Failed authorization procedure. Error getting validation data

Hi, trying to set up certbot using apache2 with Debian 8. Having some trouble passing the webroot challenge.

OS: Debian 8.11 (Jessie)
Certbot version: 0.10.2
Apache config: https://pastebin.com/nh4t9gmR
Domain: http://www.fxleblanc.ca
Command: sudo certbot certonly -a webroot -w /var/www/html/ -i apache --staging
Error log: https://pastebin.com/5N0ZzRiy

At first, I thought it was having trouble accessing the acme-challenge directory, so I tried adding a test.html file:

http://168.235.108.155/.well-known/acme-challenge/test.html

I can access it so I don’t think that’s the problem.

Any help is appreciated.

Regards,

Félix

Let’s Encrypt won’t access an IP address URL. :anguished:

http://168.235.108.155/.well-known/acme-challenge/test.html won’t work.

http://example.net/.well-known/acme-challenge/test.html will.

Can you change it to redirect to a hostname, or not redirect at all?

Right. Should I change that at the DNS level (I use Gandi.net) or in my Apache configuration?

It looks like it’s using Gandi’s web forwarding service, so you’d have to change it in Gandi’s control panel somewhere.

Can you turn off the forwarding service and change it to a regular A record?

Yes. I just entered the following A record:

*.fxleblanc.ca 1800 IN A 168.235.108.155

It seems it still changes the hostname to the IP.

Hi,

Now your domain is not resolved correctly. (No IP is found)
Could you please try to stop the web-forwarding service (if you haven’t) and add the following records to Gandi’s Control Panel?

www.fxleblanc.ca 1800 IN A 168.235.108.155
fxleblanc.ca 1800 IN A 168.235.108.155

(Gandi might have pre-populated the domain for you; you might need to use

www 1800 IN A 168.235.108.155
@ 1800 IN A 168.235.108.155

if things do not work out.)

After you added those DNS records, please wait a few minutes and try to visit the following links to check if the changes are in effect.
https://www.whatsmydns.net/#A/fxleblanc.ca
https://www.whatsmydns.net/#A/www.fxleblanc.ca

Thank you

Hi, it worked :). Thanks for your help. It worked with these lines:

www 1800 IN A 168.235.108.155
@ 1800 IN A 168.235.108.155

I assume that www refers to www.fxleblanc.ca and @ to *.fxleblanc.ca. How do you know if your DNS provider is using one syntax or the other?

Normally it would be using the @ and www....
(I actually have no idea how those providers choose between them... But I believe those are the only two widespread syntaxes for DNS management in a user-friendly interface.)

Glad it works!

Thank you

It works in staging but for some reason, when I remove the --staging flag, it doesn’t work. It gives me the following error:

https://pastebin.com/TdZnRY59

Apache config:
https://pastebin.com/dg1TMz34

Command:
sudo certbot certonly -a webroot -w /var/www/html/ -d www.fxleblanc.ca --pre-hook “systemctl stop apache2” --post-hook “systemctl start apache2”

Hi @fxleblanc

your command

is "special": If you use webroot as the authenticator, you need a running web server. So your pre-hook and your post-hook are wrong.

Remove both.

"Connection refused" - you have stopped your webserver.

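Putting the three points made so far together (the validator will not follow a forward to a bare IP, the name has to resolve to the server, and the web server has to stay up while certbot runs), here is a small pre-flight script. It is an added example, not something posted in this thread or shipped with certbot. It assumes a Debian host with Apache serving the webroot on port 80, and that curl, ss and certbot are installed; www.example.net in the usage line is a placeholder. The --deploy-hook option exists from certbot 0.17 on; with the 0.10.x in this thread drop that line and reload Apache by hand after issuance.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for the HTTP-01
# webroot challenge on a Debian/Apache host. Assumes Apache serves the given
# webroot on port 80 for the domain, and that curl, ss and certbot exist.
# Usage: sh preflight.sh www.example.net /var/www/html   (placeholders)

# Host part of an http(s) URL: strip scheme, userinfo, port and path.
url_host() {
    h=${1#*://}; h=${h%%/*}; h=${h##*@}; h=${h%%:*}
    printf '%s\n' "$h"
}

# True if $1 is a dotted-quad IPv4 literal (four octets, each 0-255).
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    ( IFS=.; set -- $1
      [ $# -eq 4 ] || exit 1
      for o in "$@"; do [ "$o" -le 255 ] || exit 1; done )
}

# Where the validator ends up after redirects must still be an http(s) URL
# under /.well-known/acme-challenge/ on a hostname. Let's Encrypt will not
# fetch a bare-IP URL, which is what web forwarding to the server IP produces.
challenge_url_ok() {
    case $1 in http://*|https://*) ;; *) return 1 ;; esac
    case $1 in */.well-known/acme-challenge/*) ;; *) return 1 ;; esac
    ! is_ipv4 "$(url_host "$1")"
}

# Reads "ss -ltn" output on stdin; succeeds if something listens on port $1.
# The webroot authenticator needs the web server running during validation,
# so a --pre-hook that stops Apache guarantees "Connection refused".
listens_on() {
    awk -v p="$1" '$1 == "LISTEN" && $4 ~ (":" p "$") { f = 1 } END { exit !f }'
}

# Drop a random token where certbot would, fetch it by hostname and check
# that the body, the status and the final URL are what the CA would see.
webroot_probe() {
    domain=$1; webroot=$2
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    printf '%s\n' "$token" > "$dir/$token"
    tmp=$(mktemp)
    result=$(curl -sS -L --max-redirs 5 -o "$tmp" -w '%{url_effective} %{http_code}' \
             "http://$domain/.well-known/acme-challenge/$token"); rc=$?
    body=$(cat "$tmp"); rm -f "$tmp" "$dir/$token"
    final=${result% *}; code=${result##* }
    [ "$rc" -eq 0 ] || { echo "fetch failed: is Apache running on :80?" >&2; return 1; }
    [ "$code" = 200 ] || { echo "got HTTP $code for the token" >&2; return 1; }
    challenge_url_ok "$final" || { echo "validator would land on $final" >&2; return 1; }
    [ "$body" = "$token" ] || { echo "token body mismatch: wrong -w / DocumentRoot?" >&2; return 1; }
}

main() {
    domain=${1:?usage: $0 domain webroot}; webroot=${2:?usage: $0 domain webroot}
    getent hosts "$domain" > /dev/null || { echo "$domain does not resolve (check the A records)" >&2; exit 1; }
    ss -ltn | listens_on 80 || { echo "nothing listening on :80; start Apache and use no stop/start hooks" >&2; exit 1; }
    webroot_probe "$domain" "$webroot" || exit 1
    # No pre/post hooks: Apache stays up. A deploy hook reloads it only when a
    # certificate was actually issued, so the new chain is picked up.
    certbot certonly -a webroot -w "$webroot" -d "$domain" \
        --deploy-hook 'systemctl reload apache2'
}
if [ $# -eq 2 ]; then main "$@"; fi
```

Run it with the real hostname and the same directory you pass to -w; if the probe reports that the validator would land on an IP URL, the forwarding is still in place, and if it reports a connection failure, nothing is answering on port 80.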
Good to know. Thanks. I removed the hooks:

sudo certbot certonly -a webroot -w /var/www/html/ -d www.fxleblanc.ca

and it regenerates the certificates and chain, but when I go to the HTTPS URL (https://www.fxleblanc.ca), it says it's an insecure connection. I'm guessing it has to do with my Apache config:

https://pastebin.com/dg1TMz34

If you use the

option, you have to install the certificate manually. The Fake LE certificate (from the test system) is installed there.

Where’s the Fake LE certificate? I currently use the generated full chain and private key in my config:

SSLCertificateFile /etc/letsencrypt/live/www.fxleblanc.ca/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.fxleblanc.ca/privkey.pem

Maybe it has something to do with the fact that I reference only the full chain and privkey. There are 4 files in the /etc/letsencrypt/live/www.fxleblanc.ca/ directory. Which one(s) should I reference in my Apache config?

I see the Fake LE:

ca

These are symlinks. Perhaps they point to the wrong certificate. Check your certificates with

certbot certificates

perhaps delete three (certbot delete ...) - but first make a backup of the folder.

PS: Now I see the new productive certificate:

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:www.fxleblanc.ca&lu=cert_search
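Before deleting anything under /etc/letsencrypt, it helps to compare what Apache is actually serving with what certbot wrote. The script below is an added example, not code from this thread or from certbot; it assumes openssl is installed and that the lineage lives under /etc/letsencrypt/live/<name>/. The four files certbot keeps there are cert.pem, chain.pem, fullchain.pem and privkey.pem; Apache 2.4 on Debian 8 takes fullchain.pem in SSLCertificateFile and privkey.pem in SSLCertificateKeyFile, as in the config quoted above, so a browser warning after a correct reissue usually means Apache is still holding the old file in memory.

```shell
#!/bin/sh
# Added example (not from the thread): compare the certificate Apache serves
# with the one certbot wrote, and flag a leftover --staging certificate.
# Assumes openssl is installed and certbot's lineage is /etc/letsencrypt/live/<name>/.
# Usage: sh servedcheck.sh www.example.net [lineage-name]   (placeholder)

# CN from an openssl "issuer=" / "subject=" line. Handles both the OpenSSL 1.0
# form "issuer= /C=US/O=.../CN=Name" and the 1.1 form "issuer=C = US, ..., CN = Name".
name_cn() {
    printf '%s\n' "$1" | sed 's/.*CN *= *//'
}

# Staging certificates are issued by the "Fake LE" CAs; browsers reject them,
# which is what "insecure connection" after a --staging run looks like.
is_staging_issuer() {
    case $1 in
        *"Fake LE"*|*"(STAGING)"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Normalise a fingerprint ("SHA256 Fingerprint=ab:cd..." or bare hex) to
# uppercase hex without separators so values from different tools compare equal.
norm_fp() {
    printf '%s\n' "$1" | sed 's/.*=//; s/[: ]//g' | tr 'a-f' 'A-F'
}

# Certificate Apache hands out for a hostname (SNI set), as PEM on stdout.
served_cert() {
    printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
      | openssl x509
}

# Certificate on disk for a certbot lineage name, as PEM on stdout.
live_cert() {
    cat "/etc/letsencrypt/live/$1/cert.pem"
}

# PEM on stdin -> normalised SHA-256 fingerprint / issuer CN.
cert_fp()        { norm_fp "$(openssl x509 -noout -fingerprint -sha256)"; }
cert_issuer_cn() { name_cn "$(openssl x509 -noout -issuer)"; }

main() {
    host=${1:?usage: $0 hostname [lineage]}; lineage=${2:-$1}
    served=$(served_cert "$host") || { echo "no TLS answer from $host:443" >&2; exit 1; }
    ondisk=$(live_cert "$lineage") || exit 1
    s_fp=$(printf '%s\n' "$served" | cert_fp)
    d_fp=$(printf '%s\n' "$ondisk" | cert_fp)
    s_iss=$(printf '%s\n' "$served" | cert_issuer_cn)
    echo "served:  $s_fp  issuer: $s_iss"
    echo "on disk: $d_fp"
    if is_staging_issuer "$s_iss"; then
        echo "served cert is from the staging CA: re-run certbot without --staging" >&2; exit 2
    fi
    if [ "$s_fp" != "$d_fp" ]; then
        echo "Apache is not serving the file in /etc/letsencrypt/live: run 'systemctl reload apache2'" >&2; exit 3
    fi
    echo "OK: Apache serves the current production certificate"
}
if [ $# -ge 1 ]; then main "$@"; fi
```

Exit code 2 means the staging certificate is still installed; exit code 3 means the files on disk are right and only a reload of Apache is missing, which is what turned out to be the case in this thread.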

Great. The site works now. Turns out, I just needed to restart apache2 after deleting all the certs and getting a new one.

Thanks


Yep, now I see the correct certificate.

correct

:wink:

Quick question. Do you use a special plugin in firefox to get the certificate hierarchy in your screenshots or is it something different?

This is the normal Windows Firefox.

Click the certificate

step-1

Then use >.

step-2

There the link at the end.

step-3

There you see the Firefox page information, where you can see the certificate.

step-4

There select "Details".

