Error while trying to install a new cert


#1

I'm trying to re-install a cert that expired. I tried to renew and it failed, so I decided to re-install certbot and create a new cert, but it failed (same error).

My domain is: aftercoffeedesigns.com

I ran this command: sudo certbot --apache -d aftercoffeedesigns.com -d www.aftercoffeedesigns.com

It produced this output: Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for aftercoffeedesigns.com
http-01 challenge for www.aftercoffeedesigns.com
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. aftercoffeedesigns.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://aftercoffeedesigns.com/.well-known/acme-challenge/NVPB6HuUlE2b1P4LaAadScfcgz5EbaE9ouZQ3AC5SsU: Error getting validation data

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: aftercoffeedesigns.com
    Type: connection
    Detail: Fetching
    https://aftercoffeedesigns.com/.well-known/acme-challenge/NVPB6HuUlE2b1P4LaAadScfcgz5EbaE9ouZQ3AC5SsU:
    Error getting validation data

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version): Apache/2.4.18

The operating system my web server runs on is (include version): Ubuntu 16.04.5 LTS

My hosting provider, if applicable, is: DigitalOcean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

Your server seems to be serving HTTP (rather than HTTPS) on port 443.

The challenge comes in over HTTP and you’re redirecting it to HTTPS; Let’s Encrypt will happily follow the redirect but there needs to be a working HTTPS connection at the end of it (not necessarily a valid certificate, but HTTP on port 443 won’t work).

There should be some directives to enable HTTPS (SSLEngine on and so forth) in your port 443 VirtualHost, or in an included file such as options-ssl-apache.conf - do you remember removing something like this? You may need to put it back in.

Or you could try temporarily disabling the redirect until you get things working again.


#3

I tried disabling redirection and got the same error. I also tried to use Apache ssl_mod to redirect traffic to 443 and got the same error. Any other suggestions?


#4

Did you re-enable it again? It still seems to be redirecting, for me.

I’m not sure what you mean by this … mod_ssl doesn’t do anything with redirects, rather it allows you to enable SSL/TLS. And it still seems to be disabled on your server.

It’s often useful to post the error anyway, even if it looks the same, as there might be subtle differences that could be meaningful to the folks here…

Posting the relevant parts of your Apache configuration (for that domain) might be helpful.


#5

I guess I will have to wait some time.

An unexpected error occurred: There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/


#6

Hi @ae3erdion,

This is not really a problem:

There is a Failed Validation limit of 5 failures per account, per hostname, per hour. This limit is higher on our staging environment, so you can use that environment to debug connectivity problems.

First use the test system (option --staging); it has a higher limit. If that works, use the production system.

Perhaps use certonly as an option (with the test system), so your configuration is unchanged.


#7

Still getting
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for aftercoffeedesigns.com
http-01 challenge for www.aftercoffeedesigns.com
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.aftercoffeedesigns.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://aftercoffeedesigns.com/.well-known/acme-challenge/dRdfw42lczVCszkikmzPWlVJCmLATi-Ubp6jJlUvIzo: Error getting validation data

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.aftercoffeedesigns.com
    Type: connection
    Detail: Fetching
    https://aftercoffeedesigns.com/.well-known/acme-challenge/dRdfw42lczVCszkikmzPWlVJCmLATi-Ubp6jJlUvIzo:
    Error getting validation data

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.


#8

This is still true as of right now and is still the reason preventing the validation from succeeding.


#9

Test the URL in your browser. Then you see a special error:

This site can’t provide a secure connection
aftercoffeedesigns.com sent an invalid response.

Why? You send HTTP over port 443.

D:>download http://aftercoffeedesigns.com:443/.well-known/acme-challenge/dRdfw42lczVCszkikmzPWlVJCmLATi-Ubp6jJlUvIzo -h
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Length: 2
Cache-Control: no-cache, must-revalidate, max-age=0
Content-Type: text/html; charset=UTF-8
Date: Mon, 27 Aug 2018 10:59:33 GMT
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Location: https://aftercoffeedesigns.com/.well-known/acme-challenge/dRdfw42lczVCszkikmzPWlVJCmLATi-Ubp6jJlUvIzo
Server: Apache/2.4.18 (Ubuntu)
X-Powered-By: W3 Total Cache/0.9.7

Status: 301 MovedPermanently

HTTP over port 443 should send an error, not 301 Moved. So your HTTPS configuration is broken.

You don't need a valid certificate to use http-01 validation.

Perhaps remove the redirect http -> https and install HTTPS later.

PS: No, not a good solution. You have an older certificate. So fix your HTTPS setting.
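The check described in #2 and #9 (port 443 answering plaintext HTTP with a 301 to https://, which the http-01 redirect then cannot reach), written up as an added diagnostic example; this is not code from the thread, from certbot or from Apache. The host name, the probe path and the SAMPLE_301 reply are constructed, and probe_443 is a hypothetical helper that needs network access.

```python
import re
import socket
import ssl

def parse_status_and_location(response: bytes):
    """Return (status_code, Location) from a raw HTTP response head."""
    lines = response.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace").split("\r\n")
    m = re.match(r"HTTP/\d\.\d (\d{3})", lines[0])
    if not m:
        return None, None
    location = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            location = value.strip()
    return int(m.group(1)), location

def classify_plain_reply_on_443(response: bytes) -> str:
    """Classify what a plaintext HTTP request sent to port 443 got back. A vhost with
    SSLEngine on never answers plaintext with 2xx/3xx (mod_ssl rejects it with 400)."""
    status, location = parse_status_and_location(response)
    if status is None:
        return "not-http"              # binary/garbage reply: port is probably TLS
    if status // 100 == 3 and location and location.startswith("https://"):
        return "plaintext-redirect-loop"   # the thread's case: 301 to https on port 443
    if 200 <= status < 400:
        return "plaintext-http"
    return "http-error"                # e.g. mod_ssl's 400 for plain HTTP on a TLS port

def probe_443(host: str, timeout: float = 5.0) -> str:
    """Live check (hypothetical helper): try a TLS handshake first; if the
    server does not speak TLS, send plain HTTP and classify the reply."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False         # an expired/old cert must still count as TLS
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, 443), timeout) as raw, \
             ctx.wrap_socket(raw, server_hostname=host):
            return "tls"
    except ssl.SSLError:               # e.g. "wrong version number": plaintext came back
        pass
    with socket.create_connection((host, 443), timeout) as s:
        s.sendall(b"HEAD /.well-known/acme-challenge/probe HTTP/1.1\r\nHost: "
                  + host.encode() + b"\r\nConnection: close\r\n\r\n")
        return classify_plain_reply_on_443(s.recv(4096))

# Constructed reply modelled on the headers shown in this thread (host is a placeholder).
SAMPLE_301 = (b"HTTP/1.1 301 Moved Permanently\r\n"
              b"Location: https://example.invalid/.well-known/acme-challenge/TOKEN\r\n"
              b"Server: Apache/2.4.18 (Ubuntu)\r\nContent-Length: 2\r\n\r\n")
```

A "plaintext-redirect-loop" result is the fix-your-HTTPS case from #9; a "tls" result means the port 443 vhost has SSLEngine on and the redirect from port 80 is safe to keep.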


#10

This might sound dumb, but how do I change the http -> https redirect?
