audio/x-m4a                                      m4a;
audio/x-realaudio                                ra;

video/3gpp                                       3gpp 3gp;
video/mp2t                                       ts;
video/mp4                                        mp4;
video/mpeg                                       mpeg mpg;
video/quicktime                                  mov;
video/webm                                       webm;
video/x-flv                                      flv;
video/x-m4v                                      m4v;
video/x-mng                                      mng;
video/x-ms-asf                                   asx asf;
video/x-ms-wmv                                   wmv;
video/x-msvideo                                  avi;

}

configuration file /etc/nginx/conf.d/backoffice.conf:

server {
listen 80;
server_name mevinterno.jussanjuan.gob.ar;

location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://10.107.1.136:8000;
}
}

configuration file /etc/nginx/conf.d/mesa.conf:

server {
server_name mesavirtual.jussanjuan.gob.ar;

    location / {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_pass http://10.107.1.136;
    }


listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/mesavirtual.jussanjuan.gob.ar/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mesavirtual.jussanjuan.gob.ar/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
if ($host = mesavirtual.jussanjuan.gob.ar) {
return 301 https://$host$request_uri;
} # managed by Certbot

server_name mesavirtual.jussanjuan.gob.ar;

return 301 https://$server_name$request_uri;
listen 80;
return 404; # managed by Certbot

}

configuration file /etc/letsencrypt/options-ssl-nginx.conf:

This file contains important security parameters. If you modify this file

manually, Certbot will be unable to automatically provide future security

updates. Instead, Certbot will print and log an error message with a path to

the up-to-date file that you will need to refer to when manually updating

this file.

ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;

ssl_ciphers “ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384”;

configuration file /etc/nginx/conf.d/mesav.conf:

server {
listen 80;
server_name mesavirtual.jussanjuan.gov.ar;
return 301 https://mesavirtual.jussanjuan.gob.ar$request_uri;

}

configuration file /etc/nginx/conf.d/mev.conf:

server {
server_name mev.jussanjuan.gob.ar;

location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://10.107.1.136;
}

listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/mev.jussanjuan.gob.ar/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mev.jussanjuan.gob.ar/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
if ($host = mev.jussanjuan.gob.ar) {
return 301 https://$host$request_uri;
} # managed by Certbot

listen 80;
server_name mev.jussanjuan.gob.ar;
return 404; # managed by Certbot

}

configuration file /etc/nginx/conf.d/mevv.conf:

server {
listen 80;
server_name mev.jussanjuan.gov.ar;
return 301 https://mev.jussanjuan.gob.ar$request_uri;

}

configuration file /etc/nginx/conf.d/pignusv.conf:

server {
listen 80;
server_name pignus.jussanjuan.gov.ar;
return 301 https://pignus.jussanjuan.gob.ar$request_uri;
}

configuration file /etc/nginx/conf.d/sitios.conf:

server {
server_name pignus.jussanjuan.gob.ar;

    location / {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_pass http://10.107.1.121;
    }


listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/mesavirtual.jussanjuan.gob.ar/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mesavirtual.jussanjuan.gob.ar/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
if ($host = pignus.jussanjuan.gob.ar) {
return 301 https://$host$request_uri;
} # managed by Certbot

server_name pignus.jussanjuan.gob.ar;

return 301 https://$host$request_uri;
listen 80;
return 404; # managed by Certbot

}

configuration file /etc/nginx/conf.d/turnos.conf:

server {
listen 80;
server_name turnosweb.jussanjuan.gob.ar;

location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://10.107.3.40;
}
}

2

Hi @oflorespjsj

there is a (running) check of your domain name - https://check-your-website.server-daten.de/?q=turnosweb.jussanjuan.gob.ar

Startet 15:09, running, your name servers are terrible slow.

Now - 15:20 - the check is ready. Your name servers are buggy:

X Fatal error: Nameserver doesn't support echo capitalization. That's critical if you want to create Letsencrypt certificates. Read draft-vixie-dnsext-dns0x20-00 (2008). If a dns client asks "ExAmPlE.cOm", the name server must answer with the same name, not with "example.com". Creating Letsencrypt certificates isn't possible. Your name server provider must update the software.: ns1.huaweicloud-dns.net / 159.138.112.21

Same with all of your other name servers. Your DNS provider has to fix that. If not, you can't create a Letsencrypt certificate.

Rechecked with Unboundtest - same problem - https://unboundtest.com/m/A/turnosweb.jussanjuan.gob.ar/J6UTTUDN

Letsencrypt uses an unbound-instance with the same configuration, so that's critical.

3

Thank you very much, I make the claim to the supplier

4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.