Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
My web server is (include version): nginx 1.6.2
The operating system my web server runs on is (include version): Debian 8 Jessie
My hosting provider, if applicable, is: DigitalOcean
I can login to a root shell on my machine (yes or no, or I donât know): yes
Iâm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The domain points to the correct IP address on my DNS A entry. I am not sure why I have no authorization.
Please let me know if there is something I have missed.
Certbot places a file to verify your ownership of the domain at /home/dev/sites/seeknsupply2/.well-known/acme-challenge/GzGCl7pKtNAVmWm0rXnpbTz6HOwtuB6o46P4riSA3Fs but the validation server gets a 404 error when it tries to retrieve it from http://seeknsupply.com/.well-known/acme-challenge/GzGCl7pKtNAVmWm0rXnpbTz6HOwtuB6o46P4riSA3Fs.
If youâre sure the /home/dev/sites/seeknsupply2/ path is correct, there is probably an issue in your nginx configuration that prevents this static file from being served. You could create a test file /home/dev/sites/seeknsupply2/.well-known/acme-challenge/test.txt or so and try and access it at http://seeknsupply.com/.well-known/acme-challenge/test.txt to debug it yourself. Or you can share the server block from your nginx configuration and maybe we can identify what the problem could be.
Your nginx configuration proxies all requests to another web server running on port 8000. Since this server is answering your requests and doesnât know about the certbot validation files, you get an error.
You could pass the webroot for the port 8000 server to certbot, if one exists. But this seems unlikely since you have a /static location rule in nginx.
So you can add the following location block to your nginx configuration, which will tell nginx not to proxy these connections to the port 8000 server:
You may also want to switch to the Nginx plugin. To do so, remove the --webroot and -w flags above, and add:
--nginx
I believe this should just take care of everything for you, and you wonât need to add a location directive.
If I can ask, were you following a specific tutorial when you chose the --webroot method? Now that --nginx is available, weâd like to encourage people to use it, which may include updating tutorials.
Aha, I just checked with a colleague and discovered that the version of the Nginx plugin available in jessie-backports is too out-of-date, and so our current recommendation is indeed to use --webroot. Sorry for the misleading advice above, please disregard.
So I applied this and it worked in regards to displaying the test file.
Before this, I was a little impatient and applied the following to see what would happen: $ sudo certbot certonly --standalone -d seeknsupply.com.
The terminal did return a successful message. After editing the nginx file according to what you recommended,
I tried again with the original command certbot certonly --webroot -w /home/dev/sites/seeknsupply2 -d seeknsupply.com
I chose to replace the previous key. All messages return as successful but I am unable to open the site vis https.
Here is the return message:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Cert not yet due for renewal
You have an existing certificate that has exactly the same domains or certificate name you requested and isnât close to expiry.
(ref: /etc/letsencrypt/renewal/seeknsupply.com.conf)
What would you like to do?
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
Select the appropriate number [1-2] then [enter] (press âcâ to cancel): 2
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for seeknsupply.com
Using the webroot path /home/dev/sites/seeknsupply2 for all unmatched domains.
Waiting for verificationâŚ
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0003_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0003_csr-certbot.pem
IMPORTANT NOTES:
Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/seeknsupply.com/fullchain.pem. Your cert will
expire on 2018-03-14. To obtain a new or tweaked version of this
certificate in the future, simply run certbot again. To
non-interactively renew all of your certificates, run âcertbot
renewâ
If you like Certbot, please consider supporting our work by:
âcertbot certonlyâ creates certificates, but doesnât configure software to use them.
If you have a fairly recent version of Certbot â which you probably donât, on Debian Jessie â using âcertbot --nginxâ is a good idea; it creates certificates and configures Nginx to use them.
Using certonly, itâs necessary to configure HTTPS in Nginx.
Weak Diffie-Hellman paramaters make your website susceptible to the Logjam attack. Since a minority of clients use Finite Field Diffie-Hellman Exchange (DHE) these days in favor of Elliptic Curve Diffie-Hellman Exchange (ECDHE), which does not have this issue, SSLLabs only downgrades you to a B rating for this issue.