Fail to create certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mykccbenefits.com

I ran this command:

It produced this output:
One or more domains had a problem:
[example.mykccbenefits.com] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for example.mykccbenefits.com - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for example.mykccbenefits.com - check that a DNS record exists for this domain, url:
[login.mykccbenefits.com] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for login.mykccbenefits.com - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for login.mykccbenefits.com - check that a DNS record exists for this domain, url:
[mykccbenefits.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: 165.232.168.31: Invalid response from https://mykccbenefits.com/.well-known/acme-challenge/hXqetG75i8ZnLc8CPuwPaAGDiu5tgczTmvAHAvvDOGg: 404, url:
My web server is (include version): apache2

The operating system my web server runs on is (include version): ubuntu

My hosting provider, if applicable, is: namecheap

I can login to a root shell on my machine (yes or no, or I don't know): debian

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 2.1.0

This is the updated error message:

acme: Error -> One or more domains had a problem:
[example.mykccbenefits.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: 165.232.168.31: Invalid response from http://example.mykccbenefits.com/.well-known/acme-challenge/bivLYVcw77MxEYT4YVRuraLD84wqS9zhDPWNYZ6EACM: 404, url:
[login.mykccbenefits.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: 165.232.168.31: Invalid response from http://login.mykccbenefits.com/.well-known/acme-challenge/2vRb0_BMD1U2UOt9xjPHaMOV10mE3_dcuuBBZVg2wV0: 404, url:
[mykccbenefits.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: 165.232.168.31: Invalid response from https://mykccbenefits.com/.well-known/acme-challenge/6I8p_RSElaMSL8l2Rf_5iigGCJJzTbMFPiKrD8D-MUI: 404, url:

Welcome to the community @divina

Right now the error to your domain is a timeout. The Let's Debug test site (link here) is often helpful when setting up a new site. Once Let's Debug says "OK" you should try the certbot request again.

3 Likes

When opening firewall rules to all (since I do not know what addresses Let's Encrypt uses) - the test passes successfully.
When the first certificate generation attempt was made - I opened firewall rules as well.

How do I proceed from here?

The error in your first post was for DNS lookup failure. You should not be blocking your DNS servers. How would anyone find the IP to connect to your site?

As for the current timeouts, Let's Encrypt recommends keeping port 80 open always. See below

3 Likes
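An added example (not part of any post in this thread, and not Let's Encrypt or client code): a small Python triage for failure lines in the format quoted above. It separates the DNS failures from the 404s and notes whether a 404 came back over HTTPS, which means the validation request followed the site's HTTP-to-HTTPS redirect. The domains, IP address and token in the sample are constructed.

```python
import re

# Line shape taken from the error output quoted in this thread.
LINE_RE = re.compile(
    r"^\[(?P<domain>[^\]]+)\] acme: error: (?P<status>\d{3}) :: "
    r"urn:ietf:params:acme:error:(?P<type>\w+) :: (?P<detail>.*?)(?:, url:.*)?$"
)
URL_RE = re.compile(r"Invalid response from (https?)://\S+?: (\d{3})")

def diagnose(line):
    """Return (domain, acme_error_type, hint) for one failure line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # header or unrelated line
    kind, detail = m["type"], m["detail"]
    if kind == "dns" and "NXDOMAIN" in detail:
        hint = "no public A/AAAA record: publish the record before requesting"
    elif kind == "unauthorized" and (u := URL_RE.search(detail)):
        scheme, code = u.groups()
        hint = f"server reached, challenge URL returned {code}"
        if scheme == "https":
            hint += " after an HTTP-to-HTTPS redirect: check the HTTPS vhost"
        else:
            hint += " on port 80: check the HTTP vhost or webroot"
    elif kind == "connection":
        # RFC 8555 error type for timeouts/refusals; not in the thread's output.
        hint = "validation server could not connect: check firewall on port 80"
    else:
        hint = "unclassified: read the detail text"
    return m["domain"], kind, hint

# Constructed sample in the same format (example.com names, documentation IP).
SAMPLE = """\
One or more domains had a problem:
[login.example.com] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for login.example.com - check that a DNS record exists for this domain, url:
[example.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: 203.0.113.10: Invalid response from https://example.com/.well-known/acme-challenge/CONSTRUCTED-TOKEN: 404, url:
[www.example.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: 203.0.113.10: Invalid response from http://www.example.com/.well-known/acme-challenge/CONSTRUCTED-TOKEN: 404, url:
"""

def diagnose_all(text):
    """Diagnose every failure line in a pasted block of client output."""
    return [d for d in map(diagnose, text.splitlines()) if d]

if __name__ == "__main__":
    for domain, kind, hint in diagnose_all(SAMPLE):
        print(f"{domain:20} {kind:13} {hint}")
```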

DNS is not blocked. DNS provider is sitting in the cloud... the website is reachable.
It's only the Let's Encrypt IPs which I wasn't sure of, that are probably used during certificate generation - so I opened all addresses temporarily. Other than that, the website is accessible by the relevant IPs...
Port 80 is open - but the website is configured to redirect http to https.

From my own test server I timeout right now trying to reach mykccbenefits.com with either HTTP or HTTPS.

A test site like SSL Labs can't reach your site either (link here)

Let's Encrypt does not publish the IP list. See below topics

3 Likes

Like I said - the test will not work, as the website is limited by firewall (to be accessible to only my IP at the moment) - but the DNS server is on the cloud, and is not blocked.
When I attempted to generate the certificate, I opened firewall rules and it failed with the errors mentioned on the top of the thread.

If I open the FW rules - the test you suggested works successfully.

Kindly read my replies before replying.

Please do not test my site - rather, suggest what to check and how to solve it.
As you are being misled by not reading my description carefully.

Both of these tests pass successfully!
Please assist if you can, and do not attempt to run tests yourself, as these websites are originating from their own IP - of course it won't be accessible.

Can you please assist? Can you read the error messages rather than running tests yourself (which is redundant and time wasting + frustrating)?

FYI

https://www.ssllabs.com/ssltest/analyze.html?d=mykccbenefits.com&hideResults=on
!!!

I am sorry that I do not interpret your comments the same way you mean them.

I see you have gotten 3 certs for those domain names in the past week. See link here:

What is it you want help with? Because you are able to get certs.

3 Likes

What do you suggest then?

For what? You can get certs. Your own SSL Labs test showed a successful connect.

I see you got a 404 error and also DNS errors. But, you must have fixed those to get certs.

So, what is it you want help with now?

3 Likes

I AM NOT ABLE TO GENERATE CERTIFICATES!!!
Please read my first message on the top of the thread!!!

You definitely are as shown by this link I provided earlier

3 Likes

I'm trying to get a different cert from a different system.
Please stop testing my site, and check the error messages I shared.

I don't know what that means. I will stop responding to let other volunteers try to help.

3 Likes

These are the error messages:
Do you have any idea?
One or more domains had a problem:
[example.mykccbenefits.com] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for example.mykccbenefits.com - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for example.mykccbenefits.com - check that a DNS record exists for this domain, url:
[login.mykccbenefits.com] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for login.mykccbenefits.com - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for login.mykccbenefits.com - check that a DNS record exists for this domain, url:
[mykccbenefits.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: 165.232.168.31: Invalid response from https://mykccbenefits.com/.well-known/acme-challenge/hXqetG75i8ZnLc8CPuwPaAGDiu5tgczTmvAHAvvDOGg: 404, url:
My web server is (include version): apache2