Hi, trying to setup certbot using apache2 with debian 8. Having some troubles passing the webroot challenge.
OS: Debian 8.11(Jessie)https://pastebin.com/nh4t9gmR http://www.fxleblanc.ca https://pastebin.com/5N0ZzRiy
At first, I thought it was having trouble accessing the acme-challenge directory, so I tried adding a test.html file:
http://168.235.108.155/.well-known/acme-challenge/test.html
I can access it so I don’t think that’s the problem.
Any help is appreciated.
Regards,
FĂ©lix
Let’s Encrypt won’t access an IP address URL.
http://168.235.108.155/.well-known/acme-challenge/test.html won’t work.
http://example.net/.well-known/acme-challenge/test.html will.
Can you change it to redirect to a hostname, or not redirect at all?
Right. Should I change that at the DNS level(I use Gandi.net ) or in my apache configuration?
It looks like it’s using Gandi’s web forwarding service, so you’d have to change it in Gandi’s control panel somewhere.
Can you turn off the forwarding service and change it to a regular A record?
Yes. I just entered the following A record:
*.fxleblanc.ca 1800 IN A 168.235.108.155
It seems it still changes the hostname to the ip
Hi,
Now your domain is not resolved correctly. (No IP is found)
www.fxleblanc.ca 1800 IN A 168.235.108.155
fxleblanc.ca 1800 IN A 168.235.108.155
(Gandi might pre-populated the domain for you, you might need to use
www 1800 IN A 168.235.108.155
@ 1800 IN A 168.235.108.155
if things do not work out)
After you added those DNS records, please wait a few minutes and try to visit the following links to check if the changes are in effect.https://www.whatsmydns.net/#A/fxleblanc.ca https://www.whatsmydns.net/#A/www.fxleblanc.ca
Thank you
Hi, it worked :). Thanks for your help. It worked with these lines:
www 1800 IN A 168.235.108.155
@ 1800 IN A 168.235.108.155
I assume that www refers to www.fxleblanc.ca and @ to *.fxleblanc.ca. How do you know if your DNS provider is using one syntax or the other?
Normally it would be using the @ and www....
Glad it works!
Thank you
It works in staging but for some reason, when I remove the --staging flag, it doesn’t work. It gives me the following error:
https://pastebin.com/TdZnRY59
Apache config:https://pastebin.com/dg1TMz34
Command:
Hi @fxleblanc
your command
is "special": If you use the webroot as authenticator, you need a running webserver. So your pre-hook and your post-hook is wrong.
Remove both.
"Connection refused" - you have stopped your webserver.
Good to know. Thanks. I remove the hooks:
sudo certbot certonly -a webroot -w /var/www/html/ -d www.fxleblanc.ca
and it regenerates the certificates and chain but when I go to the https url(https://www.fxleblanc.ca ), it says it’s an insecure connection. I’m guessing it has to do with my apache config:
https://pastebin.com/dg1TMz34
If you use the
fxleblanc:
certonly
option, you have to install the certificate manual. There is the Fake LE - Certificate installed (from the test system).
Where’s the Fake LE certificate? I currently use the generated full chain and private key in my config:
SSLCertificateFile /etc/letsencrypt/live/www.fxleblanc.ca/fullchain.pem
Maybe it has something to do with the fact that I reference only the full chain and privkey. There’s 4 files in the /etc/letsencrypt/live/www.fxleblanc.ca/ directory. Which one(s) should I reference in my apache config?
I see the Fake LE:
These are symlinks. Perhaps they point to the wrong certificate. Check your certificates with
certbot certificates
perhaps delete three (certbot delete ...) - but first make a backup of the folder.
PS: Now I see the new productive certificate:
https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:www.fxleblanc.ca&lu=cert_search
Great. The site works now. Turns out, I just needed to restart apache2 after deleting all the certs and getting a new one.
Thanks
1 Like
Yep, now I see the correct certificate.
Quick question. Do you use a special plugin in firefox to get the certificate hierarchy in your screenshots or is it something different?
This is the normal Windows-Firefox.
Click the certificate
Then use >.
There the link at the end.
There you see the FireFox page informations, there you can see the certificate.
There select "Details".
1 Like
system
November 4, 2018, 8:54pm
19
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.
