Error obtaining certificate with Raspberry at home under redirect

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: gcampos.it

I ran this command: sudo certbot certonly --standalone -v

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): gcampos.it
Requesting a certificate for gcampos.it
Performing the following challenges:
http-01 challenge for gcampos.it
Waiting for verification...
Challenge failed for domain gcampos.it
http-01 challenge for gcampos.it

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: gcampos.it
Type: unauthorized
Detail: 62.149.128.45: Invalid response from http://gcampos.it/.well-known/acme-challenge/crSrl2_wWNqzzIyVFNI4vVkJ7TXGUaUrBPdtzZiTmBA: 404

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): hiawatha 11.5

The operating system my web server runs on is (include version): Raspbian 11

My hosting provider, if applicable, is: raspberry is at home, domain has redirect to gcampos.ddns.net

I can login to a root shell on my machine (yes or no, or I don't know): YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.8.0
letsencrypt.txt (17.8 KB)

Hi @gyc, and welcome to the LE community forum :slight_smile:

The site doesn't redirect.
It has this code instead:

<html>
	<head>
		<meta name="viewport" content="width=device-width, initial-scale=1" />
			<title>www.gcampos.it</title>
	</head>
	<body style="margin:0px;padding:0px;border:0px;height:100%;width:100%">
		<iframe style="margin:0px;padding:0px;border:0px;" src="http://gcampos.ddns.net/" width="100%" height="100%"></iframe>
	</body>
</html>

That will not work.
LE can't "follow" such a wrapped page.

2 Likes
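To make the distinction in the reply above concrete, here is an added example (not certbot or Let's Encrypt code) that models what the http-01 validator sees at the challenge URL: a 3xx with a Location header is followed, an HTML page that only frames the real site is not. The sample HTML and headers are constructed from the snippets quoted in this thread.

```python
# Added illustration for this thread (not certbot or Let's Encrypt code): model
# what the http-01 validator sees when it fetches the challenge URL, and tell a
# real HTTP redirect apart from an HTML page that merely embeds the target site.
from html.parser import HTMLParser


class IframeFinder(HTMLParser):
    """Collect the src attribute of every <iframe> in an HTML document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)


def classify_challenge_response(status, headers, body):
    """Return (verdict, detail) for one HTTP response to the challenge URL.

    status: integer status code; headers: dict with lower-case header names;
    body: response body as text.  "redirect" (3xx + Location) is followed by
    the CA; "iframe_wrapper" (a page framing another site) is not; "not_found"
    means this host does not serve the token; "served" is a plain 200 body.
    """
    if 300 <= status < 400 and headers.get("location"):
        return "redirect", headers["location"]
    if status == 404:
        return "not_found", None
    finder = IframeFinder()
    finder.feed(body)
    if finder.sources:
        return "iframe_wrapper", finder.sources[0]
    if status == 200:
        return "served", body.strip()
    return "other", None


# Constructed sample: the "redirection" page quoted in the reply above.
WRAPPER_HTML = (
    '<html><head><title>www.gcampos.it</title></head><body>'
    '<iframe src="http://gcampos.ddns.net/" width="100%" height="100%"></iframe>'
    '</body></html>'
)
```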

Hello @gyc,

Side note:
From here Hardenize Report: gcampos.it

No HTTPS service: This server provides only unencrypted (plaintext) HTTP service. Its traffic is thus not protected and fully exposed to monitoring and modification in transit. It provides no confidentiality and exposes the visitors to persistent tracking.
1 Like

This looks like Server: Microsoft-IIS/8.5 not hiawatha 11.5 on Raspbian 11.

$ curl -Ii http://gcampos.it/.well-known/acme-challenge/sometestfile
HTTP/1.1 404 Not Found
Cache-Control: private
Content-Length: 5013
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Fri, 29 Dec 2023 03:08:54 GMT

This must be the provider where I registered the domain and set up the "redirection" (I saw the previous reply on redirection issue). At my home I do have a raspberry PI 3B running my website.
It is meant to be nothing fancy, but still I would prefer to have a certificate in order to avoid browsers denying access.

This is not the true web site, that one runs at my place on a raspberry PI 3B - and that's precisely why I am trying to obtain a certificate.

Hello rg, thanks.

I just registered the domain (with email) and "redirection" - so said by the provider - which is not a true redirection but an html "trick".

How can I then solve the problem?

1 Like

Just point your domain name to the correct IP address (the internet connection where the Pi resides). Don't use that redirection stuff.

Also, is there a specific reason why you're using the --standalone authenticator? I'm assuming the --webroot plugin would also work with Hiawatha.

4 Likes

Problem 1 is I do not have a static IP at my ADSL home connection.
Problem 2 is that I did not explicitly write that html code. The provider offers redirection but obviously uses that 'trick' instead. I'll have to call customer service and clear this out.

Just followed the certbot site advice on <<web site running 'other' on 'debian 10'>> (neither Raspbian nor Hiawatha is present in the drop-down list) - and that would also save potential trouble serving /.well-known with Hiawatha.

One often uses Dynamic DNS for that. Usually one would use a CNAME RR in DNS for that. However, a CNAME would not be allowed for the "apex domain", gcampos.it, but only for subdomains, such as www.gcampos.it. This is due to the fact that if a CNAME is being used, no other RRs are allowed, including MX RRs for email (only DNSSEC records like RRSIG and NSEC are allowed next to CNAME RRs).

That's because your domain name is "pointing" to a webserver of the provider. If DNS would point to a different IP address, that HTML code wouldn't be in the picture altogether.

Is that a known problem?

3 Likes
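The CNAME rule described above, as an added example that is not part of this thread or of any DNS software: a small check over a planned record set that flags every non-DNSSEC record sharing its owner name with a CNAME. The zone fragments are constructed (rdata values are placeholders) to mirror the apex gcampos.it, which always carries SOA and NS and here also MX, versus www.gcampos.it.

```python
# Added illustration for this thread (not a DNS tool): check a planned record
# set for the rule that a name owning a CNAME may own no other records except
# DNSSEC ones.  It shows why the CNAME can go on www.gcampos.it but not on the
# apex gcampos.it, which must keep its SOA, NS and MX records.
DNSSEC_TYPES = {"RRSIG", "NSEC", "NSEC3"}


def normalize(name):
    """Compare owner names case-insensitively and without the trailing dot."""
    return name.lower().rstrip(".")


def cname_conflicts(records):
    """records: iterable of (owner, rrtype, rdata) tuples.

    Returns sorted (owner, rrtype) pairs for every non-DNSSEC record that
    shares its owner name with a CNAME; an empty list means the set is legal.
    """
    types_by_owner = {}
    for owner, rrtype, _rdata in records:
        types_by_owner.setdefault(normalize(owner), set()).add(rrtype.upper())
    conflicts = []
    for owner, types in types_by_owner.items():
        if "CNAME" in types:
            for rrtype in types - {"CNAME"} - DNSSEC_TYPES:
                conflicts.append((owner, rrtype))
    return sorted(conflicts)


# Constructed zone fragment modelled on the thread; rdata values are placeholders.
APEX_RECORDS = [
    ("gcampos.it.", "SOA", "placeholder"),
    ("gcampos.it.", "NS", "ns.placeholder.invalid."),
    ("gcampos.it.", "MX", "10 mail.placeholder.invalid."),
]

# The layout the reply warns against: a CNAME on the apex next to its other records.
APEX_CNAME_PLAN = APEX_RECORDS + [("gcampos.it.", "CNAME", "gcampos.ddns.net.")]

# The layout that is allowed: CNAME only on www, apex records untouched.
WWW_CNAME_PLAN = APEX_RECORDS + [("www.gcampos.it.", "CNAME", "gcampos.ddns.net.")]
```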

Thanks Osiris for clearing (a few) things up. (web sites is not my daily job)

Precisely! That's why I "redirected" gcampos.it (btw, www.gcampos.it also works) to gcampos.ddns.net, provided by no-ip.com.

This is the "true" obstacle, that I must ask the provider to change, then.

I've only learned about hiawatha in the past 10 days; by experience, not running into trouble (even if only potential) "heads on" is usually a good idea :wink:.

1 Like

Or use a control panel. Usually users can change these things themselves. If not, then indeed, you should ask the provider for assistance.

The --standalone plugin has the limitation that any service listening on port 80 (e.g. Hiawatha) needs to be stopped beforehand. Thus, it usually creates more trouble than it solves. Only in certain specific circumstances is --standalone the right choice from the start (e.g., hosts with just a mailserver and no webserver running).

4 Likes

I managed to change the CNAME for www.gcampos.it and then obtained a certificate.
I get my web page served by www.gcampos.it, however, now gcampos.it pops up a page stating the domain is registered - which is true, of course - not my web page. Not a problem for the time being.
While waiting for the records to propagate, I also tried obtaining the certificate for gcampos.ddns.net - and it also worked.

However, hiawatha always gives me an error loading the certificate.
I carefully checked permissions (400), copied the certificate to the hiawatha config folder (while changing the .conf file accordingly) to no avail. But here I am off scope...

Which I did. I am just starting and I don't have the need to be online 24/7.

Solved!

Switched from Hiawatha to Nginx... it worked first time, seamless, no hassles.....

Thanks for your support (tip about CNAME was instrumental).

2 Likes

So it seems that Post 10 by @Osiris is the one to mark as a solution. :slightly_smiling_face:

2 Likes

Unfortunately this doesn't include the apex domain gcampos.it. That IP address points to a different IP address than your DDNS hostname does. Probably still for that redirect? It doesn't answer on port 443 (connection reset by peer), so it's possible users will get a warning about the fact no secure connection was possible.

Although currently I'm seeing a "This domain is already taken" message from Aruba.it? Weird..

By the way, searching a little bit I found something about something called "CNAME flattening". See e.g.:

or

I still don't understand it, but it sounds like it is something that has to be done at the DNS server level? And needs to be supported by the DNS provider? Maybe you could ask your DNS service provider about it.

4 Likes

Yes I noticed that, in line with what you had written about CNAME.
I can live with that for the moment, the info to the public is "www.gcampos.it".

Not really, standard with this provider for domains without hosting (only registration and email)

New to me, certainly useful, it solves the problem I have, directing the apex domain to a server through DDNS. I read the pages, it seems this is a functionality available on Cloudflare and Gcore.
No reference to this on my provider (aruba.com)

I will.
However, to my first request they replied 'directing' me to a paid solution 'domain+hosting' so I suspect they will not be willing...

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.